[Systems] [Fwd: [USN-1066-1] Django vulnerabilities]

Rafael Ortiz rafael at activitycentral.com
Fri Feb 18 11:44:35 EST 2011


On Thu, Feb 17, 2011 at 6:11 PM, Rafael Ortiz <rafael at activitycentral.com> wrote:

> On a side note we are seeing issues on pootle.
>
> http://bugs.sugarlabs.org/ticket/2625
>
>
>
To my knowledge the problem is that the email_re
table doesn't have data or is somewhat broken.




> it seems that all permission scheme is damaged.
>
> an upgrade to pootle 2.1.0 and Translate toolkit
> 1.8.0 is necessary.
>
>
Recommendation from pootle folks was to install from tarball, but this
implies a danger that it will possibly break some other things because an
isolated installation cannot be done.


Any help/hints from our friendly sysadmins?





>  I'll work on an experimental installation on pootle's VM.
>
>
>
> On Thu, Feb 17, 2011 at 1:46 PM, Bernie Innocenti <bernie at codewiz.org> wrote:
>
>> Oh, no! Now we're forced to perturb Pootle yet another time
>>
>> /me takes a step back ;-)
>>
>>
>> -------- Forwarded Message --------
>> From: Jamie Strandboge <jamie at canonical.com>
>> Reply-to: ubuntu-users at lists.ubuntu.com, Ubuntu Security
>> <security at ubuntu.com>
>> To: ubuntu-security-announce at lists.ubuntu.com
>> Cc: full-disclosure <full-disclosure at lists.grok.org.uk>,
>> bugtraq at securityfocus.com
>> Subject: [USN-1066-1] Django vulnerabilities
>> Date: Thu, 17 Feb 2011 11:45:21 -0600
>>
>> ===========================================================
>> Ubuntu Security Notice USN-1066-1         February 17, 2011
>> python-django vulnerabilities
>> CVE-2011-0696, CVE-2011-0697
>> ===========================================================
>>
>> A security issue affects the following Ubuntu releases:
>>
>> Ubuntu 9.10
>> Ubuntu 10.04 LTS
>> Ubuntu 10.10
>>
>> This advisory also applies to the corresponding versions of
>> Kubuntu, Edubuntu, and Xubuntu.
>>
>> The problem can be corrected by upgrading your system to the
>> following package versions:
>>
>> Ubuntu 9.10:
>>  python-django                   1.1.1-1ubuntu1.2
>>
>> Ubuntu 10.04 LTS:
>>  python-django                   1.1.1-2ubuntu1.3
>>
>> Ubuntu 10.10:
>>  python-django                   1.2.3-1ubuntu0.2.10.10.2
>>
>> ATTENTION: This update introduces a small backwards-incompatible change
>> to perform full CSRF validation on all requests. Prior to this update,
>> AJAX requests were exempted from CSRF protections. For more details,
>> please see http://docs.djangoproject.com/en/1.2/releases/1.2.5/.
>>
>> In general, a standard system update will make all the necessary changes.
>>
>> Details follow:
>>
>> It was discovered that Django did not properly validate HTTP requests that
>> contain an X-Requested-With header. An attacker could exploit this
>> vulnerability to perform cross-site request forgery (CSRF) attacks.
>> (CVE-2011-0696)
>>
>> It was discovered that Django did not properly sanitize its input when
>> performing file uploads, resulting in cross-site scripting (XSS)
>> vulnerabilities. With cross-site scripting vulnerabilities, if a user were
>> tricked into viewing server output during a crafted server request, a
>> remote attacker could exploit this to modify the contents, or steal
>> confidential data, within the same domain. (CVE-2011-0697)
>>
>>
>> Updated packages for Ubuntu 9.10:
>>
>> Updated packages for Ubuntu 10.04 LTS:
>>
>> Updated packages for Ubuntu 10.10:
>>
>>
>>
>> --
>> ubuntu-security-announce mailing list
>> ubuntu-security-announce at lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
>>
>> --
>>   // Bernie Innocenti - http://codewiz.org/
>>  \X/  Sugar Labs       - http://sugarlabs.org/
>>
>>
>> _______________________________________________
>> Systems mailing list
>> Systems at lists.sugarlabs.org
>> http://lists.sugarlabs.org/listinfo/systems
>>
>
>
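As an illustration of the CSRF issue (CVE-2011-0696) described in the forwarded advisory, here is an added example (not Django's code and not part of this thread) of a minimal CSRF check in which the pre-1.2.5 "trust AJAX" shortcut can be switched on or off. The `Request` class, the `csrftoken` cookie and `csrfmiddlewaretoken` field names are assumptions modelled on Django's conventions; the sample requests are constructed.

```python
import hmac

# Constructed stand-in for a web framework request object (an assumption,
# not Django's HttpRequest).
class Request:
    def __init__(self, method, cookies=None, post=None, headers=None):
        self.method = method
        self.COOKIES = cookies or {}
        self.POST = post or {}
        self.META = headers or {}

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

def csrf_check(request, exempt_ajax):
    """Return True when the request may proceed.

    exempt_ajax=True models the pre-1.2.5 behaviour the advisory describes:
    a request carrying X-Requested-With: XMLHttpRequest was let through
    without a token.  exempt_ajax=False models the post-update rule: every
    state-changing request must present a token matching the CSRF cookie,
    whatever headers it carries.
    """
    if request.method in SAFE_METHODS:
        return True
    if exempt_ajax and request.META.get("HTTP_X_REQUESTED_WITH") == "XMLHttpRequest":
        return True  # weak path: a request header is not proof of same-origin
    cookie_token = request.COOKIES.get("csrftoken", "")
    form_token = request.POST.get("csrfmiddlewaretoken", "")
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison so the check itself leaks nothing via timing.
    return hmac.compare_digest(cookie_token, form_token)

def cross_site_ajax():
    """Constructed request: browser sends the victim's cookie, the page that
    triggered it knows no token but could set the AJAX header."""
    return Request("POST",
                   cookies={"csrftoken": "s3cr3t-cookie-value"},
                   post={"amount": "100"},
                   headers={"HTTP_X_REQUESTED_WITH": "XMLHttpRequest"})

def legit_form(token):
    """Constructed same-site form post carrying the token from the page."""
    return Request("POST",
                   cookies={"csrftoken": token},
                   post={"csrfmiddlewaretoken": token, "amount": "100"})
```

With the shortcut enabled the cross-site request passes on the strength of a header alone; with full validation it is rejected while a properly tokenised form post still succeeds.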