[Buildroot] [PATCH] python-django: security bump to version 1.7.3

Thomas Petazzoni thomas.petazzoni at free-electrons.com
Wed Jan 14 18:26:21 UTC 2015


Dear Gustavo Zacarias,

On Wed, 14 Jan 2015 15:21:44 -0300, Gustavo Zacarias wrote:
> Fixes:
> 
> CVE-2015-0219 - incorrectly handled underscores in WSGI headers. A
> remote attacker could possibly use this issue to spoof headers in
> certain environments.
> 
> CVE-2015-0220 - incorrectly handled user-supplied redirect URLs. A
> remote attacker could possibly use this issue to perform a cross-site
> scripting attack.
> 
> CVE-2015-0221 - incorrectly handled reading files in
> django.views.static.serve(). A remote attacker could possibly use this
> issue to cause Django to consume resources, resulting in a denial of
> service.
> 
> CVE-2015-0222 - incorrectly handled forms with ModelMultipleChoiceField.
> A remote attacker could possibly use this issue to cause a large number
> of SQL queries, resulting in a database denial of service.
> 
> Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
> ---
>  package/python-django/python-django.hash | 4 ++--
>  package/python-django/python-django.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)

Applied, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
