From: Ruslan Mahmatkhanov <rm@FreeBSD.org>
Date: Thu, 25 Oct 2012 10:12:42 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r306376 - in head: security/vuxml www/py-django www/py-django13

Author: rm
Date: Thu Oct 25 10:12:42 2012
New Revision: 306376

URL: http://svn.freebsd.org/changeset/ports/306376

Log:
  - update django ports to 1.3.4 and 1.4.2, which fix a couple of security
    issues. All users are encouraged to upgrade immediately.
  - add vuxml entry

  changes common for both ports:
  - trim Makefile header
  - restrict python version to 2.x only
  - utilize options framework multiple choice feature to let the user choose
    the database backends needed. Make SQLITE option default
  - shorten description of HTMLDOCS_DESC to make it fit into dialog screen
  - SITELIBDIR -> PKGNAMEPREFIX change in dependencies
  - convert NOPORTDOCS condition to optionsng
  - tab -> space change in pkg-descr

  PR:           173017
  Submitted by: rm (myself)
  Approved by:  lwhsu (maintainer, by mail)
  Security:     5f326d75-1db9-11e2-bc8f-d0df9acfd7e5
  Feature safe: yes

Modified:
  head/security/vuxml/vuln.xml
  head/www/py-django/Makefile
  head/www/py-django/distinfo
  head/www/py-django/pkg-descr
  head/www/py-django/pkg-plist
  head/www/py-django13/Makefile
  head/www/py-django13/distinfo
  head/www/py-django13/pkg-descr

Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Oct 25 09:45:12 2012 (r306375) +++ head/security/vuxml/vuln.xml Thu Oct 25 10:12:42 2012 (r306376)
@@ -51,6 +51,69 @@ Note: Please add new entries to the beg --> + + django -- multiple vulnerabilities + + + django + 1.4.2 + + + django13 + 1.3.4 + + + + +

The Django Project reports:

+
+
    +
  1. +

    Host header poisoning

    +

    Some parts of Django -- independent of end-user-written applications + -- make use of full URLs, including domain name, which are generated + from the HTTP Host header. Some attacks against this are beyond Django's + ability to control, and require the web server to be properly configured; + Django's documentation has for some time contained notes advising users + on such configuration.

    +

    Django's own built-in parsing of the Host header is, however, still + vulnerable, as was reported to us recently. The Host header parsing + in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host() + -- was incorrectly handling username/password information in the header. + Thus, for example, the following Host header would be accepted by Django when + running on "validsite.com":

    +

    Host: validsite.com:random@evilsite.com

    +

    Using this, an attacker can cause parts of Django -- particularly the + password-reset mechanism -- to generate and display arbitrary URLs to users.

    +

    To remedy this, the parsing in HttpRequest.get_host() is being modified; Host + headers which contain potentially dangerous content (such as username/password + pairs) now raise the exception django.core.exceptions.SuspiciousOperation.

    +
  2. +
  3. +

    Documentation of HttpOnly cookie option

    +

    As of Django 1.4, session cookies are always sent with the HttpOnly flag, which + provides some additional protection from cross-site scripting attacks by denying + client-side scripts access to the session cookie.

    +

    Though not directly a security issue in Django, it has been reported that the + Django 1.4 documentation incorrectly described this change, by claiming that this + was now the default for all cookies set by the HttpResponse.set_cookie() method.

    +

    The Django documentation has been updated to reflect that this only applies to the + session cookie. Users of Django are encouraged to review their use of set_cookie() + to ensure that the HttpOnly flag is being set or unset appropriately.

    +
  4. +
+
+ +
+ + https://www.djangoproject.com/weblog/2012/oct/17/security/ + + + 2012-10-17 + 2012-10-24 + +
+ Wireshark -- Multiple Vulnerabilities Modified: head/www/py-django/Makefile ============================================================================== --- head/www/py-django/Makefile Thu Oct 25 09:45:12 2012 (r306375) +++ head/www/py-django/Makefile Thu Oct 25 10:12:42 2012 (r306376) @@ -1,12 +1,8 @@ -# New ports collection makefile for: django -# Date created: 2005-11-19 -# Whom: Jose Alonso Cardenas Marquez -# +# Created by: Jose Alonso Cardenas Marquez # $FreeBSD$ -# PORTNAME= django -PORTVERSION= 1.4.1 +PORTVERSION= 1.4.2 CATEGORIES= www python MASTER_SITES= https://www.djangoproject.com/m/releases/${PORTVERSION:R}/ \ CHEESESHOP @@ -20,7 +16,7 @@ COMMENT= High-level Python Web framework LICENSE= BSD USE_GETTEXT= yes -USE_PYTHON= yes +USE_PYTHON= -2.7 USE_PYDISTUTILS= yes PYDISTUTILS_PKGNAME= Django @@ -28,20 +24,20 @@ CONFLICTS= py2[0-9]-django-devel-[0-9]* DOCSDIR= ${PREFIX}/share/doc/py-django -OPTIONS_DEFINE= PGSQL MYSQL SQLITE FASTCGI HTMLDOCS -OPTIONS_DEFAULT= - -HTMLDOCS_DESC= Build and install the HTML documentation (requires Sphinx) - -MAN1= daily_cleanup.1 django-admin.1 gather_profile_stats.1 - # bypass infrastructure bug OPTIONSFILE= ${PORT_DBDIR}/py-${PORTNAME}/options +OPTIONS_DEFINE= FASTCGI HTMLDOCS +OPTIONS_DEFAULT=SQLITE +OPTIONS_MULTI= DATABASE +OPTIONS_MULTI_DATABASE= PGSQL MYSQL SQLITE +HTMLDOCS_DESC= Install the HTML documentation (requires Sphinx) + +MAN1= daily_cleanup.1 django-admin.1 gather_profile_stats.1 -.include +.include .if ${PORT_OPTIONS:MPGSQL} -RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/psycopg2/_psycopg.so:${PORTSDIR}/databases/py-psycopg2 +RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}psycopg2>0:${PORTSDIR}/databases/py-psycopg2 .endif .if ${PORT_OPTIONS:MMYSQL} 
@@ -49,7 +45,7 @@ RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}MyS .endif .if ${PORT_OPTIONS:MSQLITE} -RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/_sqlite3.so:${PORTSDIR}/databases/py-sqlite3 +RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sqlite3>0:${PORTSDIR}/databases/py-sqlite3 .endif .if ${PORT_OPTIONS:MFASTCGI} @@ -57,7 +53,7 @@ RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}flu .endif .if ${PORT_OPTIONS:MHTMLDOCS} -. if defined(NOPORTDOCS) +. if empty(PORT_OPTIONS:MDOCS) IGNORE= you cannot build documentation while setting NOPORTDOCS . endif BUILD_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sphinx>0:${PORTSDIR}/textproc/py-sphinx @@ -79,4 +75,4 @@ post-install: ${CP} -R ${WRKSRC}/docs/_build/html ${DOCSDIR} .endif -.include +.include Modified: head/www/py-django/distinfo ============================================================================== --- head/www/py-django/distinfo Thu Oct 25 09:45:12 2012 (r306375) +++ head/www/py-django/distinfo Thu Oct 25 10:12:42 2012 (r306376) @@ -1,2 +1,2 @@ -SHA256 (python/Django-1.4.1.tar.gz) = 4d8d20eba350d3d29613cc5a6302d5c23730c7f9e150985bc58b3175b755409b -SIZE (python/Django-1.4.1.tar.gz) = 7656756 +SHA256 (python/Django-1.4.2.tar.gz) = edfd8733f45bbaa524cee25bcac3080ce28c21242c27227464eae3fa6b3d80e7 +SIZE (python/Django-1.4.2.tar.gz) = 7722026 Modified: head/www/py-django/pkg-descr ============================================================================== --- head/www/py-django/pkg-descr Thu Oct 25 09:45:12 2012 (r306375) +++ head/www/py-django/pkg-descr Thu Oct 25 10:12:42 2012 (r306376) 
@@ -7,4 +7,4 @@ intensive deadlines of a newsroom and th Web developers. It has convenient niceties for developing content-management systems, but it's an excellent tool for building any Web site. -WWW: http://www.djangoproject.com/ +WWW: http://www.djangoproject.com/ Modified: head/www/py-django/pkg-plist ============================================================================== --- head/www/py-django/pkg-plist Thu Oct 25 09:45:12 2012 (r306375) +++ head/www/py-django/pkg-plist Thu Oct 25 10:12:42 2012 (r306376) @@ -5294,6 +5294,9 @@ bin/django-admin.py %%PYTHON_SITELIBDIR%%/django/utils/simplejson/tool.py %%PYTHON_SITELIBDIR%%/django/utils/simplejson/tool.pyc %%PYTHON_SITELIBDIR%%/django/utils/simplejson/tool.pyo +%%PYTHON_SITELIBDIR%%/django/utils/six.py +%%PYTHON_SITELIBDIR%%/django/utils/six.pyc +%%PYTHON_SITELIBDIR%%/django/utils/six.pyo %%PYTHON_SITELIBDIR%%/django/utils/synch.py %%PYTHON_SITELIBDIR%%/django/utils/synch.pyc %%PYTHON_SITELIBDIR%%/django/utils/synch.pyo Modified: head/www/py-django13/Makefile ============================================================================== --- head/www/py-django13/Makefile Thu Oct 25 09:45:12 2012 (r306375) +++ head/www/py-django13/Makefile Thu Oct 25 10:12:42 2012 (r306376) @@ -1,12 +1,8 @@ -# New ports collection makefile for: django -# Date created: 2005-11-19 -# Whom: Jose Alonso Cardenas Marquez -# +# Created by: Jose Alonso Cardenas Marquez # $FreeBSD$ -# PORTNAME= django -PORTVERSION= 1.3.3 +PORTVERSION= 1.3.4 CATEGORIES= www python MASTER_SITES= http://www.djangoproject.com/m/releases/${PORTVERSION:R}/ \ CHEESESHOP @@ -22,7 +18,7 @@ LICENSE= BSD LATEST_LINK= ${PYTHON_PKGNAMEPREFIX}django13 USE_GETTEXT= yes -USE_PYTHON= yes +USE_PYTHON= -2.7 USE_PYDISTUTILS= yes PYDISTUTILS_PKGNAME= Django 
@@ -30,20 +26,20 @@ CONFLICTS= py2[0-9]-django-devel-[0-9]* DOCSDIR= ${PREFIX}/share/doc/py-django -OPTIONS_DEFINE= PGSQL MYSQL SQLITE FASTCGI HTMLDOCS -OPTIONS_DEFAULT= - -HTMLDOCS_DESC= Build and install the HTML documentation (requires Sphinx) - -MAN1= daily_cleanup.1 django-admin.1 gather_profile_stats.1 - # bypass infrastructure bug OPTIONSFILE= ${PORT_DBDIR}/py-${PORTNAME}/options +OPTIONS_DEFINE= FASTCGI HTMLDOCS +OPTIONS_DEFAULT=SQLITE +OPTIONS_MULTI= DATABASE +OPTIONS_MULTI_DATABASE= PGSQL MYSQL SQLITE +HTMLDOCS_DESC= Install the HTML documentation (requires Sphinx) + +MAN1= daily_cleanup.1 django-admin.1 gather_profile_stats.1 -.include +.include .if ${PORT_OPTIONS:MPGSQL} -RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/psycopg2/_psycopg.so:${PORTSDIR}/databases/py-psycopg2 +RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}psycopg2>0:${PORTSDIR}/databases/py-psycopg2 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-changeset_16520.diff .endif @@ -52,7 +48,7 @@ RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}MyS .endif .if ${PORT_OPTIONS:MSQLITE} -RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/_sqlite3.so:${PORTSDIR}/databases/py-sqlite3 +RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sqlite3>0:${PORTSDIR}/databases/py-sqlite3 .endif .if ${PORT_OPTIONS:MFASTCGI} @@ -60,7 +56,7 @@ RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}flu .endif .if ${PORT_OPTIONS:MHTMLDOCS} -. if defined(NOPORTDOCS) +. if empty(PORT_OPTIONS:MDOCS) IGNORE= you cannot build documentation while setting NOPORTDOCS . endif BUILD_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sphinx>0:${PORTSDIR}/textproc/py-sphinx @@ -83,4 +79,4 @@ post-install: ${CP} -R ${WRKSRC}/docs/_build/html ${DOCSDIR} .endif -.include +.include Modified: head/www/py-django13/distinfo ============================================================================== --- head/www/py-django13/distinfo Thu Oct 25 09:45:12 2012 (r306375) +++ head/www/py-django13/distinfo Thu Oct 25 10:12:42 2012 (r306376) 
@@ -1,2 +1,2 @@ -SHA256 (python/Django-1.3.3.tar.gz) = 8ef44cfd89dee0331018ec56a2ed27dc14ae8d65feb664c10e128b3437cbd46a -SIZE (python/Django-1.3.3.tar.gz) = 6507280 +SHA256 (python/Django-1.3.4.tar.gz) = 2626e6b216e1bdef887bd923f00d94d94b4d4e75fc2e336c6f156d842d10a607 +SIZE (python/Django-1.3.4.tar.gz) = 6507771 Modified: head/www/py-django13/pkg-descr ============================================================================== --- head/www/py-django13/pkg-descr Thu Oct 25 09:45:12 2012 (r306375) +++ head/www/py-django13/pkg-descr Thu Oct 25 10:12:42 2012 (r306376) @@ -7,4 +7,4 @@ intensive deadlines of a newsroom and th Web developers. It has convenient niceties for developing content-management systems, but it's an excellent tool for building any Web site. -WWW: http://www.djangoproject.com/ +WWW: http://www.djangoproject.com/
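Review bot: the references block of the new "django -- multiple vulnerabilities" vuxml entry (the hunk at @@ -51,6 +51,69 @@ in security/vuxml/vuln.xml) carries only the upstream weblog URL https://www.djangoproject.com/weblog/2012/oct/17/security/ and no cvename elements; once CVE identifiers are assigned for the Host header parsing issue, add them so CVE-based audit tooling matches this entry. The fixed versions named in the entry (django 1.4.2, django13 1.3.4) agree with the PORTVERSION bumps in the two Makefile hunks, and the discovery (2012-10-17) and entry (2012-10-24) dates are consistent with the advisory URL.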
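Review bot: the comment "# bypass infrastructure bug" kept above OPTIONSFILE= in the options hunks of both Makefiles (@@ -28,20 +24,20 @@ in py-django and @@ -30,20 +26,20 @@ in py-django13) does not say which bug is being bypassed; add a PR number or a one-line explanation so a later committer can tell when the override of OPTIONSFILE can be dropped. The rest of the hunk reads fine: OPTIONS_DEFAULT=SQLITE selects one member of the new OPTIONS_MULTI_DATABASE group, and the RUN_DEPENDS lines now use ${PYTHON_PKGNAMEPREFIX}psycopg2>0 instead of a site-lib file path, matching the log.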
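Review bot: in the HTMLDOCS hunk (@@ -57,7 +53,7 @@ in py-django/Makefile) the check is converted to ". if empty(PORT_OPTIONS:MDOCS)", but the unchanged line "IGNORE= you cannot build documentation while setting NOPORTDOCS" still tells the user to look at NOPORTDOCS, which this hunk stops testing; reword it to name the DOCS option, e.g. "IGNORE= you cannot build documentation with the DOCS option disabled", so the message matches the new condition. The same stale message is left in the corresponding py-django13 hunk (@@ -60,7 +56,7 @@).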
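Review bot: the two ports fetch the same upstream over different schemes: the py-django Makefile context line reads "MASTER_SITES= https://www.djangoproject.com/m/releases/${PORTVERSION:R}/" while the py-django13 one reads "MASTER_SITES= http://www.djangoproject.com/m/releases/${PORTVERSION:R}/". The updated SHA256 and SIZE lines in both distinfo hunks still guard the distfile, but since this commit is a security update, consider pointing py-django13 at the https site as well so both ports fetch consistently.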