oss-sec mailing list archives
Re: [CVE request] Django 1.4.6 security release
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 19 Aug 2013 09:45:34 -0600
On 08/14/2013 09:06 PM, Kurt Seifried wrote:
> On 08/14/2013 02:11 AM, Thijs Kinkhorst wrote:
>> On Wed, August 14, 2013 09:42, Kurt Seifried wrote:
>>> On 08/13/2013 11:31 PM, Moritz Muehlenhoff wrote:
>>>> Hi,
>>>> this needs two CVE assignments:
>>>> https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
>>>
>>> Please provide links to the vulnerable code/fixed code, thanks.
>>
>> Links to the patches of the various affected release branches can be
>> found at the bottom of the quoted URL.
>>
>> Thijs
>
> For the Issue: Cross-site scripting (XSS) in admin interface, please use
> CVE-2013-4249 for this issue.
>
> For Issue: Cross-site scripting (XSS) in admin interface, I'm going to
> consider this as security hardening unless someone tells me otherwise.

Ahh, this should be:

For the Issue: Cross-site scripting (XSS) in admin interface, please use
CVE-2013-4249 for this issue.

For the second issue: Issue: Possible XSS via is_safe_url, I'm going to
consider this as security hardening unless someone tells me otherwise.

Thanks to vdanen for pointing this out.

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Current thread:
- [CVE request] Django 1.4.6 security release Moritz Muehlenhoff (Aug 13)
- Re: [CVE request] Django 1.4.6 security release Kurt Seifried (Aug 14)
- Re: [CVE request] Django 1.4.6 security release Thijs Kinkhorst (Aug 14)
- Re: [CVE request] Django 1.4.6 security release Kurt Seifried (Aug 14)
- Re: [CVE request] Django 1.4.6 security release Kurt Seifried (Aug 19)
- Re: [CVE request] Django 1.4.6 security release Thijs Kinkhorst (Aug 14)
- Re: [CVE request] Django 1.4.6 security release Kurt Seifried (Aug 14)