drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Cross-Site Scripting in python-djblets
Name: |
Cross-Site Scripting in python-djblets |
|
ID: |
FEDORA-2014-7224 |
|
Distribution: |
Fedora |
|
Plattformen: |
Fedora 19 |
|
Datum: |
Mi, 18. Juni 2014, 07:08 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3994 |
|
Applikationen: |
Python Djblets |
|
Originalnachricht |
Name : python-djblets Product : Fedora 19 Version : 0.7.30 Release : 2.fc19 URL : http://www.review-board.org Summary : A collection of useful classes and functions for Django Description : A collection of useful classes and functions for Django
------------------------------------------------------------------------------- - Update Information:
Fixes two XSS vulnerabilities in Djblets (used by Review Board) ------------------------------------------------------------------------------- - ChangeLog:
* Sat Jun 7 2014 Stephen Gallagher <sgallagh@redhat.com> 0.7.30-2 - Drop upstreamed patch * Fri Jun 6 2014 Stephen Gallagher <sgallagh@redhat.com> 0.7.30-1 - New upstream security release 0.7.30 - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.30.NEWS * Wed Apr 9 2014 Stephen Gallagher <sgallagh@redhat.com> 0.7.29-1 - New upstream release 0.7.29 - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.29.NEWS * Fri Feb 21 2014 Stephen Gallagher <sgallagh@redhat.com> 0.7.28-2 - Generate requires.txt with values appropriate for Fedora * Thu Jan 2 2014 Stephen Gallagher <sgallagh@redhat.com> - 0.7.28-1 - New upstream release 0.7.28 - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.28.NEWS * djblets.auth: * Fixed HTTP 500 errors when failing to save the registration form * Thu Dec 12 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.7.27-1 - New upstream release 0.7.27 - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.25.NEWS * djblets.auth: * Added some human-readable labels for RegistrationForm. * RegistrationForm subclasses that make use of fields that normalize to non-strings no longer fail to save. * djblets.webapi: * Usernames with plus signs in them are now matched in the API. - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.26.NEWS * djblets.util.fields: * Fixed JSONField in the administration UI. * djblets.webapi: * Added support for web API authentication backends. - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.27.NEWS * Fixed a regression with the new webapi auth backend support * Wed Nov 27 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.7.24-1 - New upstream release 0.7.24 - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.24.NEWS * djblets.util.http: * Fixed ETag matching * Tue Nov 5 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.7.23-1 - New upstream release 0.7.23 - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.21.NEWS * djblets.webapi: * Added a has_list_access_permissions function, which is used to determine access to a list resource. - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.22.NEWS * djblets.extensions: * AJAX_SERIAL is updated when extensions are enabled/disabled or their configuration changes, allowing templates using AJAX_SERIAL as part of their cache to invalidate. * djblets.siteconfig: * Reduced query counts for installs using siteconfig. * djblets.webapi: * Reduced query counts when returning payloads for list resources with no entries. * Common attribute lookups on WebAPIResource are now cached. - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.23.NEWS * djblets.extensions: * Fix URL errors when configuring extensions with a custom SITE_ROOT. * djblets.util.fields: * JSONFields can now be safely edited through the administration UI, complete with validation. * jquery.gravy: * Fixed hiding the pencil icons on an inlineEditor when disabled. * Sun Oct 13 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 0.7.21-1 - New upstream bugfix release 0.7.21 - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.21.NEWS - Added a has_list_access_permissions function, which is used to determine access to a list resource. * Fri Oct 11 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.7.20-1 - New upstream bugfix release 0.7.20 - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.20.NEWS - Fixed regression with pagination on the datagrid * Thu Oct 10 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.7.19-1 - New upstream security release 0.7.19 - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.19.NEWS - Resolves: CVE-2013-4409 - Resolves unsanitized eval() vulnerability * Mon Sep 23 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.7.18-1 - New upstream security release 0.7.18 - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.18.NEWS - Web API resource lists are now more careful about access permissions. * Thu Aug 15 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.7.17-1 - New upstream release 0.7.17 - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.17.NEWS * Mon Jul 29 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.7.16-1 - New upstream release 0.7.16 - This release contains security fixes in the datagrid - JavaScript: * autoSizeTextArea now cleans up its hidden proxy elements when destroyed. * inlineEditor can be told not to focus a textarea by default by setting 'focusOnOpen' to false. * modalBox can place itself in an element other than <body> by setting the 'container' option to the element. * modalBox takes a 'boxID' option that, if specified, will set the ID of the modalBox element. * funcQueue now takes an optional context parameter for callback functions. - djblets.datagrid: * Data pulled from the database and rendered into cells are always escaped now. * Columns can now specify an image_class instead of an image_url. * Added a JavaScript reload() function that can be called on a datagrid element to trigger a dynamic reload from the server. - djblets.extensions: * Extensions can now specify their list of app directories. * Extensions can now specify the author's URL. * Improved the look and feel for extension configuration. * Improved the functionality for extension configuration. * Improved the list of available extensions. ------------------------------------------------------------------------------- - References:
[ 1 ] Bug #1106845 - CVE-2014-3994 python-djblets: XSS Vulnerability in Djblets json_dumps() https://bugzilla.redhat.com/show_bug.cgi?id=1106845 ------------------------------------------------------------------------------- -
This update can be installed with the "yum" update program. Use su -c 'yum update python-djblets' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys ------------------------------------------------------------------------------- - _______________________________________________ package-announce mailing list package-announce@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/package-announce
|
|
|
|