-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 Apr 2017 17:53:30 +0200
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Built-For-Profiles: nocheck
Architecture: source
Version: 1:1.10.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 859515 859516
Changes:
 python-django (1:1.10.7-1) unstable; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2017-7233: Open redirect and possible XSS attack via user-supplied
       numeric redirect URLs.
 .
       Django relies on user input in some cases (e.g.
       django.contrib.auth.views.login() and i18n) to redirect the user to an
       "on success" URL. The security check for these redirects (namely
       django.utils.http.is_safe_url()) considered some numeric URLs (e.g.
       http:999999999) "safe" when they shouldn't be.
 .
       Also, if a developer relies on is_safe_url() to provide safe redirect
       targets and puts such a URL into a link, they could suffer from an XSS
       attack. (Closes: #859515)
 .
     - CVE-2017-7234: Open redirect vulnerability in django.views.static.serve().
 .
       A maliciously crafted URL to a Django site using the
       django.views.static.serve() view could redirect to any other domain. The
       view no longer does any redirects as they don't provide any known, useful
       functionality.
 .
       Note, however, that this view has always carried a warning that it is not
       hardened for production use and should be used only as a development aid.
       Thanks Phithon Gong for reporting this issue.
       (Closes: #859516)
Checksums-Sha1:
 d406edb4c81726a0b444782d049eb21a771d2a6c 2776 python-django_1.10.7-1.dsc
 5edd13a642460c33cdaf8e8166eccf6b2a2555df 7737654 python-django_1.10.7.orig.tar.gz
 c0fe41bec64979d747cce197aa1e55e3833b3eb1 25376 python-django_1.10.7-1.debian.tar.xz
 11694d5548b43df4ff6ffad4b413fe1224bb1ff4 8723 python-django_1.10.7-1_amd64.buildinfo
Checksums-Sha256:
 e16cb37402b30421fecc2241e51c148cdedb724312c5c669cd703078cce1bdb4 2776 python-django_1.10.7-1.dsc
 593d779dbc2350a245c4f76d26bdcad58a39895e87304fe6d725bbdf84b5b0b8 7737654 python-django_1.10.7.orig.tar.gz
 a0c646be8d148c8dd00849b7cc712d06267e551f320da39d5e3f58aa3f549f04 25376 python-django_1.10.7-1.debian.tar.xz
 81783deada27b44fde2a387e375a139c2c5f61a86d0535b1183a8aa281340354 8723 python-django_1.10.7-1_amd64.buildinfo
Files:
 113fb9a8538eff5ce750b8775f8e9b15 2776 python optional python-django_1.10.7-1.dsc
 693dfeabad62c561cb205900d32c2a98 7737654 python optional python-django_1.10.7.orig.tar.gz
 46c5ed3063181c29f9f280097850bc4a 25376 python optional python-django_1.10.7-1.debian.tar.xz
 9a0df9dc3e696e19514347411699da20 8723 python optional python-django_1.10.7-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAljjwngACgkQHpU+J9Qx
Hlj62xAAtZS1+jZHdH8b+MAbJvxmwYMMkrhk/COwtHSHzbreOoiTUSr5hAKTRXlK
mvQPvnwjlhKqSY6513GMkHFwQk6HCnzZgPpQkqn+7sBW4hZIkKlPMOx+jT5AlyVX
o7qAUuTpzxQRZ++mo6BKglAtw9Iu8t8b6BnsW3jY7kTKmGYMIuQldumkfxLi1dyN
f6Vm1vVLp0caTz3I4x2W7UCLzFO5K5jnJHYjwfXJdBkjltifZuCUDvX8/6lPK67d
EvcuAqsCmH6MHPI91G9QDdycpyIBFND2o5EXntS1Ldx4w6/ucbtCuU8bUB4njT/v
thlz5RYgX3dKkPRaaWZ3d4H3ynD+KuUMtVgQYhT6pc79q6G7dUHEzzSpvkCqmnw0
jkUCycY8+7RIu0n/393EsxEdNCZwVCpQAZOGKuatKP8qshCi1QXkmBXIJxE+SyY4
mEbtmmSKUG+8FHDrtJJtkT95yixfEp9DPqPHKR6wuLkWWxux2vZ5q1POLf7g4VhJ
1icuh9YTrOeMPEN+v6TRSg4nc82hJb6tDNFKzP1ArxpUeQVb4fsMIQ+foEQsVgjb
p031KMDi2e7LdYNPW8SICyu9c+PE/U6PcuaQl78V+sR15tdpwuaFgfthhbJe8PIa
os7qiuQrsSNw6dnbVx0jKGTpIzI7jECU3XvygphS8FebwgnvhpM=
=Tv/P
-----END PGP SIGNATURE-----
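Added example illustrating the CVE-2017-7233 item in the Changes field above. It is not part of this upload and is not Django's own is_safe_url() implementation. It contrasts a minimal redirect-target check that trusts the scheme and netloc reported by the standard-library parser, which accepts the advisory's http:999999999 case, with a hardened check that recognises the scheme with the RFC 3986 grammar itself and refuses any absolute scheme that is not followed by an authority matching the site host. The host name testserver, the function names and the sample URLs are assumptions made for the example.

```python
import re
import unicodedata

from urllib.parse import urlsplit

# RFC 3986 scheme grammar, which is also what browsers apply when they
# "repair" a URL: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":".
# Unlike the stdlib parser it has no "maybe that is a port number" exception.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def naive_is_safe_url(url, host):
    """A redirect-target check that only compares the scheme and netloc that
    urlsplit() reports.  It accepts "http:999999999" because urlsplit() sees
    scheme "http" with an empty netloc, yet a browser turns that into
    http://999999999/ and leaves the site (an open redirect)."""
    parts = urlsplit(url)
    return ((not parts.netloc or parts.netloc == host)
            and (not parts.scheme or parts.scheme in ("http", "https")))


def _split_authority(rest):
    """Return the authority of a URL body that starts with "//": everything
    up to the first "/", "?" or "#" (userinfo and port included)."""
    authority = rest[2:]
    for stop in "/?#":
        authority = authority.split(stop, 1)[0]
    return authority


def is_safe_redirect_url(url, host, allowed_schemes=("http", "https")):
    """Hardened check: a URL is safe only if it is relative (no scheme and no
    authority) or if its scheme is allowed, it carries an authority, and that
    authority equals `host` exactly.  Everything else, including a scheme
    with no "//" after it, is refused."""
    if not url:
        return False
    # Browsers ignore leading control characters and may then parse the
    # remainder as scheme-relative; refuse rather than second-guess them.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # Chrome treats three or more leading slashes as an absolute URL.
    if url.startswith("///"):
        return False
    # Chrome treats backslashes as slashes, so "/\evil.example" is a
    # scheme-relative URL; normalise before looking for an authority.
    normalised = url.replace("\\", "/")
    match = _SCHEME_RE.match(normalised)
    scheme = match.group(1).lower() if match else ""
    rest = normalised[match.end():] if match else normalised
    if scheme:
        if scheme not in allowed_schemes:
            return False          # javascript:, data:, ftp:, ...
        if not rest.startswith("//"):
            return False          # http:999999999, http:/path, http:example.com
    if rest.startswith("//"):
        return _split_authority(rest) == host
    return True                   # a path, query or fragment on this site


def classify(urls, host):
    """Run both checks over candidate redirect targets and return
    {url: (naive_result, hardened_result)} so the disagreement is visible."""
    return {u: (naive_is_safe_url(u, host), is_safe_redirect_url(u, host))
            for u in urls}


if __name__ == "__main__":
    # Constructed sample targets; "testserver" is an assumed site host name.
    samples = [
        "/accounts/profile/",
        "http://testserver/next",
        "http:999999999",
        "//evil.example/",
        "/\\evil.example",
        "javascript:alert(1)",
    ]
    for url, (naive, hardened) in classify(samples, "testserver").items():
        print(f"{url!r:28} naive={naive!s:5} hardened={hardened}")
```

The hardened function compares the whole authority, so a target such as http://testserver@evil.example/ or http://testserver:8000/ is refused as well; if your site legitimately serves on a non-default port, pass the host as "name:port" exactly as the browser will send it.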