[Python-modules-team] Bug#859517: unblock: python-django/1.10.7-1
Chris Lamb
lamby at debian.org
Tue Apr 4 16:05:13 UTC 2017
Package: release.debian.org
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: python-modules-team at lists.alioth.debian.org
Dear release team,
Please consider unblocking python-django 1.10.7-1 for stretch. The
relevant debian/changelog entry is:
python-django (1:1.10.7-1) unstable; urgency=medium

  * New upstream security release:

    - CVE-2017-7233: Open redirect and possible XSS attack via user-supplied
      numeric redirect URLs.

      Django relies on user input in some cases (e.g.
      django.contrib.auth.views.login() and i18n) to redirect the user to an
      "on success" URL. The security check for these redirects (namely
      django.utils.http.is_safe_url()) considered some numeric URLs (e.g.
      http:999999999) "safe" when they shouldn't be.

      Also, if a developer relies on is_safe_url() to provide safe redirect
      targets and puts such a URL into a link, they could suffer from an XSS
      attack. (Closes: #859515)

    - CVE-2017-7234: Open redirect vulnerability in django.views.static.serve().

      A maliciously crafted URL to a Django site using the
      django.views.static.serve() view could redirect to any other domain. The
      view no longer does any redirects as they don't provide any known,
      useful functionality.

      Note, however, that this view has always carried a warning that it is
      not hardened for production use and should be used only as a development
      aid. Thanks Phithon Gong for reporting this issue. (Closes: #859516)
Debdiff attached.
Regards,
--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org / chris-lamb.co.uk
       `-
Name: django_107_debdiff.diff.txt
URL: <http://lists.alioth.debian.org/pipermail/python-modules-team/attachments/20170404/1b9908af/attachment-0001.txt>
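The CVE-2017-7233 entry above says is_safe_url() treated numeric targets such as http:999999999 as safe. The following is an added example, not code from Django or from this Debian package: it shows why a redirect check that only compares the parsed netloc with the site's host passes such a target, and the extra rule a hardened check needs; it also covers the related "scheme but no host" form http:///other.example. Host names and redirect targets are constructed.

```python
# Added example, not code from Django or from this Debian package: shows why a
# redirect check that only compares the parsed netloc with the site's host
# accepts "http:999999999" (CVE-2017-7233), and the extra rule that closes
# the gap. Host names and redirect targets below are constructed.
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def naive_is_safe_url(url, host):
    """Check of the kind the advisory describes as insufficient."""
    if not url:
        return False
    info = urlparse(url)
    if info.netloc and info.netloc != host:
        return False
    return not info.scheme or info.scheme in ALLOWED_SCHEMES


def hardened_is_safe_url(url, host):
    """Same check plus a rule for 'scheme but no host' targets: urlparse gives
    scheme='http', netloc='', path='999999999' for http:999999999, so the netloc
    test passes, while a browser resolves it as http://999999999/ (an IPv4
    address written as one integer), i.e. a remote host."""
    if not url:
        return False
    info = urlparse(url)
    if info.netloc and info.netloc != host:
        return False
    # A scheme without a netloc (http:999999999, http:///other.example) can
    # never be a same-site path.
    if info.scheme and not info.netloc:
        return False
    # Pre-3.9 urlparse treats "https:999999999" as a path with a port and finds
    # no scheme; browsers still read a colon before the first slash as a scheme.
    if not info.scheme and ":" in url.split("/")[0]:
        return False
    return not info.scheme or info.scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed ?next= values as a login view might receive them.
    samples = ["/accounts/profile/", "https://example.com/home/",
               "http:999999999", "http:///other.example", "https://other.example/"]
    for url in samples:
        print(f"{url!r:28} naive={naive_is_safe_url(url, 'example.com')!s:5} "
              f"hardened={hardened_is_safe_url(url, 'example.com')}")
```

Running the module prints one line per target; the numeric and host-less targets are the ones where the two verdicts differ.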