Re: [SECURITY] [DSA 2740-1] python-django security update
On Fri, Aug 23, 2013 at 05:53:12PM +0000, Salvatore Bonaccorso wrote:
> Package : python-django
> Vulnerability : cross-site scripting vulnerability
> Problem type : remote
> Debian-specific: no
> Nick Brunn reported a possible cross-site scripting vulnerability in
> python-django, a high-level Python web development framework.
> The is_safe_url utility function used to validate that a used URL is on
> the current host to avoid potentially dangerous redirects from
> maliciously-constructed querystrings, worked as intended for HTTP and
> HTTPS URLs, but permitted redirects to other schemes, such as
> The is_safe_url function has been modified to properly recognize and
> reject URLs which specify a scheme other than HTTP or HTTPS, to prevent
> cross-site scripting attacks through redirecting to other schemes.
> For the oldstable distribution (squeeze), this problem has been fixed in
> version 1.2.3-3+squeeze6.
> For the stable distribution (wheezy), this problem has been fixed in
> version 1.4.5-1+deb7u1.
Are there any plans to update squeeze-backports with this release,
please? (I can do so otherwise).