This is an announcement of a security vulnerability in LFS.
We are publishing new releases for all affected version branches now. All users of LFS are urged to upgrade immediately.
Versions affected
0.5.x, 0.6.x, 0.7.x
Resolution
Patches will be applied to the tip of all version branches, and releases for all affected versions will be provided.
Installation
The installation should be straightforward: replace your current version of django-lfs with the new release and restart your instance. How you do this depends on your current installation. For instance, you can update the pinned version of django-lfs in buildout.cfg and re-run the buildout, or you can install a completely new instance and point it at your current database and media files. Make sure that you pick the release from your own version branch (0.5.x, 0.6.x or 0.7.x); the fixed releases are listed below.
You can find the different installers here:
* http://pypi.python.org/pypi/django-lfs/0.5.0
* http://pypi.python.org/pypi/django-lfs/0.6.9
* http://pypi.python.org/pypi/django-lfs/0.7.0b2
If you have questions, don't hesitate to get in contact:
* http://groups.google.com/group/django-lfs
* irc://irc.freenode.net/django-lfs
If you need professional support, please look here:
* http://www.getlfs.com/service-providers
Credit
Thanks to Maciej Wiśniowski (natcam.pl), who found the issue, handled it in a most responsible way and helped to provide the patches.
General
If you find a security relevant issue, please report it via private mail to secu...@getlfs.com
> For
> instance you can just update the version of django-lfs within
> buildout.cfg and re-run the buildout
Hello Kai,
thanks for the security upgrade procedure. For anyone upgrading a
0.5.x site they might be hit by a change in djangorecipe[1] as I was.
It is easy to fix: edit buildout.cfg and under the [buildout] section
add
versions = versions
then add a new section
[versions]
django = 1.1
django-lfs = 0.5.0
and finally comment out the original "version =" info
Then run buildout -v
After that the upgrade went smoothly.
Regards,
M.
--
You received this message because you are subscribed to the Google Groups "django-lfs" group.
To post to this group, send email to djang...@googlegroups.com.
To unsubscribe from this group, send email to django-lfs+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-lfs?hl=en.
> djangorecipe should be pinned to 0.23.1 in 0.5.0's buildout.cfg
There was no pinning in buildout.cfg and the installed djangorecipe
egg was 0.20. The buildout was unchanged, except for port number, and
came from a 0.5.0b6 installation.
Regards,
M.
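The pinning procedure from the two replies above, together with the advisory's advice to pick the release from your own branch, as an added example that is not part of this thread or of the django-lfs project: a small Python script that parses a buildout.cfg and checks that [buildout] points at a [versions] section, that django, django-lfs and djangorecipe are all pinned there, and that the django-lfs pin is at or above the fixed release for its branch (0.5.0, 0.6.9 or 0.7.0b2, taken from the PyPI links in the advisory). The embedded buildout.cfg is a constructed sample built from M.'s [buildout]/[versions] layout plus the djangorecipe = 0.23.1 pin suggested in the follow-up; the "parts = django", "recipe = djangorecipe" and "project = lfs_project" lines are assumptions, and version strings are assumed to be of the simple N.N.N[a|b|rc]N form that django-lfs uses.

```python
"""Check that a buildout.cfg pins django-lfs to a patched release.

Added example, not part of django-lfs or of the advisory. Fixed releases
are the ones named in the advisory; the buildout.cfg layout is the one M.
describes in the thread, with the djangorecipe pin from the follow-up.
"""
import configparser
import re

# Fixed release per affected branch, from the advisory's PyPI links.
FIXED_RELEASES = {
    "0.5": "0.5.0",
    "0.6": "0.6.9",
    "0.7": "0.7.0b2",
}

# Constructed sample: M.'s [buildout]/[versions] layout, with the original
# "version =" line under the django recipe commented out. The parts/recipe/
# project lines are assumptions for illustration.
SAMPLE_BUILDOUT_CFG = """
[buildout]
parts = django
versions = versions

[versions]
django = 1.1
django-lfs = 0.5.0
djangorecipe = 0.23.1

[django]
recipe = djangorecipe
# version = 1.1
project = lfs_project
"""


def parse_version(text):
    """Turn '0.7.0b2' into a tuple that sorts correctly: (0, 7, 0, 'b', 2).

    A final release sorts after any pre-release of the same number, so
    '0.7.0' > '0.7.0b2' and '0.7.0b2' > '0.7.0b1'. Only the simple
    N.N.N[a|b|rc]N form is handled (assumption).
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError("unsupported version string: %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, "z", 0)  # 'z' sorts after 'a', 'b', 'rc'
    return (major, minor, patch, m.group(4), int(m.group(5)))


def is_patched(version):
    """True if `version` is at or above the fixed release for its branch.

    Branches the advisory does not list are treated as not affected.
    """
    parsed = parse_version(version)
    branch = "%d.%d" % parsed[:2]
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return True
    return parsed >= parse_version(fixed)


def check_buildout(cfg_text):
    """Return a list of problems found in a buildout.cfg; empty means OK."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    problems = []
    # Without "versions = <section>" in [buildout], pins are silently ignored
    # and buildout picks whatever egg is newest or already installed.
    versions_section = cfg.get("buildout", "versions", fallback=None)
    if versions_section is None:
        problems.append("[buildout] does not point at a versions section")
        return problems
    if not cfg.has_section(versions_section):
        problems.append("missing [%s] section" % versions_section)
        return problems
    for pkg in ("django", "django-lfs", "djangorecipe"):
        if not cfg.has_option(versions_section, pkg):
            problems.append("%s is not pinned" % pkg)
    lfs = cfg.get(versions_section, "django-lfs", fallback=None)
    if lfs is not None and not is_patched(lfs):
        problems.append("django-lfs %s is still vulnerable" % lfs)
    return problems


if __name__ == "__main__":
    for problem in check_buildout(SAMPLE_BUILDOUT_CFG) or ["buildout.cfg pins look OK"]:
        print(problem)
```

Run it against your real file with check_buildout(open("buildout.cfg").read()); an empty list means the pins are in place. It checks only what the file asks buildout to install, not what is currently in the eggs directory, so re-run buildout afterwards and restart the instance as the advisory says.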