Debian Bug report logs - #816434
CVE-2016-2512 and CVE-2016-2513

Reported by: Luke Faraone <lfaraone@debian.org>

Date: Tue, 1 Mar 2016 20:09:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions python-django/1.9.2-1, python-django/1.4.5-1

Fixed in version python-django/1.9.4-1

Done: Luke Faraone <lfaraone@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, lfaraone@debian.org, team@security.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#816434; Package src:python-django. (Tue, 01 Mar 2016 20:09:05 GMT)


Acknowledgement sent to Luke Faraone <lfaraone@debian.org>:
New Bug report received and forwarded. Copy sent to lfaraone@debian.org, team@security.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 01 Mar 2016 20:09:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Luke Faraone <lfaraone@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2016-2512 and CVE-2016-2513
Date: Tue, 01 Mar 2016 20:04:03 +0000
Source: python-django
Version: 1.9.2-1
Severity: important
Tags: security

Today Django published an advisory for 1.9.3 and 1.8.10.

I am investigating whether stable is affected; it is likely.

https://www.djangoproject.com/weblog/2016/mar/01/security-releases/

CVE-2016-2512
> Malicious redirect and possible XSS attack via user-supplied redirect URLs
> containing basic auth

CVE-2016-2513
> User enumeration through timing difference on password hasher work factor
> upgrade
Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 01 Mar 2016 20:18:05 GMT)


Marked as found in versions python-django/1.4.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 01 Mar 2016 22:03:09 GMT)


Added tag(s) pending. Request was from Luke Faraone <lfaraone@debian.org> to control@bugs.debian.org. (Sat, 05 Mar 2016 21:12:08 GMT)


Reply sent to Luke Faraone <lfaraone@debian.org>:
You have taken responsibility. (Mon, 07 Mar 2016 19:06:04 GMT)


Notification sent to Luke Faraone <lfaraone@debian.org>:
Bug acknowledged by developer. (Mon, 07 Mar 2016 19:06:05 GMT)


Message #16 received at 816434-close@bugs.debian.org:

From: Luke Faraone <lfaraone@debian.org>
To: 816434-close@bugs.debian.org
Subject: Bug#816434: fixed in python-django 1.9.4-1
Date: Mon, 07 Mar 2016 19:02:17 +0000
Source: python-django
Source-Version: 1.9.4-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 816434@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luke Faraone <lfaraone@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 07 Mar 2016 17:09:54 +0000
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1.9.4-1
Distribution: unstable
Urgency: high
Maintainer: Luke Faraone <lfaraone@debian.org>
Changed-By: Luke Faraone <lfaraone@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 816434
Changes:
 python-django (1.9.4-1) unstable; urgency=high
 .
   [ Luke Faraone ]
   * New upstream security release:
     https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
     - CVE-2016-2512: Malicious redirect and possible XSS via user-supplied
       redirect URLs containing basic auth
     - CVE-2016-2513: User enumeration through timing difference on password
       hasher work factor upgrade
       Closes: #816434
 .
   [ Raphaël Hertzog ]
   * Fix rules file to no longer mess with *_templates directories. They no
     longer contain invalid .py files but only *-tpl template files that are
     instantiated at runtime.
Checksums-Sha1:
 66237011758e1edf04a441a6234089c6b335ecba 2763 python-django_1.9.4-1.dsc
 30848b412df1f07b35ef280545900864d4d61cc7 7426995 python-django_1.9.4.orig.tar.gz
 4c0947d679ecaf5f210b8f3086afa8fa664057b3 25596 python-django_1.9.4-1.debian.tar.xz
 8410a1a28e2c17f58e3f949edb4a9fa8bf1afa51 1463874 python-django-common_1.9.4-1_all.deb
 60e017d5d17bd99b5197d22411b014acedd4c3d6 2444434 python-django-doc_1.9.4-1_all.deb
 2a3c62a63f6640a786e9fc9835c560cd6240bc75 893294 python-django_1.9.4-1_all.deb
 120edfd2bdb3352f1883d6c03430f181983a2c29 875210 python3-django_1.9.4-1_all.deb
Checksums-Sha256:
 a607b3739d3e4489c1f17cae89edd8d51955472d6c17c42d60db5161dc318bbc 2763 python-django_1.9.4-1.dsc
 ada8e7aa697e47c94b5660291cc0a14bb555385e0898da0a119d8f4b648fbde9 7426995 python-django_1.9.4.orig.tar.gz
 c6427eeff6cccfdc2bb2295accd1acaa1d45af829e697d95a8aaa63e067b8450 25596 python-django_1.9.4-1.debian.tar.xz
 33f53ba12f1d804d78bae7c83954c1422aa32abd0d32308db590bdcc2d738760 1463874 python-django-common_1.9.4-1_all.deb
 eb2ccd55ed989fe0d941a299918b5eb0081d251b693dcfbcb7f398cc996c21a5 2444434 python-django-doc_1.9.4-1_all.deb
 19845d92076548d47999585891d5c85d1b2543344b7ffb41a4145437f194f047 893294 python-django_1.9.4-1_all.deb
 d197ed5d15b2ccff9e1bf5710bd7654bd18a756b270d4007d70dbeccd98dee9c 875210 python3-django_1.9.4-1_all.deb
Files:
 88c40d9ae82a26ed73e5e47b4876e7fb 2763 python optional python-django_1.9.4-1.dsc
 e8d389532e248174a9859f2987be6a04 7426995 python optional python-django_1.9.4.orig.tar.gz
 e33f818635d2022eb263439ef61d5906 25596 python optional python-django_1.9.4-1.debian.tar.xz
 2830c271e6f8df238c0c5f6f11ea2ce2 1463874 python optional python-django-common_1.9.4-1_all.deb
 e45b78a081c39abd83b7cc65b378d650 2444434 doc optional python-django-doc_1.9.4-1_all.deb
 685687b2cfcf4cd7d11ebdf5b6da3c72 893294 python optional python-django_1.9.4-1_all.deb
 404308e7e851436c6e80f70c1891c714 875210 python optional python3-django_1.9.4-1_all.deb

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 Apr 2016 07:32:28 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:01:15 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.