From owner-svn-ports-head@FreeBSD.ORG Sun Feb 24 14:23:47 2013
Return-Path:
Delivered-To: svn-ports-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id C0F1FF1D; Sun, 24 Feb 2013 14:23:47 +0000 (UTC) (envelope-from pclin@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 9A32F29D; Sun, 24 Feb 2013 14:23:47 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id r1OENlvE064099; Sun, 24 Feb 2013 14:23:47 GMT (envelope-from pclin@svn.freebsd.org)
Received: (from pclin@localhost) by svn.freebsd.org (8.14.5/8.14.5/Submit) id r1OENk5X064096; Sun, 24 Feb 2013 14:23:46 GMT (envelope-from pclin@svn.freebsd.org)
Message-Id: <201302241423.r1OENk5X064096@svn.freebsd.org>
From: Po-Chien Lin
Date: Sun, 24 Feb 2013 14:23:46 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r312867 - head/security/vuxml
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the ports tree for head
X-List-Received-Date: Sun, 24 Feb 2013 14:23:47 -0000

Author: pclin
Date: Sun Feb 24 14:23:46 2013
New Revision: 312867
URL: http://svnweb.freebsd.org/changeset/ports/312867

Log:
  - Document Django 2013-02-21 vulnerability

  Approved by:	araujo (mentor)

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sun Feb 24 13:55:49 2013	(r312866)
+++ head/security/vuxml/vuln.xml	Sun Feb 24 14:23:46 2013	(r312867)
@@ -51,6 +51,76 @@ Note: Please add new entries to the beg --> + + django -- multiple vulnerabilities + + + py26-django + py27-django + 1.31.3.6 + 1.41.4.4 + + + + +

The Django Project reports:

+
+

These security releases fix four issues: one potential phishing + vector, one denial-of-service vector, an information leakage issue, + and a range of XML vulnerabilities.

+
    +
  1. +

    Host header poisoning

    +

    an attacker could cause Django to generate and display URLs that + link to arbitrary domains. This could be used as part of a phishing + attack. These releases fix this problem by introducing a new + setting, ALLOWED_HOSTS, which specifies a whitelist of domains your + site is known to respond to.

    +

    Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to + allow all hosts. This means that to actually fix the security + vulnerability you should define this setting yourself immediately + after upgrading.

    +
  2. +
  3. +

    Formset denial-of-service

    +

    an attacker can abuse Django's tracking of the number of forms in + a formset to cause a denial-of-service attack. This has been fixed + by adding a default maximum number of forms of 1,000. You can still + manually specify a bigger max_num, if you wish, but 1,000 should be + enough for anyone.

    +
  4. +
  5. +

    XML attacks

    +

    Django's serialization framework was vulnerable to attacks via XML + entity expansion and external references; this is now fixed. + However, if you're parsing arbitrary XML in other parts of your + application, we recommend you look into the defusedxml Python + packages which remedy this anywhere you parse XML, not just via + Django's serialization framework.

    +
  6. +
  7. +

    Data leakage via admin history log

    +

    Django's admin interface could expose supposedly-hidden + information via its history log. This has been fixed.

    +
  8. +
+
+ +
+ + CVE-2013-1664 + CVE-2013-1665 + CVE-2013-0305 + CVE-2013-0306 + 58022 + 58061 + + + 2013-02-21 + 2013-02-24 + +
+ chromium -- multiple vulnerabilities
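Review bot: The affected-version boundaries for py26-django and py27-django are not legible as shown ("1.31.3.6" and "1.41.4.4"); please confirm the range elements read as 1.3 <= version < 1.3.6 and 1.4 <= version < 1.4.4, so that installed 1.3.5 and 1.4.3 packages are flagged and the fixed 1.3.6 and 1.4.4 are not. Also note that, per the quoted advisory ("Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to allow all hosts"), merely moving to the fixed version does not close the host header poisoning issue; since vuxml consumers will read the entry as "upgrade and you are done", it would be worth keeping that paragraph prominent in the entry body, and likewise the recommendation to use the defusedxml packages for any XML parsed outside Django's serialization framework. Finally, the entry lists four CVEs for the four issues in the description, but the text does not say which identifier belongs to which issue; if the mapping is known it would help readers triaging by CVE.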