summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCarl Meyer <carl@oddbird.net>2013-02-19 18:23:25 -0700
committerCarl Meyer <carl@oddbird.net>2013-02-19 18:23:25 -0700
commit2378c31430a2b441d23efe98c0af32fe4af0fb53 (patch)
tree0456161cba2f93adce785cbb1664a3fffb78c1d7
parent747d3f0d0390d1eeae28cb74c310c08c8b4fb58c (diff)
[1.3.x] Don't characterize XML vulnerabilities as DoS-only.
-rw-r--r--docs/releases/1.3.6.txt11
1 files changed, 5 insertions, 6 deletions
diff --git a/docs/releases/1.3.6.txt b/docs/releases/1.3.6.txt
index af17ad3bb0..d55199a882 100644
--- a/docs/releases/1.3.6.txt
+++ b/docs/releases/1.3.6.txt
@@ -39,12 +39,11 @@ XML deserialization
-------------------
The XML parser in the Python standard library is vulnerable to a number of
-denial-of-service attacks via external entities and entity expansion. Django
-uses this parser for deserializing XML-formatted database fixtures. The fixture
-deserializer is not intended for use with untrusted data, but in order to err
-on the side of safety in Django 1.3.6 the XML deserializer refuses to parse an
-XML document with a DTD (DOCTYPE definition), which closes off these attack
-avenues.
+attacks via external entities and entity expansion. Django uses this parser for
+deserializing XML-formatted database fixtures. The fixture deserializer is not
+intended for use with untrusted data, but in order to err on the side of safety
+in Django 1.3.6 the XML deserializer refuses to parse an XML document with a
+DTD (DOCTYPE definition), which closes off these attack avenues.
These issues in the Python standard library are CVE-2013-1664 and
CVE-2013-1665. More information available `from the Python security team`_.