LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Fedora alert FEDORA-2012-11668 (python-djblets)



From:
    	      updates@fedoraproject.org 


To:
    	      package-announce@lists.fedoraproject.org 


Subject:
    	      [SECURITY] Fedora 17 Update: python-djblets-0.7.1-3.fc17 


Date:
    	      Sat, 18 Aug 2012 01:26:15 +0000


Message-ID:
    	      <20120818012615.42229211C0@bastion01.phx2.fedoraproject.org>


Archive-link:
    	      Article, Thread
              


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-11668
2012-08-09 22:17:53
--------------------------------------------------------------------------------

Name        : python-djblets
Product     : Fedora 17
Version     : 0.7.1
Release     : 3.fc17
URL         : http://www.review-board.org
Summary     : A collection of useful classes and functions for Django
Description :
A collection of useful classes and functions for Django

--------------------------------------------------------------------------------
Update Information:

Previous version of python-djblets contained embedded / own copy of python-feedparser
(BUILD/Djblets-0.6.22/djblets/feedview feedparser.py) code, which is vulnerable to numerous
security flaws (CVE-2009-5065, CVE-2011-1156, CVE-2011-1157, and CVE-2011-1158 to mention some of
them).

This package modifies Djblets to use the system copy of feedparser.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Aug  8 2012 Stephen Gallagher <sgallagh@redhat.com> - 0.7.1-3
- Use the system feedparser.py
- Resolves: rhbz#846759 - Current version of python-djblets in Fedora 17
  contains embeded copy of python-feedparser, vulnerable to CVE-2009-5065,
  CVE-2011-1156, CVE-2011-1157, and CVE-2011-1158
* Fri Aug  3 2012 Stephen Gallagher <sgallagh@redhat.com> - 0.7.1-1
- New upstream release 0.7.1
- Support for ReviewBoard 1.7beta1
- General:
-     Djblets now requires Django 1.4.1+
-     Added localized timezone awareness
-     Djblets now uses Django's standard static media support
- djblets.datagrid:
-     DateTimeColumn and DateTimeSinceColumn are now timezone-aware
- djblets.extensions:
-     Added a framework for supporting loadable, configurable extensions in
      Django-based sites
- djblets.util:
-     ModificationTimestampField, http_date, and the the ageid filter have
      been made timezone-aware
* Tue Jul 31 2012 Stephen Gallagher <sgallagh@redhat.com> - 0.6.22-1
- New upstream releae 0.6.22
- Fixes to support Review Board 1.6.11
- djblets.datagrid:
-     Improved performance of the datagrids
- djblets.util:
-     The ifuserorperm template tag now accepts both IDs and User
      objects, allowing comparisons to be made without fetching the
      User
-     Fixed a bug with ifuserorperm and non-int IDs
-     User and AnonymousUser are no longer imported globally in
      the djblets_utils templatetags. This fixes some breakages in
      apps that imported this file to get access to filters, but weren't
      running in a Django settings environment
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6.19-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Tue Jun 12 2012 Stephen Gallagher <sgallagh@redhat.com> - 0.6.19-1
- New upstream release 0.6.19
- JavaScript:
-     inlineEditor no longer bubbles keypress events up
* Tue Jun  5 2012 Stephen Gallagher <sgallagh@redhat.com> - 0.6.18-1
- New upstream release 0.6.18
- djblets.siteconfig:
-     Settings form rows in the template now have IDs indicating the row and
      CSS class names
-     Help text for fields are now marked as safe, so that the contents
      aren't escaped
-     The form's disabled_reasons is no longer assumed to be populated
-     The initial field values are now always set
- djblets.util:
-     Added a json_dumps filter, which serialized a value to JSON
* Wed Apr 25 2012 Stephen Gallagher <sgallagh@redhat.com> - 0.6.17-2
- Fix Django requirement for F18+
- Guarantee rebuild of egg-info
* Wed Apr 25 2012 Stephen Gallagher <sgallagh@redhat.com> - 0.6.17-1
- New upstream release 0.6.17
- djblets.gravatars:
-     Gravatars are no longer hard-coded to be jpegs. This was breaking some
      gravatars.
- JavaScript:
-     inlineEditor now has a showRequiredFlag option for indicating if a field
      is required.
-     inlineEditor now indicates when its dirty state changes
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #846759 - Current version of python-djblets in Fedora-17 contains embeded copy of
python-feedparser, vulnerable to CVE-2009-5065, CVE-2011-1156, CVE-2011-1157, and CVE-2011-1158
        https://bugzilla.redhat.com/show_bug.cgi?id=846759
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update python-djblets' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds