python-django: CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS

Related Vulnerabilities: CVE-2019-12781, CVE-2019-12308

Debian Bug report logs - #931316


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 1 Jul 2019 18:39:01 UTC

Severity: grave

Tags: security, upstream

Found in versions python-django/2:2.2.1-1, python-django/1:1.10.7-1, python-django/1:1.10.7-2+deb9u4, python-django/1:1.11.21-1

Fixed in versions python-django/1:1.11.22-1, python-django/2:2.2.3-1

Done: Chris Lamb <lamby@debian.org>




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#931316; Package src:python-django. (Mon, 01 Jul 2019 18:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 01 Jul 2019 18:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-django: CVE-2019-12308: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
Date: Mon, 01 Jul 2019 20:36:06 +0200
Source: python-django
Version: 1:1.11.21-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2:2.2.1-1
Control: found -1 1:1.10.7-2+deb9u4
Control: found -1 1:1.10.7-1

Hi,

The following vulnerability was published for python-django.

CVE-2019-12308[0]:
| An issue was discovered in Django 1.11 before 1.11.21, 2.1 before
| 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed
| by the AdminURLFieldWidget displays the provided value without
| validating it as a safe URL. Thus, an unvalidated value stored in the
| database, or a value provided as a URL query parameter payload, could
| result in a clickable JavaScript link.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12308
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308
[1] https://www.djangoproject.com/weblog/2019/jul/01/security-releases/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions python-django/2:2.2.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 01 Jul 2019 18:39:04 GMT)


Marked as found in versions python-django/1:1.10.7-2+deb9u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 01 Jul 2019 18:39:05 GMT)


Marked as found in versions python-django/1:1.10.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 01 Jul 2019 18:39:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#931316; Package src:python-django. (Mon, 01 Jul 2019 18:45:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 01 Jul 2019 18:45:06 GMT)


Message #16 received at 931316@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 931316@bugs.debian.org
Subject: Re: Bug#931316: python-django: CVE-2019-12308: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
Date: Mon, 1 Jul 2019 20:43:48 +0200
Control: retitle -1 python-django: CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS

On Mon, Jul 01, 2019 at 08:36:06PM +0200, Salvatore Bonaccorso wrote:
> Source: python-django
> Version: 1:1.11.21-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: found -1 2:2.2.1-1
> Control: found -1 1:1.10.7-2+deb9u4
> Control: found -1 1:1.10.7-1

This is correct.

> CVE-2019-12308[0]:
> | An issue was discovered in Django 1.11 before 1.11.21, 2.1 before
> | 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed
> | by the AdminURLFieldWidget displays the provided value without
> | validating it as a safe URL. Thus, an unvalidated value stored in the
> | database, or a value provided as a URL query parameter payload, could
> | result in a clickable JavaScript link.

This was plain wrong for this bug report; apologies for that. This bug
is meant to track the following CVE:

CVE-2019-12781[0]
| Incorrect HTTP detection with reverse-proxy connecting via HTTPS

as per [1].

 [0] https://security-tracker.debian.org/tracker/CVE-2019-12781
 [1] https://www.djangoproject.com/weblog/2019/jul/01/security-releases/

Please do ignore the above CVE description which belongs to another
issue already fixed for python-django.

Regards,
Salvatore



Changed Bug title to 'python-django: CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS' from 'python-django: CVE-2019-12308: Incorrect HTTP detection with reverse-proxy connecting via HTTPS'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 931316-submit@bugs.debian.org. (Mon, 01 Jul 2019 18:45:06 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#931316. (Mon, 01 Jul 2019 20:06:02 GMT)


Message #21 received at 931316-submitter@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 931316-submitter@bugs.debian.org
Subject: Bug#931316 marked as pending in python-django
Date: Mon, 01 Jul 2019 20:02:36 +0000
Control: tag -1 pending

Hello,

Bug #931316 in python-django reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/modules/python-django/commit/f3e2052b9d09d5f0743b7a90f00ced366f934602

------------------------------------------------------------------------
New upstream security release. <https://www.djangoproject.com/weblog/2019/jul/01/security-releases/> (Closes: #931316)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/931316



