From: Christian Kampka
To: alpine-aports@lists.alpinelinux.org
Cc: Christian Kampka
Subject: [alpine-aports] [PATCH] 3.1-stable/main/django: security fix CVE-2015-8213
Date: Sun, 29 Nov 2015 10:36:04 +0100
Message-Id: <1448789764-1921-1-git-send-email-christian@kampka.net>
X-Mailer: git-send-email 2.6.2
X-Mailinglist: alpine-aports
List-Id: Alpine Development

Fixed a settings leak possibility in the date template filter. --- main/py-django/APKBUILD | 25 ++++++++++++--- main/py-django/CVE-2015-8213.patch | 63 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 83 insertions(+), 5 deletions(-) create mode 100644 main/py-django/CVE-2015-8213.patch diff --git a/main/py-django/APKBUILD b/main/py-django/APKBUILD index 74dd243..6c77db4 100644 --- a/main/py-django/APKBUILD +++ b/main/py-django/APKBUILD @@ -3,7 +3,7 @@ pkgname=py-django _pkgname=Django pkgver=1.7.9 -pkgrel=0 +pkgrel=1 pkgdesc="A high-level Python Web framework" url="http://djangoproject.com/" arch="noarch" @@ -13,7 +13,19 @@ depends_dev="" makedepends="python-dev py-setuptools" install="" subpackages="" -source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz" +source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz + CVE-2015-8213.patch +" + +prepare() { + cd "$srcdir"/Django-$pkgver + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done +} + _builddir="$srcdir"/$_pkgname-$pkgver build() { 
@@ -26,6 +38,9 @@ package() { python setup.py install --root "$pkgdir" || return 1 } -md5sums="6ea69f3ebb73755bd2a4c9e3743f17c8 Django-1.7.9.tar.gz" -sha256sums="4f3f9fe4e5d20ff8ed6a90b5d2f2df2d8fc054e478cdcc3db81c6b29bd217860 Django-1.7.9.tar.gz" -sha512sums="349f6950ec7cb37c8ae44a5fc9b924ef0d02e244c834a65bbdbe84d8a993474c6e94f82ac0df5bd08594c8cc6f72bf9413b7b30091319dbb5c018f211d3e9e67 Django-1.7.9.tar.gz" +md5sums="6ea69f3ebb73755bd2a4c9e3743f17c8 Django-1.7.9.tar.gz +ad2a4a3fa3694e11293085600d787093 CVE-2015-8213.patch" +sha256sums="4f3f9fe4e5d20ff8ed6a90b5d2f2df2d8fc054e478cdcc3db81c6b29bd217860 Django-1.7.9.tar.gz +fe5e611b6b958eee50af2594588feb6c3e442d7b736c9bb87b47f78b588585aa CVE-2015-8213.patch" +sha512sums="349f6950ec7cb37c8ae44a5fc9b924ef0d02e244c834a65bbdbe84d8a993474c6e94f82ac0df5bd08594c8cc6f72bf9413b7b30091319dbb5c018f211d3e9e67 Django-1.7.9.tar.gz +1c4e77e05492eff7dead5141e81bbfd049334d05e643a34d2e662df492bc38bce2e7ec55e3032193821f3ba9267809bc3d25f77c0ec8ee0b3ee20e046694a3a2 CVE-2015-8213.patch" diff --git a/main/py-django/CVE-2015-8213.patch b/main/py-django/CVE-2015-8213.patch new file mode 100644 index 0000000..45796c4 --- /dev/null +++ b/main/py-django/CVE-2015-8213.patch 
@@ -0,0 +1,63 @@ +From 316bc3fc9437c5960c24baceb93c73f1939711e4 Mon Sep 17 00:00:00 2001 +From: Florian Apolloner +Date: Wed, 11 Nov 2015 20:10:55 +0100 +Subject: [PATCH] Fixed a settings leak possibility in the date template + filter. + +This is a security fix. +--- + django/utils/formats.py | 20 ++++++++++++++++++++ + tests/i18n/tests.py | 3 +++ + 2 files changed, 23 insertions(+), 0 deletions(-) + +diff --git a/django/utils/formats.py b/django/utils/formats.py +index d2bdda4..8334682 100644 +--- a/django/utils/formats.py ++++ b/django/utils/formats.py +@@ -30,6 +30,24 @@ + } + + ++FORMAT_SETTINGS = frozenset([ ++ 'DECIMAL_SEPARATOR', ++ 'THOUSAND_SEPARATOR', ++ 'NUMBER_GROUPING', ++ 'FIRST_DAY_OF_WEEK', ++ 'MONTH_DAY_FORMAT', ++ 'TIME_FORMAT', ++ 'DATE_FORMAT', ++ 'DATETIME_FORMAT', ++ 'SHORT_DATE_FORMAT', ++ 'SHORT_DATETIME_FORMAT', ++ 'YEAR_MONTH_FORMAT', ++ 'DATE_INPUT_FORMATS', ++ 'TIME_INPUT_FORMATS', ++ 'DATETIME_INPUT_FORMATS', ++]) ++ ++ + def reset_format_cache(): + """Clear any cached formats. + +@@ -92,6 +110,8 @@ def get_format(format_type, lang=None, use_l10n=None): + be localized (or not), overriding the value of settings.USE_L10N. + """ + format_type = force_str(format_type) ++ if format_type not in FORMAT_SETTINGS: ++ return format_type + if use_l10n or (use_l10n is None and settings.USE_L10N): + if lang is None: + lang = get_language() +diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py +index 1de7b11..fd332c5 100644 +--- a/tests/i18n/tests.py ++++ b/tests/i18n/tests.py +@@ -1249,6 +1249,9 @@ def test_localized_as_text_as_hidden_input(self): + '' + ) + ++ def test_format_arbitrary_settings(self): ++ self.assertEqual(get_format('DEBUG'), 'DEBUG') ++ + + class MiscTests(SimpleTestCase): -- 2.6.2
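Review bot: in the APKBUILD hunk @@ -13,7 +13,19 @@, the new prepare() hard-codes `cd "$srcdir"/Django-$pkgver` although `_builddir="$srcdir"/$_pkgname-$pkgver` is defined right below it and the rest of the file already derives the directory from $_pkgname; use `cd "$_builddir"` so the tarball's directory name is spelled in one place. The patch loop with `patch -p1 -i "$srcdir"/$i || return 1` is the usual aports idiom and correctly fails the build if the backport stops applying. Since this is a security bump, consider fetching the sdist over https:// instead of the plain http:// URL kept in source=; the sha512sum still guards integrity, but the download itself would no longer be readable on the network path.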
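Review bot: in the formats.py hunk @@ -30,6 +30,24 @@, FORMAT_SETTINGS is a hand-maintained allow-list with no comment saying so; a format setting added to Django later and not listed here will make get_format() hand back the setting's name instead of its value, a silent functional regression. Add a one-line comment above the frozenset stating that it must be kept in sync with the format-related settings and why it exists (get_format() is reachable with caller-chosen names through the date template filter). The allow-list is the right shape for the fix: refusing every name that is not a known format setting closes the leak for all settings at once, instead of relying on a deny-list of sensitive names.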
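Review bot: in the get_format() hunk @@ -92,6 +110,8 @@, the docstring immediately above the new check still describes only the localization lookup and says nothing about unknown names being returned unchanged; add a sentence documenting that behaviour, since callers such as the date filter now depend on it. The placement is right: the guard runs after force_str() and before the use_l10n branch, so no lookup further down in the function is reached with a name outside FORMAT_SETTINGS.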
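Review bot: in the tests hunk @@ -1249,6 +1249,9 @@, test_format_arbitrary_settings checks only the negative case (get_format('DEBUG') echoes 'DEBUG'); add a positive assertion in the same test that a listed name, e.g. get_format('DATE_FORMAT'), still returns a format value rather than the literal string 'DATE_FORMAT'. Without it, an over-broad guard (a typo in FORMAT_SETTINGS, for instance) would pass this test while breaking date formatting everywhere.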