Bug 514581 - Django security update
Summary: Django security update
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Django
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Steve Milner
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-07-29 17:48 UTC by Ricky Zhou
Modified: 2009-08-04 13:28 UTC (History)
Last Closed: 2009-08-04 13:28:31 UTC
Description Ricky Zhou 2009-07-29 17:48:11 UTC
As mentioned at http://www.djangoproject.com/weblog/2009/jul/28/security/, there was a recent security update where the development wsgi server has a path traversal vulnerability.

There is also another change that deprecates the django.middleware.http.SetRemoteAddrFromForwardedFor middleware.

Anyway, I thought I'd give a heads up on this if you didn't know about it - it's probably worth doing a security update to 1.0.3.

Comment 1 Steve Milner 2009-07-29 18:15:17 UTC
Thank you for the report. I'm reviewing the information now.

Comment 2 Steve Milner 2009-07-29 19:36:14 UTC
Ricky,

Would you be willing to help test the update once it's built?

Comment 3 Diego Búrigo Zacarão 2009-07-29 20:20:55 UTC
I could help I guess...

Comment 4 Steve Milner 2009-07-29 20:25:05 UTC
Thanks Diego,

I am updating the package now in devel. I'll respond back to this bug when the build is done ... I'd just like to have more than just my eyes to verify the update.

Comment 5 Ricky Zhou 2009-07-29 20:28:50 UTC
Hey, I can test EPEL packages (we have only one Django web app, but I pinged some Transifex developers like Diego, since they work with Django a lot more than I do).

Comment 6 Steve Milner 2009-07-29 20:48:32 UTC
devel package (F-12): http://koji.fedoraproject.org/koji/taskinfo?taskID=1563858

super quick smoke test passed for me so I'm building and will submit to testing soon.

Comment 7 Fedora Update System 2009-07-29 21:09:33 UTC
Django-1.0.3-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/Django-1.0.3-2.fc11

Comment 8 Diego Búrigo Zacarão 2009-07-29 21:49:06 UTC
Installed and testing. Looks fine so far on F11.

Comment 9 Steve Milner 2009-07-29 21:50:51 UTC
Excellent, thank you Diego.

Building and submitting for F10, F9, and F8 to hit testing as well.

I'll follow up with EPEL builds.

Comment 10 Steve Milner 2009-07-29 22:07:12 UTC
Ug F9 and F8 are not building (make build gives koji usage) ... I'll hold off on those unless someone needs them specifically and jump right over to F10 and EPEL5.

Comment 11 Fedora Update System 2009-07-30 00:53:30 UTC
Django-1.0.3-4.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/Django-1.0.3-4.fc10

Comment 12 Fedora Update System 2009-07-30 03:56:42 UTC
Django-1.0.3-6.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/Django-1.0.3-6.el5

Comment 13 Steve Milner 2009-07-30 03:57:31 UTC
Updated F12 (devel), F10 and F11 builds as well.

https://admin.fedoraproject.org/updates/Django-1.0.3-6.fc10
https://admin.fedoraproject.org/updates/Django-1.0.3-6.fc11

All submitted for testing.

Comment 14 Steve Milner 2009-08-01 23:27:14 UTC
Testing went great. Requested stable for F11/F10/EL5. Once these are pushed I'll close this bug.

If an earlier dist is needed please open a new bug requesting the dist build.

Comment 15 Fedora Update System 2009-08-03 19:21:42 UTC
Django-1.0.3-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2009-08-03 19:23:02 UTC
Django-1.0.3-6.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Steve Milner 2009-08-03 19:36:30 UTC
Waiting for EL5 update to hit too, then I will close this ticket.

Comment 18 Fedora Update System 2009-08-04 02:27:40 UTC
Django-1.0.3-6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Steve Milner 2009-08-04 13:28:31 UTC
And there it is, closing this bug :-).