diff options
| author | Carl Meyer <carl@oddbird.net> | 2013-02-19 18:23:25 -0700 |
|---|---|---|
| committer | Carl Meyer <carl@oddbird.net> | 2013-02-19 18:23:25 -0700 |
| commit | 2378c31430a2b441d23efe98c0af32fe4af0fb53 (patch) | |
| tree | 0456161cba2f93adce785cbb1664a3fffb78c1d7 | |
| parent | 747d3f0d0390d1eeae28cb74c310c08c8b4fb58c (diff) | |
[1.3.x] Don't characterize XML vulnerabilities as DoS-only.
| -rw-r--r-- | docs/releases/1.3.6.txt | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/docs/releases/1.3.6.txt b/docs/releases/1.3.6.txt index af17ad3bb0..d55199a882 100644 --- a/docs/releases/1.3.6.txt +++ b/docs/releases/1.3.6.txt @@ -39,12 +39,11 @@ XML deserialization ------------------- The XML parser in the Python standard library is vulnerable to a number of -denial-of-service attacks via external entities and entity expansion. Django -uses this parser for deserializing XML-formatted database fixtures. The fixture -deserializer is not intended for use with untrusted data, but in order to err -on the side of safety in Django 1.3.6 the XML deserializer refuses to parse an -XML document with a DTD (DOCTYPE definition), which closes off these attack -avenues. +attacks via external entities and entity expansion. Django uses this parser for +deserializing XML-formatted database fixtures. The fixture deserializer is not +intended for use with untrusted data, but in order to err on the side of safety +in Django 1.3.6 the XML deserializer refuses to parse an XML document with a +DTD (DOCTYPE definition), which closes off these attack avenues. These issues in the Python standard library are CVE-2013-1664 and CVE-2013-1665. More information available `from the Python security team`_. |
