FreeBSD Bugzilla – Attachment 129065 Details for Bug 173017
www/py-django: update to latest versions (security fixes)
[patch] file.diff (text/plain), 10.70 KB, created by Ruslan Makhmatkhanov on 2012-10-24 10:30:00 UTC
Flags: patch, obsolete
>Index: www/py-django/Makefile >=================================================================== >--- www/py-django/Makefile (revision 306338) >+++ www/py-django/Makefile (working copy) >@@ -1,12 +1,8 @@ >-# New ports collection makefile for: django >-# Date created: 2005-11-19 >-# Whom: Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe> >-# >+# Created by: Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe> > # $FreeBSD$ >-# > > PORTNAME= django >-PORTVERSION= 1.4.1 >+PORTVERSION= 1.4.2 > CATEGORIES= www python > MASTER_SITES= https://www.djangoproject.com/m/releases/${PORTVERSION:R}/ \ > CHEESESHOP >@@ -20,7 +16,7 @@ > LICENSE= BSD > > USE_GETTEXT= yes >-USE_PYTHON= yes >+USE_PYTHON= -2.7 > USE_PYDISTUTILS= yes > PYDISTUTILS_PKGNAME= Django > >@@ -28,20 +24,20 @@ > > DOCSDIR= ${PREFIX}/share/doc/py-django > >-OPTIONS_DEFINE= PGSQL MYSQL SQLITE FASTCGI HTMLDOCS >-OPTIONS_DEFAULT= >+# bypass infrastructure bug >+OPTIONSFILE= ${PORT_DBDIR}/py-${PORTNAME}/options >+OPTIONS_DEFINE= FASTCGI HTMLDOCS >+OPTIONS_DEFAULT=SQLITE >+OPTIONS_MULTI= DATABASE >+OPTIONS_MULTI_DATABASE= PGSQL MYSQL SQLITE >+HTMLDOCS_DESC= Install the HTML documentation (requires Sphinx) > >-HTMLDOCS_DESC= Build and install the HTML documentation (requires Sphinx) >- > MAN1= daily_cleanup.1 django-admin.1 gather_profile_stats.1 > >-# bypass infrastructure bug >-OPTIONSFILE= ${PORT_DBDIR}/py-${PORTNAME}/options >+.include <bsd.port.options.mk> > >-.include <bsd.port.pre.mk> >- > .if ${PORT_OPTIONS:MPGSQL} >-RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/psycopg2/_psycopg.so:${PORTSDIR}/databases/py-psycopg2 >+RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}psycopg2>0:${PORTSDIR}/databases/py-psycopg2 > .endif > > .if ${PORT_OPTIONS:MMYSQL} >@@ -49,7 +45,7 @@ > .endif > > .if ${PORT_OPTIONS:MSQLITE} >-RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/_sqlite3.so:${PORTSDIR}/databases/py-sqlite3 >+RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sqlite3>0:${PORTSDIR}/databases/py-sqlite3 > .endif > > .if ${PORT_OPTIONS:MFASTCGI} 
>@@ -57,7 +53,7 @@ > .endif > > .if ${PORT_OPTIONS:MHTMLDOCS} >-. if defined(NOPORTDOCS) >+. if empty(PORT_OPTIONS:MDOCS) > IGNORE= you cannot build documentation while setting NOPORTDOCS > . endif > BUILD_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sphinx>0:${PORTSDIR}/textproc/py-sphinx >@@ -79,4 +75,4 @@ > ${CP} -R ${WRKSRC}/docs/_build/html ${DOCSDIR} > .endif > >-.include <bsd.port.post.mk> >+.include <bsd.port.mk> >Index: www/py-django/distinfo >=================================================================== >--- www/py-django/distinfo (revision 306338) >+++ www/py-django/distinfo (working copy) >@@ -1,2 +1,2 @@ >-SHA256 (python/Django-1.4.1.tar.gz) = 4d8d20eba350d3d29613cc5a6302d5c23730c7f9e150985bc58b3175b755409b >-SIZE (python/Django-1.4.1.tar.gz) = 7656756 >+SHA256 (python/Django-1.4.2.tar.gz) = edfd8733f45bbaa524cee25bcac3080ce28c21242c27227464eae3fa6b3d80e7 >+SIZE (python/Django-1.4.2.tar.gz) = 7722026 >Index: www/py-django/pkg-descr >=================================================================== >--- www/py-django/pkg-descr (revision 306338) >+++ www/py-django/pkg-descr (working copy) >@@ -7,4 +7,4 @@ > Web developers. It has convenient niceties for developing content-management > systems, but it's an excellent tool for building any Web site. > >-WWW: http://www.djangoproject.com/ >+WWW: http://www.djangoproject.com/ >Index: www/py-django/pkg-plist >=================================================================== >--- www/py-django/pkg-plist (revision 306338) >+++ www/py-django/pkg-plist (working copy) 
>@@ -5294,6 +5294,9 @@ > %%PYTHON_SITELIBDIR%%/django/utils/simplejson/tool.py > %%PYTHON_SITELIBDIR%%/django/utils/simplejson/tool.pyc > %%PYTHON_SITELIBDIR%%/django/utils/simplejson/tool.pyo >+%%PYTHON_SITELIBDIR%%/django/utils/six.py >+%%PYTHON_SITELIBDIR%%/django/utils/six.pyc >+%%PYTHON_SITELIBDIR%%/django/utils/six.pyo > %%PYTHON_SITELIBDIR%%/django/utils/synch.py > %%PYTHON_SITELIBDIR%%/django/utils/synch.pyc > %%PYTHON_SITELIBDIR%%/django/utils/synch.pyo >Index: www/py-django13/Makefile >=================================================================== >--- www/py-django13/Makefile (revision 306338) >+++ www/py-django13/Makefile (working copy) >@@ -1,12 +1,8 @@ >-# New ports collection makefile for: django >-# Date created: 2005-11-19 >-# Whom: Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe> >-# >+# Created by: Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe> > # $FreeBSD$ >-# > > PORTNAME= django >-PORTVERSION= 1.3.3 >+PORTVERSION= 1.3.4 > CATEGORIES= www python > MASTER_SITES= http://www.djangoproject.com/m/releases/${PORTVERSION:R}/ \ > CHEESESHOP >@@ -22,7 +18,7 @@ > LATEST_LINK= ${PYTHON_PKGNAMEPREFIX}django13 > > USE_GETTEXT= yes >-USE_PYTHON= yes >+USE_PYTHON= -2.7 > USE_PYDISTUTILS= yes > PYDISTUTILS_PKGNAME= Django 
> >@@ -30,20 +26,20 @@ > > DOCSDIR= ${PREFIX}/share/doc/py-django > >-OPTIONS_DEFINE= PGSQL MYSQL SQLITE FASTCGI HTMLDOCS >-OPTIONS_DEFAULT= >+# bypass infrastructure bug >+OPTIONSFILE= ${PORT_DBDIR}/py-${PORTNAME}/options >+OPTIONS_DEFINE= FASTCGI HTMLDOCS >+OPTIONS_DEFAULT=SQLITE >+OPTIONS_MULTI= DATABASE >+OPTIONS_MULTI_DATABASE= PGSQL MYSQL SQLITE >+HTMLDOCS_DESC= Install the HTML documentation (requires Sphinx) > >-HTMLDOCS_DESC= Build and install the HTML documentation (requires Sphinx) >- > MAN1= daily_cleanup.1 django-admin.1 gather_profile_stats.1 > >-# bypass infrastructure bug >-OPTIONSFILE= ${PORT_DBDIR}/py-${PORTNAME}/options >+.include <bsd.port.options.mk> > >-.include <bsd.port.pre.mk> >- > .if ${PORT_OPTIONS:MPGSQL} >-RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/psycopg2/_psycopg.so:${PORTSDIR}/databases/py-psycopg2 >+RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}psycopg2>0:${PORTSDIR}/databases/py-psycopg2 > EXTRA_PATCHES+= ${FILESDIR}/extra-patch-changeset_16520.diff > .endif > >@@ -52,7 +48,7 @@ > .endif > > .if ${PORT_OPTIONS:MSQLITE} >-RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/_sqlite3.so:${PORTSDIR}/databases/py-sqlite3 >+RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sqlite3>0:${PORTSDIR}/databases/py-sqlite3 > .endif > > .if ${PORT_OPTIONS:MFASTCGI} >@@ -60,7 +56,7 @@ > .endif > > .if ${PORT_OPTIONS:MHTMLDOCS} >-. if defined(NOPORTDOCS) >+. if empty(PORT_OPTIONS:MDOCS) > IGNORE= you cannot build documentation while setting NOPORTDOCS > . endif > BUILD_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sphinx>0:${PORTSDIR}/textproc/py-sphinx >@@ -83,4 +79,4 @@ > ${CP} -R ${WRKSRC}/docs/_build/html ${DOCSDIR} > .endif > >-.include <bsd.port.post.mk> >+.include <bsd.port.mk> >Index: www/py-django13/distinfo >=================================================================== >--- www/py-django13/distinfo (revision 306338) >+++ www/py-django13/distinfo (working copy) 
>@@ -1,2 +1,2 @@ >-SHA256 (python/Django-1.3.3.tar.gz) = 8ef44cfd89dee0331018ec56a2ed27dc14ae8d65feb664c10e128b3437cbd46a >-SIZE (python/Django-1.3.3.tar.gz) = 6507280 >+SHA256 (python/Django-1.3.4.tar.gz) = 2626e6b216e1bdef887bd923f00d94d94b4d4e75fc2e336c6f156d842d10a607 >+SIZE (python/Django-1.3.4.tar.gz) = 6507771 >Index: www/py-django13/pkg-descr >=================================================================== >--- www/py-django13/pkg-descr (revision 306338) >+++ www/py-django13/pkg-descr (working copy) >@@ -7,4 +7,4 @@ > Web developers. It has convenient niceties for developing content-management > systems, but it's an excellent tool for building any Web site. > >-WWW: http://www.djangoproject.com/ >+WWW: http://www.djangoproject.com/ >Index: security/vuxml/vuln.xml >=================================================================== >--- security/vuxml/vuln.xml (revision 306338) >+++ security/vuxml/vuln.xml (working copy) 
>@@ -51,6 +51,69 @@ > > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> >+ <vuln vid="5f326d75-1db9-11e2-bc8f-d0df9acfd7e5"> >+ <topic>django -- multiple vulnerabilities</topic> >+ <affects> >+ <package> >+ <name>django</name> >+ <range><lt>1.4.2</lt></range> >+ </package> >+ <package> >+ <name>django13</name> >+ <range><lt>1.3.4</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>The Django Project reports:</p> >+ <blockquote cite="https://www.djangoproject.com/weblog/2012/oct/17/security/"> >+ <ol> >+ <li> >+ <p>Host header poisoning</p> >+ <p>Some parts of Django -- independent of end-user-written applications >+ -- make use of full URLs, including domain name, which are generated >+ from the HTTP Host header. Some attacks against this are beyond Django's >+ ability to control, and require the web server to be properly configured; >+ Django's documentation has for some time contained notes advising users >+ on such configuration.</p> >+ <p>Django's own built-in parsing of the Host header is, however, still >+ vulnerable, as was reported to us recently. The Host header parsing >+ in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host() >+ -- was incorrectly handling username/password information in the header. 
>+ Thus, for example, the following Host header would be accepted by Django when >+ running on "validsite.com":</p> >+ <p>Host: validsite.com:random@evilsite.com</p> >+ <p>Using this, an attacker can cause parts of Django -- particularly the >+ password-reset mechanism -- to generate and display arbitrary URLs to users.</p> >+ <p>To remedy this, the parsing in HttpRequest.get_host() is being modified; Host >+ headers which contain potentially dangerous content (such as username/password >+ pairs) now raise the exception django.core.exceptions.SuspiciousOperation.</p> >+ </li> >+ <li> >+ <p>Documentation of HttpOnly cookie option</p> >+ <p>As of Django 1.4, session cookies are always sent with the HttpOnly flag, which >+ provides some additional protection from cross-site scripting attacks by denying >+ client-side scripts access to the session cookie.</p> >+ <p>Though not directly a security issue in Django, it has been reported that the >+ Django 1.4 documentation incorrectly described this change, by claiming that this >+ was now the default for all cookies set by the HttpResponse.set_cookie() method.</p> >+ <p>The Django documentation has been updated to reflect that this only applies to the >+ session cookie. Users of Django are encouraged to review their use of set_cookie() >+ to ensure that the HttpOnly flag is being set or unset appropriately.</p> >+ </li> >+ </ol> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>https://www.djangoproject.com/weblog/2012/oct/17/security/</url> >+ </references> >+ <dates> >+ <discovery>2012-10-17</discovery> >+ <entry>2012-10-24</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="a7706414-1be7-11e2-9aad-902b343deec9"> > <topic>Wireshark -- Multiple Vulnerabilities</topic> > <affects>
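Review bot: in the HTMLDOCS hunk of both www/py-django/Makefile and www/py-django13/Makefile the condition becomes `. if empty(PORT_OPTIONS:MDOCS)` but the message on the next line still reads `IGNORE= you cannot build documentation while setting NOPORTDOCS`. NOPORTDOCS is no longer what is being tested; reword it to say the DOCS option must be enabled when HTMLDOCS is selected, so the user is told which knob to flip.

Review bot: the comment `# bypass infrastructure bug` above `OPTIONSFILE= ${PORT_DBDIR}/py-${PORTNAME}/options` (present in both Makefiles) does not say which bug it works around. Cite the PR or revision so the override can be removed once the infrastructure is fixed; as written, nobody can tell when it becomes dead code.

Review bot: the py-django13 Makefile keeps `MASTER_SITES= http://www.djangoproject.com/m/releases/${PORTVERSION:R}/` in the context lines while www/py-django already fetches from `https://www.djangoproject.com/...`. The distinfo SHA256 still guards integrity, but since this revision touches the header of both files anyway, switch 1.3 to https for consistency and to avoid a plaintext fetch path.

Review bot: the two pkg-descr hunks show `-WWW: http://www.djangoproject.com/` replaced by an identical `+WWW: http://www.djangoproject.com/`; the only possible difference is trailing whitespace. Either note that in the commit log or drop these hunks so the change set stays limited to the security update.

Review bot: for both distinfo hunks, confirm the new `SHA256 (python/Django-1.4.2.tar.gz)` and `SHA256 (python/Django-1.3.4.tar.gz)` values against the checksums published by the Django project rather than only against a local `make makesum`; a checksum regenerated from a tarball fetched over plain http (see the py-django13 MASTER_SITES line) only proves the file did not change after download.

Review bot: the pkg-plist hunk adds `django/utils/six.py` and its .pyc/.pyo for 1.4.2, but there is no plist change for www/py-django13 going from 1.3.3 to 1.3.4. State in the log that `make check-plist` was clean for the 1.3 port as well, so the reviewer does not have to assume it.

Review bot: in the vuln.xml hunk the affected packages are listed as `<name>django</name>` and `<name>django13</name>`, but the ports build Python-prefixed packages: the py-django13 Makefile context shows `LATEST_LINK= ${PYTHON_PKGNAMEPREFIX}django13`, and with `USE_PYTHON= -2.7` the installed name is py27-django / py27-django13 (py26- for older interpreters). VuXML matching is done on the installed package name, so check whether these entries ever match and list the prefixed names if they do not; run `make validate` in security/vuxml before committing.

The vuxml text above quotes the Django advisory on Host header parsing: a header such as `Host: validsite.com:random@evilsite.com` was accepted by `HttpRequest.get_host()`, so absolute URLs built from it (the password-reset e-mail being the obvious one) ended up pointing at the attacker's host. The following Python is an added illustration of that failure mode and of the check the fix describes; it is not Django's code and imports nothing from Django. `ALLOWED_HOSTS`, `naive_get_host`, `strict_get_host` and `password_reset_url` are names invented for the example, and `SuspiciousOperation` is a local stand-in for `django.core.exceptions.SuspiciousOperation`.

```python
"""Host header poisoning, as described in the Django advisory quoted above.

Added example, not Django's own implementation.  The naive parser mimics
the pre-1.4.2 / pre-1.3.4 behaviour (the header is trusted verbatim); the
strict parser rejects anything that is not host[:port] and enforces an
allow-list, which is what a hardened get_host() has to do.
"""
import re
from urllib.parse import urlsplit


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation."""


# Assumption for the example: the deployment only serves this hostname.
ALLOWED_HOSTS = {"validsite.com"}

# host[:port] only: a DNS name, an IPv4 literal, or a bracketed IPv6
# literal, optionally followed by a numeric port.  Anything else (userinfo,
# paths, spaces) fails to match.
_HOST_RE = re.compile(
    r"^(?P<host>\[[0-9a-fA-F:.]+\]|[A-Za-z0-9.\-]+)(?::(?P<port>[0-9]+))?$"
)


def naive_get_host(host_header):
    """Vulnerable behaviour: return the Host header as sent by the client."""
    return host_header


def strict_get_host(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Hardened behaviour: syntactic check plus allow-list, else raise."""
    m = _HOST_RE.match(host_header)
    if m is None:
        raise SuspiciousOperation("Invalid HTTP_HOST header: %r" % host_header)
    host = m.group("host").lower()
    if host not in allowed_hosts:
        raise SuspiciousOperation("Host not allowed: %r" % host)
    port = m.group("port")
    return host if port is None else "%s:%s" % (host, port)


def password_reset_url(get_host, host_header, token, scheme="http"):
    """Build the absolute URL a reset e-mail would carry, using get_host()."""
    return "%s://%s/reset/%s/" % (scheme, get_host(host_header), token)


def link_target(url):
    """Where a browser actually sends the click: the authority's host part.

    For 'http://validsite.com:random@evilsite.com/...' the authority is
    'validsite.com:random@evilsite.com'; 'validsite.com:random' is parsed
    as userinfo and the connection goes to evilsite.com.
    """
    return urlsplit(url).hostname


def is_rejected(host_header):
    """True if the strict parser refuses the header (used by the checks)."""
    try:
        strict_get_host(host_header)
    except SuspiciousOperation:
        return True
    return False


if __name__ == "__main__":
    evil = "validsite.com:random@evilsite.com"   # constructed attacker header
    url = password_reset_url(naive_get_host, evil, "tok")
    print("vulnerable URL:", url, "-> browser connects to", link_target(url))
    print("strict parser rejects it:", is_rejected(evil))
    print("strict parser accepts:", strict_get_host("VALIDSITE.com:8000"))
```

The allow-list is the part the advisory leaves to "the web server being properly configured": rejecting userinfo stops this particular spoof, but any host the proxy forwards would still be echoed into generated URLs without the membership check.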