Upstream has released 1.3.6 and 1.4.4 to fix security issues: https://www.djangoproject.com/weblog/2013/feb/19/security/

Mageia 2 and Cauldron are both affected.
CC: (none) => makowski.mageia
CC: (none) => dmorganec
Assignee: bugsquad => makowski.mageia
Fixed in Cauldron by D Morgan, now we just need to update Mageia 2.
Version: Cauldron => 2
Debian has issued an advisory for this today (February 27): http://www.debian.org/security/2013/dsa-2634
URL: (none) => http://lwn.net/Vulnerabilities/540268/
Fixed in Mageia 2 python-django-1.3.7-1.mga2
Thanks Philippe!

Advisory:
========================

Updated python-django packages fix security vulnerabilities:

Orange Tsai discovered that the bundled administrative interface of django could expose supposedly-hidden information via its history log (CVE-2013-0305).

Mozilla discovered that an attacker can abuse django's tracking of the number of forms in a formset to cause a denial-of-service attack due to extreme memory consumption (CVE-2013-0306).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0306
https://www.djangoproject.com/weblog/2013/feb/19/security/
http://www.debian.org/security/2013/dsa-2634
========================

Updated packages in core/updates_testing:
========================

python-django-1.3.7-1.mga2 from python-django-1.3.7-1.mga2.src.rpm
Assignee: makowski.mageia => qa-bugs
No poc, so just testing update with ...

# urpmi python-django
$ mkdir django
$ cd django
$ django-admin.py startproject mysite
$ cd mysite
$ python manage.py runserver 8080

Then browse to http://127.0.0.1:8080 in a web browser.

Testing complete on Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push the srpm python-django-1.3.7-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated python-django packages fix security vulnerabilities:

Orange Tsai discovered that the bundled administrative interface of django could expose supposedly-hidden information via its history log (CVE-2013-0305).

Mozilla discovered that an attacker can abuse django's tracking of the number of forms in a formset to cause a denial-of-service attack due to extreme memory consumption (CVE-2013-0306).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0306
https://www.djangoproject.com/weblog/2013/feb/19/security/
http://www.debian.org/security/2013/dsa-2634
https://bugs.mageia.org/show_bug.cgi?id=9189
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
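An added illustration of the formset issue the advisory describes (CVE-2013-0306); this is example code written for this page, not Django's or Mageia's own code. The management-form key names follow Django's formset convention; DEFAULT_MAX_NUM is an assumed server-side ceiling, and the POST bodies are constructed samples.

```python
# Added example: why a client-supplied form count must be clamped server-side.
# Key names (<prefix>-TOTAL_FORMS, <prefix>-INITIAL_FORMS) follow Django's
# formset convention; DEFAULT_MAX_NUM is an assumed hard ceiling.

DEFAULT_MAX_NUM = 1000  # absolute ceiling, independent of client input


def _count(data, prefix, field):
    """Parse one management-form integer; missing, malformed or negative -> 0."""
    raw = data.get("%s-%s" % (prefix, field), "0")
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return 0
    return max(value, 0)


def total_forms_unbounded(data, prefix="form"):
    """Pre-fix behaviour: trust the client-supplied TOTAL_FORMS verbatim.

    The server then instantiates that many form objects, so a single
    request dictates how much memory is allocated (the DoS in the advisory).
    """
    return _count(data, prefix, "TOTAL_FORMS")


def total_forms_bounded(data, prefix="form", max_num=None):
    """Fixed behaviour: clamp the count to a server-controlled maximum.

    `max_num` is the formset's configured limit (None = no app-level limit);
    DEFAULT_MAX_NUM caps it regardless, so the client can no longer choose
    the number of objects the server builds.
    """
    if max_num is None:
        absolute_max = DEFAULT_MAX_NUM
    else:
        absolute_max = min(max_num, DEFAULT_MAX_NUM)
    return min(_count(data, prefix, "TOTAL_FORMS"), absolute_max)


# Constructed sample POST bodies (dicts standing in for request.POST).
OVERSIZED_POST = {"form-TOTAL_FORMS": "100000000", "form-INITIAL_FORMS": "0"}
NORMAL_POST = {"form-TOTAL_FORMS": "3", "form-INITIAL_FORMS": "1"}

if __name__ == "__main__":
    print("unbounded:", total_forms_unbounded(OVERSIZED_POST))  # 100000000
    print("bounded:  ", total_forms_bounded(OVERSIZED_POST))    # 1000
```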
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0076
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED