[Python-modules-team] python-django 1.6.5-1~bpo70+1
Uwe Kleine-König
u.kleine-koenig at pengutronix.de
Mon May 26 21:20:53 UTC 2014
Hello,
I noticed today that the version of python-django in wheezy-backports is
quite old. It's at 1.5.2-1~bpo70+1, while upstream is at 1.5.8 in the
1.5 series and jessie already has 1.6.5-1.
There are at least 5 security-relevant fixes in 1.5.8 since 1.5.2
(according to https://docs.djangoproject.com/en/1.5/releases/security/,
1.5.2 was released in August 2013 and contains fixes for the two XSS
issues. So the later problems still exist.)
Just taking the python-django source from jessie, putting a backport
changelog entry in place, including the old one and building it in a
wheezy chroot works fine for me. (That's exactly how 1.5.2-1~bpo70+1
was created.)
I uploaded my test build to mentors. Up to now it seems unhandled, but I
expect it to appear under
https://mentors.debian.net/package/python-django. (I'm not sure that
using an NMU version is correct, but otherwise I would have had to adapt
debian/control, too. Please advise.) I cannot promise that I can handle
further updates to follow jessie quickly. If backporting stays that
simple though, I should be able to take no more than half a year for
an update (that's the age of DSA-2755-1, which is still open for
1.5.2-1~bpo70+1).
I wouldn't be ill-tempered if someone else were faster than me
though. So picking an NMU version feels good here ;-)
Also a security announcement would be in order, corresponding to the
following CVEs / DSAs:
CVE-2013-4315 / DSA-2755-1
CVE-2013-1443 / DSA-2758-1
CVE-2014-0472 + CVE-2014-0473 + CVE-2014-0474 + CVE-2014-1418 + CVE-2014-3730 / DSA-2934-1
How can we proceed from here?
Best regards
Uwe
--
Pengutronix e.K. | Uwe Kleine-König
Industrial Linux Solutions | http://www.pengutronix.de/
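The backport procedure the mail describes (take the jessie source, put a backport changelog entry on top of the existing one, build in a wheezy chroot) as an added shell example; this is not code from the mail or from the Debian python-django package. The maintainer name and e-mail in the stanza are placeholders, the actual fetch and build steps only run when DO_BUILD=1 is set and assume an sbuild chroot for wheezy-backports already exists, and the ordering check uses dpkg when it is installed. The point worth checking is the version string itself: the tilde in 1.6.5-1~bpo70+1 makes it sort below 1.6.5-1, so a machine later upgraded to jessie picks up the real jessie package instead of staying on the backport.

```shell
#!/bin/sh
# Added example (not from the mail or the Debian python-django package):
# derive the wheezy-backports version and changelog stanza from the jessie
# version 1.6.5-1 and check that it sorts below the jessie version.
# Maintainer name and e-mail below are placeholders.

# Backport version: <jessie version>~bpo70+<n>. In Debian version ordering
# "~" sorts lower than the empty string, so 1.6.5-1~bpo70+1 < 1.6.5-1.
bpo_version() {
    jessie_version=$1
    revision=${2:-1}
    printf '%s~bpo70+%s\n' "$jessie_version" "$revision"
}

# Emit the stanza that goes on top of the jessie debian/changelog.
# $1 = jessie version, $2 = backport revision, $3 = RFC 2822 date (default: now).
changelog_stanza() {
    version=$(bpo_version "$1" "$2")
    stamp=${3:-$(date -R)}
    printf '%s\n' "python-django ($version) wheezy-backports; urgency=medium" \
        '' \
        '  * Rebuild for wheezy-backports.' \
        '' \
        " -- Backporter Name <backporter@example.org>  $stamp"
}

# Returns 0 when the backport version sorts below the jessie version,
# 2 when dpkg (the authoritative comparison) is not available.
bpo_sorts_lower() {
    command -v dpkg >/dev/null 2>&1 || return 2
    dpkg --compare-versions "$(bpo_version "$1")" lt "$1"
}

# The actual fetch/build steps; only run with DO_BUILD=1 on a machine that
# has the jessie source entry in apt and an sbuild chroot for wheezy-backports.
if [ "${DO_BUILD:-0}" = 1 ]; then
    apt-get source python-django/jessie
    cd python-django-1.6.5 || exit 1
    stanza=$(changelog_stanza 1.6.5-1 1)
    # Keep the old changelog below the new stanza, as the mail describes.
    { printf '%s\n\n' "$stanza"; cat debian/changelog; } > debian/changelog.new
    mv debian/changelog.new debian/changelog
    sbuild -d wheezy-backports
fi
```

Running `bpo_sorts_lower 1.6.5-1` on a Debian host returns 0; if you ever see it fail, the version suffix is wrong and users of the backport would never be upgraded to the jessie package.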