X-Original-To: alpine-aports@mail.alpinelinux.org
Delivered-To: alpine-aports@mail.alpinelinux.org
Received: from mail.alpinelinux.org (dallas-a1.alpinelinux.org [127.0.0.1]) by mail.alpinelinux.org (Postfix) with ESMTP id 4D5FDDCA334 for ; Sun, 29 Nov 2015 09:36:45 +0000 (UTC)
Received: from mail-wm0-f53.google.com (mail-wm0-f53.google.com [74.125.82.53]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id F1279DC146B for ; Sun, 29 Nov 2015 09:36:44 +0000 (UTC)
Received: by wmec201 with SMTP id c201so117353546wme.0 for ; Sun, 29 Nov 2015 01:36:43 -0800 (PST)
Received: from localhost
(pD95780D1.dip0.t-ipconnect.de. [217.87.128.209]) by smtp.gmail.com with ESMTPSA id w203sm15867684wmg.15.2015.11.29.01.36.42 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 29 Nov 2015 01:36:42 -0800 (PST) From: Christian Kampka To: alpine-aports@lists.alpinelinux.org Cc: Christian Kampka Subject: [alpine-aports] [PATCH] 3.1-stable/main/django1.5: security fix CVE-2015-8213 Date: Sun, 29 Nov 2015 10:36:39 +0100 Message-Id: <1448789799-2260-1-git-send-email-christian@kampka.net> X-Mailer: git-send-email 2.6.2 X-Virus-Scanned: ClamAV using ClamSMTP X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: Fixed a settings leak possibility in the date template filter. --- main/py-django1.5/APKBUILD | 25 +++++++++++++----- main/py-django1.5/CVE-2015-8213.patch | 49 +++++++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+), 6 deletions(-) create mode 100644 main/py-django1.5/CVE-2015-8213.patch diff --git a/main/py-django1.5/APKBUILD b/main/py-django1.5/APKBUILD index 98fa863..8026840 100644 --- a/main/py-django1.5/APKBUILD +++ b/main/py-django1.5/APKBUILD @@ -3,7 +3,7 @@ pkgname=py-django1.5 _pkgname=Django pkgver=1.5.10 -pkgrel=0 +pkgrel=1 pkgdesc="A high-level Python Web framework" url="http://djangoproject.com/" arch="noarch" @@ -13,7 +13,18 @@ depends_dev="" makedepends="python-dev py-setuptools" install="" subpackages="" -source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz" +source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz + CVE-2015-8213.patch + " + +prepare() { + cd "$srcdir"/Django-$pkgver + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done +} _builddir="$srcdir"/$_pkgname-$pkgver build() { 
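Review bot: the new prepare() hard-codes `cd "$srcdir"/Django-$pkgver` while the rest of this APKBUILD derives the same directory from `_builddir="$srcdir"/$_pkgname-$pkgver` and build()/package() use `cd "$_builddir"`; use `cd "$_builddir"` in prepare() as well so the path lives in one place. The `patch -p1 -i "$srcdir"/$i || return 1` loop is the right shape for abuild, since a reject aborts the build instead of silently shipping an unpatched Django. One thing to keep in mind in the same hunk: the tarball is still fetched over plain `http://pypi.python.org/...`, so the download's integrity rests entirely on the sha512sums entry; keep the checksum block in step with any change to pkgver or the URL. The pkgrel bump from 0 to 1 is correct for a patch-only rebuild.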
@@ -25,7 +36,9 @@ package() { cd "$_builddir" python setup.py install --root "$pkgdir" || return 1 } - -md5sums="b055361f04c0b8e862f8e8ffbb44e464 Django-1.5.10.tar.gz" -sha256sums="7cb4217e740f7d5d6d74617dbb9d960f9c09e8269c6762fe68c6e762219f4018 Django-1.5.10.tar.gz" -sha512sums="5357116870370f7fd06f77e5bfad98f89c6bb131eb2828ded524422d0690d8842c3106e4e92614c374ab2549d205e77c98e4071894f0625dfe69a382171b1834 Django-1.5.10.tar.gz" +md5sums="b055361f04c0b8e862f8e8ffbb44e464 Django-1.5.10.tar.gz +b8697fd93d0b76ae660314b45b65621a CVE-2015-8213.patch" +sha256sums="7cb4217e740f7d5d6d74617dbb9d960f9c09e8269c6762fe68c6e762219f4018 Django-1.5.10.tar.gz +0a7e614cc5efac9edaebaad06dce4ad45bf670ab24aceb168ee5c6735f8c8231 CVE-2015-8213.patch" +sha512sums="5357116870370f7fd06f77e5bfad98f89c6bb131eb2828ded524422d0690d8842c3106e4e92614c374ab2549d205e77c98e4071894f0625dfe69a382171b1834 Django-1.5.10.tar.gz +15598c2de79bcc1f2e0f48ef95ec294b38f9c11affad4cfd6401825daa6be4a4e5eef5af54bab05824b1155b6dd9203c5fde294dbb7ce83b847b0d2315251909 CVE-2015-8213.patch" diff --git a/main/py-django1.5/CVE-2015-8213.patch b/main/py-django1.5/CVE-2015-8213.patch new file mode 100644 index 0000000..54fe8c2 --- /dev/null +++ b/main/py-django1.5/CVE-2015-8213.patch 
@@ -0,0 +1,49 @@ +From 316bc3fc9437c5960c24baceb93c73f1939711e4 Mon Sep 17 00:00:00 2001 +From: Florian Apolloner +Date: Wed, 11 Nov 2015 20:10:55 +0100 +Subject: [PATCH] Fixed a settings leak possibility in the date template + filter. + +This is a security fix. +--- + django/utils/formats.py | 20 ++++++++++++++++++++ + 1 files changed, 20 insertions(+), 0 deletions(-) + +diff --git a/django/utils/formats.py b/django/utils/formats.py +index d2bdda4..8334682 100644 +--- a/django/utils/formats.py ++++ b/django/utils/formats.py +@@ -30,6 +30,24 @@ + } + + ++FORMAT_SETTINGS = frozenset([ ++ 'DECIMAL_SEPARATOR', ++ 'THOUSAND_SEPARATOR', ++ 'NUMBER_GROUPING', ++ 'FIRST_DAY_OF_WEEK', ++ 'MONTH_DAY_FORMAT', ++ 'TIME_FORMAT', ++ 'DATE_FORMAT', ++ 'DATETIME_FORMAT', ++ 'SHORT_DATE_FORMAT', ++ 'SHORT_DATETIME_FORMAT', ++ 'YEAR_MONTH_FORMAT', ++ 'DATE_INPUT_FORMATS', ++ 'TIME_INPUT_FORMATS', ++ 'DATETIME_INPUT_FORMATS', ++]) ++ ++ + def reset_format_cache(): + """Clear any cached formats. + +@@ -92,6 +110,8 @@ def get_format(format_type, lang=None, use_l10n=None): + be localized (or not), overriding the value of settings.USE_L10N. + """ + format_type = force_str(format_type) ++ if format_type not in FORMAT_SETTINGS: ++ return format_type + if use_l10n or (use_l10n is None and settings.USE_L10N): + if lang is None: + lang = get_language() -- 2.6.2 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
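Review bot: in the checksum hunk of the APKBUILD, md5sums is kept alongside sha256sums and sha512sums; MD5 adds no integrity guarantee beyond the SHA-512 entry and is one more list to keep in sync, so drop it if the 3.1-stable tooling no longer requires it. Listing `CVE-2015-8213.patch` in all three lists is correct, since the patch is applied from `$srcdir` by prepare() and abuild checks local sources against the same lists, which pins the exact fix that gets applied.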
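Review bot: the guard `if format_type not in FORMAT_SETTINGS: return format_type` sits before the `use_l10n` / `get_language()` branch, which is the right place: a caller-supplied name (for example the argument of the `date` template filter named in the commit subject) can no longer be resolved as an arbitrary settings attribute, and an unknown name is returned unchanged as a literal format string, so legitimate `date:"Y-m-d"` style arguments keep working. Two things to confirm before merging: the diffstat shows only `django/utils/formats.py`, so the backport carries no regression test for the filter with a settings name as its argument, and the upstream commit is dated 11 Nov 2015, well after the 1.5 series, so check that both hunks apply to Django-1.5.10 without rejects (prepare() will abort the build if they do not, which is the intended behaviour).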