Christian Kampka: 1 main/django: security fix CVE-2015-8213 2 files changed, 82 insertions(+), 5 deletions(-)
Fixed a settings leak possibility in the date template filter.
---
 main/py-django/APKBUILD | 24 ++++++++++++---
 main/py-django/CVE-2015-8213.patch | 63 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+), 5 deletions(-)
 create mode 100644 main/py-django/CVE-2015-8213.patch
diff --git a/main/py-django/APKBUILD b/main/py-django/APKBUILD
index 222b1c8..b348f8f 100644
--- a/main/py-django/APKBUILD
+++ b/main/py-django/APKBUILD
@@ -3,7 +3,7 @@ pkgname=py-django
 _pkgname=Django
 pkgver=1.8.3
-pkgrel=0
+pkgrel=1
 pkgdesc="A high-level Python Web framework"
 url="http://djangoproject.com/"
 arch="noarch"
@@ -13,7 +13,18 @@ depends_dev=""
 makedepends="python-dev py-setuptools"
 install=""
 subpackages=""
-source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz"
+source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz
+ CVE-2015-8213.patch
+"
+
+prepare() {
+ cd "$srcdir"/Django-$pkgver
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
 _builddir="$srcdir"/$_pkgname-$pkgver
 build() {
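Review bot: `cd "$srcdir"/Django-$pkgver` in the new prepare() hard-codes the directory name that `_builddir="$srcdir"/$_pkgname-$pkgver` already derives a few lines below, and the cd's exit status is not checked, so if the tree is ever renamed the patch loop runs against whatever the current directory happens to be; `cd "$_builddir" || return 1` keeps the two definitions in step and aborts the build instead (abuild sources the whole file before calling prepare(), so `$_builddir` is defined by then). The patch application itself is done right: `patch -p1 -i "$srcdir"/$i || return 1` fails the build when the backport no longer applies, and listing CVE-2015-8213.patch in `source` means the checksum lines pin its exact contents. The unquoted `for i in $source` split relies on no source entry containing whitespace, which holds for the two entries here. The first hunk (pkgrel bump) needs no comment.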
@@ -26,6 +37,9 @@ package() {
 python setup.py install --root "$pkgdir" || return 1
 }
-md5sums="31760322115c3ae51fbd8ac85c9ac428 Django-1.8.3.tar.gz"
-sha256sums="2bb654fcc05fd53017c88caf2bc38b5c5ea23c91f8ac7f0a28b290daf2305bba Django-1.8.3.tar.gz"
-sha512sums="17943c4769bb11125ee23cee6e05ce120a769ff46b9b380219bb28a42d4119082c2041fbc826d59707cb9f2cd1dc19c94beb61ac644e8c4fa5ba3bd528efa06e Django-1.8.3.tar.gz"
+md5sums="31760322115c3ae51fbd8ac85c9ac428 Django-1.8.3.tar.gz
+782f8609cee5028ce7b16e7fc397a319 CVE-2015-8213.patch"
+sha256sums="2bb654fcc05fd53017c88caf2bc38b5c5ea23c91f8ac7f0a28b290daf2305bba Django-1.8.3.tar.gz
+02b1a2642dc252b06672af0becffbf6a6184f434132c5394cedf54730b0208c9 CVE-2015-8213.patch"
+sha512sums="17943c4769bb11125ee23cee6e05ce120a769ff46b9b380219bb28a42d4119082c2041fbc826d59707cb9f2cd1dc19c94beb61ac644e8c4fa5ba3bd528efa06e Django-1.8.3.tar.gz
+b5f32137c382c2c8240fe6a8d4f06a8ab37012bb5e0b82d6bb0df7ae9dd9f595c0e9bd15f23d360978f395b86eade859617279dfb91f5c303c8ccdd3accfeb06 CVE-2015-8213.patch"
diff --git a/main/py-django/CVE-2015-8213.patch b/main/py-django/CVE-2015-8213.patch
new file mode 100644
index 0000000..392e198
--- /dev/null
+++ b/main/py-django/CVE-2015-8213.patch
@@ -0,0 +1,63 @@
+From 316bc3fc9437c5960c24baceb93c73f1939711e4 Mon Sep 17 00:00:00 2001
+From: Florian Apolloner <florian@apolloner.eu>
+Date: Wed, 11 Nov 2015 20:10:55 +0100
+Subject: [PATCH] Fixed a settings leak possibility in the date template
+ filter.
+
+This is a security fix.
+---
+ django/utils/formats.py | 20 ++++++++++++++++++++
+ tests/i18n/tests.py | 3 +++
+ 4 files changed, 51 insertions(+), 2 deletions(-)
+
+diff --git a/django/utils/formats.py b/django/utils/formats.py
+index d2bdda4..8334682 100644
+--- a/django/utils/formats.py
++++ b/django/utils/formats.py
+@@ -30,6 +30,24 @@
+ }
+ 
+ 
++FORMAT_SETTINGS = frozenset([
++ 'DECIMAL_SEPARATOR',
++ 'THOUSAND_SEPARATOR',
++ 'NUMBER_GROUPING',
++ 'FIRST_DAY_OF_WEEK',
++ 'MONTH_DAY_FORMAT',
++ 'TIME_FORMAT',
++ 'DATE_FORMAT',
++ 'DATETIME_FORMAT',
++ 'SHORT_DATE_FORMAT',
++ 'SHORT_DATETIME_FORMAT',
++ 'YEAR_MONTH_FORMAT',
++ 'DATE_INPUT_FORMATS',
++ 'TIME_INPUT_FORMATS',
++ 'DATETIME_INPUT_FORMATS',
++])
++
++
+ def reset_format_cache():
+ """Clear any cached formats.
+ 
+@@ -92,6 +110,8 @@ def get_format(format_type, lang=None, use_l10n=None):
+ be localized (or not), overriding the value of settings.USE_L10N.
+ """
+ format_type = force_str(format_type)
++ if format_type not in FORMAT_SETTINGS:
++ return format_type
+ if use_l10n or (use_l10n is None and settings.USE_L10N):
+ if lang is None:
+ lang = get_language()
+diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
+index 1de7b11..fd332c5 100644
+--- a/tests/i18n/tests.py
++++ b/tests/i18n/tests.py
+@@ -1249,6 +1249,9 @@ def test_localized_as_text_as_hidden_input(self):
+ '<input id="id_cents_paid" name="cents_paid" type="hidden" value="59,47" />'
+ )
+ 
++ def test_format_arbitrary_settings(self):
++ self.assertEqual(get_format('DEBUG'), 'DEBUG')
++
+ 
+ class MiscTests(SimpleTestCase):
-- 
2.6.2
--- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
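Review bot: The diffstat embedded in the vendored patch, `4 files changed, 51 insertions(+), 2 deletions(-)`, does not match the two files it actually carries (20 and 3 insertions, no deletions), which suggests upstream commit 316bc3fc was trimmed — presumably of its release-notes changes — without regenerating the stat block; patch ignores that block, but anyone verifying the backport against upstream will be misled, so either regenerate the stat lines or add a line under `This is a security fix.` naming the files that were left out. The code change itself is the right shape for CVE-2015-8213: FORMAT_SETTINGS is a closed allow-list, and get_format() now returns the requested name unchanged for anything outside it, so a template-supplied format name no longer reaches the settings lookup the commit message refers to; test_format_arbitrary_settings pins that behaviour for the DEBUG case. Note that the patch also touches tests/i18n/tests.py, so it only applies cleanly if the pinned Django-1.8.3.tar.gz ships the tests/ tree — the `|| return 1` in prepare() will surface the failure rather than silently skipping that hunk.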
Christian Kampka <christian@kampka.net>: FYI, this is a patch against 3.2-stable. Christian Kampka <christian@kampka.net> schrieb am So., 29. Nov. 2015 um 10:22 Uhr: