Closed
Bug 1119326
Opened 9 years ago
Closed 9 years ago
Django 1.4.18/1.6.10/1.7.3 update (One and Done)
Categories
(Mozilla QA Graveyard :: One and Done, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1119465
People
(Reporter: willkg, Assigned: bsilverberg)
Details
On January 17th, 2014, the Django project will issue a set of releases to remedy security issues reported. This bug contains descriptions of the issues.

Please read the entirety of this bug. Then on the release day either:

1. apply the update and mark this bug as FIXED, or
2. verify this doesn't apply to your project and close this bug with a WONTFIX plus an explanation of why these don't apply to your project

The rest of this bug is directly from the tracker bug

===

Notification is preliminary, details/patches have not yet been released.

Multiple vulnerabilities have been released related to the Django framework. These issues include denial of service issues, and problems with unsanitized user-supplied data that depending on the application could result in security impact.

Risk: MEDIUM

Impact type:
- DOS
- Possible system access depending on application / authentication bypass
- Possible end-user credential exposure

CVES:
- CVE-2015-0219 / WSGI header spoofing
- CVE-2015-0220 / XSS attack via user-supplied redirect URLs
- CVE-2015-0221 / DOS against django.views.static.service
- CVE-2015-0222 / DOS against ModelMultipleChoiceField

Affected:
- Django master development branch
- Django 1.7
- Django 1.6
- Django 1.5 (deprecated, not receiving security updates)
- Django 1.4

Resolved versions:
- Django 1.7.3
- Django 1.6.10
- Django 1.4.18
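An added example, not part of the bug or of Django: a small triage script for the "apply the update or verify this doesn't apply" step, which checks the Django lines of a requirements file against the affected series and resolved versions listed above. The status names, function names and the sample requirements lines are constructed for illustration.

```python
import re

# Patched release for each series, as listed under "Resolved versions" above.
FIXED = {(1, 7): (1, 7, 3), (1, 6): (1, 6, 10), (1, 4): (1, 4, 18)}
# Listed as affected but "deprecated, not receiving security updates".
UNSUPPORTED = {(1, 5)}

# A requirement line for the "django" package itself (not django-extensions etc.).
NAME = re.compile(r"^\s*django(?![\w.-])", re.I)
# An exact pin such as "Django==1.6.5", optionally followed by a comment.
PIN = re.compile(r"^\s*django\s*==\s*(\d+(?:\.\d+)*)\s*(?:#.*)?$", re.I)


def parse_version(text):
    """Turn '1.7' or '1.4.18' into an int tuple, padded to three parts."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def triage(version_text):
    """Classify one exact Django version against the advisory's lists."""
    version = parse_version(version_text)
    series = version[:2]
    if series in UNSUPPORTED:
        return "affected-no-fix"   # must move to a supported series
    if series in FIXED:
        return "patched" if version >= FIXED[series] else "needs-update"
    return "not-listed"            # series not named in the advisory


def scan_requirements(lines):
    """Return (line number, requirement, status) for every Django line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if not NAME.match(line):
            continue
        pin = PIN.match(line)
        # Ranges like "Django>=1.4" cannot be judged from the file alone.
        status = triage(pin.group(1)) if pin else "unpinned"
        findings.append((lineno, line.strip(), status))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = ["Django==1.6.5", "django-extensions==1.4.9", "Django>=1.4"]

if __name__ == "__main__":
    for finding in scan_requirements(SAMPLE):
        print(finding)
```

An "unpinned" result means the installed version has to be checked in the deployed environment rather than in the requirements file.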
Reporter
Comment 2 • 9 years ago
Bah. The security releases come out Tuesday, January **13**, **2015**.
Reporter
Comment 3 • 9 years ago
Django Project just issued the security release. Details in their blog post: https://www.djangoproject.com/weblog/2015/jan/13/security/
Updated • 9 years ago
Assignee: nobody → bob.silverberg
Assignee
Comment 4 • 9 years ago
The site is currently being migrated off of playdoh and onto django 1.7.3, which will address this.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Updated • 9 years ago
Group: mozilla-employee-confidential, webtools-security
Updated • 6 years ago
Product: Mozilla QA → Mozilla QA Graveyard