Affects <1.4.7, <1.5.3, <1.6_beta3.
(In reply to Dirkjan Ochtman from comment #0) > Affects <1.4.7, <1.5.3, <1.6_beta3. Thanks for the report. What about the 1.2 and 1.3 series?
From reading the $URL, I conclude they're not affected.
(In reply to Dirkjan Ochtman from comment #2) > From reading the $URL, I conclude they're not affected. Could you point where you see that are supported?
It explicitly lists the affected versions.
(In reply to Dirkjan Ochtman from comment #4) > It explicitly lists the affected versions. I don't see them available in the download main page. So I suppose there is no support and is why they didn't mention them in the advisory.
Okay. I think we can just punt everything < 1.4.5 (which is currently stable). Does anyone have a problem with that? If not, I'll do it in ~40h.
(In reply to Dirkjan Ochtman from comment #6) > Does anyone have a problem with that? There was bug #471614.
(In reply to Dirkjan Ochtman from comment #6) > Okay. I think we can just punt everything < 1.4.5 (which is currently > stable). Does anyone have a problem with that? If not, I'll do it in ~40h. (In reply to Arfrever Frehtes Taifersar Arahesis from comment #7) > (In reply to Dirkjan Ochtman from comment #6) > > Does anyone have a problem with that? > > There was bug #471614. then just package.mask <1.4.7 after the stabilization
Well, I think Markos should just clean up his code, we shouldn't carry around ebuilds for unpatched versions in the tree unless there's a lot of maintainer love (which it seems there isn't, for Django).
Stabilization will be handled in bug 484984.
CVE-2013-4315 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4315): Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag.
