Date:      Thu, 25 Oct 2012 10:12:42 +0000 (UTC)
From:      Ruslan Mahmatkhanov <rm@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r306376 - in head: security/vuxml www/py-django www/py-django13
Message-ID:  <201210251012.q9PACg7i028771@svn.freebsd.org>

Author: rm
Date: Thu Oct 25 10:12:42 2012
New Revision: 306376
URL: http://svn.freebsd.org/changeset/ports/306376

Log:
  - update django ports to 1.3.4 and 1.4.2, which fix a couple of security issues.
    All users are encouraged to upgrade immediately.
  - add vuxml entry
  
  changes common for both ports:
  - trim Makefile header
  - restrict python version to 2.x only
  - utilize options framework multiple choice feature to let the user choose
    the database backends needed. Make SQLITE option default
  - shorten description of HTMLDOCS_DESC to make it fit into dialog screen
  - SITELIBDIR -> PKGNAMEPREFIX change in dependencies
  - convert NOPORTDOCS condition to optionsng
  - tab -> space change in pkg-descr
  
  PR:		173017
  Submitted by:	rm (myself)
  Approved by:	lwhsu (maintainer, by mail)
  Security:	5f326d75-1db9-11e2-bc8f-d0df9acfd7e5
  Feature safe:   yes

Modified:
  head/security/vuxml/vuln.xml
  head/www/py-django/Makefile
  head/www/py-django/distinfo
  head/www/py-django/pkg-descr
  head/www/py-django/pkg-plist
  head/www/py-django13/Makefile
  head/www/py-django13/distinfo
  head/www/py-django13/pkg-descr

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Oct 25 09:45:12 2012	(r306375)
+++ head/security/vuxml/vuln.xml	Thu Oct 25 10:12:42 2012	(r306376)
@@ -51,6 +51,69 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="5f326d75-1db9-11e2-bc8f-d0df9acfd7e5">
+    <topic>django -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+        <name>django</name>
+        <range><lt>1.4.2</lt></range>
+      </package>
+      <package>
+        <name>django13</name>
+        <range><lt>1.3.4</lt></range>
+      </package>
+    </affects>
+    <description>
+     <body xmlns="http://www.w3.org/1999/xhtml">;
+        <p>The Django Project reports:</p>
+        <blockquote cite="https://www.djangoproject.com/weblog/2012/oct/17/security/">;
+        <ol>
+          <li>
+          <p>Host header poisoning</p>
+          <p>Some parts of Django -- independent of end-user-written applications
+             -- make use of full URLs, including domain name, which are generated
+             from the HTTP Host header. Some attacks against this are beyond Django's 
+             ability to control, and require the web server to be properly configured; 
+             Django's documentation has for some time contained notes advising users
+             on such configuration.</p>
+          <p>Django's own built-in parsing of the Host header is, however, still
+             vulnerable, as was reported to us recently. The Host header parsing
+             in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host() 
+             -- was incorrectly handling username/password information in the header. 
+             Thus, for example, the following Host header would be accepted by Django when
+             running on "validsite.com":</p>
+          <p>Host: validsite.com:random@evilsite.com</p>
+          <p>Using this, an attacker can cause parts of Django -- particularly the
+             password-reset mechanism -- to generate and display arbitrary URLs to users.</p>
+          <p>To remedy this, the parsing in HttpRequest.get_host() is being modified; Host 
+             headers which contain potentially dangerous content (such as username/password
+             pairs) now raise the exception django.core.exceptions.SuspiciousOperation.</p>
+          </li>
+          <li>
+          <p>Documentation of HttpOnly cookie option</p>
+          <p>As of Django 1.4, session cookies are always sent with the HttpOnly flag, which
+             provides some additional protection from cross-site scripting attacks by denying
+             client-side scripts access to the session cookie.</p>
+          <p>Though not directly a security issue in Django, it has been reported that the
+             Django 1.4 documentation incorrectly described this change, by claiming that this
+             was now the default for all cookies set by the HttpResponse.set_cookie() method.</p>
+          <p>The Django documentation has been updated to reflect that this only applies to the
+             session cookie. Users of Django are encouraged to review their use of set_cookie()
+             to ensure that the HttpOnly flag is being set or unset appropriately.</p>
+          </li>
+          </ol>
+        </blockquote>
+      </body>
+    </description>
+    <references>
+        <url>https://www.djangoproject.com/weblog/2012/oct/17/security/</url>;
+    </references>
+    <dates>
+      <discovery>2012-10-17</discovery>
+      <entry>2012-10-24</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="a7706414-1be7-11e2-9aad-902b343deec9">
     <topic>Wireshark -- Multiple Vulnerabilities</topic>
     <affects>
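Review bot: the `<affects>` block lists only `django` (`<lt>1.4.2</lt>`) and `django13` (`<lt>1.3.4</lt>`), yet both Makefiles in this commit name a `py2[0-9]-django-devel` port in CONFLICTS; if that port tracks a snapshot with the same `HttpRequest.get_host()` parsing it needs a third `<package>` entry, otherwise a note on why it is out of scope would save the next reader the check. Two smaller points: the `<entry>` date (2012-10-24) predates the commit timestamp in the diff header (Oct 25), and the sample header in `<p>Host: validsite.com:random@evilsite.com</p>` would render more clearly wrapped in `<code>`.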

Modified: head/www/py-django/Makefile
==============================================================================
--- head/www/py-django/Makefile	Thu Oct 25 09:45:12 2012	(r306375)
+++ head/www/py-django/Makefile	Thu Oct 25 10:12:42 2012	(r306376)
@@ -1,12 +1,8 @@
-# New ports collection makefile for:	django
-# Date created:				2005-11-19
-# Whom:					Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe>
-#
+# Created by: Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe>
 # $FreeBSD$
-#
 
 PORTNAME=	django
-PORTVERSION=	1.4.1
+PORTVERSION=	1.4.2
 CATEGORIES=	www python
 MASTER_SITES=	https://www.djangoproject.com/m/releases/${PORTVERSION:R}/ \
 		CHEESESHOP
@@ -20,7 +16,7 @@ COMMENT=	High-level Python Web framework
 LICENSE=	BSD
 
 USE_GETTEXT=	yes
-USE_PYTHON=	yes
+USE_PYTHON=	-2.7
 USE_PYDISTUTILS=	yes
 PYDISTUTILS_PKGNAME=	Django
 
@@ -28,20 +24,20 @@ CONFLICTS=	py2[0-9]-django-devel-[0-9]* 
 
 DOCSDIR=	${PREFIX}/share/doc/py-django
 
-OPTIONS_DEFINE=	PGSQL MYSQL SQLITE FASTCGI HTMLDOCS
-OPTIONS_DEFAULT=
-
-HTMLDOCS_DESC=	Build and install the HTML documentation (requires Sphinx)
-
-MAN1=		daily_cleanup.1 django-admin.1 gather_profile_stats.1
-
 # bypass infrastructure bug
 OPTIONSFILE=	${PORT_DBDIR}/py-${PORTNAME}/options
+OPTIONS_DEFINE=	FASTCGI HTMLDOCS
+OPTIONS_DEFAULT=SQLITE
+OPTIONS_MULTI=	DATABASE
+OPTIONS_MULTI_DATABASE=	PGSQL MYSQL SQLITE
+HTMLDOCS_DESC=	Install the HTML documentation (requires Sphinx)
+
+MAN1=		daily_cleanup.1 django-admin.1 gather_profile_stats.1
 
-.include <bsd.port.pre.mk>
+.include <bsd.port.options.mk>
 
 .if ${PORT_OPTIONS:MPGSQL}
-RUN_DEPENDS+=	${PYTHON_SITELIBDIR}/psycopg2/_psycopg.so:${PORTSDIR}/databases/py-psycopg2
+RUN_DEPENDS+=	${PYTHON_PKGNAMEPREFIX}psycopg2>0:${PORTSDIR}/databases/py-psycopg2
 .endif
 
 .if ${PORT_OPTIONS:MMYSQL}
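Review bot: the `# bypass infrastructure bug` comment kept above `OPTIONSFILE=` still does not say which bug it works around, so nobody can tell when the override can be dropped; cite the PR or the bsd.options.mk issue in the comment. The dependency rewrite itself is the right direction: `${PYTHON_PKGNAMEPREFIX}psycopg2>0` is a package-name dependency that survives a Python version bump, whereas the old `${PYTHON_SITELIBDIR}/psycopg2/_psycopg.so` path broke whenever the site-lib directory moved.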
@@ -49,7 +45,7 @@ RUN_DEPENDS+=	${PYTHON_PKGNAMEPREFIX}MyS
 .endif
 
 .if ${PORT_OPTIONS:MSQLITE}
-RUN_DEPENDS+=	${PYTHON_SITELIBDIR}/_sqlite3.so:${PORTSDIR}/databases/py-sqlite3
+RUN_DEPENDS+=	${PYTHON_PKGNAMEPREFIX}sqlite3>0:${PORTSDIR}/databases/py-sqlite3
 .endif
 
 .if ${PORT_OPTIONS:MFASTCGI}
@@ -57,7 +53,7 @@ RUN_DEPENDS+=	${PYTHON_PKGNAMEPREFIX}flu
 .endif
 
 .if ${PORT_OPTIONS:MHTMLDOCS}
-.	if defined(NOPORTDOCS)
+.	if empty(PORT_OPTIONS:MDOCS)
 IGNORE=	you cannot build documentation while setting NOPORTDOCS
 .	endif
 BUILD_DEPENDS+=	${PYTHON_PKGNAMEPREFIX}sphinx>0:${PORTSDIR}/textproc/py-sphinx
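Review bot: the condition now tests `empty(PORT_OPTIONS:MDOCS)`, but the `IGNORE=` message on the following line still says "while setting NOPORTDOCS"; reword it to say the DOCS option is disabled, so the user is told about the knob that actually controls the check.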
@@ -79,4 +75,4 @@ post-install:
 	${CP} -R ${WRKSRC}/docs/_build/html ${DOCSDIR}
 .endif
 
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>

Modified: head/www/py-django/distinfo
==============================================================================
--- head/www/py-django/distinfo	Thu Oct 25 09:45:12 2012	(r306375)
+++ head/www/py-django/distinfo	Thu Oct 25 10:12:42 2012	(r306376)
@@ -1,2 +1,2 @@
-SHA256 (python/Django-1.4.1.tar.gz) = 4d8d20eba350d3d29613cc5a6302d5c23730c7f9e150985bc58b3175b755409b
-SIZE (python/Django-1.4.1.tar.gz) = 7656756
+SHA256 (python/Django-1.4.2.tar.gz) = edfd8733f45bbaa524cee25bcac3080ce28c21242c27227464eae3fa6b3d80e7
+SIZE (python/Django-1.4.2.tar.gz) = 7722026
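Review bot: the new SHA256/SIZE pair for Django-1.4.2.tar.gz is the only integrity check port users get, so the log should state that the hash was compared against the upstream-published checksum or release signature rather than simply regenerated from whatever was fetched; the same applies to the django13 distinfo further down.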

Modified: head/www/py-django/pkg-descr
==============================================================================
--- head/www/py-django/pkg-descr	Thu Oct 25 09:45:12 2012	(r306375)
+++ head/www/py-django/pkg-descr	Thu Oct 25 10:12:42 2012	(r306376)
@@ -7,4 +7,4 @@ intensive deadlines of a newsroom and th
 Web developers. It has convenient niceties for developing content-management
 systems, but it's an excellent tool for building any Web site.
 
-WWW:	http://www.djangoproject.com/
+WWW: http://www.djangoproject.com/

Modified: head/www/py-django/pkg-plist
==============================================================================
--- head/www/py-django/pkg-plist	Thu Oct 25 09:45:12 2012	(r306375)
+++ head/www/py-django/pkg-plist	Thu Oct 25 10:12:42 2012	(r306376)
@@ -5294,6 +5294,9 @@ bin/django-admin.py
 %%PYTHON_SITELIBDIR%%/django/utils/simplejson/tool.py
 %%PYTHON_SITELIBDIR%%/django/utils/simplejson/tool.pyc
 %%PYTHON_SITELIBDIR%%/django/utils/simplejson/tool.pyo
+%%PYTHON_SITELIBDIR%%/django/utils/six.py
+%%PYTHON_SITELIBDIR%%/django/utils/six.pyc
+%%PYTHON_SITELIBDIR%%/django/utils/six.pyo
 %%PYTHON_SITELIBDIR%%/django/utils/synch.py
 %%PYTHON_SITELIBDIR%%/django/utils/synch.pyc
 %%PYTHON_SITELIBDIR%%/django/utils/synch.pyo

Modified: head/www/py-django13/Makefile
==============================================================================
--- head/www/py-django13/Makefile	Thu Oct 25 09:45:12 2012	(r306375)
+++ head/www/py-django13/Makefile	Thu Oct 25 10:12:42 2012	(r306376)
@@ -1,12 +1,8 @@
-# New ports collection makefile for:	django
-# Date created:				2005-11-19
-# Whom:					Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe>
-#
+# Created by: Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe>
 # $FreeBSD$
-#
 
 PORTNAME=	django
-PORTVERSION=	1.3.3
+PORTVERSION=	1.3.4
 CATEGORIES=	www python
 MASTER_SITES=	http://www.djangoproject.com/m/releases/${PORTVERSION:R}/ \
 		CHEESESHOP
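Review bot: `MASTER_SITES` here still fetches from `http://www.djangoproject.com/...`, while the py-django Makefile in this same commit uses `https://` for the same host; switch this one to https as well so the tarball is fetched over TLS before distinfo verifies it (the SHA256 check catches tampering either way, but the two ports should not differ on this).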
@@ -22,7 +18,7 @@ LICENSE=	BSD
 LATEST_LINK=	${PYTHON_PKGNAMEPREFIX}django13
 
 USE_GETTEXT=	yes
-USE_PYTHON=	yes
+USE_PYTHON=	-2.7
 USE_PYDISTUTILS=	yes
 PYDISTUTILS_PKGNAME=	Django
 
@@ -30,20 +26,20 @@ CONFLICTS=	py2[0-9]-django-devel-[0-9]* 
 
 DOCSDIR=	${PREFIX}/share/doc/py-django
 
-OPTIONS_DEFINE=	PGSQL MYSQL SQLITE FASTCGI HTMLDOCS
-OPTIONS_DEFAULT=
-
-HTMLDOCS_DESC=	Build and install the HTML documentation (requires Sphinx)
-
-MAN1=		daily_cleanup.1 django-admin.1 gather_profile_stats.1
-
 # bypass infrastructure bug
 OPTIONSFILE=	${PORT_DBDIR}/py-${PORTNAME}/options
+OPTIONS_DEFINE=	FASTCGI HTMLDOCS
+OPTIONS_DEFAULT=SQLITE
+OPTIONS_MULTI=	DATABASE
+OPTIONS_MULTI_DATABASE=	PGSQL MYSQL SQLITE
+HTMLDOCS_DESC=	Install the HTML documentation (requires Sphinx)
+
+MAN1=		daily_cleanup.1 django-admin.1 gather_profile_stats.1
 
-.include <bsd.port.pre.mk>
+.include <bsd.port.options.mk>
 
 .if ${PORT_OPTIONS:MPGSQL}
-RUN_DEPENDS+=	${PYTHON_SITELIBDIR}/psycopg2/_psycopg.so:${PORTSDIR}/databases/py-psycopg2
+RUN_DEPENDS+=	${PYTHON_PKGNAMEPREFIX}psycopg2>0:${PORTSDIR}/databases/py-psycopg2
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-changeset_16520.diff
 .endif
 
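Review bot: `EXTRA_PATCHES+= ${FILESDIR}/extra-patch-changeset_16520.diff` is applied only when PGSQL is selected, so the patched source differs by option set; a one-line comment saying what upstream changeset 16520 addresses and why it is PGSQL-specific would make that intentional rather than surprising. The `# bypass infrastructure bug` comment above `OPTIONSFILE=` has the same missing reference as in py-django.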
@@ -52,7 +48,7 @@ RUN_DEPENDS+=	${PYTHON_PKGNAMEPREFIX}MyS
 .endif
 
 .if ${PORT_OPTIONS:MSQLITE}
-RUN_DEPENDS+=	${PYTHON_SITELIBDIR}/_sqlite3.so:${PORTSDIR}/databases/py-sqlite3
+RUN_DEPENDS+=	${PYTHON_PKGNAMEPREFIX}sqlite3>0:${PORTSDIR}/databases/py-sqlite3
 .endif
 
 .if ${PORT_OPTIONS:MFASTCGI}
@@ -60,7 +56,7 @@ RUN_DEPENDS+=	${PYTHON_PKGNAMEPREFIX}flu
 .endif
 
 .if ${PORT_OPTIONS:MHTMLDOCS}
-.	if defined(NOPORTDOCS)
+.	if empty(PORT_OPTIONS:MDOCS)
 IGNORE=	you cannot build documentation while setting NOPORTDOCS
 .	endif
 BUILD_DEPENDS+=	${PYTHON_PKGNAMEPREFIX}sphinx>0:${PORTSDIR}/textproc/py-sphinx
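Review bot: as in py-django, the `IGNORE=` text on the line after `.if empty(PORT_OPTIONS:MDOCS)` still names NOPORTDOCS; update it to refer to the DOCS option.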
@@ -83,4 +79,4 @@ post-install:
 	${CP} -R ${WRKSRC}/docs/_build/html ${DOCSDIR}
 .endif
 
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>

Modified: head/www/py-django13/distinfo
==============================================================================
--- head/www/py-django13/distinfo	Thu Oct 25 09:45:12 2012	(r306375)
+++ head/www/py-django13/distinfo	Thu Oct 25 10:12:42 2012	(r306376)
@@ -1,2 +1,2 @@
-SHA256 (python/Django-1.3.3.tar.gz) = 8ef44cfd89dee0331018ec56a2ed27dc14ae8d65feb664c10e128b3437cbd46a
-SIZE (python/Django-1.3.3.tar.gz) = 6507280
+SHA256 (python/Django-1.3.4.tar.gz) = 2626e6b216e1bdef887bd923f00d94d94b4d4e75fc2e336c6f156d842d10a607
+SIZE (python/Django-1.3.4.tar.gz) = 6507771

Modified: head/www/py-django13/pkg-descr
==============================================================================
--- head/www/py-django13/pkg-descr	Thu Oct 25 09:45:12 2012	(r306375)
+++ head/www/py-django13/pkg-descr	Thu Oct 25 10:12:42 2012	(r306376)
@@ -7,4 +7,4 @@ intensive deadlines of a newsroom and th
 Web developers. It has convenient niceties for developing content-management
 systems, but it's an excellent tool for building any Web site.
 
-WWW:	http://www.djangoproject.com/
+WWW: http://www.djangoproject.com/


