python-django: CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()


Debian Bug report logs - #859516


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 4 Apr 2017 15:51:05 UTC

Severity: important

Tags: patch, security, upstream

Found in version python-django/1.7.7-1

Fixed in versions python-django/1:1.10.7-1, python-django/1:1.11-1, python-django/1.7.11-1+deb8u2

Done: Luke W Faraone <lfaraone@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#859516; Package src:python-django. (Tue, 04 Apr 2017 15:51:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 04 Apr 2017 15:51:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-django: CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()
Date: Tue, 04 Apr 2017 17:49:14 +0200
Source: python-django
Version: 1.7.7-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for python-django.

CVE-2017-7234[0]:
Open redirect vulnerability in django.views.static.serve()

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7234
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7234

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 04 Apr 2017 16:21:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 04 Apr 2017 16:21:14 GMT)


Message #10 received at 859516-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 859516-close@bugs.debian.org
Subject: Bug#859516: fixed in python-django 1:1.10.7-1
Date: Tue, 04 Apr 2017 16:19:06 +0000
Source: python-django
Source-Version: 1:1.10.7-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859516@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 04 Apr 2017 17:53:30 +0200
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Built-For-Profiles: nocheck
Architecture: source
Version: 1:1.10.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 859515 859516
Changes:
 python-django (1:1.10.7-1) unstable; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2017-7233: Open redirect and possible XSS attack via user-supplied
       numeric redirect URLs.
 .
       Django relies on user input in some cases (e.g.
       django.contrib.auth.views.login() and i18n) to redirect the user to an
       "on success" URL. The security check for these redirects (namely
       django.utils.http.is_safe_url()) considered some numeric URLs (e.g.
       http:999999999) "safe" when they shouldn't be.
 .
       Also, if a developer relies on is_safe_url() to provide safe redirect
       targets and puts such a URL into a link, they could suffer from an XSS
       attack. (Closes: #859515)
 .
     - CVE-2017-7234: Open redirect vulnerability in django.views.static.serve().
 .
       A maliciously crafted URL to a Django site using the
       django.views.static.serve() view could redirect to any other domain. The
       view no longer does any redirects as they don't provide any known,
       useful functionality.
 .
       Note, however, that this view has always carried a warning that it is
       not hardened for production use and should be used only as a development
       aid. Thanks Phithon Gong for reporting this issue. (Closes: #859516)



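The numeric-URL problem described in the changelog above (is_safe_url() treating http:999999999 as safe) is easiest to see by running a checker over such inputs. The following is an added illustration, not code from Django or from this bug report: a simplified pre-fix style redirect validator beside a hardened one, exercised on constructed URLs against the assumed host name testserver.

```python
from urllib.parse import urlparse

HOST = "testserver"  # assumed host name, not from the bug report

# Constructed sample redirect targets with the verdict a hardened checker
# should give for HOST. None of these URLs come from the bug report.
SAMPLES = {
    "/accounts/profile/": True,        # relative path, same site
    "https://testserver/next/": True,  # absolute URL on our own host
    "http:999999999": False,           # CVE-2017-7233 shape: scheme, empty netloc
    "http:///evil.example": False,     # same class: browsers read a hostname here
    "//evil.example/": False,          # scheme-relative, off-site
    "https://evil.example/": False,    # plain off-site absolute URL
    "\\\\evil.example": False,         # browsers treat backslash as slash
    "\x00/path": False,                # leading control character
}


def weak_is_safe_url(url, host):
    """Simplified pre-fix style check that trusts an empty netloc.

    urlparse("http:999999999") gives scheme="http", netloc="", path="999999999",
    so this accepts it although browsers open http://999999999/ instead.
    """
    if not url:
        return False
    info = urlparse(url)
    return (not info.netloc or info.netloc == host) and (
        not info.scheme or info.scheme in ("http", "https"))


def safe_is_safe_url(url, host):
    """Hardened check: also rejects scheme-without-host, backslashes, control chars."""
    if not url or url.startswith("///") or "\\" in url:
        return False
    if any(ord(c) < 0x20 for c in url):  # C0 control characters anywhere
        return False
    info = urlparse(url)
    # A scheme with an empty netloc ("http:999999999", "http:///evil.example") is
    # not a same-site path: browsers read the remainder as the host.
    if info.scheme and not info.netloc:
        return False
    if info.netloc and info.netloc != host:
        return False
    return not info.scheme or info.scheme in ("http", "https")


def check_hardened():
    """True when the hardened checker matches every expected verdict."""
    return {u: safe_is_safe_url(u, HOST) for u in SAMPLES} == SAMPLES
```

Comparing the two functions on "http:999999999" and "\\\\evil.example" shows the inputs the weak form wrongly accepts; the hardened form rejects every off-site sample while still allowing the two same-site targets.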


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 05 Apr 2017 08:57:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 05 Apr 2017 08:57:06 GMT)


Message #15 received at 859516-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 859516-close@bugs.debian.org
Subject: Bug#859516: fixed in python-django 1:1.11-1
Date: Wed, 05 Apr 2017 08:53:04 +0000
Source: python-django
Source-Version: 1:1.11-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859516@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 05 Apr 2017 09:54:00 +0200
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source
Version: 1:1.11-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 859515 859516
Changes:
 python-django (1:1.11-1) experimental; urgency=medium
 .
   * New upstream stable release. (Closes: #859515, #859516)





Reply sent to Luke W Faraone <lfaraone@debian.org>:
You have taken responsibility. (Fri, 28 Apr 2017 10:36:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 28 Apr 2017 10:36:09 GMT)


Message #20 received at 859516-close@bugs.debian.org:

From: Luke W Faraone <lfaraone@debian.org>
To: 859516-close@bugs.debian.org
Subject: Bug#859516: fixed in python-django 1.7.11-1+deb8u2
Date: Fri, 28 Apr 2017 10:32:39 +0000
Source: python-django
Source-Version: 1.7.11-1+deb8u2

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859516@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luke W Faraone <lfaraone@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 23 Apr 2017 20:52:55 +0000
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1.7.11-1+deb8u2
Distribution: stable
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Luke W Faraone <lfaraone@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 842856 859515 859516
Changes:
 python-django (1.7.11-1+deb8u2) jessie-security; urgency=high
 .
   * SECURITY UPDATE:
     - CVE-2016-9013: User with hardcoded password created when running tests on
       Oracle
     - CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True
       (Closes: #842856)
     - CVE-2017-7233: Open redirect and possible XSS attack via user-supplied
       numeric redirect URLs (Closes: #859515)
     - CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()
       (Closes: #859516)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 27 May 2017 07:26:26 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:55:16 2019; Machine Name: beach
