Debian Bug report logs - #683364
CVE-2012-3442/CVE-2012-3443/CVE-2012-3444: Django 1.3.1 and 1.4.0 security issues
Reported by: Henri Salo <henri@nerv.fi>
Date: Tue, 31 Jul 2012 06:03:02 UTC
Severity: grave
Tags: security
Found in versions python-django/1.4-1, python-django/1.2.3-3+squeeze2
Fixed in versions python-django/1.4.1-1, python-django/1.2.3-3+squeeze3
Done: Raphaël Hertzog <hertzog@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#683364; Package python-django. (Tue, 31 Jul 2012 06:03:04 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: New Bug report received and forwarded. Copy sent to Chris Lamb <lamby@debian.org>. (Tue, 31 Jul 2012 06:03:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: python-django
Version: 1.4-1
Severity: important
Tags: security
https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
http://www.openwall.com/lists/oss-security/2012/07/31/1
http://www.openwall.com/lists/oss-security/2012/07/31/2
- Henri Salo
Marked as found in versions python-django/1.2.3-3+squeeze2. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 31 Jul 2012 06:15:11 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#683364; Package python-django. (Wed, 01 Aug 2012 18:12:06 GMT)
Acknowledgement sent to James Bennett <james@b-list.org>: Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Wed, 01 Aug 2012 18:12:06 GMT)
Message #12 received at 683364@bugs.debian.org:
As a heads-up: a bug affecting Python 2.4 compatibility was found in the
1.3.2 package, and we will be issuing a 1.3.3 release based on that. The
relevant commit is visible here:
https://github.com/django/django/commit/d0d5dc6cd76f01c8a71b677357ad2f702cb54416
And the 1.3.3 release will likely occur within 24 hours.
Added tag(s) pending. Request was from hertzog@users.alioth.debian.org to control@bugs.debian.org. (Thu, 02 Aug 2012 08:54:03 GMT)
Severity set to 'grave' from 'important'. Request was from Raphaël Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Thu, 02 Aug 2012 09:15:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#683364; Package python-django. (Thu, 02 Aug 2012 09:57:06 GMT)
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 09:57:06 GMT)
Message #21 received at 683364@bugs.debian.org:
Hi,
On Tue, 31 Jul 2012, Henri Salo wrote:
> https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
I wanted to quickly upload 1.4.1 to sid but the test suite fails with
many errors every time that it has to parse some HTML (at least when
building with sbuild). I suspect that the problem might be external to
Django... but it still needs to be resolved. If anyone has the time to
look into it, it would be appreciated.
http://people.debian.org/~hertzog/packages/python-django_1.4.1-1.dsc
(it's in svn too)
If the problem is indeed not in Django, then we can temporarily disable
the test suite and upload the package.
I attach my failed build log for reference. Now I'll go prepare the stable
upload in the mean time.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
[build-log.txt.gz (application/octet-stream, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#683364; Package python-django. (Thu, 02 Aug 2012 10:24:06 GMT)
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 10:24:06 GMT)
Message #26 received at 683364@bugs.debian.org:
On Thu, 02 Aug 2012, Raphael Hertzog wrote:
> If the problem is indeed not in Django, then we can temporarily disable
> the test suite and upload the package.
I just tried to build the current python-django 1.4-1 in Debian Sid and it
also failed. So this tends to confirm that something else broke Django's
test suite (since the test suite worked when I uploaded 1.4-1 to sid).
Now we need to find the culprit (and fix it or work-around it).
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#683364; Package python-django. (Thu, 02 Aug 2012 10:45:03 GMT)
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 10:45:03 GMT)
Message #31 received at 683364@bugs.debian.org:
Hi,
On Thu, 02 Aug 2012, Raphael Hertzog wrote:
> I attach my failed build log for reference. Now I'll go prepare the stable
> upload in the mean time.
The stable update is ready here. Henri, please test it and report back
whether it works well for you.
http://people.debian.org/~hertzog/packages/python-django_1.2.3-3+squeeze3_i386.changes
I'm ccing the release team to let them know about this security update.
Here is the relevant info:
- stable is affected (fix in 1.2.3-3+squeeze3)
- wheezy/unstable is affected (fix in 1.4.1-1)
Please let me know whether I can proceed with the upload (once Henri
confirmed that it worked well for him).
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
Reply sent to Raphaël Hertzog <hertzog@debian.org>: You have taken responsibility. (Thu, 02 Aug 2012 12:06:08 GMT)
Notification sent to Henri Salo <henri@nerv.fi>: Bug acknowledged by developer. (Thu, 02 Aug 2012 12:06:08 GMT)
Message #36 received at 683364-close@bugs.debian.org:
Source: python-django
Source-Version: 1.4.1-1
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 683364@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Thu, 02 Aug 2012 10:44:02 +0200
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.4.1-1
Distribution: unstable
Urgency: low
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description:
python-django - High-level Python web development framework
python-django-doc - High-level Python web development framework (documentation)
Closes: 683364
Changes:
python-django (1.4.1-1) unstable; urgency=low
.
* New upstream security and maintenance release. Closes: #683364
Fixes: CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
* Drop 01_disable_broken_test.diff and 04_hyphen-manpage.diff which
have been merged upstream.
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#683364; Package python-django. (Thu, 02 Aug 2012 12:12:03 GMT)
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 12:12:03 GMT)
Message #41 received at 683364@bugs.debian.org:
On Thu, 02 Aug 2012, Raphael Hertzog wrote:
> On Thu, 02 Aug 2012, Raphael Hertzog wrote:
> > If the problem is indeed not in Django, then we can temporarily disable
> > the test suite and upload the package.
>
> I just tried to build the current python-django 1.4-1 in Debian Sid and it
> also failed. So this tends to confirm that something else broke Django's
> test suite (since the test suite worked when I uploaded 1.4-1 to sid).
>
> Now we need to find the culprit (and fix it or work-around it).
Apparently the build works fine in wheezy so I have built it in wheezy and
uploaded it in sid.
sid and wheezy differ in their python2.7 version: 2.7.3-2 vs 2.7.3~rc2-2.1
So the regression might be between those two versions.
Doko, python-django test suite fails in sid but not in wheezy. The failure
looks like a HTMLParser regression. Do you know of any possible regression
in python 2.7.3 about this?
I see in the upstream changelog a “- Issue #14538: HTMLParser can now
parse correctly start tags that contain a bare '/'.” maybe this could be
related?
I also found https://code.djangoproject.com/ticket/18239 which might imply
that Django is relying on some internals of HTMLParser so it would
actually be a bug in Django in that case...
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#683364; Package python-django. (Thu, 02 Aug 2012 12:21:03 GMT)
Acknowledgement sent to David Watson <david@planetwatson.co.uk>: Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 12:21:03 GMT)
Message #46 received at 683364@bugs.debian.org:
On 2 August 2012 13:08, Raphael Hertzog <hertzog@debian.org> wrote:
> On Thu, 02 Aug 2012, Raphael Hertzog wrote:
> > On Thu, 02 Aug 2012, Raphael Hertzog wrote:
> > > If the problem is indeed not in Django, then we can temporarily disable
> > > the test suite and upload the package.
> >
> > I just tried to build the current python-django 1.4-1 in Debian Sid and
> it
> > also failed. So this tends to confirm that something else broke Django's
> > test suite (since the test suite worked when I uploaded 1.4-1 to sid).
> >
> > Now we need to find the culprit (and fix it or work-around it).
>
> Apparently the build works fine in wheezy so I have built it in wheezy and
> uploaded it in sid.
>
> sid and wheezy differ in their python2.7 version: 2.7.3-2 vs 2.7.3~rc2-2.1
>
> So the regression might be between those two versions.
>
> Doko, python-django test suite fails in sid but not in wheezy. The failure
> looks like a HTMLParser regression. Do you know of any possible regression
> in python 2.7.3 about this?
>
> I see in the upstream changelog a “- Issue #14538: HTMLParser can now
> parse correctly start tags that contain a bare '/'.” maybe this could be
> related?
>
> I also found https://code.djangoproject.com/ticket/18239 which might imply
> that Django is relying on some internals of HTMLParser so it would
> actually be a bug in Django in that case...
>
I was just looking into this and these are the changes in HTMLParser.py
diff ../HTMLParser.py-old ../HTMLParser.py
25c25
< tagfind = re.compile('[a-zA-Z][-.a-zA-Z0-9:_]*')
---
> tagfind = re.compile('([a-zA-Z][-.a-zA-Z0-9:_]*)(?:\s|/(?!>))*')
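Review bot: the new tagfind changes what the match span covers, not only what it captures: the added `(?:\s|/(?!>))*` makes the match swallow the whitespace and bare slashes that follow the tag name, and the name itself is now only available as group(1). Any caller that still takes the name from the match span (the `rawdata[i+1:k]` slice that hunk 292c292 removes) will get `a ` or `a/` instead of `a`, which is the kind of internal coupling a copied parse_starttag inherits. Minor: this pattern is a plain string, so `\s` only survives because Python passes unknown escapes through unchanged; a raw string, as on line 31, would be safer.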
31c31
< r'[\s/]*((?<=[\'"\s/])[^\s/>][^\s/=>]*)(\s*=+\s*'
---
> r'((?<=[\'"\s/])[^\s/>][^\s/=>]*)(\s*=+\s*'
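Review bot: dropping the leading `[\s/]*` means attrfind no longer skips separators itself; it now relies on being started where the new tagfind match ended (which has already consumed them) and on the previous attrfind match's trailing separator skip. Started at the old k, the position right after the tag name, the lookbehind `(?<=[\'"\s/])` cannot succeed because the preceding character is a letter, so the attribute loop would stop immediately and report no attributes. This hunk and 25c25 are therefore one change and should be documented as such, ideally with a comment above attrfind stating the precondition on k.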
292c292
< self.lasttag = tag = rawdata[i+1:k].lower()
---
> self.lasttag = tag = match.group(1).lower()
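Review bot: `match.group(1)` is the right source for the name now that tagfind captures it, but the hunk shows neither where `match` comes from nor whether `k` is still set to `match.end()`; since the new attrfind (31c31) depends on k pointing past the separators, the three hunks need to be reviewed together rather than line by line. A subclass that overrides parse_starttag but keeps the removed `rawdata[i+1:k]` line would still run against the new module-level regexes and compute tag names with trailing whitespace or '/', which matches the test-suite symptom reported earlier in this thread.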
--
David Watson
dwatson@debian.org
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#683364; Package python-django. (Thu, 02 Aug 2012 14:00:03 GMT)
Acknowledgement sent to David Watson <david@planetwatson.co.uk>: Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 14:00:03 GMT)
Message #51 received at 683364@bugs.debian.org:
I have just successfully built the package under python 2.7.3 by using the
HTMLParser from python rather than Django's version.
--
David Watson
dwatson@debian.org
On 2 August 2012 13:16, David Watson <david@planetwatson.co.uk> wrote:
> On 2 August 2012 13:08, Raphael Hertzog <hertzog@debian.org> wrote:
>
>> On Thu, 02 Aug 2012, Raphael Hertzog wrote:
>> > On Thu, 02 Aug 2012, Raphael Hertzog wrote:
>> > > If the problem is indeed not in Django, then we can temporarily
>> disable
>> > > the test suite and upload the package.
>> >
>> > I just tried to build the current python-django 1.4-1 in Debian Sid and
>> it
>> > also failed. So this tends to confirm that something else broke Django's
>> > test suite (since the test suite worked when I uploaded 1.4-1 to sid).
>> >
>> > Now we need to find the culprit (and fix it or work-around it).
>>
>> Apparently the build works fine in wheezy so I have built it in wheezy and
>> uploaded it in sid.
>>
>> sid and wheezy differ in their python2.7 version: 2.7.3-2 vs 2.7.3~rc2-2.1
>>
>> So the regression might be between those two versions.
>>
>> Doko, python-django test suite fails in sid but not in wheezy. The failure
>> looks like a HTMLParser regression. Do you know of any possible regression
>> in python 2.7.3 about this?
>>
>> I see in the upstream changelog a “- Issue #14538: HTMLParser can now
>> parse correctly start tags that contain a bare '/'.” maybe this could be
>> related?
>>
>> I also found https://code.djangoproject.com/ticket/18239 which might
>> imply
>> that Django is relying on some internals of HTMLParser so it would
>> actually be a bug in Django in that case...
>>
>> I was just looking into this and these are the changes in HTMLParser.py
>
> diff ../HTMLParser.py-old ../HTMLParser.py
> 25c25
> < tagfind = re.compile('[a-zA-Z][-.a-zA-Z0-9:_]*')
> ---
> > tagfind = re.compile('([a-zA-Z][-.a-zA-Z0-9:_]*)(?:\s|/(?!>))*')
> 31c31
> < r'[\s/]*((?<=[\'"\s/])[^\s/>][^\s/=>]*)(\s*=+\s*'
> ---
> > r'((?<=[\'"\s/])[^\s/>][^\s/=>]*)(\s*=+\s*'
> 292c292
> < self.lasttag = tag = rawdata[i+1:k].lower()
> ---
> > self.lasttag = tag = match.group(1).lower()
>
> --
> David Watson
> dwatson@debian.org
>
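To make the coupling that David's diff exposes (and that his switch to Python's own HTMLParser confirms) concrete, here is an added example that is not code from the thread, from Django or from Python: the four regexes from the diff, a reduced parse_starttag that can use either the old `rawdata[i+1:k]` slice or the new `match.group(1)`, and a comparison showing that a copied parse_starttag which picks up the new module-level regexes but keeps the old slice returns tag names such as `'a '` and `'a/'`. The continuation of attrfind beyond the one line shown in the diff is assumed unchanged and is taken from Python 2.7's HTMLParser.py; the 'auto' mode is my own defensive suggestion, not Django's actual fix.

```python
import re

# Added example (not code from the bug thread, Django or Python). The regexes
# reproduce the diff quoted above: OLD = python2.7 2.7.3~rc2-2.1,
# NEW = 2.7.3-2 (Issue #14538, start tags containing a bare '/').
OLD_TAGFIND = re.compile(r'[a-zA-Z][-.a-zA-Z0-9:_]*')
NEW_TAGFIND = re.compile(r'([a-zA-Z][-.a-zA-Z0-9:_]*)(?:\s|/(?!>))*')

# The diff shows only the first line of attrfind. The remainder (attribute
# value alternatives plus trailing separator skip) is assumed identical in
# both versions and is taken from Python 2.7's HTMLParser.py.
_ATTR_TAIL = r'(\'[^\']*\'|"[^"]*"|(?![\'"])[^>\s]*))?(?:\s|/(?!>))*'
OLD_ATTRFIND = re.compile(r'[\s/]*((?<=[\'"\s/])[^\s/>][^\s/=>]*)(\s*=+\s*' + _ATTR_TAIL)
NEW_ATTRFIND = re.compile(r'((?<=[\'"\s/])[^\s/>][^\s/=>]*)(\s*=+\s*' + _ATTR_TAIL)


def parse_starttag(rawdata, tagfind, attrfind, mode):
    """Tag-name and attribute scan of HTMLParser.parse_starttag, reduced to a
    single start tag (constructed input: starts with '<', ends with '>').

    mode 'slice' is the pre-2.7.3 `rawdata[i+1:k]`, mode 'group' is the
    2.7.3 `match.group(1)` (hunk 292c292), and mode 'auto' is a defensive
    variant (my suggestion, not Django's fix) that asks the compiled regex
    whether it captures the name at all.
    """
    i = 0
    endpos = len(rawdata)               # just past the closing '>'
    match = tagfind.match(rawdata, i + 1)
    assert match, 'not a start tag'
    k = match.end()                     # NEW tagfind: already past ' ' and '/'
    if mode == 'auto':
        mode = 'group' if match.re.groups else 'slice'
    tag = (match.group(1) if mode == 'group' else rawdata[i + 1:k]).lower()

    attrs = []
    while k < endpos:
        m = attrfind.match(rawdata, k)
        if not m:                       # '>' or '/>' reached (or a mismatch)
            break
        attrname, rest, attrvalue = m.group(1, 2, 3)
        if not rest:
            attrvalue = None            # bare attribute such as `disabled`
        elif (attrvalue[:1] == "'" == attrvalue[-1:]
              or attrvalue[:1] == '"' == attrvalue[-1:]):
            attrvalue = attrvalue[1:-1]
        attrs.append((attrname.lower(), attrvalue))
        k = m.end()
    return tag, attrs


def compare(rawdata):
    """Run one start tag through the three combinations that matter here:
    old regexes with the old slice, new regexes with group(1), and the mix a
    copied parse_starttag ends up with (new module-level regexes, old slice).
    Returns {label: (tag, attrs)}."""
    return {
        'old regexes + slice': parse_starttag(rawdata, OLD_TAGFIND, OLD_ATTRFIND, 'slice'),
        'new regexes + group': parse_starttag(rawdata, NEW_TAGFIND, NEW_ATTRFIND, 'group'),
        'new regexes + slice': parse_starttag(rawdata, NEW_TAGFIND, NEW_ATTRFIND, 'slice'),
    }


if __name__ == '__main__':
    # Constructed sample tags; the last two exercise the bare '/' case.
    for sample in ('<a href="x" />', '<input disabled>', '<a/href="x">', '<br/>'):
        print(sample)
        for label, (tag, attrs) in compare(sample).items():
            print('  %-20s tag=%r attrs=%r' % (label, tag, attrs))
```

Only the mixed combination produces a tag name with a trailing space or slash; the attributes come out the same in all three because k is taken from the same match end in each case.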
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#683364; Package python-django. (Thu, 02 Aug 2012 14:15:03 GMT)
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 14:15:03 GMT)
Message #56 received at 683364@bugs.debian.org:
clone 683364 -1
retitle -1 Django's HTMLParser incompatible with python 2.7.3
severity -1 serious
tag -1 = sid
reopen -1
thanks
On Thu, 02 Aug 2012, David Watson wrote:
> I have just successfully built the package under python 2.7.3 by using the
> HTMLParser from python rather than Django's version.
OK then let's clone a new bug to track this issue separately.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
Bug 683364 cloned as bug 683648. Request was from Raphael Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Thu, 02 Aug 2012 14:15:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#683364; Package python-django. (Thu, 02 Aug 2012 18:45:11 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 18:45:11 GMT)
Message #63 received at 683364@bugs.debian.org:
On Thu, Aug 02, 2012 at 12:41:53PM +0200, Raphael Hertzog wrote:
> Hi,
> The stable update is ready here. Henri, please test it and report back
> whether it works well for you.
>
> http://people.debian.org/~hertzog/packages/python-django_1.2.3-3+squeeze3_i386.changes
>
> I'm ccing the release team to let them know about this security update.
> Here are the relevant infos:
> - stable is affected (fix in 1.2.3-3+squeeze3)
> - wheezy/unstable is affected (fix in 1.4.1-1)
>
> Please let me know whether I can proceed with the upload (once Henri
> confirmed that it worked well for him).
Hello Raphael,
After applying these patches my applications in Django and Django itself function normally. I did test this with a normal amount of traffic. Do you think I should try to reproduce the security issues? The patches are pretty much 1:1 with the Django patches.
- Henri Salo
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#683364; Package python-django. (Thu, 02 Aug 2012 18:45:13 GMT)
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 18:45:13 GMT)
Message #68 received at 683364@bugs.debian.org:
Hi,
On Thu, 02 Aug 2012, Henri Salo wrote:
> Hello Raphael,
>
> After applying these patches my applications in Django and Django itself
> function normally. I did test this with normal amount of traffic. Do you
> think I should try to reproduce the security-issues? Patches are pretty
> much 1:1 with Django-patches.
Did you install http://people.debian.org/~hertzog/packages/python-django_1.2.3-3+squeeze3_all.deb ?
One of the patches has been manually backported but it was relatively
trivial to do. Still, the underlying version differs greatly so it's still
good to double check that everything works properly.
In this case, it would be good to try to exercise the modified parts. So log in
with a redirect URL, trigger image handling code, etc.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#683364; Package python-django. (Tue, 14 Aug 2012 11:36:03 GMT)
Acknowledgement sent to Matthias Klose <doko@debian.org>: Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Tue, 14 Aug 2012 11:36:03 GMT)
Message #73 received at 683364@bugs.debian.org:
On 02.08.2012 14:08, Raphael Hertzog wrote:
> On Thu, 02 Aug 2012, Raphael Hertzog wrote:
>> On Thu, 02 Aug 2012, Raphael Hertzog wrote:
>>> If the problem is indeed not in Django, then we can temporarily disable
>>> the test suite and upload the package.
>>
>> I just tried to build the current python-django 1.4-1 in Debian Sid and it
>> also failed. So this tends to confirm that something else broke Django's
>> test suite (since the test suite worked when I uploaded 1.4-1 to sid).
>>
>> Now we need to find the culprit (and fix it or work-around it).
>
> Apparently the build works fine in wheezy so I have built it in wheezy and
> uploaded it in sid.
>
> sid and wheezy differ in their python2.7 version: 2.7.3-2 vs 2.7.3~rc2-2.1
>
> So the regression might be between those two versions.
>
> Doko, python-django test suite fails in sid but not in wheezy. The failure
> looks like a HTMLParser regression. Do you know of any possible regression
> in python 2.7.3 about this?
>
> I see in the upstream changelog a “- Issue #14538: HTMLParser can now
> parse correctly start tags that contain a bare '/'.” maybe this could be
> related?
>
> I also found https://code.djangoproject.com/ticket/18239 which might imply
> that Django is relying on some internals of HTMLParser so it would
> actually be a bug in Django in that case...
I see a fix for this in the django upstream issue. Is this still an issue with
the current package in unstable?
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#683364; Package python-django. (Tue, 14 Aug 2012 12:33:03 GMT)
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Tue, 14 Aug 2012 12:33:03 GMT)
Message #78 received at 683364@bugs.debian.org:
On Tue, 14 Aug 2012, Matthias Klose wrote:
> > I also found https://code.djangoproject.com/ticket/18239 which might imply
> > that Django is relying on some internals of HTMLParser so it would
> > actually be a bug in Django in that case...
>
> I see a fix for this in the django upstream issue. Is this still an issue with
> the current package in unstable?
No, thanks. It effectively turned out to be a Django issue.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
Reply sent to Raphaël Hertzog <hertzog@debian.org>: You have taken responsibility. (Fri, 17 Aug 2012 20:42:07 GMT)
Notification sent to Henri Salo <henri@nerv.fi>: Bug acknowledged by developer. (Fri, 17 Aug 2012 20:42:07 GMT)
Message #83 received at 683364-close@bugs.debian.org:
Source: python-django
Source-Version: 1.2.3-3+squeeze3
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 683364@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Thu, 02 Aug 2012 11:05:53 +0200
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.2.3-3+squeeze3
Distribution: stable-security
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description:
python-django - High-level Python web development framework
python-django-doc - High-level Python web development framework (documentation)
Closes: 683364
Changes:
python-django (1.2.3-3+squeeze3) stable-security; urgency=high
.
* Stable security upload:
https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
Fixes: CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
* Apply/backport the 3 security patches:
- debian/patches/16_fix_cross_site_scripting_in_authentication.diff
- debian/patches/17_fix_dos_in_image_validation.diff
- debian/patches/18_fix_dos_via_get_image_dimensions.diff
Closes: #683364
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:30:28 GMT)
Last modified: Wed Jun 19 15:07:29 2019