
Accepted python-django 1.4.22-1+deb7u3 (source all) into oldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 05 Apr 2017 10:34:27 +0200
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.4.22-1+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 859515 859516
Changes: 
 python-django (1.4.22-1+deb7u3) wheezy-security; urgency=high
 .
   * CVE-2017-7233: Open redirect and possible XSS attack via user-supplied
     numeric redirect URLs.
 .
     Django relies on user input in some cases (e.g.
     django.contrib.auth.views.login() and i18n) to redirect the user to an
     "on success" URL. The security check for these redirects (namely
     django.utils.http.is_safe_url()) considered some numeric URLs (e.g.
     http:999999999) "safe" when they shouldn't be.
 .
     Also, if a developer relies on is_safe_url() to provide safe redirect
     targets and puts such a URL into a link, they could suffer from an XSS
     attack. (Closes: #859515)
 .
   * CVE-2017-7234: Open redirect vulnerability in django.views.static.serve().
 .
     A maliciously crafted URL to a Django site using the
     django.views.static.serve() view could redirect to any other domain. The
     view no longer does any redirects as they don't provide any known,
     useful functionality.
 .
     Note, however, that this view has always carried a warning that it is
     not hardened for production use and should be used only as a development
     aid. Thanks Phithon Gong for reporting this issue. (Closes: #859516)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
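
An added illustration of the CVE-2017-7233 entry above, not code from Django, Debian or this upload: one redirect check is run over constructed sample URLs with two variants of a simplified URL splitter. That a splitter reading "name:digits" as a path (the hypothetical `numeric_is_path` switch) is what lets `http:999999999` pass is an assumption of this model; `split_url`, `is_safe_redirect`, `compare` and the host `example.org` are hypothetical names.

```python
import string

SCHEME_CHARS = set(string.ascii_letters + string.digits + "+-.")

def split_url(url, numeric_is_path):
    """Constructed, simplified splitter: returns (scheme, netloc).

    numeric_is_path=True models the assumed heuristic that reads
    "name:digits" as a path with a port-like suffix, not as a scheme.
    """
    scheme, rest = "", url
    head, sep, tail = url.partition(":")
    if sep and head and head[0].isalpha() and not set(head) - SCHEME_CHARS:
        if not (numeric_is_path and tail.isdigit()):
            scheme, rest = head.lower(), tail
    netloc = ""
    if rest.startswith("//"):
        netloc = rest[2:]
        for stop in "/?#":
            netloc = netloc.split(stop, 1)[0]
    return scheme, netloc

def is_safe_redirect(url, host, numeric_is_path=False):
    """Accept only same-host http(s) URLs or scheme-less relative paths."""
    if not url or url != url.strip():
        return False
    url = url.replace("\\", "/")
    if url.startswith("///"):
        return False
    scheme, netloc = split_url(url, numeric_is_path)
    if scheme and not netloc:  # a scheme with no host, e.g. "http:999999999"
        return False
    return (not netloc or netloc == host) and scheme in ("", "http", "https")

# Constructed sample inputs, not taken from any real application.
SAMPLES = ["/accounts/profile/", "https://example.org/next",
           "https://other.example/", "http:999999999", "//other.example/x"]

def compare(host="example.org"):
    """Map each sample to (verdict with heuristic, verdict without it)."""
    return {u: (is_safe_redirect(u, host, True), is_safe_redirect(u, host, False))
            for u in SAMPLES}

if __name__ == "__main__":
    for url, (lenient, strict) in compare().items():
        print(f"{url!r:28} heuristic={lenient!s:5} strict={strict}")
```

Only the numeric URL changes verdict between the two variants, which makes it a useful regression case for any redirect validator that relies on a third-party URL parser.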