Added tag(s) pending. Request was from Chris Lamb <lamby@debian.org> to 931316-submitter@bugs.debian.org. (Mon, 01 Jul 2019 20:06:02 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Mon, 01 Jul 2019 20:36:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 01 Jul 2019 20:36:05 GMT)


Message #28 received at 931316-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 931316-close@bugs.debian.org
Subject: Bug#931316: fixed in python-django 1:1.11.22-1
Date: Mon, 01 Jul 2019 20:34:05 +0000
Source: python-django
Source-Version: 1:1.11.22-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 931316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 01 Jul 2019 17:09:52 -0300
Source: python-django
Binary: python-django python-django-common python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 1:1.11.22-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 931316
Changes:
 python-django (1:1.11.22-1) unstable; urgency=medium
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2019/jul/01/security-releases/>
     (Closes: #931316)
Checksums-Sha1:
 df9760ebaa9cab89a15f790c376cc0d8f33ef419 3235 python-django_1.11.22-1.dsc
 450a784b288c6ec89a8fedebeeb9c4a2746f3243 7972885 python-django_1.11.22.orig.tar.gz
 530489499b6dfbabb327f12efbaf5f3944c8af04 26208 python-django_1.11.22-1.debian.tar.xz
 1fc7e7d357e7a3474456054701d8dde0fbceb1d5 1536632 python-django-common_1.11.22-1_all.deb
 8f3fe209ed9927efd3c62839d53e08cb128efae9 2640020 python-django-doc_1.11.22-1_all.deb
 f9b464e7efeaef0fbbb6e12ed697d516d79831c0 916028 python-django_1.11.22-1_all.deb
 d496669d7c617c308d4ecc21f20d93db35312d56 8321 python-django_1.11.22-1_amd64.buildinfo
 0d9c078c4528d22cd30f31963c9ff6707389d935 915860 python3-django_1.11.22-1_all.deb
Checksums-Sha256:
 604f4964a40f4321ff2d55438caf14438c9409c3c2dd081a2c6a386d143a2f7e 3235 python-django_1.11.22-1.dsc
 830d5d40a1705089502bba70605ab3246831440ffc16d1501dfeeef5f4b9c845 7972885 python-django_1.11.22.orig.tar.gz
 1e94d156a57222e933f61617a70cc802de992bf2fe59fdd6dfd66099891488cd 26208 python-django_1.11.22-1.debian.tar.xz
 9d195260f8a07512eae940b2334a4c2439909278975dfec77c347c55502b7a6b 1536632 python-django-common_1.11.22-1_all.deb
 38d409c7e052346bdfe0fae1e90c1851c3daa2a740d0869c21e50b661a686490 2640020 python-django-doc_1.11.22-1_all.deb
 fc104654d5cc5b7e7d3ac8f9e16d4407052b5d503af4f5e325bd49bd228de386 916028 python-django_1.11.22-1_all.deb
 66c39214963ecd9ae159a0c06ec84899acb518d9eca23ee5fafb851b0a63426d 8321 python-django_1.11.22-1_amd64.buildinfo
 ee3e019b94effebbd8e9e24a312edc3091759c5d8b966b13b2add2127478407d 915860 python3-django_1.11.22-1_all.deb
Files:
 4087dac9b8572802cafcf1bd7febc5d2 3235 python optional python-django_1.11.22-1.dsc
 d3a20b27a0cfb562bac46a06605b29af 7972885 python optional python-django_1.11.22.orig.tar.gz
 0376d25ffa47c310cb0074a51403819d 26208 python optional python-django_1.11.22-1.debian.tar.xz
 e3c1c30c53f8499059f4681bc23b01e9 1536632 python optional python-django-common_1.11.22-1_all.deb
 035910102b11f403739945d8b64d0b46 2640020 doc optional python-django-doc_1.11.22-1_all.deb
 072c722958857ee40a8f243f99583ba8 916028 python optional python-django_1.11.22-1_all.deb
 f174cdc7581f26f22bfd90ffc5659cac 8321 python optional python-django_1.11.22-1_amd64.buildinfo
 0306122c4a943a6bf4328d528e791450 915860 python optional python3-django_1.11.22-1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Mon, 01 Jul 2019 20:36:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 01 Jul 2019 20:36:07 GMT)


