[django/django] 4352a5: [1.6.x] Fixed a remote code execution vulnerabilty...

[GitHub]

  Branch: refs/heads/stable/1.6.x
  Home:   https://github.com/django/django
  Commit: 4352a50871e239ebcdf64eee6f0b88e714015c1b
      
https://github.com/django/django/commit/4352a50871e239ebcdf64eee6f0b88e714015c1b
  Author: Tim Graham <timogra...@gmail.com>
  Date:   2014-04-21 (Mon, 21 Apr 2014)

  Changed paths:
    M django/core/urlresolvers.py
    A tests/urlpatterns_reverse/nonimported_module.py
    M tests/urlpatterns_reverse/tests.py
    M tests/urlpatterns_reverse/urls.py
    M tests/urlpatterns_reverse/views.py

  Log Message:
  -----------
  [1.6.x] Fixed a remote code execution vulnerabilty in URL reversing.

Thanks Benjamin Bach for the report and initial patch.

This is a security fix; disclosure to follow shortly.

Backport of 8b93b31487d6d3b0fcbbd0498991ea0db9088054 from master


  Commit: d63e20942f3024f24cb8cd85a49461ba8a9b6736
      
https://github.com/django/django/commit/d63e20942f3024f24cb8cd85a49461ba8a9b6736
  Author: Aymeric Augustin <aymeric.augus...@m4x.org>
  Date:   2014-04-21 (Mon, 21 Apr 2014)

  Changed paths:
    M django/middleware/cache.py
    M tests/cache/tests.py

  Log Message:
  -----------
  [1.6.x] Prevented leaking the CSRF token through caching.

This is a security fix. Disclosure will follow shortly.

Backport of c083e3815aec23b99833da710eea574e6f2e8566 from master


  Commit: 5f0829a27e85d89ad8c433f5c6a7a7d17c9e9292
      
https://github.com/django/django/commit/5f0829a27e85d89ad8c433f5c6a7a7d17c9e9292
  Author: Erik Romijn <erom...@solidlinks.nl>
  Date:   2014-04-21 (Mon, 21 Apr 2014)

  Changed paths:
    M django/db/models/fields/__init__.py
    M docs/howto/custom-model-fields.txt
    M docs/ref/databases.txt
    M docs/ref/models/querysets.txt
    M docs/topics/db/sql.txt
    M tests/model_fields/tests.py

  Log Message:
  -----------
  [1.6.x] Fixed queries that may return unexpected results on MySQL due to 
typecasting.

This is a security fix. Disclosure will follow shortly.

Backport of 75c0d4ea3ae48970f788c482ee0bd6b29a7f1307 from master


  Commit: d63bfb14dd1a35672fff18cd41f386330e109f8e
      
https://github.com/django/django/commit/d63bfb14dd1a35672fff18cd41f386330e109f8e
  Author: Erik Romijn <erom...@solidlinks.nl>
  Date:   2014-04-21 (Mon, 21 Apr 2014)

  Changed paths:
    M docs/releases/1.4.11.txt
    M docs/releases/1.5.6.txt
    M docs/releases/1.6.3.txt

  Log Message:
  -----------
  [1.6.x] Added information on resolved security issues to release notes.

Backport of c07f3e60c2d455e36ba4ac339d4283d32bbc3814 from master


Compare: https://github.com/django/django/compare/25adac9b42e6...d63bfb14dd1a

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/53559c9a536c3_304cccfd4492182%40hookshot-fe1-cp1-prd.iad.github.net.mail.
For more options, visit https://groups.google.com/d/optout.