The Django team is issuing multiple releases -- Django 1.3.4 and Django 1.4.2 -- to remedy security issues reported.

python-django-1.3.4-1.mga1
python-django-1.3.4-1.mga2
python-django-1.4.2-1.mga3

are available.
Version: Cauldron => 2
Whiteboard: (none) => MGA1TOO
Assignee: bugsquad => shlomif
Arf, packages are here. Sorry Shlomi. Philippe, can you add an advisory for the QA? Or is https://www.djangoproject.com/weblog/2012/oct/17/security/ enough? cf. https://wiki.mageia.org/en/Updates_policy
Assignee: shlomif => bugsquad
Suggested advisory:
========================

Updated python-django packages fix security vulnerabilities:

The Host header parsing in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host() -- was incorrectly handling username/password information in the header. Using this, an attacker can cause parts of Django -- particularly the password-reset mechanism -- to generate and display arbitrary URLs to users.

References:
https://www.djangoproject.com/weblog/2012/oct/17/security/
Assignee: bugsquad => qa-bugs
Previously tested using https://docs.djangoproject.com/en/dev/intro/tutorial01/
Whiteboard: MGA1TOO => MGA1TOO has_procedure
This seems to be CVE-2012-4520, could somebody confirm please?
Testing complete Mga2 32

Testing basic functionality only.

$ mkdir python-django
$ cd python-django
$ django-admin.py startproject mysite
$ cd mysite
$ python manage.py runserver
Validating models...

0 errors found
Django version 1.3.3, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Checked it worked with a browser, then quit it with ctrl-c.
Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure mga2-32-OK
Testing complete mga2 64 same procedure.
Whiteboard: MGA1TOO has_procedure mga2-32-OK => MGA1TOO has_procedure mga2-32-OK mga2-64-OK
Testing complete mga1 32
Whiteboard: MGA1TOO has_procedure mga2-32-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga2-32-OK mga2-64-OK
(In reply to comment #4)
> This seems to be CVE-2012-4520 could somebody confirm please?

Yep, thanks for catching this.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4520
CC: (none) => luigiwalser
Testing complete mga1 64

Validating

Suggested advisory:
========================

Updated python-django packages fix security vulnerabilities:

The Host header parsing in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host() -- was incorrectly handling username/password information in the header. Using this, an attacker can cause parts of Django -- particularly the password-reset mechanism -- to generate and display arbitrary URLs to users.

References:
https://www.djangoproject.com/weblog/2012/oct/17/security/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4520
===========================

python-django-1.3.4-1.mga1
python-django-1.3.4-1.mga2

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga2-32-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-32-OK mga2-64-OK
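The advisory text above, and the same suggested advisory earlier in the thread, describe the bug (get_host() passing username/password information from the Host header into URLs that the password-reset mechanism mails out) without showing it. The following is an added example, not code from Django, from the Mageia packages or from anyone in this thread. It uses a simplified stand-in for the vulnerable get_host(), builds the reset link the way the password-reset view conceptually does, and then applies a hostname check modelled on the upstream fix; the Host value, the reset path, the uid/token, the example host names and the validation regex are all constructed for illustration and are not taken from this page. It also goes slightly beyond the advisory by showing that the check still accepts an explicit port and a bracketed IPv6 literal.

```python
"""
Added example (Python 3): why a crafted Host header turns a password-reset
link into a link to an attacker's host, and how validating the host stops it.
Not Django's code; the get_host() stand-in and the regex are assumptions
modelled on the behaviour the advisory describes.
"""
import re
from urllib.parse import urlsplit


class SuspiciousOperation(Exception):
    """Raised by the hardened get_host() for a Host value it will not trust."""


def get_host_vulnerable(meta):
    """Simplified stand-in for the pre-1.3.4/1.4.2 behaviour (assumption):
    return the client-supplied Host header as-is, falling back to
    SERVER_NAME[:SERVER_PORT] only when no Host header is present."""
    host = meta.get("HTTP_HOST")
    if host is None:
        host = meta["SERVER_NAME"]
        port = str(meta["SERVER_PORT"])
        if port != "80":
            host = "%s:%s" % (host, port)
    return host


# Hostname validation modelled on the upstream fix (the exact upstream
# pattern is not on this page, so treat this one as an assumption):
# a DNS-style name or a bracketed IPv6 literal, plus an optional numeric
# port. Anything containing "@", or ":" followed by non-digits, is rejected.
HOST_VALIDATION_RE = re.compile(
    r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$"
)


def host_is_valid(host):
    return HOST_VALIDATION_RE.match(host.lower()) is not None


def get_host_fixed(meta):
    """Same lookup as above, but refuse to return a Host value that
    could smuggle userinfo into a generated URL."""
    host = get_host_vulnerable(meta)
    if not host_is_valid(host):
        raise SuspiciousOperation("Invalid HTTP_HOST header: %r" % host)
    return host


def password_reset_url(get_host, meta, uid, token):
    """Build the absolute link the password-reset e-mail would contain,
    from whatever get_host() returns for this request (constructed path)."""
    return "http://%s/reset/%s/%s/" % (get_host(meta), uid, token)


def link_target(url):
    """The host a browser or mail client actually connects to: everything
    before "@" in the authority is userinfo, not the host."""
    return urlsplit(url).hostname


# Constructed request data: the legitimate site is www.example.com, but the
# attacker's Host header merely *starts* with that name.
CRAFTED_META = {
    "HTTP_HOST": "www.example.com:x@attacker.example.net",
    "SERVER_NAME": "www.example.com",
    "SERVER_PORT": "80",
}
HONEST_META = {
    "HTTP_HOST": "www.example.com",
    "SERVER_NAME": "www.example.com",
    "SERVER_PORT": "80",
}


def reset_link_goes_elsewhere(meta, uid="MQ", token="3e4-abc123"):
    """True when the vulnerable code would mail a reset link whose real
    destination is not the site's own host."""
    url = password_reset_url(get_host_vulnerable, meta, uid, token)
    return link_target(url) != meta["SERVER_NAME"]


if __name__ == "__main__":
    url = password_reset_url(get_host_vulnerable, CRAFTED_META, "MQ", "3e4-abc123")
    print("vulnerable link:", url)
    print("really goes to:", link_target(url))
    try:
        get_host_fixed(CRAFTED_META)
    except SuspiciousOperation as exc:
        print("fixed get_host() rejects it:", exc)
```

The reset token in the mailed link is the valuable part: a victim who clicks the crafted link hands it to attacker.example.net, which can then complete the reset. Rejecting the header at get_host() is the right layer because every absolute URL Django builds from the request goes through it, not just the password-reset view.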
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0315
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED