As mentioned at http://www.djangoproject.com/weblog/2009/jul/28/security/, there was a recent security update where the development wsgi server has a path traversal vulnerability.
There is also another change that deprecates the django.middleware.http.SetRemoteAddrFromForwardedFor middleware.
Anyway, I thought I'd give a heads up on this if you didn't know about it - it's probably worth doing a security update to 1.0.3.
Thank you for the report. I'm reviewing the information now.
Would you be willing to help test the update once it's built?
I could help I guess...
I am updating the package now in devel. I'll respond back to this bug when the build is done ... I'd just like to have more than just my eyes to verify the update.
Hey, I can test EPEL packages (we have only one Django web app, but I pinged some Transifex developers like Diego, since they work with Django a lot more than I do).
devel package (F-12): http://koji.fedoraproject.org/koji/taskinfo?taskID=1563858
Super quick smoke test passed for me, so I'm building and will submit to testing soon.
Django-1.0.3-2.fc11 has been submitted as an update for Fedora 11.
Installed and testing. Looks fine so far on F11.
Excellent, thank you Diego.
Building and submitting for F10, F9, and F8 to hit testing as well.
I'll follow up with EPEL builds.
Ugh, F9 and F8 are not building (make build gives koji usage) ... I'll hold off on those unless someone needs them specifically and jump right over to F10 and EPEL5.
Django-1.0.3-4.fc10 has been submitted as an update for Fedora 10.
Django-1.0.3-6.el5 has been submitted as an update for Fedora EPEL 5.
Updated F12 (devel), F10 and F11 builds as well.
All submitted for testing.
Testing went great. Requested stable for F11/F10/EL5. Once these are pushed I'll close this bug.
If an earlier dist is needed please open a new bug requesting the dist build.
Django-1.0.3-6.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Django-1.0.3-6.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
Waiting for EL5 update to hit too, then I will close this ticket.
Django-1.0.3-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
And there it is, closing this bug :-).