[1.3.x] Don't characterize XML vulnerabilities as DoS-only.

Carl Meyer 2013-02-19 18:23:25 -07:00
parent 747d3f0d03
commit 2378c31430
1 changed files with 5 additions and 6 deletions

@ -39,12 +39,11 @@ XML deserialization
------------------- -------------------
The XML parser in the Python standard library is vulnerable to a number of The XML parser in the Python standard library is vulnerable to a number of
denial-of-service attacks via external entities and entity expansion. Django attacks via external entities and entity expansion. Django uses this parser for
uses this parser for deserializing XML-formatted database fixtures. The fixture deserializing XML-formatted database fixtures. The fixture deserializer is not
deserializer is not intended for use with untrusted data, but in order to err intended for use with untrusted data, but in order to err on the side of safety
on the side of safety in Django 1.3.6 the XML deserializer refuses to parse an in Django 1.3.6 the XML deserializer refuses to parse an XML document with a
XML document with a DTD (DOCTYPE definition), which closes off these attack DTD (DOCTYPE definition), which closes off these attack avenues.
avenues.
These issues in the Python standard library are CVE-2013-1664 and These issues in the Python standard library are CVE-2013-1664 and
CVE-2013-1665. More information available `from the Python security team`_. CVE-2013-1665. More information available `from the Python security team`_.
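Review bot: the rewritten first sentence drops "denial-of-service" but replaces it with the vaguer "a number of attacks via external entities and entity expansion", so the doc no longer tells readers what the non-DoS impact actually is, even though the commit message exists precisely because the issues are not DoS-only. Consider one clause that names the impact classes separately (entity expansion as a resource-exhaustion problem, external entity resolution as a data-exposure problem), so the reader understands why refusing any DTD, rather than a size limit alone, is the chosen mitigation. The rest of the reflowed paragraph, the 1.3.6 version reference and the `from the Python security team`_ link reference are unchanged in substance, which is fine; just confirm that link target is still defined elsewhere in the file since only this hunk is shown.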