[Systems] [Fwd: [USN-1066-1] Django vulnerabilities]

Rafael Ortiz rafael at activitycentral.com
Thu Feb 17 18:11:59 EST 2011


On a side note we are seeing issues on pootle.

http://bugs.sugarlabs.org/ticket/2625


it seems that all permission scheme is damaged.

an upgrade to pootle 2.1.0 and Translate toolkit
1.8.0 is neccessary.

 I'll work on an experimental installation on pootle's VM.



On Thu, Feb 17, 2011 at 1:46 PM, Bernie Innocenti <bernie at codewiz.org>wrote:

> Oh, no! Now we're forced to perturb Pootle yet another time
>
> /me takes a step back ;-)
>
>
> -------- Forwarded Message --------
> From: Jamie Strandboge <jamie at canonical.com>
> Reply-to: ubuntu-users at lists.ubuntu.com, Ubuntu Security
> <security at ubuntu.com>
> To: ubuntu-security-announce at lists.ubuntu.com
> Cc: full-disclosure <full-disclosure at lists.grok.org.uk>,
> bugtraq at securityfocus.com
> Subject: [USN-1066-1] Django vulnerabilities
> Date: Thu, 17 Feb 2011 11:45:21 -0600
>
> ===========================================================
> Ubuntu Security Notice USN-1066-1         February 17, 2011
> python-django vulnerabilities
> CVE-2011-0696, CVE-2011-0697
> ===========================================================
>
> A security issue affects the following Ubuntu releases:
>
> Ubuntu 9.10
> Ubuntu 10.04 LTS
> Ubuntu 10.10
>
> This advisory also applies to the corresponding versions of
> Kubuntu, Edubuntu, and Xubuntu.
>
> The problem can be corrected by upgrading your system to the
> following package versions:
>
> Ubuntu 9.10:
>  python-django                   1.1.1-1ubuntu1.2
>
> Ubuntu 10.04 LTS:
>  python-django                   1.1.1-2ubuntu1.3
>
> Ubuntu 10.10:
>  python-django                   1.2.3-1ubuntu0.2.10.10.2
>
> ATTENTION: This update introduces a small backwards-imcompatible change
> to perform full CSRF validation on all requests. Prior to this update,
> AJAX requests were excepted from CSRF protections. For more details, please
> see http://docs.djangoproject.com/en/1.2/releases/1.2.5/.
>
> In general, a standard system update will make all the necessary changes.
>
> Details follow:
>
> It was discovered that Django did not properly validate HTTP requests that
> contain an X-Requested-With header. An attacker could exploit this
> vulnerability to perform cross-site request forgery (CSRF) attacks.
> (CVE-2011-0696)
>
> It was discovered that Django did not properly sanitize its input when
> performing file uploads, resulting in cross-site scripting (XSS)
> vulnerabilities. With cross-site scripting vulnerabilities, if a user were
> tricked into viewing server output during a crafted server request, a
> remote attacker could exploit this to modify the contents, or steal
> confidential data, within the same domain. (CVE-2011-0697)
>
>
> Updated packages for Ubuntu 9.10:
>
>  Source archives:
>
>
> http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-1ubuntu1.2.diff.gz
>      Size/MD5:    23178 9ee3275d17444e0fe9f29b558a50d656
>
> http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-1ubuntu1.2.dsc
>      Size/MD5:     2215 9665d3d7efb78757cc7debdd8de52dee
>
> http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1.orig.tar.gz
>      Size/MD5:  5614106 d7839c192e115f9c4dd8777de24dc21c
>
>  Architecture independent packages:
>
>
> http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django-doc_1.1.1-1ubuntu1.2_all.deb
>      Size/MD5:  1538754 55ff7dfcdb230ee959fab143168fee3d
>
> http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-1ubuntu1.2_all.deb
>      Size/MD5:  3905196 27510c2c2b922666858a4e9153edf0bb
>
> Updated packages for Ubuntu 10.04 LTS:
>
>  Source archives:
>
>
> http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-2ubuntu1.3.diff.gz
>      Size/MD5:    46514 cdf31c55963b3a900c532a56ad14ba54
>
> http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-2ubuntu1.3.dsc
>      Size/MD5:     2215 4de71582b629ed7c3fe5c3334e1d98aa
>
> http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1.orig.tar.gz
>      Size/MD5:  5614106 d7839c192e115f9c4dd8777de24dc21c
>
>  Architecture independent packages:
>
>
> http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django-doc_1.1.1-2ubuntu1.3_all.deb
>      Size/MD5:  1538984 ed92fc05b0b71d3adc04b67424198a90
>
> http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-2ubuntu1.3_all.deb
>      Size/MD5:  3882040 13e2019e1fa464992f8c68bbc52f4e36
>
> Updated packages for Ubuntu 10.10:
>
>  Source archives:
>
>
> http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.2.10.10.2.debian.tar.gz
>      Size/MD5:    27750 df339fbad6cc5389fc4979ea9ef89455
>
> http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.2.10.10.2.dsc
>      Size/MD5:     2276 6dba452984483a7442de365e451f1fde
>
> http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3.orig.tar.gz
>      Size/MD5:  6306760 10bfb5831bcb4d3b1e6298d0e41d6603
>
>  Architecture independent packages:
>
>
> http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django-doc_1.2.3-1ubuntu0.2.10.10.2_all.deb
>      Size/MD5:  1895718 bb292031a0bf07b951aea19bf8648e84
>
> http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.2.10.10.2_all.deb
>      Size/MD5:  4176780 44a6a1e51fc90fd3054ef09a3a2294c8
>
>
>
> --
> ubuntu-security-announce mailing list
> ubuntu-security-announce at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
>
> --
>   // Bernie Innocenti - http://codewiz.org/
>  \X/  Sugar Labs       - http://sugarlabs.org/
>
>
> _______________________________________________
> Systems mailing list
> Systems at lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/systems
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sugarlabs.org/private/systems/attachments/20110217/0a3bea99/attachment.html>


More information about the Systems mailing list