Security issue (no CVE yet)

another security issue in the package: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646517

precise can be synced when it is uploaded to debian, we don't need the diff anymore

Subscribing ubuntu-security-sponsors

0.2.2-2 is in Precise, which contains the fix.

Thanks for your patches! A few notes:

CVE-2011-4103 has been assigned to this issue, so I added it to the changelogs.

The maverick debdiff did not apply because the UDD tree you pulled from did not include the changes made to the maverick-updates package. I have applied your changes and created a new package for maverick-security.

The oneiric and natty patches number the patches you added to debian/patches, but they aren't applied in numerical order in the series file. I have adjusted this.

03-fix-pickle-load.diff doesn't list an upstream commit in the DEP-3, and it looks to be an exact patch of what came from Debian. I have added 'patch thanks to Debian' to the changelog.

I fixed some trailing whitespace and non-standard indentation in the changelogs.

With the above changes, I have uploaded updated source packages to the security PPA and will push out once they are built. Thanks again.

This bug was fixed in the package python-django-piston - 0.2.2-1ubuntu1.11.10.1

---------------
python-django-piston (0.2.2-1ubuntu1.11.10.1) oneiric-security; urgency=low

  * SECURITY UPDATE: remote code execution vulnerability. LP: #884910
    - 02-fix-yaml-load.diff: use yaml.safe_load
    - 03-fix-pickle-load.diff: disable unpickling, backport from 0.2.3, patch
      thanks to Debian
    - https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
    - CVE-2011-4103
 -- Julian Taylor <email address hidden> Wed, 02 Nov 2011 19:18:12 +0100

This bug was fixed in the package python-django-piston - 0.2.2-1ubuntu1.11.04.1

---------------
python-django-piston (0.2.2-1ubuntu1.11.04.1) natty-security; urgency=low

  * SECURITY UPDATE: remote code execution vulnerability. LP: #884910
    - 02-fix-yaml-load.diff: use yaml.safe_load
    - 03-fix-pickle-load.diff: disable unpickling, backport from 0.2.3, patch
      thanks to Debian
    - https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
    - CVE-2011-4103
 -- Julian Taylor <email address hidden> Wed, 02 Nov 2011 19:18:12 +0100

This bug was fixed in the package python-django-piston - 0.2.2-1ubuntu0.2

---------------
python-django-piston (0.2.2-1ubuntu0.2) maverick-security; urgency=low

  * SECURITY UPDATE: remote code execution vulnerability. LP: #884910
    - 02-fix-yaml-load.diff: use yaml.safe_load
    - 03-fix-pickle-load.diff: disable unpickling, backport from 0.2.3, patch
      thanks to Debian
    - https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
    - Ubuntu patch thanks to Julian Taylor <email address hidden>
    - CVE-2011-4103
 -- Jamie Strandboge <email address hidden> Wed, 09 Nov 2011 10:04:28 -0600