Hello, I just made the required uploads to fix a cross-site scripting vulnerability in python-django. But for the unstable upload, I forgot to put urgency=high, if someone could lower the aging period that would be nice (python-django/0.96.2-1).
I also made a stable upload (version 0.95.1-1etch1); the vulnerability doesn't seem to warrant a DSA, so I'd like to push the fix through a stable upload. If you believe it's not needed, just reject the already-uploaded package. Attached is the debdiff.

Security bug is: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481164

Cheers,
-- 
Raphaël Hertzog
The French best-seller updated for Debian Etch: http://www.ouaza.com/livre/admin-debian/
diff -u python-django-0.95.1/debian/changelog python-django-0.95.1/debian/changelog --- python-django-0.95.1/debian/changelog +++ python-django-0.95.1/debian/changelog @@ -1,3 +1,10 @@ +python-django (0.95.1-1etch1) stable; urgency=low + + * Add new patch debian/patches/03_xss_fix.diff. Fixes cross-site + scripting vulnerability (CVE-2008-2302). Closes: #481164 + + -- Raphael Hertzog <[EMAIL PROTECTED]> Tue, 20 May 2008 00:40:59 +0200 + python-django (0.95.1-1) unstable; urgency=low [ Brett Parker ] only in patch2: unchanged: --- python-django-0.95.1.orig/debian/patches/03_xss_fix.diff +++ python-django-0.95.1/debian/patches/03_xss_fix.diff @@ -0,0 +1,21 @@ +Closes: http://bugs.debian.org/481164 +Comment: + Upstream patch grabbed from http://code.djangoproject.com/changeset/7528?format=diff&new=7528 + . + Fixes a cross-scripting vulnerability (CVE-2008-2302). + +--- python-django.orig/django/contrib/admin/views/decorators.py (revision 3360) ++++ python-django/django/contrib/admin/views/decorators.py (revision 7528) +@@ -4,4 +4,5 @@ + from django.contrib.auth import authenticate, login + from django.shortcuts import render_to_response ++from django.utils.html import escape + from django.utils.translation import gettext_lazy + import base64, datetime, md5 +@@ -23,5 +24,5 @@ + return render_to_response('admin/login.html', { + 'title': _('Log in'), +- 'app_path': request.path, ++ 'app_path': escape(request.path), + 'post_data': post_data, + 'error_message': error_message
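Review bot: the Comment: header of the new debian/patches/03_xss_fix.diff says it "Fixes a cross-scripting vulnerability"; it should read "cross-site scripting" to match the changelog entry and CVE-2008-2302. On the code change in django/contrib/admin/views/decorators.py, wrapping request.path in escape() before it is passed as 'app_path' to admin/login.html is the right minimal fix for a value reflected straight from the request URL into the login page; what this diff cannot show is whether the template renders app_path in a context where HTML escaping alone is sufficient (for example inside an attribute), so it is worth reading admin/login.html in the 0.95.1 tree when reviewing the backport of upstream changeset 7528.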