python-django 1.2.3-1ubuntu0.2.10.10.3 source package in Ubuntu

Changelog

python-django (1.2.3-1ubuntu0.2.10.10.3) maverick-security; urgency=low

  * SECURITY UPDATE: session manipulation when using django.contrib.sessions
    with memory-based sessions and caching
    - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
      for session instead of root namespace
    - CVE-2011-4136
  * SECURITY UPDATE: potential denial of service and information disclosure in
    URLField
    - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
      default and use a timeout if available.
    - CVE-2011-4137, CVE-2011-4138
  * SECURITY UPDATE: potential cache-poisoning via crafted Host header
    - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
      default when constructing full URLs
    - CVE-2011-4139
  * debian/patches/01_disable_url_verify_regression_tests.diff: remove the
    test_correct_url_but_nonexisting_gives_404() test from the
    modeltests/validation/tests.py too. Not sure how it passed before, but
    this makes the CVE-2011-4137+4138.patch consistent with our other releases
    since the upstream fix for CVE-2011-4137+4138.patch removed this test too.
  * More information on these issues can be found at:
    https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
 -- Jamie Strandboge <email address hidden>   Wed, 07 Dec 2011 15:52:55 -0600