From ${URL} :

Today the Django team issued multiple releases -- Django 1.4.21, 1.7.9, and 1.8.3 -- as part of our security process. These releases address a couple of security issues, and we encourage all users to upgrade as soon as possible. More details can be found on our blog: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
*django-1.8.3 (15 Jul 2015)
*django-1.7.9 (15 Jul 2015)
*django-1.4.21 (15 Jul 2015)

  15 Jul 2015; Ian Delaney <idella4@gentoo.org> +django-1.4.21.ebuild,
  +django-1.7.9.ebuild, +django-1.8.3.ebuild:
  bumps wrt bug #554864

I'd suggest going directly to stabilising; amd64 x86
Please stabilize django-1.7.9 and django-1.4.21.
CVE-2015-5145 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5145): validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.

CVE-2015-5144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5144): Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.

CVE-2015-5143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5143): The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
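The following is an added illustration of the CVE-2015-5144 mechanism listed above; it is not Django's code and not part of this bug thread. The regexes are constructed, simplified stand-ins for validate_slug and validate_ipv4_address (Django's real patterns are longer), and the header serializer and parser are constructed toy versions of what a framework emits and a lenient client reads. The point it shows is a Python re detail: a pattern anchored with "$" still matches a value that ends in a single trailing newline, while "\Z" does not, so a "validated" value can carry a line break into an HTTP header block and prematurely terminate it.

```python
import re

# Constructed, simplified validator patterns (not Django's own regexes).
# The vulnerable form anchors the end with "$", which in Python matches
# before a trailing "\n"; the fixed form anchors with "\Z", which only
# matches at the true end of the string.
SLUG_VULNERABLE = re.compile(r'^[-a-zA-Z0-9_]+$')
SLUG_FIXED = re.compile(r'^[-a-zA-Z0-9_]+\Z')

IPV4_VULNERABLE = re.compile(r'^(\d{1,3}\.){3}\d{1,3}$')
IPV4_FIXED = re.compile(r'^(\d{1,3}\.){3}\d{1,3}\Z')


def validate(pattern, value):
    """Mimic a RegexValidator: True if the value is accepted, False if a
    ValidationError would be raised."""
    return pattern.search(value) is not None


def serialize_headers(headers):
    """Constructed stand-in for how a framework writes an HTTP/1.1 header
    block: one 'Name: value\\r\\n' line per header, then an empty line."""
    return "".join("%s: %s\r\n" % (name, value) for name, value in headers) + "\r\n"


def parse_header_block(raw):
    """Constructed lenient client-side parse: lines end at LF (a preceding
    CR is tolerated) and the first empty line ends the header block.
    Returns the header names the client actually sees."""
    names = []
    for line in raw.split("\n"):
        line = line.rstrip("\r")
        if line == "":
            break  # end of headers; anything after this is body
        names.append(line.split(":", 1)[0])
    return names


def headers_seen_by_client(validator, slug):
    """Validate an attacker-controlled slug with the given validator, then
    emit it in a header followed by a security-relevant header. Returns
    the header names a client parses, or None if validation rejected it."""
    if not validate(validator, slug):
        return None
    headers = [
        ("X-Promo-Slug", slug),
        ("Set-Cookie", "sid=abc123; HttpOnly; Secure"),
    ]
    return parse_header_block(serialize_headers(headers))


if __name__ == "__main__":
    payload = "promo\n"  # constructed attacker input: valid slug + trailing LF
    print("vulnerable slug validator accepts payload:", validate(SLUG_VULNERABLE, payload))
    print("fixed slug validator accepts payload:     ", validate(SLUG_FIXED, payload))
    print("client sees headers (vulnerable):", headers_seen_by_client(SLUG_VULNERABLE, payload))
    print("client sees headers (fixed):     ", headers_seen_by_client(SLUG_FIXED, payload))
```

With the vulnerable pattern the client parses only X-Promo-Slug: the injected LF plus the framework's own CRLF forms an empty line, so the Set-Cookie header that follows is no longer a header at all. The single trailing newline that "$" lets through is enough for that, which is why the Django fix was the one-character change from "$" to "\Z" in the validators rather than anything in the header-writing code. The same check applies to any regex used as an allow-list: if the string it guards ends up in a header, an e-mail field or a shell line, anchor with "\A" and "\Z" (or use re.fullmatch on Python 3.4+).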
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please vote.
+ 28 Jul 2015; Justin Lecher <jlec@gentoo.org> -django-1.4.20.ebuild, + -django-1.7.7.ebuild, -django-1.7.8.ebuild, -django-1.8.2.ebuild, + -files/django-1.4.19-test.patch, -files/django-1.5-objects.patch, + -files/django-1.6.10-test.patch: + Drop vulnerable version, bug #554864 + Cleaned.
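Review bot: the entry text "Drop vulnerable version" does not match what the hunk removes: four ebuilds (1.4.20, 1.7.7, 1.7.8, 1.8.2) plus three files/ patches, and two of those patches (django-1.5-objects.patch, django-1.6.10-test.patch) carry version numbers that belong to none of the ebuilds removed here, so they were presumably already orphaned. Worth saying so in the entry and confirming that none of the kept ebuilds (1.4.21, 1.7.9, 1.8.3 per the 15 Jul entry) still reference them, e.g. "Drop vulnerable versions and orphaned patches, bug #554864".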
GLSA Vote: Yes
(In reply to Yury German from comment #7)
> GLSA Vote: Yes

GLSA Vote: Yes
This issue was resolved and addressed in GLSA 201510-06 at https://security.gentoo.org/glsa/201510-06 by GLSA coordinator Kristian Fiskerstrand (K_F).