authorRuslan Makhmatkhanov <rm@FreeBSD.org>2012-10-25 10:12:42 +0000
committerRuslan Makhmatkhanov <rm@FreeBSD.org>2012-10-25 10:12:42 +0000
commit600314693a8a147f27249d9b75f0a3620ece78f8 (patch)
treef35761640d61a2fd2cd6db9bf24ec26f662a3366
parent7f04abe72990577bfc998f62c68091bbe126100e (diff)
- update django ports to 1.3.4 and 1.4.2, which fix a couple of security issues.
All users are encouraged to upgrade immediately. - add vuxml entry changes common for both ports: - trim Makefile header - strict python version to 2.x only - utilize options framework multiple choice feature to let user to choose database backends needed. Make SQLITE option default - shorten description of HTMLDOCS_DESC to make it fit into dialog screen - SITELIBDIR -> PKGNAMEPREFIX change in dependencies - convert NOPORTDOCS condition to optionsng - tab -> space change in pkg-descr PR: 173017 Submitted by: rm (myself) Approved by: lwhsu (maintainer, by mail) Security: 5f326d75-1db9-11e2-bc8f-d0df9acfd7e5 Feature safe: yes
Notes
Notes: svn path=/head/; revision=306376
-rw-r--r--security/vuxml/vuln.xml63
-rw-r--r--www/py-django/Makefile34
-rw-r--r--www/py-django/distinfo4
-rw-r--r--www/py-django/pkg-descr2
-rw-r--r--www/py-django/pkg-plist3
-rw-r--r--www/py-django13/Makefile34
-rw-r--r--www/py-django13/distinfo4
-rw-r--r--www/py-django13/pkg-descr2
8 files changed, 102 insertions, 44 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index f7b879be0830..c74b067aa0f6 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -51,6 +51,69 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="5f326d75-1db9-11e2-bc8f-d0df9acfd7e5">
+ <topic>django -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>django</name>
+ <range><lt>1.4.2</lt></range>
+ </package>
+ <package>
+ <name>django13</name>
+ <range><lt>1.3.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Django Project reports:</p>
+ <blockquote cite="https://www.djangoproject.com/weblog/2012/oct/17/security/">
+ <ol>
+ <li>
+ <p>Host header poisoning</p>
+ <p>Some parts of Django -- independent of end-user-written applications
+ -- make use of full URLs, including domain name, which are generated
+ from the HTTP Host header. Some attacks against this are beyond Django's
+ ability to control, and require the web server to be properly configured;
+ Django's documentation has for some time contained notes advising users
+ on such configuration.</p>
+ <p>Django's own built-in parsing of the Host header is, however, still
+ vulnerable, as was reported to us recently. The Host header parsing
+ in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host()
+ -- was incorrectly handling username/password information in the header.
+ Thus, for example, the following Host header would be accepted by Django when
+ running on "validsite.com":</p>
+ <p>Host: validsite.com:random@evilsite.com</p>
+ <p>Using this, an attacker can cause parts of Django -- particularly the
+ password-reset mechanism -- to generate and display arbitrary URLs to users.</p>
+ <p>To remedy this, the parsing in HttpRequest.get_host() is being modified; Host
+ headers which contain potentially dangerous content (such as username/password
+ pairs) now raise the exception django.core.exceptions.SuspiciousOperation.</p>
+ </li>
+ <li>
+ <p>Documentation of HttpOnly cookie option</p>
+ <p>As of Django 1.4, session cookies are always sent with the HttpOnly flag, which
+ provides some additional protection from cross-site scripting attacks by denying
+ client-side scripts access to the session cookie.</p>
+ <p>Though not directly a security issue in Django, it has been reported that the
+ Django 1.4 documentation incorrectly described this change, by claiming that this
+ was now the default for all cookies set by the HttpResponse.set_cookie() method.</p>
+ <p>The Django documentation has been updated to reflect that this only applies to the
+ session cookie. Users of Django are encouraged to review their use of set_cookie()
+ to ensure that the HttpOnly flag is being set or unset appropriately.</p>
+ </li>
+ </ol>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.djangoproject.com/weblog/2012/oct/17/security/</url>
+ </references>
+ <dates>
+ <discovery>2012-10-17</discovery>
+ <entry>2012-10-24</entry>
+ </dates>
+ </vuln>
+
<vuln vid="a7706414-1be7-11e2-9aad-902b343deec9">
<topic>Wireshark -- Multiple Vulnerabilities</topic>
<affects>
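Review bot: The `<name>` elements in the new entry (`django`, `django13`) should be checked against the names the ports actually install, which after the `USE_PYTHON= -2.7` change in the Makefile hunks are `${PYTHON_PKGNAMEPREFIX}django` and `${PYTHON_PKGNAMEPREFIX}django13`; if the audit tooling matches on the full package name, an entry named `django` would not flag an installed `py27-django` and users would never see the advisory. The `<references>` block carries only the weblog URL; if CVE identifiers are assigned for the Host header issue, add them alongside it as `<cvename>CVE-YYYY-NNNN</cvename>` (placeholder) so the entry can be cross-referenced.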
diff --git a/www/py-django/Makefile b/www/py-django/Makefile
index a460610fd5b7..d02fb35479e3 100644
--- a/www/py-django/Makefile
+++ b/www/py-django/Makefile
@@ -1,12 +1,8 @@
-# New ports collection makefile for: django
-# Date created: 2005-11-19
-# Whom: Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe>
-#
+# Created by: Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe>
# $FreeBSD$
-#
PORTNAME= django
-PORTVERSION= 1.4.1
+PORTVERSION= 1.4.2
CATEGORIES= www python
MASTER_SITES= https://www.djangoproject.com/m/releases/${PORTVERSION:R}/ \
CHEESESHOP
@@ -20,7 +16,7 @@ COMMENT= High-level Python Web framework
LICENSE= BSD
USE_GETTEXT= yes
-USE_PYTHON= yes
+USE_PYTHON= -2.7
USE_PYDISTUTILS= yes
PYDISTUTILS_PKGNAME= Django
@@ -28,20 +24,20 @@ CONFLICTS= py2[0-9]-django-devel-[0-9]* py2[0-9]-django-1.[23].*
DOCSDIR= ${PREFIX}/share/doc/py-django
-OPTIONS_DEFINE= PGSQL MYSQL SQLITE FASTCGI HTMLDOCS
-OPTIONS_DEFAULT=
-
-HTMLDOCS_DESC= Build and install the HTML documentation (requires Sphinx)
-
-MAN1= daily_cleanup.1 django-admin.1 gather_profile_stats.1
-
# bypass infrastructure bug
OPTIONSFILE= ${PORT_DBDIR}/py-${PORTNAME}/options
+OPTIONS_DEFINE= FASTCGI HTMLDOCS
+OPTIONS_DEFAULT=SQLITE
+OPTIONS_MULTI= DATABASE
+OPTIONS_MULTI_DATABASE= PGSQL MYSQL SQLITE
+HTMLDOCS_DESC= Install the HTML documentation (requires Sphinx)
+
+MAN1= daily_cleanup.1 django-admin.1 gather_profile_stats.1
-.include <bsd.port.pre.mk>
+.include <bsd.port.options.mk>
.if ${PORT_OPTIONS:MPGSQL}
-RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/psycopg2/_psycopg.so:${PORTSDIR}/databases/py-psycopg2
+RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}psycopg2>0:${PORTSDIR}/databases/py-psycopg2
.endif
.if ${PORT_OPTIONS:MMYSQL}
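Review bot: `OPTIONS_DEFAULT=SQLITE` appears to be the only assignment in the new option block without whitespace after the `=`, unlike `OPTIONS_DEFINE=` and `OPTIONS_MULTI=` on the neighbouring lines; write it as `OPTIONS_DEFAULT=	SQLITE` for consistency (the exact separator cannot be told from the rendered page, so verify it is a tab like the others). The same line is repeated in the corresponding hunk of www/py-django13/Makefile.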
@@ -49,7 +45,7 @@ RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}MySQLdb>=1.2.2:${PORTSDIR}/databases/py-MyS
.endif
.if ${PORT_OPTIONS:MSQLITE}
-RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/_sqlite3.so:${PORTSDIR}/databases/py-sqlite3
+RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sqlite3>0:${PORTSDIR}/databases/py-sqlite3
.endif
.if ${PORT_OPTIONS:MFASTCGI}
@@ -57,7 +53,7 @@ RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}flup>0:${PORTSDIR}/www/py-flup
.endif
.if ${PORT_OPTIONS:MHTMLDOCS}
-. if defined(NOPORTDOCS)
+. if empty(PORT_OPTIONS:MDOCS)
IGNORE= you cannot build documentation while setting NOPORTDOCS
. endif
BUILD_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sphinx>0:${PORTSDIR}/textproc/py-sphinx
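Review bot: The IGNORE message on the line after the changed condition is now stale: the test was switched to `empty(PORT_OPTIONS:MDOCS)`, so a user reaches it by unselecting the DOCS option, but the text still tells them about NOPORTDOCS. Change it to `IGNORE= HTMLDOCS requires the DOCS option to be enabled` (or similar wording). The same stale message is left in the corresponding hunk of www/py-django13/Makefile. The `.if ${PORT_OPTIONS:MHTMLDOCS}` block continues past the end of this hunk.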
@@ -79,4 +75,4 @@ post-install:
${CP} -R ${WRKSRC}/docs/_build/html ${DOCSDIR}
.endif
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>
diff --git a/www/py-django/distinfo b/www/py-django/distinfo
index 3958193eddfa..a4b32b90039f 100644
--- a/www/py-django/distinfo
+++ b/www/py-django/distinfo
@@ -1,2 +1,2 @@
-SHA256 (python/Django-1.4.1.tar.gz) = 4d8d20eba350d3d29613cc5a6302d5c23730c7f9e150985bc58b3175b755409b
-SIZE (python/Django-1.4.1.tar.gz) = 7656756
+SHA256 (python/Django-1.4.2.tar.gz) = edfd8733f45bbaa524cee25bcac3080ce28c21242c27227464eae3fa6b3d80e7
+SIZE (python/Django-1.4.2.tar.gz) = 7722026
diff --git a/www/py-django/pkg-descr b/www/py-django/pkg-descr
index 4356d5ad924d..1eefec3fb492 100644
--- a/www/py-django/pkg-descr
+++ b/www/py-django/pkg-descr
@@ -7,4 +7,4 @@ intensive deadlines of a newsroom and the stringent requirements of experienced
Web developers. It has convenient niceties for developing content-management
systems, but it's an excellent tool for building any Web site.
-WWW: http://www.djangoproject.com/
+WWW: http://www.djangoproject.com/
diff --git a/www/py-django/pkg-plist b/www/py-django/pkg-plist
index de460b6bf767..c07c2ed69cb7 100644
--- a/www/py-django/pkg-plist
+++ b/www/py-django/pkg-plist
@@ -5294,6 +5294,9 @@ bin/django-admin.py
%%PYTHON_SITELIBDIR%%/django/utils/simplejson/tool.py
%%PYTHON_SITELIBDIR%%/django/utils/simplejson/tool.pyc
%%PYTHON_SITELIBDIR%%/django/utils/simplejson/tool.pyo
+%%PYTHON_SITELIBDIR%%/django/utils/six.py
+%%PYTHON_SITELIBDIR%%/django/utils/six.pyc
+%%PYTHON_SITELIBDIR%%/django/utils/six.pyo
%%PYTHON_SITELIBDIR%%/django/utils/synch.py
%%PYTHON_SITELIBDIR%%/django/utils/synch.pyc
%%PYTHON_SITELIBDIR%%/django/utils/synch.pyo
diff --git a/www/py-django13/Makefile b/www/py-django13/Makefile
index c137e75fbada..5f6acfb8f1f0 100644
--- a/www/py-django13/Makefile
+++ b/www/py-django13/Makefile
@@ -1,12 +1,8 @@
-# New ports collection makefile for: django
-# Date created: 2005-11-19
-# Whom: Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe>
-#
+# Created by: Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe>
# $FreeBSD$
-#
PORTNAME= django
-PORTVERSION= 1.3.3
+PORTVERSION= 1.3.4
CATEGORIES= www python
MASTER_SITES= http://www.djangoproject.com/m/releases/${PORTVERSION:R}/ \
CHEESESHOP
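Review bot: MASTER_SITES on the context line above still fetches the distfile over plain http, while the sibling port www/py-django/Makefile touched in this same commit uses https for the same host. Integrity is covered by the SHA256 in distinfo, so the exposure is limited, but aligning it to `MASTER_SITES= https://www.djangoproject.com/m/releases/${PORTVERSION:R}/ \` removes the inconsistency and avoids a cleartext fetch. This is a context line rather than part of the change, so it may be better handled in a follow-up.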
@@ -22,7 +18,7 @@ LICENSE= BSD
LATEST_LINK= ${PYTHON_PKGNAMEPREFIX}django13
USE_GETTEXT= yes
-USE_PYTHON= yes
+USE_PYTHON= -2.7
USE_PYDISTUTILS= yes
PYDISTUTILS_PKGNAME= Django
@@ -30,20 +26,20 @@ CONFLICTS= py2[0-9]-django-devel-[0-9]* py2[0-9]-django-1.[24]*
DOCSDIR= ${PREFIX}/share/doc/py-django
-OPTIONS_DEFINE= PGSQL MYSQL SQLITE FASTCGI HTMLDOCS
-OPTIONS_DEFAULT=
-
-HTMLDOCS_DESC= Build and install the HTML documentation (requires Sphinx)
-
-MAN1= daily_cleanup.1 django-admin.1 gather_profile_stats.1
-
# bypass infrastructure bug
OPTIONSFILE= ${PORT_DBDIR}/py-${PORTNAME}/options
+OPTIONS_DEFINE= FASTCGI HTMLDOCS
+OPTIONS_DEFAULT=SQLITE
+OPTIONS_MULTI= DATABASE
+OPTIONS_MULTI_DATABASE= PGSQL MYSQL SQLITE
+HTMLDOCS_DESC= Install the HTML documentation (requires Sphinx)
+
+MAN1= daily_cleanup.1 django-admin.1 gather_profile_stats.1
-.include <bsd.port.pre.mk>
+.include <bsd.port.options.mk>
.if ${PORT_OPTIONS:MPGSQL}
-RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/psycopg2/_psycopg.so:${PORTSDIR}/databases/py-psycopg2
+RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}psycopg2>0:${PORTSDIR}/databases/py-psycopg2
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-changeset_16520.diff
.endif
@@ -52,7 +48,7 @@ RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}MySQLdb>=1.2.2:${PORTSDIR}/databases/py-MyS
.endif
.if ${PORT_OPTIONS:MSQLITE}
-RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/_sqlite3.so:${PORTSDIR}/databases/py-sqlite3
+RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sqlite3>0:${PORTSDIR}/databases/py-sqlite3
.endif
.if ${PORT_OPTIONS:MFASTCGI}
@@ -60,7 +56,7 @@ RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}flup>0:${PORTSDIR}/www/py-flup
.endif
.if ${PORT_OPTIONS:MHTMLDOCS}
-. if defined(NOPORTDOCS)
+. if empty(PORT_OPTIONS:MDOCS)
IGNORE= you cannot build documentation while setting NOPORTDOCS
. endif
BUILD_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sphinx>0:${PORTSDIR}/textproc/py-sphinx
@@ -83,4 +79,4 @@ post-install:
${CP} -R ${WRKSRC}/docs/_build/html ${DOCSDIR}
.endif
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>
diff --git a/www/py-django13/distinfo b/www/py-django13/distinfo
index bec9c2d35805..f35765755656 100644
--- a/www/py-django13/distinfo
+++ b/www/py-django13/distinfo
@@ -1,2 +1,2 @@
-SHA256 (python/Django-1.3.3.tar.gz) = 8ef44cfd89dee0331018ec56a2ed27dc14ae8d65feb664c10e128b3437cbd46a
-SIZE (python/Django-1.3.3.tar.gz) = 6507280
+SHA256 (python/Django-1.3.4.tar.gz) = 2626e6b216e1bdef887bd923f00d94d94b4d4e75fc2e336c6f156d842d10a607
+SIZE (python/Django-1.3.4.tar.gz) = 6507771
diff --git a/www/py-django13/pkg-descr b/www/py-django13/pkg-descr
index 4356d5ad924d..1eefec3fb492 100644
--- a/www/py-django13/pkg-descr
+++ b/www/py-django13/pkg-descr
@@ -7,4 +7,4 @@ intensive deadlines of a newsroom and the stringent requirements of experienced
Web developers. It has convenient niceties for developing content-management
systems, but it's an excellent tool for building any Web site.
-WWW: http://www.djangoproject.com/
+WWW: http://www.djangoproject.com/