| Field | Value |
|---|---|
| Summary | dev-python/django < 0.96.2 XSS (CVE-2008-2302) |
| Product | Gentoo Security |
| Reporter | Krzysztof Pawlik (RETIRED) <nelchael> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | trivial |
| CC | python |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.djangoproject.com/weblog/2008/may/14/security/ |
| Whiteboard | ~4 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | django-0.96.1-to-0.96.2.ebuild.patch (attachment 154317) |
Description
Krzysztof Pawlik (RETIRED)
2008-05-14 07:50:17 UTC
Python herd, please bump as necessary.

Bumping it won't be as easy as it seems: in the 0.96.2 tarball some directories are missing (like extras, examples). I've filed a bug upstream about that, but it got closed as WONTFIX: http://code.djangoproject.com/ticket/7273. Last comment from that bug:

> Actually, the 0.96.1 tarball was generated by an svn export, while 0.96.2 was
> generated by using the setup.py script. What this means, really, is that the
> setup.py script was borked (a known issue), but unfortunately I don't think we
> can do much about it; the bugfixes branches are really only for critical
> security fixes.

So the Django code should come from 0.96.2, and the rest from 0.96.1, or use the 0.96.1 tarball with a patch.

Created attachment 154317 [details]: django-0.96.1-to-0.96.2.ebuild.patch

This is a patch for the 0.96.1 ebuild to create 0.96.2: it has both versions in SRC_URI and uses the missing directories from 0.96.1.
Krzysiek, feel free to commit the attached patch to CVS. Or do you need additional review?

Done:

------------------------------------------------------------------------------
Version bump to fix security bug, see bug #222029.
(Portage version: 2.1.5.2)
------------------------------------------------------------------------------

Thanks, closing without stabling and GLSA.
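The bump strategy discussed above (code from the 0.96.2 tarball, the missing extras/examples directories from 0.96.1), as an added illustration in plain shell rather than the attached ebuild patch; the tree names `Django-0.96.1` and `Django-0.96.2` and the sample file contents are constructed here. The merge only ever fills in directories the new tree lacks, so nothing from 0.96.1 can overwrite the patched 0.96.2 code.

```shell
#!/bin/sh
# Added example, not the ebuild patch attached to this bug.
# OLD is the unpacked 0.96.1 tree, NEW the unpacked 0.96.2 tree (assumed names).

# Copy into NEW every top-level directory of OLD that NEW does not contain.
# Directories already present in NEW (notably django/, which carries the
# security fix) are left untouched. Prints the number of directories copied.
merge_missing_dirs() {
    old=$1
    new=$2
    copied=0
    for d in "$old"/*/; do
        [ -d "$d" ] || continue        # no directories at all: glob stayed literal
        src=${d%/}                     # strip trailing slash
        name=${src##*/}                # basename of the directory
        if [ -e "$new/$name" ]; then
            echo "keeping $new/$name from the new tree" >&2
        else
            cp -R "$src" "$new/$name"
            copied=$((copied + 1))
        fi
    done
    echo "$copied"
}

# Build a constructed pair of trees mimicking the two tarballs' layouts:
# 0.96.1 ships django/, extras/ and examples/; 0.96.2 ships only django/.
make_sample_trees() {
    base=$1
    mkdir -p "$base/Django-0.96.1/django" "$base/Django-0.96.1/extras" \
             "$base/Django-0.96.1/examples" "$base/Django-0.96.2/django"
    echo "old" > "$base/Django-0.96.1/django/__init__.py"
    echo "fixed" > "$base/Django-0.96.2/django/__init__.py"
    echo "sample" > "$base/Django-0.96.1/extras/README"
}
```

Run against real unpacked trees, the function reports on stderr which directories it kept from the new tree, which is the quick check that the vulnerable package code was not pulled in from 0.96.1.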