<define-tag description>multiple vulnerabilities</define-tag>
<define-tag moreinfo>
<p>Several vulnerabilities were discovered in the Django web development framework:</p>

<ul>

<li><a href="http://security-tracker.debian.org/tracker/CVE-2011-0696">CVE-2011-0696</a>

<p>For several reasons, the internal CSRF protection did not validate AJAX requests in the past. However, it was discovered that this exception can be exploited with a combination of browser plugins and redirects, and so it is not sufficient.</p></li>

<li><a href="http://security-tracker.debian.org/tracker/CVE-2011-0697">CVE-2011-0697</a>

<p>It was discovered that the file upload form is prone to cross-site scripting attacks via the file name.</p></li>

</ul>

<p>It is important to note that this update introduces minor backward incompatibilities due to the fixes for the above issues. For the exact details, please see: <url http://docs.djangoproject.com/en/1.2/releases/1.2.5/> and in particular the <q>Backwards incompatible changes</q> section.</p>

<p>Packages in the oldstable distribution (lenny) are not affected by these problems.</p>

<p>For the stable distribution (squeeze), these problems have been fixed in version 1.2.3-3+squeeze1.</p>

<p>For the testing distribution (wheezy), these problems will be fixed soon.</p>

<p>For the unstable distribution (sid), these problems have been fixed in version 1.2.5-1.</p>

<p>We recommend that you upgrade your python-django packages.</p>
</define-tag>
# do not modify the following line
#include "$(ENGLISHDIR)/security/2011/dsa-2163.data"
# $Id: dsa-2163.wml,v 1.2 2011-02-14 21:40:51 taffit-guest Exp $
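The backward incompatibility the advisory refers to is that, once the AJAX exemption from CVE-2011-0696 is removed, state-changing XMLHttpRequests are CSRF-checked like any other request and must carry the token themselves. The following is an added example, not code from Django or from this advisory; it assumes Django's default cookie name `csrftoken` and header name `X-CSRFToken`, and an `xhr` object that exposes `setRequestHeader` like a browser XMLHttpRequest.

```javascript
// Added example (not from the advisory or the Django project): attach the CSRF
// token from the "csrftoken" cookie to unsafe AJAX requests in the X-CSRFToken
// header, as required once AJAX requests are no longer exempt from the check.
// Cookie/header names are Django's defaults (assumption); the xhr argument is
// assumed to expose setRequestHeader(name, value) like a browser XMLHttpRequest.

const CSRF_COOKIE_NAME = "csrftoken";
const CSRF_HEADER_NAME = "X-CSRFToken";
// Methods treated as safe (no CSRF check); everything else is checked.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse a document.cookie style string ("a=1; csrftoken=abc") and return the
// named cookie's decoded value, or null when it is absent.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Decide whether the request needs the token and attach it. Returns the header
// object that was applied so callers can inspect the decision.
function attachCsrfToken(xhr, method, cookieString) {
  if (SAFE_METHODS.has(method.toUpperCase())) return {};
  const token = getCookie(cookieString, CSRF_COOKIE_NAME);
  if (token === null) {
    // Without the cookie the server answers 403; fail loudly on the client.
    throw new Error("missing " + CSRF_COOKIE_NAME + " cookie; request would be rejected");
  }
  xhr.setRequestHeader(CSRF_HEADER_NAME, token);
  return { [CSRF_HEADER_NAME]: token };
}

// Constructed usage: a stub stands in for the browser's XMLHttpRequest.
const stubXhr = { headers: {}, setRequestHeader(k, v) { this.headers[k] = v; } };
attachCsrfToken(stubXhr, "POST", "sessionid=s1; csrftoken=abc123");
console.log(stubXhr.headers); // { 'X-CSRFToken': 'abc123' }
```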