Debian Bug report logs -
#448838
CVE-2007-5712 remote denial of service
Reported by: Nico Golde <nion@debian.org>
Date: Thu, 1 Nov 2007 11:27:02 UTC
Severity: important
Tags: patch, security
Fixed in versions python-django/0.96.1-1, python-django/0.97~svn6668-1, python-django/0.96-1.1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#448838; Package python-django.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: python-django
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for python-django.
CVE-2007-5712[0]:
| The internationalization (i18n) framework in Django 0.91, 0.95,
| 0.95.1, and 0.96, when the USE_I18N option and the i18n component are
| enabled, allows remote attackers to cause a denial of service (memory
| consumption) via many HTTP requests with large Accept-Language
| headers.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5712
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#448838; Package python-django.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>.
(full text, mbox, link).
Message #10 received at 448838@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
patches can be found on:
http://media.djangoproject.com/patches/2007-10-26-security-fix/
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Tags added: patch
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Thu, 01 Nov 2007 12:06:17 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#448838; Package python-django.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>.
(full text, mbox, link).
Message #17 received at 448838@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
attached is an NMU proposal to fix this bug.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/python-django-0.96-1_0.96-1.1.patch
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[python-django-0.96-1_0.96-1.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#448838; Package python-django.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>.
(full text, mbox, link).
Message #22 received at 448838@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
uploading NMU with maintainers permission.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Reply sent to Brett Parker <iDunno@sommitrealweird.co.uk>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #27 received at 448838-close@bugs.debian.org (full text, mbox, reply):
Source: python-django
Source-Version: 0.96.1-1
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:
python-django_0.96.1-1.diff.gz
to pool/main/p/python-django/python-django_0.96.1-1.diff.gz
python-django_0.96.1-1.dsc
to pool/main/p/python-django/python-django_0.96.1-1.dsc
python-django_0.96.1-1_all.deb
to pool/main/p/python-django/python-django_0.96.1-1_all.deb
python-django_0.96.1.orig.tar.gz
to pool/main/p/python-django/python-django_0.96.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 448838@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Brett Parker <iDunno@sommitrealweird.co.uk> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 10 Nov 2007 13:51:07 +0000
Source: python-django
Binary: python-django
Architecture: source all
Version: 0.96.1-1
Distribution: unstable
Urgency: low
Maintainer: Brett Parker <iDunno@sommitrealweird.co.uk>
Changed-By: Brett Parker <iDunno@sommitrealweird.co.uk>
Description:
python-django - A high-level Python Web framework
Closes: 448838 450659
Changes:
python-django (0.96.1-1) unstable; urgency=low
.
* New upstream release with security fix for CVE-2007-5712
Closes: #448838
* Add note for upstream sources to copyright file
Closes: #450659
Files:
cb04d23dea2e8df1f7e6c3a1fb8b83c8 886 python optional python-django_0.96.1-1.dsc
10aa32e58969c4efeb00ef42ba192b17 1746455 python optional python-django_0.96.1.orig.tar.gz
e8926bc55ec73e430f916c36f015949a 6468 python optional python-django_0.96.1-1.diff.gz
5d57ac645a9e51e55e9c7fa45fdd7d5a 1700246 python optional python-django_0.96.1-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHNeD8vPbGD26BadIRArgzAJ92H+jT4EOhOYze3YjPRx7eHMFpZACgo6hW
VHwYf0j6CeS6dTZS54umI+c=
=M5iQ
-----END PGP SIGNATURE-----
Reply sent to Brett Parker <iDunno@sommitrealweird.co.uk>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #32 received at 448838-close@bugs.debian.org (full text, mbox, reply):
Source: python-django
Source-Version: 0.97~svn6668-1
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:
python-django_0.97~svn6668-1.diff.gz
to pool/main/p/python-django/python-django_0.97~svn6668-1.diff.gz
python-django_0.97~svn6668-1.dsc
to pool/main/p/python-django/python-django_0.97~svn6668-1.dsc
python-django_0.97~svn6668-1_all.deb
to pool/main/p/python-django/python-django_0.97~svn6668-1_all.deb
python-django_0.97~svn6668.orig.tar.gz
to pool/main/p/python-django/python-django_0.97~svn6668.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 448838@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Brett Parker <iDunno@sommitrealweird.co.uk> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 11 Nov 2007 10:15:55 +0000
Source: python-django
Binary: python-django
Architecture: source all
Version: 0.97~svn6668-1
Distribution: experimental
Urgency: low
Maintainer: Brett Parker <iDunno@sommitrealweird.co.uk>
Changed-By: Brett Parker <iDunno@sommitrealweird.co.uk>
Description:
python-django - A high-level Python Web framework
Closes: 448838 450659
Changes:
python-django (0.97~svn6668-1) experimental; urgency=low
.
* New SVN snapshot (rev 6668)
- Auth system delegations
- Apps can now have thier own management commands
- Fix for CVE-2007-5712 remote denial of service
Closes: #448838
* Fix missing upstream info in changelog
Closes: #450659
Files:
fc81d040d93bc7530187a497037d8d19 1030 python optional python-django_0.97~svn6668-1.dsc
526e2f61974128a527bec452829d7f24 2404765 python optional python-django_0.97~svn6668.orig.tar.gz
4233ac73d649387168fd8585494ebc11 7213 python optional python-django_0.97~svn6668-1.diff.gz
a69a111e3193fc192412912ea8584fd1 2327632 python optional python-django_0.97~svn6668-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHNuY1vPbGD26BadIRAiG2AJ9W5/1UImxHX6XdB5/fMFHt4E2DqQCghqle
8lsIUswyJpDRl1oTm29prTg=
=yXZ2
-----END PGP SIGNATURE-----
Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #37 received at 448838-close@bugs.debian.org (full text, mbox, reply):
Source: python-django
Source-Version: 0.96-1.1
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:
python-django_0.96-1.1.diff.gz
to pool/main/p/python-django/python-django_0.96-1.1.diff.gz
python-django_0.96-1.1.dsc
to pool/main/p/python-django/python-django_0.96-1.1.dsc
python-django_0.96-1.1_all.deb
to pool/main/p/python-django/python-django_0.96-1.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 448838@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 04 Nov 2007 13:56:02 +0100
Source: python-django
Binary: python-django
Architecture: source all
Version: 0.96-1.1
Distribution: unstable
Urgency: high
Maintainer: Brett Parker <iDunno@sommitrealweird.co.uk>
Changed-By: Nico Golde <nion@debian.org>
Description:
python-django - A high-level Python Web framework
Closes: 448838
Changes:
python-django (0.96-1.1) unstable; urgency=high
.
* Non-maintainer upload by testing security team.
* Added patch to fix remote denial of service via multiple crafted HTTP
requests (CVE-2007-5712) (Closes: #448838).
Files:
0c96a51daea7da3fd0d219bd3d0dce61 884 python optional python-django_0.96-1.1.dsc
1d8b65ce4a8d2f4cb9e45df71deccf2f 8369 python optional python-django_0.96-1.1.diff.gz
a465721068c26206b43401962f094e64 1728296 python optional python-django_0.96-1.1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHNt9AHYflSXNkfP8RAtWGAJ9kHwHJBYnEKy6kX+JUNPR38LHofACdEPsN
8x2TdOiGsR3SoCvJaKkuxtk=
=reLZ
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 17 Dec 2007 07:37:58 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:39:31 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon