Security vulnerability announcement


Kai Diefenbach

Mar 8, 2012, 5:05:43 AM
to djang...@googlegroups.com

This is an announcement of a security vulnerability in LFS.


We are publishing multiple releases for all affected versions now. All users of LFS are urged to upgrade immediately.


Versions affected


0.5.x, 0.6.x, 0.7.x


Resolution


Patches will be applied to the tip of all version branches. Releases for all affected versions will be provided.


Installation


The installation should be straightforward. Just replace your current version of django-lfs with the new release and restart your instance. This can be done in several ways depending on your current installation. For instance, you can just update the version of django-lfs within buildout.cfg and re-run the buildout, or you can install a completely new instance and point it to your current database and media files. Make sure that you are using the correct version branch.


You can find the different installers here:


   * http://pypi.python.org/pypi/django-lfs/0.5.0

   * http://pypi.python.org/pypi/django-lfs/0.6.9

   * http://pypi.python.org/pypi/django-lfs/0.7.0b2


If you have questions, don't hesitate to get in contact:


   * http://groups.google.com/group/django-lfs

   * irc://irc.freenode.net/django-lfs

   * secu...@getlfs.com


If you need professional support, please look here:


   * http://www.getlfs.com/service-providers


Credit


Thanks to Maciej Wiśniowski (natcam.pl), who found the issue, handled it in a most responsible way, and helped to provide the patches.


General


If you find a security-relevant issue, please report it via private mail to secu...@getlfs.com


Matuscheck

Mar 8, 2012, 7:48:07 AM
to djang...@googlegroups.com
On Thu, 8 Mar 2012 02:05:43 -0800 (PST)
Kai Diefenbach <kai.die...@iqpp.de> wrote:

> For
> instance you can just update the version of django-lfs within
> buildout.cfg and re-run the buildout

Hello Kai,

thanks for the security upgrade procedure. For anyone upgrading a
0.5.x site they might be hit by a change in djangorecipe[1] as I was.
It is easy to fix: edit buildout.cfg and under the [buildout] section
add
versions = versions
then add a new section
[versions]
django = 1.1
django-lfs = 0.5.0
and finally comment out the original "version =" info

Then run buildout -v

After that the upgrade went smoothly.

Regards,
M.

[1]
http://pypi.python.org/pypi/djangorecipe/0.99

Kai Diefenbach

Mar 8, 2012, 8:56:58 AM
to djang...@googlegroups.com
Hi Matuschek,

AFAIK this should work, as djangorecipe should be pinned to 0.23.1 in 0.5.0's buildout.cfg and therefore it should take the Django version given in the django section. Would be interesting to know whether this is the case in your buildout.

Anyway, thanks for your hint!

Cheers
Kai




--
IQ++
Tel: +49 361 / 6636700
Fax: +49 361 / 6636702
Mail: kai.die...@iqpp.de
Web: http://www.iqpp.de
Skype: kai.diefenbach
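The two checks a practitioner wants from this thread are "is my installed django-lfs below the fixed release for its branch?" (the advisory's version list) and "does my buildout.cfg actually pin the eggs the upgrade depends on?" (the djangorecipe pinning problem Matuscheck hit). The following script is an added example written for this page, not code from the LFS project or from anyone on the thread. It assumes the fixed releases named in the advisory (0.5.0, 0.6.9, 0.7.0b2), that LFS only ever used the `b` pre-release tag (the only one visible here), and that a buildout.cfg uses the plain `versions = <section>` pinning layout shown in Matuscheck's post; the sample buildout.cfg is constructed for the example.

```python
import configparser
import re

# Fixed releases named in the advisory, keyed by branch (major, minor).
FIXED_RELEASES = {
    (0, 5): "0.5.0",
    (0, 6): "0.6.9",
    (0, 7): "0.7.0b2",
}

# Eggs whose pins the thread shows matter for a clean upgrade.  The advisory
# lists none; djangorecipe is the one that bit Matuscheck (assumption: these
# two are the minimum worth pinning for an LFS buildout).
EXPECTED_PINS = ("django-lfs", "djangorecipe")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:b(\d+))?$")


def parse_version(text):
    """Sortable key for X.Y.Z or X.Y.ZbN (beta N) version strings.

    A beta sorts below the final release of the same X.Y.Z, as in PEP 440.
    Assumption: only the 'b' pre-release tag is handled, which is the only
    one appearing in the release names on this thread.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported version string: %r" % text)
    major, minor, patch, beta = m.groups()
    release = (int(major), int(minor), int(patch))
    pre = (0, int(beta)) if beta is not None else (1, 0)
    return release + pre


def assess(installed):
    """Classify an installed django-lfs version against the advisory.

    'upgrade'    - on an affected branch and below that branch's fixed release
    'fixed'      - at or above the fixed release for its branch
    'not-listed' - branch not named in the advisory; verify by hand
    """
    key = parse_version(installed)
    fixed = FIXED_RELEASES.get(key[:2])
    if fixed is None:
        return "not-listed"
    return "upgrade" if key < parse_version(fixed) else "fixed"


def find_pins(buildout_cfg_text):
    """Return {name: version} for the eggs pinned via buildout's [versions].

    Follows the 'versions = <section>' setting in [buildout]; returns {} when
    nothing is pinned.  configparser is a simplification: it copes with the
    plain 'key = value' lines used here but not every buildout extension
    (e.g. 'eggs +='), so treat the result as a hint, not an oracle.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(buildout_cfg_text)
    section = cfg.get("buildout", "versions", fallback=None)
    if not section or not cfg.has_section(section):
        return {}
    # configparser lower-cases option names already; strip values to be safe.
    return {name.lower(): value.strip() for name, value in cfg.items(section)}


def missing_pins(buildout_cfg_text, required=EXPECTED_PINS):
    """Names from `required` that the buildout does not pin."""
    pins = find_pins(buildout_cfg_text)
    return [name for name in required if name not in pins]


# Constructed sample buildout.cfg in the shape Matuscheck describes:
# django and django-lfs pinned, djangorecipe left floating.
SAMPLE_CFG = """\
[buildout]
parts = django
versions = versions

[versions]
django = 1.1
django-lfs = 0.5.0

[django]
recipe = djangorecipe
eggs = django-lfs
project = project
"""

if __name__ == "__main__":
    for v in ("0.5.0b6", "0.5.0", "0.6.8", "0.6.9", "0.7.0b1", "0.7.0b2"):
        print(v, "->", assess(v))
    print("pinned:", find_pins(SAMPLE_CFG))
    print("unpinned:", missing_pins(SAMPLE_CFG))
```

Run it against the output of `pip show django-lfs` (or the egg name under `eggs/`) and your real buildout.cfg. A result of `upgrade` means the instance is on an affected branch below the fixed release; an unpinned `djangorecipe` means a re-run buildout may pull a newer recipe with a different `version` handling, which is exactly the surprise reported in the thread.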

Matuscheck

Mar 8, 2012, 9:24:14 AM
to djang...@googlegroups.com
On Thu, 8 Mar 2012 14:56:58 +0100
Kai Diefenbach <kai.die...@iqpp.de> wrote:

> djangorecipe should be pinned to 0.23.1 in 0.5.0's buildout.cfg

There was no pinning in buildout.cfg and the installed djangorecipe
egg was 0.20. The buildout was unchanged, except for port number, and
came from a 0.5.0b6 installation.

Regards,
M.

Kai Diefenbach

Mar 8, 2012, 9:50:49 AM
to djang...@googlegroups.com
I see.

The djangorecipe has been pinned with 0.5.0b8. 

Thanks for the information
Kai