UbuntuUpdates.org

Package "python-gluon"

Name: python-gluon

Description:

High-level Python web development framework

Latest version: 2.12.3-1ubuntu0.1
Release: xenial (16.04)
Level: updates
Repository: universe
Head package: web2py
Homepage: http://www.web2py.com

Links


Download "python-gluon"


Other versions of "python-gluon" in Xenial

Repository Area Version
base universe 2.12.3-1
security universe 2.12.3-1ubuntu0.1

Changelog

Version: 2.12.3-1ubuntu0.1 2019-06-21 14:07:22 UTC

  web2py (2.12.3-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: remote code execution
   - debian/patches/CVE-2016-3957-1.patch: more secure sessions in
     cookies using json
   - debian/patches/CVE-2016-3957-2.patch: restored pickles in sessions
   - debian/patches/CVE-2016-3957-3.patch: fixed sessions for long keys
   - CVE-2016-3957
   - CVE-2016-3954
   - CVE-2016-3953
  * SECURITY UPDATE: brute force password attack
   - debian/patches/CVE-2016-10321.patch: check if host is denied before
     verifying passwords
   - CVE-2016-10321
  * SECURITY UPDATE: information disclosure
   - debian/patches/CVE-2016-3952-1.patch: do not leak global settings into
     request object
   - debian/patches/CVE-2016-3952-2.patch: adding back cmd_options
   - debian/patches/CVE-2016-3952-3.patch: simplified beautify example
   - debian/patches/CVE-2016-3952-4.patch: fixing error due to removing
     global settings from request
   - debian/patches/CVE-2016-3952-5.patch: fixing typo on previous patch
   - CVE-2016-3952

 -- Emilia Torino <email address hidden> Tue, 18 Jun 2019 14:01:55 -0300

CVE-2016-3957 The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which migh
CVE-2016-3954 web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: t
CVE-2016-3953 The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded en
CVE-2016-10321 web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attack
CVE-2016-3952 web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to exampl



About   -   Send Feedback to @ubuntu_updates