python-django: security and bugfix update

Python Django was updated to fix security issues and bugs.

Update to version 1.4.15 on openSUSE 12.3:
+ Prevented reverse() from generating URLs pointing to other hosts
to prevent phishing attacks (bnc#893087, CVE-2014-0480)
+ Removed O(n) algorithm when uploading duplicate file names
to fix file upload denial of service (bnc#893088, CVE-2014-0481)
+ Modified RemoteUserMiddleware to logout on REMOTE_USER change
to prevent session hijacking (bnc#893089, CVE-2014-0482)
+ Prevented data leakage in contrib.admin via query string manipulation
(bnc#893090, CVE-2014-0483)
+ Fixed: Caches may incorrectly be allowed to store and serve private data
(bnc#877993, CVE-2014-1418)
+ Fixed: Malformed redirect URLs from user input not correctly validated
(bnc#878641, CVE-2014-3730)
+ Fixed queries that may return unexpected results on MySQL
due to typecasting (bnc#874956, CVE-2014-0474)
+ Prevented leaking the CSRF token through caching
(bnc#874955, CVE-2014-0473)
+ Fixed a remote code execution vulnerability in URL reversing
(bnc#874950, CVE-2014-0472)

Update to version 1.5.10 on openSUSE 13.1:
+ Prevented reverse() from generating URLs pointing to other hosts
to prevent phishing attacks (bnc#893087, CVE-2014-0480)
+ Removed O(n) algorithm when uploading duplicate file names
to fix file upload denial of service (bnc#893088, CVE-2014-0481)
+ Modified RemoteUserMiddleware to logout on REMOTE_USER change
to prevent session hijacking (bnc#893089, CVE-2014-0482)
+ Prevented data leakage in contrib.admin via query string manipulation
(bnc#893090, CVE-2014-0483)

- Update to version 1.5.8:
+ Fixed: Caches may incorrectly be allowed to store and serve private data
(bnc#877993, CVE-2014-1418)
+ Fixed: Malformed redirect URLs from user input not correctly validated
(bnc#878641, CVE-2014-3730)
+ Fixed queries that may return unexpected results on MySQL
due to typecasting (bnc#874956, CVE-2014-0474)
+ Prevented leaking the CSRF token through caching
(bnc#874955, CVE-2014-0473)
+ Fixed a remote code execution vulnerability in URL reversing
(bnc#874950, CVE-2014-0472)

Fixed bugs
bnc#893088
VUL-0: CVE-2014-0481: python-django: file upload denial of service
bnc#893089
VUL-0: CVE-2014-0482: python-django: RemoteUserMiddleware session hijacking
bnc#874956
VUL-0: CVE-2014-0474: python-django: MySQL typecasting
bnc#878641
VUL-0: CVE-2014-3730: python-django: django.util.http.is_safe_url function
bnc#893090
VUL-0: CVE-2014-0483: python-django: data leakage via querystring manipulation in admin
bnc#874950
VUL-0: CVE-2014-0472: python-django: unexpected code execution using reverse()
bnc#877993
VUL-0: CVE-2014-1418: python-django: Insecure redirects and cache poisoning
bnc#893087
VUL-0: CVE-2014-0480: python-django: reverse() can generate URLs pointing to other hosts, leading to phishing attacks
bnc#874955
VUL-0: CVE-2014-0473: python-django: caching of anonymous pages could reveal CSRF token