[django/django] 546740: [1.7.x] Fixed a remote code execution vulnerabilty...

[GitHub]

  Branch: refs/heads/stable/1.7.x
  Home:   https://github.com/django/django
  Commit: 546740544d7f69254a67b06a3fc7fa0c43512958
      
https://github.com/django/django/commit/546740544d7f69254a67b06a3fc7fa0c43512958
  Author: Tim Graham <timogra...@gmail.com>
  Date:   2014-04-21 (Mon, 21 Apr 2014)

  Changed paths:
    M django/core/urlresolvers.py
    A tests/urlpatterns_reverse/nonimported_module.py
    M tests/urlpatterns_reverse/tests.py
    M tests/urlpatterns_reverse/urls.py
    M tests/urlpatterns_reverse/views.py

  Log Message:
  -----------
  [1.7.x] Fixed a remote code execution vulnerabilty in URL reversing.

Thanks Benjamin Bach for the report and initial patch.

This is a security fix; disclosure to follow shortly.

Backport of 8b93b31487d6d3b0fcbbd0498991ea0db9088054 from master


  Commit: 380545bf85cbf17fc698d136815b7691f8d023ca
      
https://github.com/django/django/commit/380545bf85cbf17fc698d136815b7691f8d023ca
  Author: Aymeric Augustin <aymeric.augus...@m4x.org>
  Date:   2014-04-21 (Mon, 21 Apr 2014)

  Changed paths:
    M django/middleware/cache.py
    M tests/cache/tests.py

  Log Message:
  -----------
  [1.7.x] Prevented leaking the CSRF token through caching.

This is a security fix. Disclosure will follow shortly.

Backport of c083e3815aec23b99833da710eea574e6f2e8566 from master


  Commit: 34526c2f56b863c2103655a0893ac801667e86ea
      
https://github.com/django/django/commit/34526c2f56b863c2103655a0893ac801667e86ea
  Author: Erik Romijn <erom...@solidlinks.nl>
  Date:   2014-04-21 (Mon, 21 Apr 2014)

  Changed paths:
    M django/db/models/fields/__init__.py
    M docs/howto/custom-model-fields.txt
    M docs/ref/databases.txt
    M docs/ref/models/querysets.txt
    M docs/topics/db/sql.txt
    M tests/model_fields/tests.py

  Log Message:
  -----------
  [1.7.x] Fixed queries that may return unexpected results on MySQL due to 
typecasting.

This is a security fix. Disclosure will follow shortly.

Backport of 75c0d4ea3ae48970f788c482ee0bd6b29a7f1307 from master


  Commit: 5577fd673e071fbfb0d140ea66b31983956ab174
      
https://github.com/django/django/commit/5577fd673e071fbfb0d140ea66b31983956ab174
  Author: Erik Romijn <erom...@solidlinks.nl>
  Date:   2014-04-21 (Mon, 21 Apr 2014)

  Changed paths:
    M docs/releases/1.4.11.txt
    M docs/releases/1.5.6.txt
    M docs/releases/1.6.3.txt

  Log Message:
  -----------
  [1.7.x] Added information on resolved security issues to release notes.

Backport of c07f3e60c2d455e36ba4ac339d4283d32bbc3814 from master


Compare: https://github.com/django/django/compare/0bd913a19cf0...5577fd673e07

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/53559cad772a5_78741095d34121881%40hookshot-fe2-cp1-prd.iad.github.net.mail.
For more options, visit https://groups.google.com/d/optout.