-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 08 Feb 2011 16:02:06 +0000
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.2.3-3+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Chris Lamb
Changed-By: Chris Lamb
Description:
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Changes:
 python-django (1.2.3-3+squeeze1) stable-security; urgency=high
 .
   * Resolve two vulnerabilities:
 .
     - Flaw in CSRF handling
 .
       Django includes a cross-site request forgery protection mechanism,
       which makes use of a token inserted into outgoing forms. Middleware
       then checks for the token's presence on form submission, and
       validates it.
 .
       Previously, however, Django's CSRF protection made an exception for
       AJAX requests, on the following basis:
 .
       1. Many AJAX toolkits add an 'X-Requested-With' header when using
          XMLHttpRequest.
 .
       2. Browsers have strict same-origin policies regarding
          XMLHttpRequest.
 .
       3. In the context of a browser, the only way that a custom header
          of this nature can be added is with XMLHttpRequest.
 .
       Therefore, for ease of use, Django did not apply CSRF checks to
       requests that appeared to be AJAX on the basis of the
       X-Requested-With header. The Ruby on Rails web framework had a
       similar exemption.
 .
       Recently, engineers at Google made members of the Ruby on Rails
       development team aware of a combination of browser plugins and
       redirects which can allow an attacker to provide custom HTTP
       headers on a request to any website. This can allow a forged
       request to appear to be an AJAX request, thereby defeating CSRF
       protection which trusts the same-origin nature of AJAX requests.
 .
       Michael Koziarski of the Rails team brought this to the Django
       developers' attention, and we were able to produce a
       proof-of-concept demonstrating the same vulnerability in Django's
       CSRF handling.
 .
       To remedy this, Django will now apply full CSRF validation to all
       requests, regardless of apparent AJAX origin. This is technically
       backwards-incompatible, but the security risks have been judged to
       outweigh the compatibility concerns in this case.
 .
       Extended notes on how to accommodate this change will be added to
       the Django homepage in following days.
 .
     - Potential XSS in file field rendering
 .
       Django's form system includes form fields and widgets for
       performing file uploads; in many cases, the name of the file
       currently stored in the field is displayed. In the process of
       rendering, the filename is displayed without being escaped.
 .
       In many cases this does not result in a cross-site-scripting
       vulnerability, as file-storage backends can and are encouraged to
       (and the default backends provided with Django do) sanitize the
       supplied filename according to their requirements. However, the
       risk of a vulnerability appearing in a backend which does not
       sanitize, or which performs insufficient sanitization, is such that
       Django will now automatically escape filenames in form rendering.
 .
       Thanks to James Bennett
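The CSRF change described above, as an added illustration that is not Django's own middleware: a simplified model of the token check, with the pre-fix X-Requested-With exemption beside the squeeze1 behaviour that validates every unsafe request. It uses Django's `csrftoken` cookie and `csrfmiddlewaretoken` form field names; the request dictionary layout and `make_request` helper are constructed for the example.

```python
import hmac

# Methods that never carry a state change and are exempt from CSRF checks.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def make_request(method, headers=None, post=None, cookie_token=None):
    """Build a minimal request dict (constructed stand-in for an HttpRequest)."""
    cookies = {"csrftoken": cookie_token} if cookie_token else {}
    return {
        "method": method,
        "headers": headers or {},
        "post": post or {},
        "cookies": cookies,
    }


def _token_matches(request):
    # The token from the session cookie must equal the token submitted with
    # the form; compare in constant time so the check itself leaks nothing.
    cookie = request["cookies"].get("csrftoken", "")
    submitted = request["post"].get("csrfmiddlewaretoken", "")
    return bool(cookie) and hmac.compare_digest(cookie, submitted)


def csrf_check_old(request):
    """Pre-squeeze1 logic: a request that looks like AJAX skipped the check."""
    if request["method"] in SAFE_METHODS:
        return True
    if request["headers"].get("X-Requested-With") == "XMLHttpRequest":
        return True  # the exemption the advisory removes
    return _token_matches(request)


def csrf_check_fixed(request):
    """Squeeze1 logic: every unsafe request must present a matching token."""
    if request["method"] in SAFE_METHODS:
        return True
    return _token_matches(request)
```

A browser sends the victim's cookies with a forged POST, so under the old logic a request carrying only the header passes; under the fixed logic it is rejected unless the matching form token is also present, which is why AJAX callers now have to submit the token.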
Checksums-Sha1:
 d002fea211de1121c3b6227eea197047ba919752 1539 python-django_1.2.3-3+squeeze1.dsc
 f65146218ab61bf5efe715db3fc3a177a24fba0d 6306760 python-django_1.2.3.orig.tar.gz
 1f4d9c41ca7bcd3fdd68787fa29d2b326364366e 26100 python-django_1.2.3-3+squeeze1.debian.tar.gz
 3d026bdc38748b882ea9f32518832f534055afb5 4178508 python-django_1.2.3-3+squeeze1_all.deb
 7c574bc93c571f5c2310073a763ea6a3e4f0be97 1896338 python-django-doc_1.2.3-3+squeeze1_all.deb
Checksums-Sha256:
 f59a983609850c9de45e0a91c0edd520fa2eb8a6a0db59c726451267640411b0 1539 python-django_1.2.3-3+squeeze1.dsc
 cb830f6038b78037647150d977f6cd5cf2bfd731f1788ecf8758a03c213a0f84 6306760 python-django_1.2.3.orig.tar.gz
 29f1adceb1f1f3559a594d487d139d9027899b22d88dafc49ff60c7e9d3c3c8c 26100 python-django_1.2.3-3+squeeze1.debian.tar.gz
 53254256b817fc4dd5c0feab3f418f420d15f2158dc1bdd91b1d27eaa27d78c2 4178508 python-django_1.2.3-3+squeeze1_all.deb
 ddd5384c35b842123a627238f7068b9d740453da2942a65339f02dedf79f0034 1896338 python-django-doc_1.2.3-3+squeeze1_all.deb
Files:
 63da398e7de1902ca47e31615c4d8338 1539 python optional python-django_1.2.3-3+squeeze1.dsc
 10bfb5831bcb4d3b1e6298d0e41d6603 6306760 python optional python-django_1.2.3.orig.tar.gz
 8bb305329f5f59a71e1267e16a2c1af3 26100 python optional python-django_1.2.3-3+squeeze1.debian.tar.gz
 0937bf90335d1bb73f9e79c7a7107d84 4178508 python optional python-django_1.2.3-3+squeeze1_all.deb
 30109ce08726edca9dbf18cd0119c4b8 1896338 doc optional python-django-doc_1.2.3-3+squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk1WWXsACgkQ5/8uW2NPmiCHSACgkpX9eVDK6ffaoVVe5/4hxGZn
Dv0An3nTriTLL3C03b5kgrQnleBK50yC
=4ROd
-----END PGP SIGNATURE-----