Bug 835830 (CVE-2013-4249) - VUL-1: CVE-2013-4249: python-django: multiple XSS vulnerabilities
Summary: VUL-1: CVE-2013-4249: python-django: multiple XSS vulnerabilities
Status: RESOLVED FIXED
Duplicates: 843847
Alias: CVE-2013-4249
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-21 08:45 UTC by Matthias Weckbecker
Modified: 2014-03-19 12:43 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Matthias Weckbecker 2013-08-21 08:45:17 UTC
A new release of Django mentions [1] two security issues:

  1) Issue: Cross-site scripting (XSS) in admin interface
  2) Issue: Possible XSS via is_safe_url

[1] https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued
Comment 1 Sascha Peilicke 2013-09-06 11:44:37 UTC
Fixed packages added to Cloud:OpenStack:Master/:Grizzly and Devel:Cloud:2.0. Submitted to SUSE:SLE-11-SP3:GA:Products:Test (sr#28685).
Comment 2 Marcus Meissner 2013-10-04 09:31:59 UTC
Package is on CD sle11-sp2-cloud-1.0.x86_64

do we need an online update for cloud 1.0?
Comment 3 Marcus Meissner 2013-10-04 09:37:36 UTC
*** Bug 843847 has been marked as a duplicate of this bug. ***
Comment 4 Sascha Peilicke 2013-10-21 09:06:34 UTC
(In reply to comment #2)
> Package is on CD sle11-sp2-cloud-1.0.x86_64
> 
> do we need an online update for cloud 1.0?

I don't think it's worth it, our PM basically marked 1.0 as dead. But I don't know when that will be official. Since 1.4.8 is now in SP2:Update:Test, I wonder when it's going to be released.
Comment 5 Marcus Meissner 2014-03-19 12:43:51 UTC
Cloud 1.0 is EOLed, Cloud 2 and on are fixed ... openSUSE is also fixed