OpenSuSE has issued an advisory today (August 8): http://lists.opensuse.org/opensuse-updates/2012-08/msg00014.html Mageia 1 and Mageia 2 are also affected.
Whiteboard: (none) => MGA2TOO, MGA1TOO
Severity: normal => major
CC: (none) => oliver.bgr
CC: (none) => makowski.mageia
OK, will try to work on it in the next days.
There's also this for python-django-piston from November 11: http://www.debian.org/security/2011/dsa-2344 It's not clear which versions are affected.
About python-django-piston: no problem, releasing version 0.2.3 has this security issue fixed.
Pushed fixed release to 1/updates_testing and 2/updates_testing.
Assignee: bugsquad => qa-bugs
Thanks Philippe!

Advisory:
========================

Updated python-django package fixes security vulnerabilities:

The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL (CVE-2012-3442).

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file (CVE-2012-3443).

The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image (CVE-2012-3444).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3444
http://lists.opensuse.org/opensuse-updates/2012-08/msg00014.html
========================

Updated packages in core/updates_testing:
========================
python-django-1.3.3-1.mga1
python-django-1.3.3-2.mga2

from SRPMS:
python-django-1.3.3-1.mga1.src.rpm
python-django-1.3.3-2.mga2.src.rpm
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
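Two of the three issues in the advisory above reduce to small defensive patterns: an allow-list on the scheme of a redirect target (the class of bug in CVE-2012-3442) and a header probe whose read chunk grows geometrically instead of staying constant (CVE-2012-3444). The following is an added, stand-alone illustration of both patterns and is not Django's own code; the scheme allow-list, the function names and the constructed sample file are this example's assumptions, and the dimension probe is simulated with a byte count rather than a real image parser.

```python
"""Added example: defensive patterns for two of the advisory's issues.

Not Django's code. Assumed names: is_allowed_redirect, safe_redirect_location,
count_header_reads; the scheme allow-list is our choice.
"""
import io
from urllib.parse import urlsplit

# Assumption: only these schemes are acceptable as a Location target.
# Relative URLs carry no scheme and are resolved by the browser against
# the current origin, so they are accepted as well.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https", "ftp"})


def is_allowed_redirect(location: str) -> bool:
    """True if `location` is relative or uses an allow-listed scheme.

    Targets such as 'data:' or 'javascript:' URLs carry a scheme that is
    not on the list and are rejected before any Location header is built.
    """
    scheme = urlsplit(location).scheme.lower()
    return scheme == "" or scheme in ALLOWED_REDIRECT_SCHEMES


def safe_redirect_location(location: str, fallback: str = "/") -> str:
    """Return `location` when it passes the scheme check, else `fallback`.

    Falling back to a fixed local path is the usual choice for a
    user-supplied 'next' parameter; raising would also be reasonable.
    """
    return location if is_allowed_redirect(location) else fallback


# Constructed stand-in for an uploaded file: the "dimensions" of this
# file only become known once HEADER_LEN bytes have been consumed, the way
# a large TIFF directory must be read before width/height are available.
HEADER_LEN = 1_000_000
SAMPLE_FILE = b"\x00" * 1_100_000


def count_header_reads(data: bytes, header_len: int, grow: bool,
                       initial_chunk: int = 1024) -> int:
    """Return the number of read() calls needed to reach `header_len` bytes.

    grow=False keeps the chunk size constant, so the number of reads is
    linear in header_len; grow=True doubles the chunk after each attempt,
    so it is logarithmic. The loop also stops at EOF, where a real probe
    would report that no dimensions could be determined.
    """
    stream = io.BytesIO(data)
    chunk_size = initial_chunk
    consumed = 0
    reads = 0
    while True:
        chunk = stream.read(chunk_size)
        reads += 1
        if not chunk:
            return reads  # EOF reached without enough header bytes
        consumed += len(chunk)
        if consumed >= header_len:
            return reads
        if grow:
            chunk_size *= 2


if __name__ == "__main__":
    for target in ("/accounts/", "https://example.com/x", "data:text/html,x"):
        print(f"{target!r:32} -> {safe_redirect_location(target)!r}")
    print("constant chunk reads:", count_header_reads(SAMPLE_FILE, HEADER_LEN, grow=False))
    print("doubling chunk reads:", count_header_reads(SAMPLE_FILE, HEADER_LEN, grow=True))
```

With the constructed 1 MB header, the constant-chunk probe needs 977 reads of 1024 bytes while the doubling probe reaches the same point in 10 reads; the per-request cost of the probe, not the file size itself, is what the chunk-size change bounds.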
This update is not just security patches, it's a full update to django 1.3.3 from django 1.3.1. rpmdiff shows more than 1000 changed files!
CC: (none) => stormi
(In reply to comment #6)
> This update is not just security patches, it's a full update to django 1.3.3
> from django 1.3.1. rpmdiff shows more than 1000 changed files!

OK, a "full update" should just bring security fixes, so how come rpmdiff shows that many changes?
The maintainer decided that upgrading this was the best way to handle these issues.
As this is an upgrade, I'm just testing basic functionality, following https://docs.djangoproject.com/en/dev/intro/tutorial01/ I've also confirmed the depcheck script shows no packages will need linking. Testing complete for Mageia 1 i586. I'll test x86-64 shortly.
CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO MGA1-32-OK has_procedure
Testing complete for Mageia 1 x86-64. I'll test Mageia 2 shortly.
Whiteboard: MGA1TOO MGA1-32-OK has_procedure => MGA1TOO MGA1-32-OK has_procedure MGA1-64-OK
Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm python-django-1.3.3-2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm python-django-1.3.3-1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates?

Advisory:

Updated python-django package fixes security vulnerabilities:

The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL (CVE-2012-3442).

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file (CVE-2012-3443).

The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image (CVE-2012-3444).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3444
http://lists.opensuse.org/opensuse-updates/2012-08/msg00014.html
https://bugs.mageia.org/show_bug.cgi?id=6986
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA1-32-OK has_procedure MGA1-64-OK => MGA1TOO MGA1-32-OK has_procedure MGA1-64-OK MGA2-32-OK MGA2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0219
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED