
Re: [SECURITY] [DSA 2740-1] python-django security update



On Fri, Aug 23, 2013 at 05:53:12PM +0000, Salvatore Bonaccorso wrote:
> Package        : python-django
> Vulnerability  : cross-site scripting vulnerability
> Problem type   : remote
> Debian-specific: no
> 
> Nick Brunn reported a possible cross-site scripting vulnerability in
> python-django, a high-level Python web development framework.
> 
> The is_safe_url utility function used to validate that a used URL is on
> the current host to avoid potentially dangerous redirects from
> maliciously-constructed querystrings, worked as intended for HTTP and
> HTTPS URLs, but permitted redirects to other schemes, such as
> javascript:.
> 
> The is_safe_url function has been modified to properly recognize and
> reject URLs which specify a scheme other than HTTP or HTTPS, to prevent
> cross-site scripting attacks through redirecting to other schemes.
> 
> For the oldstable distribution (squeeze), this problem has been fixed in
> version 1.2.3-3+squeeze6.
> 
> For the stable distribution (wheezy), this problem has been fixed in
> version 1.4.5-1+deb7u1.

Hi,

Are there any plans to update squeeze-backports with this release,
please? (I can do so otherwise).

Cheers,
Dominic.
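To illustrate the defect the advisory describes, here is an added example (not Django's own `is_safe_url` implementation): a host-only redirect check that accepts a `javascript:` URL because it carries no host, next to a hardened version that also restricts the scheme to HTTP/HTTPS. Function names and sample URLs are constructed for this illustration.

```python
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")


def host_only_check(url: str, host: str) -> bool:
    """Reconstruction of the weak behaviour: only the host is compared.

    A URL with no host component ("/next/" but also "javascript:...") passes,
    because an empty netloc is treated as "same host".
    """
    if not url:
        return False
    netloc = urlparse(url).netloc
    return not netloc or netloc == host


def scheme_and_host_check(url: str, host: str) -> bool:
    """Hardened check: reject any explicit scheme outside HTTP/HTTPS,
    then apply the same host comparison as before."""
    if not url:
        return False
    parsed = urlparse(url)
    # urlparse already lower-cases the scheme, so "JavaScript:" is caught too.
    if parsed.scheme and parsed.scheme not in ALLOWED_SCHEMES:
        return False
    return not parsed.netloc or parsed.netloc == host


if __name__ == "__main__":
    # Constructed "next" parameters a redirect view might receive.
    samples = [
        "/accounts/profile/",
        "https://example.org/next",
        "//evil.example/",
        "javascript:alert(1)",
        "javascript://example.org/%0aalert(1)",
    ]
    for sample in samples:
        print(f"{sample:40} host-only={host_only_check(sample, 'example.org')!s:5} "
              f"hardened={scheme_and_host_check(sample, 'example.org')}")
```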

