
Bug 354183 (CVE-2011-0696)

Summary: <dev-python/django-{1.1.4,1.2.5}: Multiple vulnerabilities (CVE-2011-{0696,0697})
Product: Gentoo Security
Reporter: Arfrever Frehtes Taifersar Arahesis (RETIRED) <arfrever>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: python
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://www.djangoproject.com/weblog/2011/feb/08/security/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-02-09 04:38:41 UTC
Django 1.1.4 and Django 1.2.5 fix multiple vulnerabilities.

Comment 1 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-02-09 04:39:59 UTC
Stabilize dev-python/django-1.2.5.

Comment 2 Agostino Sarubbo gentoo-dev 2011-02-09 12:06:19 UTC
amd64 ok

Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-02-10 07:30:09 UTC
Per http://www.openwall.com/lists/oss-security/2011/02/09/6 the following CVEs have been assigned.

CVE-2011-0696 django Flaw in CSRF handling
CVE-2011-0697 django Potential XSS in file field rendering
CVE-2011-0698 django Directory-traversal vulnerability on Windows

Not including CVE-2011-0698 since it doesn't apply to us.

Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-10 11:26:45 UTC
x86 stable

Comment 5 Markos Chandras (RETIRED) gentoo-dev 2011-02-10 20:07:32 UTC
amd64 done. Thanks Agostino

Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-02-12 19:10:23 UTC
Thanks, folks. Closing noglsa for XSS+CSRF. Please reopen if you disagree.