Red Hat Security Advisory RHSA-2013:1521

(RHSA-2013:1521) Moderate: python-django security update

Published: 2013-11-14 (access.redhat.com)
EPSS: 0.008 (percentile 81.2%)
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as much
as possible and adhering to the DRY (Don't Repeat Yourself) principle.

It was discovered that the django.utils.http.is_safe_url() function
considered any URL that used a scheme other than HTTP or HTTPS (for
example, "javascript:") as safe. An attacker could potentially use this
flaw to perform cross-site scripting (XSS) attacks. (CVE-2013-6044)
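The following is an added illustration, not Django's own code: a minimal reconstruction of the redirect-target check the advisory describes, with the pre-fix shape (only the network location is compared with the site host, so a "javascript:" target with an empty netloc passes) beside a version that also requires an empty or HTTP(S) scheme. The host name "good.example", the sample targets and the function names are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed illustration (not Django's code) of the redirect-target check
# behind CVE-2013-6044: a "next"-style parameter is accepted when it points
# back at our own host. That stops open redirects but not "javascript:" or
# "data:" targets, because those URLs have no network location at all.

ALLOWED_SCHEMES = ("http", "https")  # assumption: only web schemes may be redirect targets


def is_safe_url_vulnerable(url, host):
    """Pre-fix shape: only the network location is compared with our host."""
    if not url:
        return False
    netloc = urlparse(url).netloc
    # A relative path has an empty netloc and is accepted, but so does
    # "javascript:alert(1)", whose netloc is also empty.
    return not netloc or netloc == host


def is_safe_url_fixed(url, host):
    """Corrected shape: additionally require an empty or HTTP(S) scheme."""
    if not url:
        return False
    parts = urlparse(url)
    host_ok = not parts.netloc or parts.netloc == host
    scheme_ok = not parts.scheme or parts.scheme in ALLOWED_SCHEMES
    return host_ok and scheme_ok


def audit(candidates, host):
    """Return (url, vulnerable_verdict, fixed_verdict) for each candidate."""
    return [(u, is_safe_url_vulnerable(u, host), is_safe_url_fixed(u, host))
            for u in candidates]


# Constructed sample redirect targets; "good.example" is the assumed site host.
SAMPLE_TARGETS = [
    "/accounts/profile/",                         # relative: safe under both checks
    "https://good.example/dashboard/",            # same host: safe under both checks
    "//evil.example/",                            # protocol-relative, other host: rejected by both
    "http://evil.example/",                       # other host: rejected by both
    "javascript:alert(document.cookie)",          # XSS payload: accepted by the old check only
    "data:text/html,<script>alert(1)</script>",   # also accepted by the old check only
]

if __name__ == "__main__":
    for url, old, new in audit(SAMPLE_TARGETS, "good.example"):
        print(f"{url!r:50} old={old!s:5} fixed={new!s:5}")
```

The corrected check here covers only the scheme problem this advisory describes; later Django releases tightened is_safe_url further against other parser-confusion inputs, so a real application should rely on the framework's current implementation rather than on a copy of this check.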

A directory traversal flaw was found in Django's "ssi" template tag, which
takes a file path as input and outputs that file's contents. An attacker
able to alter templates that made use of the "ssi" tag on a site could use
this flaw to access any local files accessible to Django. (CVE-2013-4315)
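The following is an added illustration, not Django's own code: an include-root check of the kind an "ssi"-style tag needs, showing why a plain string-prefix test on the raw path is traversable and how normalising the path and testing it against a directory boundary closes that hole. The boundary check (rejecting "/srv/site/includes_private" when the root is "/srv/site/includes") goes beyond what the advisory states but is the same prefix-matching mistake in a second form. The root directory, the fake in-memory filesystem and the function names are assumptions made for the example.

```python
import posixpath

# Constructed illustration (not Django's code) of the include-root check
# behind CVE-2013-4315: a template tag that reads a file by path may only
# serve files under an administrator-configured allow list of directories.

# Assumed allow list. ALLOWED_INCLUDE_ROOTS is the name of the real Django
# setting, but the value here is invented for the example.
ALLOWED_INCLUDE_ROOTS = ("/srv/site/includes",)


def include_is_allowed_vulnerable(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Pre-fix shape: a plain string-prefix test on the raw, unnormalised path."""
    # "/srv/site/includes/../../../etc/passwd" starts with the root and passes.
    return any(filepath.startswith(root) for root in roots)


def include_is_allowed_fixed(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Normalise the path first, then test it against a directory boundary."""
    if not posixpath.isabs(filepath):
        return False                        # a relative path depends on the cwd; refuse it
    target = posixpath.normpath(filepath)   # collapses "..", "." and duplicate slashes
    for root in roots:
        root = posixpath.normpath(root)
        # Boundary check: "/srv/site/includes_private/x" must not match
        # the root "/srv/site/includes", so require the separator after it.
        if target == root or target.startswith(root.rstrip("/") + "/"):
            return True
    return False


# Constructed in-memory stand-in for the filesystem so the example runs offline.
FAKE_FS = {
    "/srv/site/includes/header.html": "<header>Site</header>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash",
}


def ssi_render(filepath, roots=ALLOWED_INCLUDE_ROOTS, fs=FAKE_FS):
    """What an ssi-style tag should do: decide before touching the filesystem.

    Disallowed paths render as an empty string (this example's choice)."""
    if not include_is_allowed_fixed(filepath, roots):
        return ""
    return fs.get(posixpath.normpath(filepath), "")


if __name__ == "__main__":
    for path in ("/srv/site/includes/header.html",
                 "/srv/site/includes/../../../etc/passwd",
                 "/srv/site/includes_private/secret.html",
                 "includes/header.html"):
        print(f"{path!r:45} old={include_is_allowed_vulnerable(path)!s:5} "
              f"fixed={include_is_allowed_fixed(path)!s:5} "
              f"render={ssi_render(path)!r}")
```

posixpath.normpath is purely lexical: a symlink inside the allowed root can still point outside it. On a real filesystem, resolve with os.path.realpath (which follows symlinks) before the boundary test, and apply the same check to the root itself.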

Red Hat would like to thank James Bennett of Django for reporting
CVE-2013-4315.

All python-django users are advised to upgrade to these updated packages,
which contain a backported patch to correct these issues.