
Python-django stable upload, and testing migration



Hello,

I just made the required uploads to fix a cross-site scripting
vulnerability in python-django. But for the unstable upload, I forgot to
put urgency=high; if someone could lower the aging period, that would be
nice (python-django/0.96.2-1).

I also made a stable upload (version 0.95.1-1etch1), the vulnerability
doesn't seem to warrant a DSA, so I'd like to push the fix through a
stable upload. If you believe it's not needed, just reject the
already-uploaded package. Attached is the debdiff.

Security bug is:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481164

Cheers,
-- 
Raphaël Hertzog

The French best-seller, updated for Debian Etch:
http://www.ouaza.com/livre/admin-debian/
diff -u python-django-0.95.1/debian/changelog python-django-0.95.1/debian/changelog
--- python-django-0.95.1/debian/changelog
+++ python-django-0.95.1/debian/changelog
@@ -1,3 +1,10 @@
+python-django (0.95.1-1etch1) stable; urgency=low
+
+  * Add new patch debian/patches/03_xss_fix.diff. Fixes cross-site
+    scripting vulnerability (CVE-2008-2302). Closes: #481164
+
+ -- Raphael Hertzog <hertzog@debian.org>  Tue, 20 May 2008 00:40:59 +0200
+
 python-django (0.95.1-1) unstable; urgency=low
 
   [ Brett Parker ]
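Review bot: the changelog entry says neither where the fix comes from nor what it changes, and the stable release team judges a stable upload largely from this entry; add the upstream origin (changeset 7528, which the patch header already cites) and a one-line description such as "escape request.path before passing it as app_path to the admin login template", so the backport can be assessed without opening the patch.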
only in patch2:
unchanged:
--- python-django-0.95.1.orig/debian/patches/03_xss_fix.diff
+++ python-django-0.95.1/debian/patches/03_xss_fix.diff
@@ -0,0 +1,21 @@
+Closes: http://bugs.debian.org/481164
+Comment:
+ Upstream patch grabbed from http://code.djangoproject.com/changeset/7528?format=diff&new=7528
+ .
+ Fixes a cross-scripting vulnerability (CVE-2008-2302).
+
+--- python-django.orig/django/contrib/admin/views/decorators.py (revision 3360)
++++ python-django/django/contrib/admin/views/decorators.py (revision 7528)
+@@ -4,4 +4,5 @@
+ from django.contrib.auth import authenticate, login
+ from django.shortcuts import render_to_response
++from django.utils.html import escape
+ from django.utils.translation import gettext_lazy
+ import base64, datetime, md5
+@@ -23,5 +24,5 @@
+     return render_to_response('admin/login.html', {
+         'title': _('Log in'),
+-        'app_path': request.path,
++        'app_path': escape(request.path),
+         'post_data': post_data,
+         'error_message': error_message
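Review bot: the patch header line `+ Fixes a cross-scripting vulnerability (CVE-2008-2302).` should read "cross-site scripting" so the usual term is greppable in the source package. The embedded diff still carries upstream's file headers (`(revision 3360)` / `(revision 7528)`) and hunk offsets rather than having been re-diffed against the 0.95.1 Debian tree; confirm it applies without fuzz to `django/contrib/admin/views/decorators.py` in 0.95.1, and consider recording in the comment that the patch was taken verbatim. The change itself is the right shape for this bug: `escape(request.path)` stops the raw request path from being rendered as markup in the login template.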
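To make the effect of the one-line fix concrete, the following is an added example (not part of the mail or of Django) that re-creates the defect and the fix in plain Python: a form tag standing in for the `{{ app_path }}` use in `admin/login.html`, rendered once the pre-patch way (raw `request.path`) and once the post-patch way (escaped). `escape_html` mirrors the five replacements `django.utils.html.escape` makes; Django templates of that era did not autoescape, which is why the escaping had to happen in the view. The template fragment and the sample path are constructed for the example.

```python
import html

# Constructed sample request path; the quote and angle bracket are the
# characters the unpatched code would pass straight into the template.
SAMPLE_PATH = '/admin/">injected'

# Stand-in for the part of admin/login.html that renders {{ app_path }}
# (constructed; the real template is not on the page).
LOGIN_FORM = '<form action="{{ app_path }}" method="post">'


def escape_html(value: str) -> str:
    """Mirror the replacements django.utils.html.escape performs."""
    return (value.replace('&', '&amp;')
                 .replace('<', '&lt;')
                 .replace('>', '&gt;')
                 .replace('"', '&quot;')
                 .replace("'", '&#39;'))


def render_login_form(request_path: str, fixed: bool) -> str:
    """Render the form tag as decorators.py would feed it to the template.

    fixed=False is the pre-patch behaviour ('app_path': request.path);
    fixed=True is the patched behaviour ('app_path': escape(request.path)).
    """
    app_path = escape_html(request_path) if fixed else request_path
    return LOGIN_FORM.replace('{{ app_path }}', app_path)


def action_value(rendered: str) -> str:
    """Return the action attribute as a browser would read it: everything up
    to the first raw double quote, with entities decoded."""
    start = rendered.index('action="') + len('action="')
    end = rendered.index('"', start)
    return html.unescape(rendered[start:end])


def path_survives(request_path: str, fixed: bool) -> bool:
    """True when the whole path stays inside the attribute after rendering.

    False means part of the path escaped the attribute and became markup,
    which is exactly the condition the patch removes.
    """
    rendered = render_login_form(request_path, fixed)
    return action_value(rendered) == request_path


if __name__ == '__main__':
    for fixed in (False, True):
        print('fixed' if fixed else 'unpatched',
              render_login_form(SAMPLE_PATH, fixed),
              path_survives(SAMPLE_PATH, fixed))
```

Run it and the unpatched rendering shows `injected` sitting outside the `action` attribute, while the patched rendering keeps the entire path inside it as entities; a benign path such as `/admin/users/` renders identically either way, which is why the bug was easy to miss.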
