Bug 8434

Summary: python-django new security issues fixed in 1.3.5 and 1.4.3
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: makowski.mageia, oe, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: https://www.djangoproject.com/weblog/2012/dec/10/security/
Whiteboard: has_procedure mga2-64-OK mga2-32-OK
Source RPM: python-django CVE:
Status comment:

Description David Walser 2012-12-19 14:59:38 CET 
Upstream issued an advisory on December 10:
https://www.djangoproject.com/weblog/2012/dec/10/security/
David Walser 2012-12-19 14:59:59 CET

CC: (none) => makowski.mageia
Assignee: bugsquad => makowski.mageia

David Walser 2012-12-19 15:00:07 CET

CC: (none) => oe

Comment 1 David Walser 2012-12-19 18:40:26 CET 
Mandriva has issued an advisory for this today (December 19):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:181

The oct/17 issue (CVE-2012-4520) we already fixed in October.
Comment 2 Philippe Makowski 2012-12-19 22:20:05 CET 
python-django-1.3.5-1.mga2 is in update testing
python-django-1.4.3-1.mga3 was already there
Comment 3 David Walser 2012-12-20 03:43:24 CET 
Thanks Philippe!

Advisory:
========================

Updated python-django package fixes security vulnerability:

Host header and redirect poisoning vulnerabilities in python-django before
1.3.5 have been fixed.

References:
https://www.djangoproject.com/weblog/2012/dec/10/security/
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:181
========================

Updated packages in core/updates_testing:
========================
python-django-1.3.5-1.mga2

from python-django-1.3.5-1.mga2.src.rpm

Version: Cauldron => 2
Assignee: makowski.mageia => qa-bugs

Comment 4 claire robinson 2012-12-20 10:26:27 CET 
Previously tested with: https://docs.djangoproject.com/en/dev/intro/tutorial01/

Whiteboard: (none) => has_procedure

Comment 5 claire robinson 2012-12-20 10:44:15 CET 
I can't find any PoC so just checking the server starts with the tutorial
Comment 6 claire robinson 2012-12-20 10:47:22 CET 
See also https://bugs.mageia.org/show_bug.cgi?id=7835#c5

Testing complete mga2 64.

Whiteboard: has_procedure => has_procedure mga2-64-OK

Comment 7 claire robinson 2012-12-21 16:08:33 CET 
Testing complete mga2 32

Validating

Advisory and SRPM in comment 3.

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK mga2-32-OK

Comment 8 Thomas Backlund 2012-12-26 19:53:13 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0365

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 9 David Walser 2013-01-03 17:31:41 CET 
Update checked into Mageia 1 SVN.