[SECURITY] Fedora 12 Update: python-paste-1.7.4-1.fc12

updates at fedoraproject.org
Tue Jun 29 15:32:15 UTC 2010

Fedora Update Notification
2010-06-25 17:05:06

Name        : python-paste
Product     : Fedora 12
Version     : 1.7.4
Release     : 1.fc12
URL         : http://pythonpaste.org
Summary     : Tools for using a Web Server Gateway Interface stack
Description :
These provide several pieces of "middleware" (or filters) that can be nested
to build web applications.  Each piece of middleware uses the WSGI (PEP 333)
interface, and should be compatible with other middleware based on those

Update Information:

***1.7.4***

* The only real change is to paste.httpexceptions, which was using insecure
  quoting of some parameters and allowed an XSS hole, most specifically with
  its 404 messages.  The most notable WSGI applications using this are
  paste.urlparse.StaticURLParser and PkgResourcesParser.  By directing someone
  to an appropriately formed URL an attacker can execute arbitrary JavaScript
  on the victim's client.  paste.urlmap.URLMap is also affected, but only if
  you have no application attached to /.  Other applications using
  paste.httpexceptions may be affected (especially HTTPNotFound).
  WebOb/webob.exc.HTTPNotFound is not affected.

***1.7.3***

* Fix paste.httpserver on Python 2.6.
* Fix paste.auth.cookie, which would insert newlines for long cookies.
* paste.util.mimeparse parses a single * in Accept headers (sent by IE 6).
* Fix some problems with the wdg_validate middleware.
* Improvements to paste.auth.auth_tkt: add httponly support, don't always
  aggressively set cookies without the wildcard_cookie option. Also on logout,
  make cookies expire.
* In paste.proxy.Proxy handle Content-Length of -1.
* In paste.httpexceptions avoid some unicode errors.
* In paste.httpserver handle .read() from 100 Continue properly (because of a
  typo it was doing a readline).
* Update paste.util.mimeparse from upstream.

http://pythonpaste.org/news.html
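As an added illustration of the class of bug fixed in 1.7.4 (example code written for this note, not paste's own paste.httpexceptions or StaticURLParser code): a minimal WSGI 404 handler in the insecure form, where the requested path is interpolated into the HTML body unescaped, beside the escaped form, plus a small regression check that drives either handler through a constructed WSGI environ and reports whether raw markup from the path comes back in the response. Handler and helper names are assumptions.

```python
import html


def not_found_vulnerable(environ, start_response):
    """Insecure pattern: the requested path is interpolated into the HTML
    body unescaped, so markup in the URL is reflected to the browser."""
    path = environ.get("PATH_INFO", "")
    body = ("<html><body><h1>404 Not Found</h1>"
            "The resource at %s could not be found</body></html>" % path)
    start_response("404 Not Found", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


def not_found_hardened(environ, start_response):
    """Fixed pattern: HTML-escape the path (quotes included) before it is
    placed in the body, so it renders as text rather than as markup."""
    path = html.escape(environ.get("PATH_INFO", ""), quote=True)
    body = ("<html><body><h1>404 Not Found</h1>"
            "The resource at %s could not be found</body></html>" % path)
    start_response("404 Not Found", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


def render(app, path):
    """Drive a WSGI app with a constructed (minimal) environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SCRIPT_NAME": "",
               "SERVER_NAME": "localhost", "SERVER_PORT": "80",
               "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body


def reflects_raw_markup(app, probe="<b>probe</b>"):
    """Regression check for any 404 handler: True if the constructed probe
    comes back unchanged in the body, i.e. the path was not escaped.
    (PATH_INFO is already URL-decoded in WSGI, so the markup arrives literally.)"""
    status, body = render(app, "/missing/" + probe)
    return status.startswith("404") and probe in body


if __name__ == "__main__":
    for app in (not_found_vulnerable, not_found_hardened):
        print(app.__name__, "reflects raw markup:", reflects_raw_markup(app))
```

The same check can be pointed at a real application's 404 handler to confirm the fix is in place after updating.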

* Thu Jun 24 2010 Luke Macken <lmacken at redhat.com> - 1.7.4-1
- 1.7.4 security release

This update can be installed with the "yum" update program.  Use
su -c 'yum update python-paste' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
