This bug was fixed in the package python-django - 1.3.1-4ubuntu1.6
--------------- python-django (1.3.1-4ubuntu1.6) precise-security; urgency=low
* SECURITY UPDATE: host header poisoning (LP: #1089337) - debian/patches/fix_get_host.patch: tighten host header validation in django/http/__init__.py, add tests to tests/regressiontests/requests/tests.py. - https://www.djangoproject.com/weblog/2012/dec/10/security/ - No CVE number * SECURITY UPDATE: redirect poisoning (LP: #1089337) - debian/patches/fix_redirect_poisoning.patch: tighten validation in django/contrib/auth/views.py, django/contrib/comments/views/comments.py, django/contrib/comments/views/moderation.py, django/contrib/comments/views/utils.py, django/utils/http.py, django/views/i18n.py, add tests to tests/regressiontests/comment_tests/tests/comment_view_tests.py, tests/regressiontests/comment_tests/tests/moderation_view_tests.py, tests/regressiontests/views/tests/i18n.py. - https://www.djangoproject.com/weblog/2012/dec/10/security/ - No CVE number * SECURITY UPDATE: host header poisoning (LP: #1130445) - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting to django/conf/global_settings.py, django/conf/project_template/settings.py, django/http/__init__.py, django/test/utils.py, add docs to docs/ref/settings.txt, add tests to tests/regressiontests/requests/tests.py. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - No CVE number * SECURITY UPDATE: XML attacks (LP: #1130445) - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion, and external entities/DTDs in django/core/serializers/xml_serializer.py, add tests to tests/regressiontests/serializers_regress/tests.py. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - CVE-2013-1664 - CVE-2013-1665 * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445) - debian/patches/CVE-2013-0305.patch: add permission checks to history view in django/contrib/admin/options.py, add tests to tests/regressiontests/admin_views/tests.py. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - CVE-2013-0305 * SECURITY UPDATE: Formset denial-of-service (LP: #1130445) - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt, docs/topics/forms/modelforms.txt, add tests to tests/regressiontests/forms/tests/formsets.py. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - CVE-2013-0306 -- Marc Deslauriers <email address hidden> Mon, 04 Mar 2013 10:13:59 -0500
This bug was fixed in the package python-django - 1.3.1-4ubuntu1.6
---------------
python-django (1.3.1-4ubuntu1.6) precise-security; urgency=low
* SECURITY UPDATE: host header poisoning (LP: #1089337) patches/ fix_get_ host.patch: tighten host header validation in http/__ init__. py, add tests to regressiontests /requests/ tests.py. /www.djangoproj ect.com/ weblog/ 2012/dec/ 10/security/ patches/ fix_redirect_ poisoning. patch: tighten validation in contrib/ auth/views. py, contrib/ comments/ views/comments. py, contrib/ comments/ views/moderatio n.py, contrib/ comments/ views/utils. py, django/ utils/http. py, views/i18n. py, add tests to regressiontests /comment_ tests/tests/ comment_ view_tests. py, regressiontests /comment_ tests/tests/ moderation_ view_tests. py, regressiontests /views/ tests/i18n. py. /www.djangoproj ect.com/ weblog/ 2012/dec/ 10/security/ patches/ add_allowed_ hosts.patch: add new ALLOWED_HOSTS setting conf/global_ settings. py, conf/project_ template/ settings. py, http/__ init__. py, django/ test/utils. py, add docs to ref/settings. txt, add tests to regressiontests /requests/ tests.py. /www.djangoproj ect.com/ weblog/ 2013/feb/ 19/security/ patches/ CVE-2013- 166x.patch: forbid DTDs, entity expansion, core/serializer s/xml_serialize r.py, add tests to regressiontests /serializers_ regress/ tests.py. /www.djangoproj ect.com/ weblog/ 2013/feb/ 19/security/ patches/ CVE-2013- 0305.patch: add permission checks to history contrib/ admin/options. py, add tests to regressiontests /admin_ views/tests. py. /www.djangoproj ect.com/ weblog/ 2013/feb/ 19/security/ patches/ CVE-2013- 0306.patch: limit maximum number of forms in forms/formsets. py, add docs to docs/topics/ forms/formsets. txt, topics/ forms/modelform s.txt, add tests to regressiontests /forms/ tests/formsets. py. /www.djangoproj ect.com/ weblog/ 2013/feb/ 19/security/
- debian/
django/
tests/
- https:/
- No CVE number
* SECURITY UPDATE: redirect poisoning (LP: #1089337)
- debian/
django/
django/
django/
django/
django/
tests/
tests/
tests/
- https:/
- No CVE number
* SECURITY UPDATE: host header poisoning (LP: #1130445)
- debian/
to django/
django/
django/
docs/
tests/
- https:/
- No CVE number
* SECURITY UPDATE: XML attacks (LP: #1130445)
- debian/
and external entities/DTDs in
django/
tests/
- https:/
- CVE-2013-1664
- CVE-2013-1665
* SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
- debian/
view in django/
tests/
- https:/
- CVE-2013-0305
* SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
- debian/
django/
docs/
tests/
- https:/
- CVE-2013-0306
-- Marc Deslauriers <email address hidden> Mon, 04 Mar 2013 10:13:59 -0500