From owner-svn-ports-head@FreeBSD.ORG Sun Jan 6 18:14:24 2013
Return-Path:
Delivered-To: svn-ports-head@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 8CDB7890; Sun, 6 Jan 2013 18:14:24 +0000 (UTC) (envelope-from lwhsu@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 7A07D1184; Sun, 6 Jan 2013 18:14:24 +0000 (UTC)
Received: from svn.freebsd.org (svn.FreeBSD.org [8.8.178.70]) by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id r06IEOX9027076; Sun, 6 Jan 2013 18:14:24 GMT (envelope-from lwhsu@svn.freebsd.org)
Received: (from lwhsu@localhost) by svn.freebsd.org (8.14.5/8.14.5/Submit) id r06IEOCt027075; Sun, 6 Jan 2013 18:14:24 GMT (envelope-from lwhsu@svn.freebsd.org)
Message-Id: <201301061814.r06IEOCt027075@svn.freebsd.org>
From: Li-Wen Hsu
Date: Sun, 6 Jan 2013 18:14:24 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r310004 - head/security/vuxml
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the ports tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 06 Jan 2013 18:14:24 -0000

Author: lwhsu
Date: Sun Jan 6 18:14:23 2013
New Revision: 310004

URL: http://svnweb.freebsd.org/changeset/ports/310004

Log:
  Document Django 2012-12-10 vulnerability

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sun Jan 6 17:42:35 2013 (r310003)
+++ head/security/vuxml/vuln.xml Sun Jan 6 18:14:23 2013 (r310004)
@@ -51,6 +51,80 @@ Note: Please add new entries to the beg --> + + django -- multiple vulnerabilities + + + django + 1.4.3 + + + django13 + 1.3.5 + + + + +

The Django Project reports:

+
+
    +
  1. +

    Host header poisoning

    +

    Several earlier Django security releases focused on the issue of + poisoning the HTTP Host header, causing Django to generate URLs + pointing to arbitrary, potentially-malicious domains.

    +

    In response to further input received and reports of continuing + issues following the previous release, we're taking additional + steps to tighten Host header validation. Rather than attempt to + accommodate all features HTTP supports here, Django's Host header + validation attempts to support a smaller, but far more common, subset:

    +
      +
    • Hostnames must consist of characters [A-Za-z0-9] plus hyphen + ('-') or dot ('.').
    • +
    • IP addresses -- both IPv4 and IPv6 -- are permitted.
    • +
    • Port, if specified, is numeric.
    • +
    +

    Any deviation from this will now be rejected, raising the exception + django.core.exceptions.SuspiciousOperation.

    +
  2. +
  3. +

    Redirect poisoning

    +

    Also following up on a previous issue: in July of this year, we made + changes to Django's HTTP redirect classes, performing additional + validation of the scheme of the URL to redirect to (since, both + within Django's own supplied applications and many third-party + applications, accepting a user-supplied redirect target is a common + pattern).

    +

    Since then, two independent audits of the code turned up further + potential problems. So, similar to the Host-header issue, we are + taking steps to provide tighter validation in response to reported + problems (primarily with third-party applications, but to a certain + extent also within Django itself). This comes in two parts:

    +
      +
    1. A new utility function, django.utils.http.is_safe_url, is + added; this function takes a URL and a hostname, and checks + that the URL is either relative, or if absolute matches the + supplied hostname. This function is intended for use whenever + user-supplied redirect targets are accepted, to ensure that + such redirects cannot lead to arbitrary third-party sites.
    2. +
    3. All of Django's own built-in views -- primarily in the + authentication system -- which allow user-supplied redirect + targets now use is_safe_url to validate the supplied URL.
    4. +
    +
  4. +
+
+ +
+ + https://www.djangoproject.com/weblog/2012/dec/10/security/ + + + 2012-12-10 + 2013-01-06 + +
+ freetype -- Multiple vulnerabilities
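Review bot: the references block of the new entry (the lines ending in the 2012-12-10 discovery and 2013-01-06 entry dates) carries only the djangoproject.com weblog URL; if CVE identifiers are assigned to the Host header and redirect issues, add them as references as well, so the entry can be matched by identifier and not only by the version ranges given for django (below 1.4.3) and django13 (below 1.3.5). As a style point, the description pastes the complete upstream advisory, including a two-level nested list; a shorter summary (Host header values limited to [A-Za-z0-9], '-', '.', IPv4/IPv6 literals and a numeric port, anything else raising django.core.exceptions.SuspiciousOperation; user-supplied redirect targets validated with django.utils.http.is_safe_url), with the URL left as the pointer to the full text, would keep the entry concise and easier to maintain.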