On January 17th, 2014, the Django project will issue a set of releases to remedy security issues reported. This bug contains descriptions of the issues. Please read the entirety of this bug. Then on the release day either:

1. apply the update and mark this bug as FIXED, or
2. verify this doesn't apply to your project and close this bug with a WONTFIX plus an explanation of why these don't apply to your project

The rest of this bug is directly from the tracker bug

===

Notification is preliminary, details/patches have not yet been released.

Multiple vulnerabilities have been released related to the Django framework. These issues include denial of service issues, and problems with unsanitized user-supplied data that depending on the application could result in security impact.

Risk: MEDIUM

Impact type:
- DOS
- Possible system access depending on application / authentication bypass
- Possible end-user credential exposure

CVES:
- CVE-2015-0219 / WSGI header spoofing
- CVE-2015-0220 / XSS attack via user-supplied redirect URLs
- CVE-2015-0221 / DOS against django.views.static.service
- CVE-2015-0222 / DOS against ModelMultipleChoiceField

Affected:
- Django master development branch
- Django 1.7
- Django 1.6
- Django 1.5 (deprecated, not receiving security updates)
- Django 1.4

Resolved versions:
- Django 1.7.3
- Django 1.6.10
- Django 1.4.18
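One way to automate the "does this apply to your project" step from the comment above, as an added example that is not code from this bug, from kitsune or from Django: the affected/resolved version data is copied from the advisory text, while the function names, the pre-release handling and the status labels are this example's own assumptions. It treats a 1.5.x install as affected with no fix available, and a master/dev build as not decidable from the advisory alone.

```python
"""Decide whether an installed Django version needs the January 2015 security update.

Added example; version data is transcribed from the advisory comment above,
everything else (names, statuses, pre-release rules) is assumed for illustration.
"""
from typing import Optional, Tuple

# Minimum fixed release per supported series, as listed under "Resolved versions".
FIXED_VERSIONS = {
    (1, 7): (1, 7, 3, 1),
    (1, 6): (1, 6, 10, 1),
    (1, 4): (1, 4, 18, 1),
}
# Listed as affected but "deprecated, not receiving security updates".
UNSUPPORTED_SERIES = {(1, 5)}


def version_key(version: str) -> Tuple[int, int, int, int]:
    """Map a Django version string to (major, minor, patch, final).

    final is 1 for a release and 0 for alpha/beta/rc/dev builds, so that
    '1.7.3a1' sorts below '1.7.3' and '1.7' is read as '1.7.0'.
    Raises ValueError if the string has no leading 'major.minor'.
    """
    nums = []
    final = 1
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if digits:
            nums.append(int(digits))
        if len(digits) != len(piece):  # trailing letters mark a pre-release
            final = 0
            break
    if len(nums) < 2:
        raise ValueError(f"unrecognised Django version: {version!r}")
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2], final)


def assess(installed: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version) for an installed version string.

    status is one of:
      'fixed'       - at or above the resolved release for its series
      'upgrade'     - below the resolved release; upgrade to fixed_version
      'unsupported' - affected series with no security release (1.5)
      'unknown'     - not covered by the advisory's version list (e.g. master)
    """
    key = version_key(installed)
    series = key[:2]
    if series in UNSUPPORTED_SERIES:
        return "unsupported", None
    fixed = FIXED_VERSIONS.get(series)
    if fixed is None:
        return "unknown", None
    fixed_str = ".".join(str(n) for n in fixed[:3])
    if key >= fixed:
        return "fixed", fixed_str
    return "upgrade", fixed_str


def installed_django_version() -> Optional[str]:
    """Version of the Django importable in this environment, or None if absent."""
    try:
        import django  # real API: django.get_version() returns e.g. '1.6.10'
    except ImportError:
        return None
    return django.get_version()


if __name__ == "__main__":
    current = installed_django_version()
    if current is None:
        print("Django is not installed here; nothing to check.")
    else:
        status, fixed = assess(current)
        print(f"Django {current}: {status}" + (f" (resolved in {fixed})" if fixed else ""))
```

Run it inside the project's virtualenv; a result of `upgrade` or `unsupported` means the bug cannot be closed WONTFIX, and `unknown` means the advisory's list does not settle the question and the release notes have to be read.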
Bah. The security releases come out Tuesday, January **13**, **2015**.
Django Project just issued the security release. Details in their blog post: https://www.djangoproject.com/weblog/2015/jan/13/security/
Landed: https://github.com/mozilla/kitsune/commit/659f6c9ed913e3b3d832299e155cb8ea2def87fe

Deployed to prod
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Unchecking the boxes since this is done now.
Group: websites-security, mozilla-employee-confidential