|
|
Subscribe / Log in / New account

Mageia alert MGASA-2014-0462 (python-djblets)



From:
    	      Mageia Updates <buildsystem-daemon@mageia.org> 


To:
    	      updates-announce@ml.mageia.org 


Subject:
    	      [updates-announce] MGASA-2014-0462: Updated python-djblets packages fix security vulnerabilities 


Date:
    	      Fri, 21 Nov 2014 13:44:43 +0100


Message-ID:
    	      <20141121124443.333FA5D7A9@valstar.mageia.org>


MGASA-2014-0462 - Updated python-djblets packages fix security vulnerabilities

Publication date: 21 Nov 2014
URL: http://advisories.mageia.org/MGASA-2014-0462.html

Type: security
Affected Mageia releases: 4
CVE: CVE-2014-3994,
     CVE-2014-3995

Description:
Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py
in Djblets before 0.7.30 for Django, as used in Review Board, allows remote
attackers to inject arbitrary web script or HTML via a JSON object, as
demonstrated by the name field when changing a user name (CVE-2014-3994).

Cross-site scripting (XSS) vulnerability in
gravatars/templatetags/gravatars.py in Djblets before 0.7.30 Django allows
remote attackers to inject arbitrary web script or HTML via a user display
name (CVE-2014-3995).

References:
- https://bugs.mageia.org/show_bug.cgi?id=13504

- https://lists.fedoraproject.org/pipermail/package-announc...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3994

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3995


SRPMS:
- 4/core/python-djblets-0.7.30-1.1.mga4
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds