There are new security releases for dev-python/django.
Thanks for the report, Albert.
From: https://secunia.com/advisories/52243/ :

1) An error when expanding XML entities can be exploited to consume large amounts of memory and cause a crash or hang via a specially crafted XML containing malicious attributes.

2) An error when processing certain XML data can be exploited to disclose certain information by sending specially crafted XML data including external entity references.

3) The administrative interface does not properly verify access permissions when accessing the history view, which can be exploited to view the history of any object accessible in the admin interface.

4) An error within formsets when handling form submissions can be exploited to consume large amounts of memory and render the application unusable by submitting specially crafted forms.

The vulnerabilities are reported in versions prior to 1.3.6 and 1.4.4.

Solution: Update to version 1.3.6 or 1.4.4.
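Items 1 and 2 of the advisory quoted above are the classic entity-expansion ("billion laughs") and external-entity (XXE) problems of any expat-based XML parser. The block below is an added example, not code from this bug, from Django or from the Gentoo ebuilds: a Python stdlib xml.sax parser subclass that refuses entity declarations and external entity references at the point where expat would otherwise start expanding or fetching them, run against constructed sample documents. The class, exception and sample names are mine; the three-level bomb is kept tiny so it can be parsed unsafely to show the amplification without actually exhausting memory.

```python
"""Added example: refuse XML entity declarations and external entity references
before expat expands them (the defense for advisory items 1 and 2 above).
Not Django's code; class, exception and sample-document names are mine."""
import io
from xml.sax.expatreader import ExpatParser
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes)


class EntitiesForbidden(ValueError):
    """A document declared an entity (internal or external) in its DTD."""


class ExternalReferenceForbidden(ValueError):
    """A document referenced an external entity in its content."""


class NoEntityExpatParser(ExpatParser):
    """ExpatParser whose expat callbacks abort on entity declarations and
    external entity references, so neither expansion nor fetching can start."""

    def __init__(self, *args, **kwargs):
        ExpatParser.__init__(self, *args, **kwargs)
        # Never resolve external general or parameter entities.
        self.setFeature(feature_external_ges, False)
        self.setFeature(feature_external_pes, False)

    def reset(self):
        # ExpatParser.reset() builds a fresh pyexpat parser on every parse;
        # hook the callbacks here so the overrides survive each re-parse.
        ExpatParser.reset(self)
        self._parser.EntityDeclHandler = self._entity_decl
        self._parser.UnparsedEntityDeclHandler = self._unparsed_entity_decl
        self._parser.ExternalEntityRefHandler = self._external_entity_ref

    def _entity_decl(self, name, is_parameter_entity, value, base, sysid,
                     pubid, notation_name):
        # Fires at the <!ENTITY ...> declaration, before any reference to it.
        raise EntitiesForbidden("entity declaration %r not allowed" % name)

    def _unparsed_entity_decl(self, name, base, sysid, pubid, notation_name):
        raise EntitiesForbidden("unparsed entity %r not allowed" % name)

    def _external_entity_ref(self, context, base, sysid, pubid):
        # Belt and braces: only reached if a declaration slipped past.
        raise ExternalReferenceForbidden("external entity %r not allowed" % sysid)


class TextCollector(ContentHandler):
    """Accumulates character data so the expansion size can be measured."""

    def __init__(self):
        ContentHandler.__init__(self)
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text(xml_bytes, safe=True):
    """Parse and return the concatenated character data. safe=False uses the
    stock ExpatParser, which expands internal entities without any check."""
    parser = NoEntityExpatParser() if safe else ExpatParser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def rejects(xml_bytes):
    """Name of the exception the hardened parser raises, or None if accepted."""
    try:
        parse_text(xml_bytes, safe=True)
    except (EntitiesForbidden, ExternalReferenceForbidden) as exc:
        return type(exc).__name__
    return None


# Constructed samples. BENIGN mimics an ordinary serialized object; LAUGHS is a
# three-level entity bomb (10^3 copies of "lol" from a few hundred input bytes);
# XXE declares an external entity that would read a local file if resolved.
BENIGN = (b'<?xml version="1.0"?><django-objects version="1.0">'
          b'<object pk="1" model="auth.user"><field name="username">alice</field>'
          b'</object></django-objects>')

LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY secret SYSTEM "file:///etc/passwd"> ]>
<data>&secret;</data>"""


if __name__ == "__main__":
    print("benign:", parse_text(BENIGN))
    print("stock parser expands the bomb to",
          len(parse_text(LAUGHS, safe=False)), "chars")
    print("hardened parser on bomb:", rejects(LAUGHS))
    print("hardened parser on XXE:", rejects(XXE))
```

The point of hooking EntityDeclHandler rather than inspecting the output is that the check runs before any expansion happens: the bomb is refused at its first `<!ENTITY>` line, and the XXE document never gets as far as an external fetch. Disabling external general and parameter entities on the parser is a separate setting and is kept as well, since a declaration handler alone does not stop expat from resolving an external reference it already knows about.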
We probably want to jump to 1.3.7 and 1.4.5.
+*django-1.3.7 (23 Feb 2013) +*django-1.4.5 (23 Feb 2013) + + 23 Feb 2013; Mike Gilbert <floppym@gentoo.org> +django-1.3.7.ebuild, + +django-1.4.5.ebuild, django-9999.ebuild: + Version bumps for security bug 447470. Port 1.3.7 to distutils-r1. Disable + parallel testing. +
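Review bot: the entry says "Disable parallel testing" without recording why; a ChangeLog line should state the reason (which tests fail or race when run in parallel) so a later maintainer knows whether it can be re-enabled. It also reads as though only 1.3.7 was ported to distutils-r1 while 1.4.5, listed in the same entry, was not; if 1.4.5 was already on distutils-r1, saying so would remove the ambiguity.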
(In reply to comment #4)
> +*django-1.3.7 (23 Feb 2013) > +*django-1.4.5 (23 Feb 2013) > + > + 23 Feb 2013; Mike Gilbert <floppym@gentoo.org> +django-1.3.7.ebuild, > + +django-1.4.5.ebuild, django-9999.ebuild: > + Version bumps for security bug 447470. Port 1.3.7 to distutils-r1. Disable > + parallel testing. > +

Thanks, Mike!

Arches, please test and mark stable both:
=dev-python/django-1.3.7
=dev-python/django-1.4.5
We also need to stabilize the following as dependencies:
=dev-python/mysql-python-1.2.3-r1
=dev-python/imaging-1.1.7-r2
=dev-python/psycopg-2.4.6-r1
amd64 stable
x86 stable
GLSA vote: no
NO too, closing.