-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 05 Apr 2017 10:34:27 +0200
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.4.22-1+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 859515 859516
Changes:
 python-django (1.4.22-1+deb7u3) wheezy-security; urgency=high
 .
   * CVE-2017-7233: Open redirect and possible XSS attack via user-supplied
     numeric redirect URLs.
 .
     Django relies on user input in some cases (e.g.
     django.contrib.auth.views.login() and i18n) to redirect the user to an
     "on success" URL. The security check for these redirects (namely
     django.utils.http.is_safe_url()) considered some numeric URLs (e.g.
     http:999999999) "safe" when they shouldn't be.
 .
     Also, if a developer relies on is_safe_url() to provide safe redirect
     targets and puts such a URL into a link, they could suffer from an XSS
     attack. (Closes: #859515)
 .
   * CVE-2017-7234: Open redirect vulnerability in django.views.static.serve().
 .
     A maliciously crafted URL to a Django site using the
     django.views.static.serve() view could redirect to any other domain. The
     view no longer does any redirects as they don't provide any known, useful
     functionality.
 .
     Note, however, that this view has always carried a warning that it is not
     hardened for production use and should be used only as a development aid.
     Thanks Phithon Gong for reporting this issue. (Closes: #859516)
Checksums-Sha1:
 dd3a4b7ebc0aa24d7b9be2308bae1b95d4b17a2e 2260 python-django_1.4.22-1+deb7u3.dsc
 cedd81e52f794c6f69b9a71c65e90f16570783c7 7802249 python-django_1.4.22.orig.tar.gz
 4be8dd645c20226eef8713a933f1da2ed076a0e6 31295 python-django_1.4.22-1+deb7u3.debian.tar.gz
 a1fdf7a3c16767ff7bd4d86264a1aa4f33076b14 5336004 python-django_1.4.22-1+deb7u3_all.deb
 333b4754d62b7de5077b885ebc274a11decef3e3 2463096 python-django-doc_1.4.22-1+deb7u3_all.deb
Checksums-Sha256:
 6d69a742b4093df653dfdc50a2984da197250d24876043c0ef86dd5a761f18fd 2260 python-django_1.4.22-1+deb7u3.dsc
 d0e2c9d772fcab2cf9c09e1c05e711cf5fe5eb93225762b29f0739d65e0d1784 7802249 python-django_1.4.22.orig.tar.gz
 6a5d91948e1376226ae019df51496a154fd1b0e7637fcb80a9b5c1585df90724 31295 python-django_1.4.22-1+deb7u3.debian.tar.gz
 5173a9d60212845680bd593ac9eb5d3076cd5d773d137a55a8f6e43f538c3859 5336004 python-django_1.4.22-1+deb7u3_all.deb
 3232f1ac91d562495553126afdfc48d76c450d3e5f1ddf4916a46e156f332c88 2463096 python-django-doc_1.4.22-1+deb7u3_all.deb
Files:
 86e829e98bb304c92dd907e3375de8f1 2260 python optional python-django_1.4.22-1+deb7u3.dsc
 12dc09e5909ce4da93a9d4338db0a43d 7802249 python optional python-django_1.4.22.orig.tar.gz
 1532a7396615de779379f0532c62e037 31295 python optional python-django_1.4.22-1+deb7u3.debian.tar.gz
 676fa526b2ffecdd83d04c506b1d8421 5336004 python optional python-django_1.4.22-1+deb7u3_all.deb
 75704dd248165b8dd3a8bb27a4312520 2463096 doc optional python-django-doc_1.4.22-1+deb7u3_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAljks3UACgkQHpU+J9Qx
Hlj23Q/+K94lXaCbVAlZO7lS/x5UpmrQGoDX4FBsr7I81EBMw2EskA2Rb+cpCQlX
5jHg7jttQYo1cQV4OwnsHIlGOmO7ZC0QhUSbZd73c+LX9qxtyK83OOXSjtxrolkJ
OT9jlwV+pVyzlllDs97+nphb7ew3RioBMQsTBQJpFkdiDXU0l5AlbriyO9Ambxqr
FC8TR04W70QU7ZRZS/QcEdaZp8BAkCIl1Maq017GnTZO99pzfaMORWo7qCve1zPY
yQg6n1W0aYRIQOZqVlRiQkJgQpFzwRnmX0vJPuc/gybFNmd32iDF7HJdbofzbw1V
YprvUEgp9KtjLFh13vnU7wq3K6mjdFDMAhEAeTd5vUYSNF7i80Whc0jy8FfJReLU
QVMYxKXc9n9KTY0fzM+49oqSKFFqnt9OFUkywQ02NATS2Uo5mT3prXxnj7rxWn+i
WBAjr2VlW5Pll6B+CvgGxa/lodCPbhqhR+iSiwi03epK4uwITsoqKErcfz0LAJ0o
1rIyWRgyGV3GhC4twvew/+N73a4Njr5ALfXjfXqykbfsbZLxO7ziAqPyRpIlEMrW
3odfBNnXBiaL/FPKA0g0822YSQBFfs6dabCJTGw36F+3t+dHqEnG1seU7PeqYApk
K9o5H6rh/rYT6D7axBKLC//M82HbNoxKs9pHJpFNsy8JuhcQn3o=
=S55h
-----END PGP SIGNATURE-----
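The CVE-2017-7233 entry above says is_safe_url() accepted numeric redirect targets such as http:999999999. The example below is added here to illustrate that failure mode and a defensive check against it; it is not Debian's or Django's code, and the function names, the ALLOWED_SCHEMES tuple and the host value example.com are constructed for the illustration. The weak shape of check only asks the standard-library URL splitter whether the netloc is foreign or the scheme non-http; a string like http:999999999 has no netloc at all, so it passes, while a browser reads it as http://999999999/ (a decimal IPv4 address) and leaves the site. The hardened version splits the scheme itself by the RFC 3986 rule, refuses any scheme that is not followed by an explicit // authority, treats backslashes as slashes the way browsers do, and then requires the authority to equal the site's own host exactly.

```python
"""Redirect-target check that rejects scheme-only numeric URLs such as
"http:999999999".  Added example; not code from Debian or from Django."""
import re
from urllib.parse import urlsplit

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
# No "digits after the colon mean host:port" heuristic is applied here.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Constructed for this example: the schemes a login redirect may use.
ALLOWED_SCHEMES = ("http", "https")


def split_scheme(url):
    """Return (scheme, remainder) by the RFC 3986 rule alone.
    "http:999999999" -> ("http", "999999999"); "/path" -> ("", "/path")."""
    m = _SCHEME_RE.match(url)
    if m is None:
        return "", url
    return m.group(1).lower(), url[m.end():]


def naive_is_safe_url(url, host):
    """The weak shape of check: trust urlsplit() and ask only whether the
    netloc is foreign or the scheme is non-http.  "http:999999999" has an
    empty netloc, so it passes even though a browser navigates to
    http://999999999/ with it."""
    parts = urlsplit(url)
    return ((not parts.netloc or parts.netloc == host) and
            (not parts.scheme or parts.scheme in ALLOWED_SCHEMES))


def is_safe_redirect(url, host):
    """Allow only a site-relative path or an absolute http(s) URL whose
    authority is exactly `host` (include the port in `host` if one is used).
    Anything ambiguous is refused."""
    url = url.strip()
    if not url or url[0] < " ":
        # Empty, or starts with a control character a browser would strip
        # before parsing, so it would see a different URL than we checked.
        return False
    scheme, rest = split_scheme(url)
    if scheme and scheme not in ALLOWED_SCHEMES:
        return False
    if scheme and not rest.startswith("//"):
        # Scheme present but no "//" authority marker: "http:999999999",
        # "http:/x".  Browsers build an authority from what follows the
        # colon; refuse rather than guess what they will do.
        return False
    # Browsers treat "\" like "/", so normalise before looking for "//".
    rest = rest.replace("\\", "/")
    if rest.startswith("//"):
        # "///evil.example" yields an empty authority here and is refused.
        authority = re.split(r"[/?#]", rest[2:], maxsplit=1)[0]
        return authority.lower() == host.lower()
    if rest.startswith("/"):
        return True
    # Bare "evil.example/x" or "user@host": a browser resolves it relative
    # to the current page, but we refuse anything we cannot classify.
    return False


if __name__ == "__main__":
    # Constructed inputs for a site whose host is example.com.
    for candidate in ("http:999999999", "/accounts/profile/",
                      "https://example.com/", "//evil.example/",
                      "/\\evil.example/"):
        print("%-28s naive=%-5s hardened=%s" % (
            candidate, naive_is_safe_url(candidate, "example.com"),
            is_safe_redirect(candidate, "example.com")))
```

The deliberate choice is to refuse rather than canonicalise: a redirect check that tries to predict every browser's parsing of an odd URL will eventually disagree with one of them, whereas "a path starting with a single slash, or an absolute http(s) URL whose authority equals our host" is a shape that all of them read the same way.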