Security update for python-django
python Django was updated to fix a remote denial of service (resource exhaustion) possibility
in the auth views module. (bsc#941587, CVE-2015-5963)
Also is_safe_url() was made to reject URLs that start with control characters
to mitigate possible XSS attack via user-supplied redirect URLs
(bnc#923176, CVE-2015-2317)
- Method check_for_test_cookie is deprecated, bnc#914706
- Update to version 1.5.12 with various security fixes:
+ Fixed a regression with dynamically generated inlines and allowed field
references in the admin
+ Allowed related many-to-many fields to be referenced in the admin
+ Allowed inline and hidden references to admin fields
-
Submitted by
Bernhard Wiedemann (bmwiedemann)
Fixed bugs
bnc#914706
horizon dashboard: first login always fails
bnc#923176
VUL-1: CVE-2015-2317: python-django,python-Django: Django: possible XSS attack via user-supplied redirect URLs
bnc#941587
VUL-0: CVE-2015-5963,CVE-2015-5964: python-django,python-Django: DoS by filling session store via logout()
bnc#913054
VUL-1: CVE-2015-0220: python-django: Mitigated possible XSS attack via user-supplied redirect URLs
bnc#913055
VUL-1: CVE-2015-0222: python-django: database denial of service with ModelMultipleChoiceField
bnc#913053
VUL-1: CVE-2015-0219: python-django: WSGI header spoofing via underscore/dash conflation
bnc#913056
VUL-1: CVE-2015-0221: python-django: denial of service attack against django.views.static.serve
