Hi -release,
There is a minor security problem with python-django in stable; Nion
recommended the fix went this way instead of stable-security as it does
not affect typical installations. The patch is upstream-blessed.
The relevant changelog entry is:
python-django (1.0.2-1+lenny1) stable-proposed-updates; urgency=low
* Add patch to fix issue with a maliciously crafted URL gaining
access to any file on the filesystem (Closes: #539134)
Upstream writes:
Django includes a lightweight, WSGI-based web server for use in
learning Django and in testing new applications during early
stages of development. For sake of convenience, this web server
automatically maps certain URLs corresponding to the static media
files used by the Django administrative application.
The handler which maps these URLs did not properly check the
requested URL to verify that it corresponds to a static media
file used by Django. As such, a carefully-crafted URL can cause
the development server to serve any file to which it has read
access.
<http://www.djangoproject.com/weblog/2009/jul/28/security/>
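As an added illustration (not Debian's patch or Django's own code), below is the kind of containment check the static media handler needs: the requested URL path is resolved against the static media root and a filesystem path is returned only when it stays inside that root. The root directory is a constructed placeholder, and the function assumes the caller passes the already percent-decoded URL path.

```python
import os
from typing import Optional

# Constructed placeholder for the directory holding the admin application's
# static media; it is not a path taken from the original message.
STATIC_ROOT = "/srv/example/django/contrib/admin/media"


def resolve_static_path(root: str, requested: str) -> Optional[str]:
    """Map the part of a URL below the static prefix to a file under root.

    Returns the absolute filesystem path when the resolved file lies inside
    root, or None when the request would escape it. `requested` must already
    be percent-decoded, as a WSGI PATH_INFO value is.
    """
    # Reject empty requests and absolute paths up front; joining an absolute
    # path onto root would silently discard root.
    if not requested or requested.startswith("/"):
        return None
    root_abs = os.path.realpath(root)
    # Split on the URL separator so '..' segments are handled as path
    # components, then let realpath collapse '.' and '..' and follow any
    # symlinks, so the containment test sees the file the OS would open.
    candidate = os.path.realpath(os.path.join(root_abs, *requested.split("/")))
    # Containment test: the candidate must be root itself or strictly below
    # it. Comparing with a trailing separator avoids matching a sibling
    # directory whose name merely begins with the root's name.
    if candidate != root_abs and not candidate.startswith(root_abs + os.sep):
        return None
    return candidate
```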
Signed dsc etc. are available at:
http://people.debian.org/~lamby/539134/stable-proposed-updates/
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org
`-