Branch: refs/heads/stable/1.5.x
  Home:   https://github.com/django/django
  Commit: 2a5bcb69f42b84464b24b5c835dca6467b6aa7f1
      
https://github.com/django/django/commit/2a5bcb69f42b84464b24b5c835dca6467b6aa7f1
  Author: Tim Graham <timogra...@gmail.com>
  Date:   2014-04-21 (Mon, 21 Apr 2014)

  Changed paths:
    M django/core/urlresolvers.py
    A tests/regressiontests/urlpatterns_reverse/nonimported_module.py
    M tests/regressiontests/urlpatterns_reverse/tests.py
    M tests/regressiontests/urlpatterns_reverse/urls.py
    M tests/regressiontests/urlpatterns_reverse/views.py

  Log Message:
  -----------
  [1.5.x] Fixed a remote code execution vulnerability in URL reversing.

Thanks Benjamin Bach for the report and initial patch.

This is a security fix; disclosure to follow shortly.

Backport of 8b93b31487d6d3b0fcbbd0498991ea0db9088054 from master


  Commit: 6872f42757d7ef6a97e0b6ec5db4d2615d8a2bd8
      
https://github.com/django/django/commit/6872f42757d7ef6a97e0b6ec5db4d2615d8a2bd8
  Author: Aymeric Augustin <aymeric.augus...@m4x.org>
  Date:   2014-04-21 (Mon, 21 Apr 2014)

  Changed paths:
    M django/middleware/cache.py
    M tests/regressiontests/cache/tests.py

  Log Message:
  -----------
  [1.5.x] Prevented leaking the CSRF token through caching.

This is a security fix. Disclosure will follow shortly.

Backport of c083e3815aec23b99833da710eea574e6f2e8566 from master


  Commit: 985434fb1d6bf2335bf96c6ebf91c3674f1f399f
      
https://github.com/django/django/commit/985434fb1d6bf2335bf96c6ebf91c3674f1f399f
  Author: Erik Romijn <erom...@solidlinks.nl>
  Date:   2014-04-21 (Mon, 21 Apr 2014)

  Changed paths:
    M django/db/models/fields/__init__.py
    M docs/howto/custom-model-fields.txt
    M docs/ref/databases.txt
    M docs/ref/models/querysets.txt
    M docs/topics/db/sql.txt
    M tests/regressiontests/model_fields/tests.py

  Log Message:
  -----------
  [1.5.x] Fixed queries that may return unexpected results on MySQL due to typecasting.

This is a security fix. Disclosure will follow shortly.

Backport of 75c0d4ea3ae48970f788c482ee0bd6b29a7f1307 from master


  Commit: cebfbcdb862c7800e84d7413afc80de992486c4a
      
https://github.com/django/django/commit/cebfbcdb862c7800e84d7413afc80de992486c4a
  Author: Erik Romijn <erom...@solidlinks.nl>
  Date:   2014-04-21 (Mon, 21 Apr 2014)

  Changed paths:
    M docs/releases/1.4.11.txt
    M docs/releases/1.5.6.txt

  Log Message:
  -----------
  [1.5.x] Added information on resolved security issues to release notes.

Backport of c07f3e60c2d455e36ba4ac339d4283d32bbc3814 from master


Compare: https://github.com/django/django/compare/d6c685cc78d6...cebfbcdb862c
