FEDORA-EPEL-2010-2977 created by lmacken 11 years ago for Fedora EPEL 5
stable

1.7.4

  • The only real change is to paste.httpexceptions, which was using insecure quoting of some parameters and allowed an XSS hole, most specifically in its 404 messages. The most notable WSGI applications using this are paste.urlparse.StaticURLParser and PkgResourcesParser. By directing someone to an appropriately formed URL, an attacker can execute arbitrary Javascript on the victim's client. paste.urlmap.URLMap is also affected, but only if you have no application attached to /. Other applications using paste.httpexceptions may be affected (especially HTTPNotFound). WebOb/webob.exc.HTTPNotFound is not affected.
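To illustrate the class of bug fixed in 1.7.4, the following added example (not Paste's own code) shows a minimal WSGI 404 handler that reflects the requested path into HTML verbatim, beside the hardened form that HTML-escapes it; the environ passed in is constructed inline so it runs offline, and all function names are hypothetical.

```python
from html import escape
from io import BytesIO


def render_404_unescaped(environ):
    """Vulnerable pattern: the untrusted path is interpolated into HTML as-is."""
    path = environ.get("PATH_INFO", "")  # already URL-decoded by the WSGI server
    return (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>The resource {path} could not be found.</p></body></html>"
    )


def render_404_escaped(environ):
    """Hardened form: every untrusted value is HTML-escaped before interpolation."""
    path = environ.get("PATH_INFO", "")
    return (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>The resource {escape(path, quote=True)} could not be found.</p></body></html>"
    )


def make_app(render_404):
    """Wrap a renderer in a WSGI callable that always answers 404."""
    def app(environ, start_response):
        body = render_404(environ).encode("utf-8")
        start_response("404 Not Found", [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Content-Length", str(len(body))),
        ])
        return [body]
    return app


def call_wsgi(app, path):
    """Drive a WSGI app with a constructed environ; return (status, body as text)."""
    environ = {  # constructed request, no network involved
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",
        "wsgi.input": BytesIO(b""),
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body
```

Requesting a path containing markup through the first renderer returns that markup intact in the 404 body, while the second returns it entity-encoded, which is the property the 1.7.4 fix restores.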

1.7.3

  • Fix paste.httpserver on Python 2.6.
  • Fix paste.auth.cookie, which would insert newlines for long cookies.
  • paste.util.mimeparse parses a single * in Accept headers (sent by IE 6).
  • Fix some problems with the wdg_validate middleware.
  • Improvements to paste.auth.auth_tkt: add httponly support, don’t always aggressively set cookies without the wildcard_cookie option. Also on logout, make cookies expire.
  • In paste.proxy.Proxy handle Content-Length of -1.
  • In paste.httpexceptions avoid some unicode errors.
  • In paste.httpserver handle .read() from 100 Continue properly (because of a typo it was doing a readline).
  • Update paste.util.mimeparse from upstream.

http://pythonpaste.org/news.html

This update has been pushed to testing (11 years ago)

This update has reached 43 days in testing and can be pushed to stable now if the maintainer wishes (11 years ago)

This update has been submitted for stable by lmacken. (11 years ago)

This update has been pushed to stable (11 years ago)


Metadata
  • Type: security
  • Karma: 0
  • Signed
  • Content Type: RPM
  • Test Gating

Settings
  • Unstable by Karma: -3
  • Stable by Karma: disabled
  • Stable by Time: disabled

Dates
  • submitted: 11 years ago
  • in testing: 11 years ago
  • in stable: 11 years ago
  • modified: 11 years ago
