Login
Newsletter
Werbung

Sicherheit: Mehrere Probleme in python-djblets
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in python-djblets
ID: FEDORA-2013-18931
Distribution: Fedora
Plattformen: Fedora 19
Datum: Di, 29. Oktober 2013, 08:49
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4411
Applikationen: python-djblets

Originalnachricht

Name        : python-djblets
Product : Fedora 19
Version : 0.7.21
Release : 1.fc19
URL : http://www.review-board.org
Summary : A collection of useful classes and functions for Django
Description :
A collection of useful classes and functions for Django

-------------------------------------------------------------------------------
-
Update Information:

Review Board 1.6.19 and 1.7.15 fix a few issues in the API where users could
access certain data they should not have been able to access, if using the Local Sites feature, invite-only groups, or private repositories. It also fixes cases with invite-only groups where the group name and list of private review requests would show up on some pages (though the review requests themselves were not accessible).

These issues do not affect most of the installations out there, but we strongly
recommend upgrading anyway. There are no known cases of anyone exploiting these bugs, and in fact we discovered these internally while building new tools to test for security vulnerabilities in our codebase.

There are also some other bug fixes, and important changes needed for
extensions that provide their own REST APIs.
-------------------------------------------------------------------------------
-
ChangeLog:

* Sun Oct 13 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 0.7.21-1
- New upstream bugfix release 0.7.21
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.21.NEWS
- Added a has_list_access_permissions function, which is used to
determine access to a list resource.
* Fri Oct 11 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.7.20-1
- New upstream bugfix release 0.7.20
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.20.NEWS
- Fixed regression with pagination on the datagrid
* Thu Oct 10 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.7.19-1
- New upstream security release 0.7.19
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.19.NEWS
- Resolves: CVE-2013-4409
- Resolves unsanitized eval() vulnerability
* Mon Sep 23 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.7.18-1
- New upstream security release 0.7.18
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.18.NEWS
- Web API resource lists are now more careful about access permissions.
* Thu Aug 15 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.7.17-1
- New upstream release 0.7.17
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.17.NEWS
* Mon Jul 29 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.7.16-1
- New upstream release 0.7.16
- This release contains security fixes in the datagrid
- JavaScript:
* autoSizeTextArea now cleans up its hidden proxy elements when destroyed.
* inlineEditor can be told not to focus a textarea by default by setting
'focusOnOpen' to false.
* modalBox can place itself in an element other than <body> by
setting the
'container' option to the element.
* modalBox takes a 'boxID' option that, if specified, will set the
ID of
the modalBox element.
* funcQueue now takes an optional context parameter for callback functions.
- djblets.datagrid:
* Data pulled from the database and rendered into cells are always escaped
now.
* Columns can now specify an image_class instead of an image_url.
* Added a JavaScript reload() function that can be called on a datagrid
element to trigger a dynamic reload from the server.
- djblets.extensions:
* Extensions can now specify their list of app directories.
* Extensions can now specify the author's URL.
* Improved the look and feel for extension configuration.
* Improved the functionality for extension configuration.
* Improved the list of available extensions.
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #1016596 - CVE-2013-4410 ReviewBoard: access-control problems with
REST API
https://bugzilla.redhat.com/show_bug.cgi?id=1016596
[ 2 ] Bug #1016599 - CVE-2013-4411 ReviewBoard: URL processing allows
unauthorized users to view review lists
https://bugzilla.redhat.com/show_bug.cgi?id=1016599
[ 3 ] Bug #1016601 - CVE-2013-4409 python-djblets: unsanitized eval()
vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1016601
-------------------------------------------------------------------------------
-

This update can be installed with the "yum" update program. Use
su -c 'yum update python-djblets' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung