python-django: CVE-2020-24583 CVE-2020-24584

Related Vulnerabilities: CVE-2020-24583, CVE-2020-24584

Debian Bug report logs - #969367


Reported by: "Chris Lamb" <lamby@debian.org>

Date: Tue, 1 Sep 2020 11:21:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions 2:2.2.15-2, python-django/1:1.10.7-2+deb9u9

Fixed in versions python-django/2:2.2.16-1, python-django/2:3.1.1-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#969367; Package python-django. (Tue, 01 Sep 2020 11:21:03 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 01 Sep 2020 11:21:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2020-24583 CVE-2020-24584
Date: Tue, 01 Sep 2020 12:16:09 +0100
Package: python-django
Version: 1:1.10.7-2+deb9u9
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

CVE-2020-24583
CVE-2020-24584

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-24583
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24583
[1] https://security-tracker.debian.org/tracker/CVE-2020-24584
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24584
[2] https://www.djangoproject.com/weblog/2020/sep/01/security-releases/

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Marked as found in versions 2:2.2.15-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 01 Sep 2020 11:27:03 GMT)


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 01 Sep 2020 11:27:05 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 01 Sep 2020 11:39:03 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 01 Sep 2020 11:39:03 GMT)


Message #14 received at 969367-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 969367-close@bugs.debian.org
Subject: Bug#969367: fixed in python-django 2:2.2.16-1
Date: Tue, 01 Sep 2020 11:35:09 +0000
Source: python-django
Source-Version: 2:2.2.16-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 969367@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 Sep 2020 12:21:39 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.16-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 969367
Changes:
 python-django (2:2.2.16-1) unstable; urgency=medium
 .
   * New upstream security release to address CVE-2020-24583, CVE-2020-24584.
     (Closes: #969367)
     <https://www.djangoproject.com/weblog/2020/sep/01/security-releases/>





Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 01 Sep 2020 15:03:02 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 01 Sep 2020 15:03:02 GMT)


Message #19 received at 969367-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 969367-close@bugs.debian.org
Subject: Bug#969367: fixed in python-django 2:3.1.1-1
Date: Tue, 01 Sep 2020 14:58:23 +0000
Source: python-django
Source-Version: 2:3.1.1-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 969367@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 Sep 2020 12:32:23 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.1.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 969367
Changes:
 python-django (2:3.1.1-1) experimental; urgency=medium
 .
   * New upstream security release to address CVE-2020-24583, CVE-2020-24584.
     (Closes: #969367)
     <https://www.djangoproject.com/weblog/2020/sep/01/security-releases/>







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Sep 2 05:34:13 2020; Machine Name: bembo
