[SECURITY] Fedora 11 Update: python-paste-1.7.4-1.fc11

updates at fedoraproject.org
Fri Jun 25 18:18:37 UTC 2010


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-10400
2010-06-25 17:05:54
--------------------------------------------------------------------------------

Name        : python-paste
Product     : Fedora 11
Version     : 1.7.4
Release     : 1.fc11
URL         : http://pythonpaste.org
Summary     : Tools for using a Web Server Gateway Interface stack
Description :
These provide several pieces of "middleware" (or filters) that can be nested
to build web applications.  Each piece of middleware uses the WSGI (PEP 333)
interface, and should be compatible with other middleware based on those
interfaces.

--------------------------------------------------------------------------------
Update Information:

1.7.4

* The only real change is to paste.httpexceptions, which used insecure
  quoting of some parameters and allowed an XSS hole, most specifically in
  its 404 messages.  The most notable WSGI applications using this are
  paste.urlparse.StaticURLParser and PkgResourcesParser.  By directing
  someone to an appropriately formed URL, an attacker can execute arbitrary
  JavaScript on the victim's client.  paste.urlmap.URLMap is also affected,
  but only if you have no application attached to /.  Other applications
  using paste.httpexceptions may be affected (especially HTTPNotFound).
  WebOb/webob.exc.HTTPNotFound is not affected.

1.7.3

* Fix paste.httpserver on Python 2.6.
* Fix paste.auth.cookie, which would insert newlines for long cookies.
* paste.util.mimeparse parses a single * in Accept headers (sent by IE 6).
* Fix some problems with the wdg_validate middleware.
* Improvements to paste.auth.auth_tkt: add httponly support, don't always
  aggressively set cookies without the wildcard_cookie option.  Also on
  logout, make cookies expire.
* In paste.proxy.Proxy handle Content-Length of -1.
* In paste.httpexceptions avoid some unicode errors.
* In paste.httpserver handle .read() from 100 Continue properly (because of
  a typo it was doing a readline).
* Update paste.util.mimeparse from upstream.

http://pythonpaste.org/news.html
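The two bug classes above (a request path reflected unescaped into a 404
page, and a cookie value that picks up newlines and so splits the
Set-Cookie header) can be reproduced and checked with a small WSGI app
that does not depend on Paste.  The following is an added example written
for this notice; it is not Paste's own code and does not reproduce the
upstream fix.  The environ, the request path and the long ticket value are
constructed sample input, the 404 handlers are generic stand-ins for
HTTPNotFound-style error pages, and the base64 line wrapping is one common
way a cookie value acquires newlines in Python (an assumption about the
bug class, not a claim about how paste.auth.cookie was implemented).

```python
import base64
import html

# Constructed sample input (not real traffic): a path crafted to inject a
# script tag into a reflected 404 message, and a long ticket such as an
# authentication cookie might carry.
SAMPLE_PATH = "/static/<script>alert(1)</script>"
SAMPLE_TICKET = b"user=alice;expires=later;" + b"x" * 200

NOT_FOUND_TEMPLATE = (
    "<html><body><h1>404 Not Found</h1>"
    "The resource at %s could not be found.</body></html>"
)


def not_found_body_unescaped(path):
    """Vulnerable: the attacker-controlled path goes into HTML verbatim."""
    return NOT_FOUND_TEMPLATE % path


def not_found_body_escaped(path):
    """Hardened: HTML-escape the value (including quotes) before embedding."""
    return NOT_FOUND_TEMPLATE % html.escape(path, quote=True)


def encode_cookie_value_wrapped(raw):
    """Buggy variant: encodebytes (encodestring on Python 2) wraps the
    output every 76 characters, so a long value contains '\\n'."""
    return base64.encodebytes(raw).decode("ascii")


def encode_cookie_value(raw):
    """Fixed variant: b64encode emits a single line with no newlines."""
    return base64.b64encode(raw).decode("ascii")


def decode_cookie_value(value):
    """Inverse of encode_cookie_value, used to round-trip the ticket."""
    return base64.b64decode(value.encode("ascii"))


def cookie_value_is_safe(value):
    """CR or LF in a header value would terminate the header early."""
    return "\r" not in value and "\n" not in value


def set_cookie_header(name, value, httponly=True, path="/"):
    """Build a Set-Cookie header, refusing values that would split it."""
    if not cookie_value_is_safe(value):
        raise ValueError("cookie value contains CR/LF; refusing to emit header")
    parts = ["%s=%s" % (name, value), "Path=%s" % path]
    if httponly:
        parts.append("HttpOnly")  # keeps document.cookie from reading it
    return ("Set-Cookie", "; ".join(parts))


def make_app(escape):
    """Minimal WSGI app: every request is a 404, with or without escaping,
    and a fresh (safely encoded) ticket cookie is set on each response."""
    render = not_found_body_escaped if escape else not_found_body_unescaped

    def app(environ, start_response):
        # WSGI servers hand PATH_INFO already percent-decoded.
        data = render(environ.get("PATH_INFO", "")).encode("utf-8")
        headers = [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Content-Length", str(len(data))),
            set_cookie_header("auth_tkt", encode_cookie_value(SAMPLE_TICKET)),
        ]
        start_response("404 Not Found", headers)
        return [data]

    return app


def run(app, path):
    """Drive a WSGI app offline with a constructed environ.
    Returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "SERVER_NAME": "localhost", "SERVER_PORT": "80",
               "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], body


def reflects_script(body):
    """Oracle for the XSS check: does a raw <script> tag survive?"""
    return "<script>" in body
```

Running the unescaped app against SAMPLE_PATH returns a body containing the
raw `<script>` tag; the escaped app returns `&lt;script&gt;` instead.  The
wrapped cookie encoding produces a value with embedded newlines that
set_cookie_header refuses, while the single-line encoding round-trips the
ticket and carries the HttpOnly attribute.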
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jun 24 2010 Luke Macken <lmacken at redhat.com> - 1.7.4-1
- 1.7.4 security release
* Sun Jul 26 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.7.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Mon Jun 22 2009 Kyle VanderBeek <kylev at kylev.com> - 1.7.2-3
- Package formerly ghost'ed .pyo files
- Update to current python package methods
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update python-paste' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

