Hi -release,

There is a minor security problem with python-django in stable; Nion recommended the fix went this way instead of stable-security as it does not affect typical installations. The patch is upstream-blessed.

The relevant changelog entry is:

  python-django (1.0.2-1+lenny1) stable-proposed-updates; urgency=low

    * Add patch to fix issue with a maliciously crafted URL gaining access to
      any file on the filesystem (Closes: #539134)

Upstream writes:

  Django includes a lightweight, WSGI-based web server for use in learning Django and in testing new applications during early stages of development. For sake of convenience, this web server automatically maps certain URLs corresponding to the static media files used by the Django administrative application.

  The handler which maps these URLs did not properly check the requested URL to verify that it corresponds to a static media file used by Django. As such, a carefully-crafted URL can cause the development server to serve any file to which it has read access.

  <http://www.djangoproject.com/weblog/2009/jul/28/security/>

Signed dsc etc. are available at:

  http://people.debian.org/~lamby/539134/stable-proposed-updates/

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org
       `-
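The missing check described in the upstream advisory quoted above can be illustrated with a containment test on the resolved path. This is an added example, not part of the original message and not Django's code or the Debian patch; the function names `naive_resolve`, `safe_resolve` and `demo`, and the files created in the temporary directory, are constructed for illustration.

```python
import os
import tempfile


def naive_resolve(media_root, url_path):
    """Unchecked mapping: join the request path onto the media root."""
    return os.path.normpath(os.path.join(media_root, url_path.lstrip("/")))


def safe_resolve(media_root, url_path):
    """Return the real path of a regular file inside media_root, else None."""
    root = os.path.realpath(media_root)
    # realpath collapses ".." segments and follows symlinks before the check
    candidate = os.path.realpath(os.path.join(root, url_path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # resolved path is outside the media directory
    if not os.path.isfile(candidate):
        return None  # directories and missing files are not served
    return candidate


def demo():
    """Run both resolvers over constructed request paths.

    Returns {request_path: (naive_stays_in_root, safe_serves_file)}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as base:
        media = os.path.join(base, "media")
        os.makedirs(os.path.join(media, "css"))
        with open(os.path.join(media, "css", "base.css"), "w") as fh:
            fh.write("body {}")
        # Constructed file outside the media root that must never be served
        with open(os.path.join(base, "settings.py"), "w") as fh:
            fh.write("SECRET = 'constructed'")
        prefix = os.path.normpath(media) + os.sep
        for path in ("css/base.css", "../settings.py",
                     "css/../../settings.py", "css/missing.css"):
            naive = naive_resolve(media, path)
            results[path] = (naive.startswith(prefix),
                             safe_resolve(media, path) is not None)
    return results


if __name__ == "__main__":
    for path, (naive_ok, safe_ok) in demo().items():
        print(f"{path!r}: naive stays in root={naive_ok}, safe serves={safe_ok}")
```
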