Message #33 received at 931316-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 931316-close@bugs.debian.org
Subject: Bug#931316: fixed in python-django 2:2.2.3-1
Date: Mon, 01 Jul 2019 20:34:30 +0000
Source: python-django
Source-Version: 2:2.2.3-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 931316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 01 Jul 2019 16:56:16 -0300
Source: python-django
Binary: python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 2:2.2.3-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 931316
Changes:
 python-django (2:2.2.3-1) experimental; urgency=medium
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2019/jul/01/security-releases/>
     (Closes: #931316)
Checksums-Sha1:
 c3c4a0f1e5074819b907b5efb807d3a96aa220de 2741 python-django_2.2.3-1.dsc
 1d4eca8884b601e8e7dc06705b9644fb579c57f9 8992109 python-django_2.2.3.orig.tar.gz
 d783c7b81d926107ea00e9f084e2c3681a2af7ae 24272 python-django_2.2.3-1.debian.tar.xz
 a13b79ce4c3c5d0f86b61b4f0fdfd9248fb2ce6a 3088592 python-django-doc_2.2.3-1_all.deb
 2bdd6120156a932366c770ef3ad2d5285f79d074 7157 python-django_2.2.3-1_amd64.buildinfo
 a90422b2001f16111fdc1b10ac927997a6a5ff32 2675196 python3-django_2.2.3-1_all.deb
Checksums-Sha256:
 56e4a7b4122c17110c5aa666427ddfe2423d8ccb0e84527da7aaf778880a029b 2741 python-django_2.2.3-1.dsc
 4d23f61b26892bac785f07401bc38cbf8fa4cec993f400e9cd9ddf28fd51c0ea 8992109 python-django_2.2.3.orig.tar.gz
 cfa145b3f883b8337bb26cb932cc4eb08586c4b483ff91ef012069750f538a9d 24272 python-django_2.2.3-1.debian.tar.xz
 aef8e30160606d94aa23f999351fed4fe74942e6099cb0e595b3e1f724b373a7 3088592 python-django-doc_2.2.3-1_all.deb
 a1670852fe71d09d6d87da60c8f7a023f8cadc447cbcb489f5af48f52242f842 7157 python-django_2.2.3-1_amd64.buildinfo
 d1811f3036a4566486a0544a1d7a981de09100645f757d8961901d3bd3676566 2675196 python3-django_2.2.3-1_all.deb
Files:
 3d7454634b180a4a59a93b6ed934ffaf 2741 python optional python-django_2.2.3-1.dsc
 f152164e77d38460ee06c42c210d2f57 8992109 python optional python-django_2.2.3.orig.tar.gz
 c3b3cf69cdae012c8d1d3f04645c5277 24272 python optional python-django_2.2.3-1.debian.tar.xz
 fe2153a6efe693f40a31c7726984614e 3088592 doc optional python-django-doc_2.2.3-1_all.deb
 1f6eff42b4a31d13d1dab46dbf900d32 7157 python optional python-django_2.2.3-1_amd64.buildinfo
 13bfc763d401fa31cc0c51a1df4b8556 2675196 python optional python3-django_2.2.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#931316; Package src:python-django. (Mon, 01 Jul 2019 21:00:02 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 01 Jul 2019 21:00:02 GMT)


Message #38 received at 931316@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: "Salvatore Bonaccorso" <carnil@debian.org>, 931316@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#931316: python-django: CVE-2019-12308: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
Date: Mon, 01 Jul 2019 17:57:51 -0300
[Adding team@security.debian.org, to CC]

Hi Salvatore,

> Control: found -1 2:2.2.1-1
> Control: found -1 1:1.10.7-2+deb9u4
> Control: found -1 1:1.10.7-1

I've uploaded fixes to experimental, unstable and to jessie LTS. 

Security team (added to CC), would you like an upload for stable?


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jul 2 11:20:32 2019; Machine Name: beach
