python-django: CVE-2019-12308: AdminURLFieldWidget XSS

Related Vulnerabilities: CVE-2019-12308  

Debian Bug report logs - #929927


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 3 Jun 2019 12:36:02 UTC

Severity: important

Tags: security, upstream

Found in versions python-django/1:1.11.20-1, python-django/2:2.2.1-1

Fixed in version python-django/1:1.11.21-1

Done: Luke W Faraone <lfaraone@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#929927; Package src:python-django. (Mon, 03 Jun 2019 12:36:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 03 Jun 2019 12:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-django: CVE-2019-12308: AdminURLFieldWidget XSS
Date: Mon, 03 Jun 2019 14:33:53 +0200
Source: python-django
Version: 1:1.11.20-1
Severity: important
Tags: security upstream
Control: found -1 2:2.2.1-1

Hi,

The following vulnerability was published for python-django.

CVE-2019-12308[0]:
AdminURLFieldWidget XSS

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12308
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308
[1] https://www.djangoproject.com/weblog/2019/jun/03/security-releases/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions python-django/2:2.2.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 03 Jun 2019 12:36:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#929927; Package src:python-django. (Tue, 04 Jun 2019 10:15:05 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 04 Jun 2019 10:15:05 GMT)


Message #12 received at 929927@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: "Salvatore Bonaccorso" <carnil@debian.org>, "Debian Bug Tracking System" <929927@bugs.debian.org>
Cc: "Luke Faraone" <lfaraone@debian.org>
Subject: Re: Bug#929927: python-django: CVE-2019-12308: AdminURLFieldWidget XSS
Date: Tue, 04 Jun 2019 11:11:55 +0100
[Adding lfaraone@debian.org to CC]

Salvatore Bonaccorso wrote

> CVE-2019-12308[0]:
> AdminURLFieldWidget XSS
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-12308
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308
> [1] https://www.djangoproject.com/weblog/2019/jun/03/security-releases/

Luke, do you still plan to take this as discussed during the embargo? I
might have some bandwidth the next day or so if not, but let me know.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#929927; Package src:python-django. (Tue, 04 Jun 2019 16:21:03 GMT)


Acknowledgement sent to Luke Faraone <lfaraone@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 04 Jun 2019 16:21:04 GMT)


Message #17 received at 929927@bugs.debian.org:

From: Luke Faraone <lfaraone@debian.org>
To: Chris Lamb <lamby@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, Debian Bug Tracking System <929927@bugs.debian.org>
Subject: Re: Bug#929927: python-django: CVE-2019-12308: AdminURLFieldWidget XSS
Date: Tue, 4 Jun 2019 16:17:15 +0000
Yep, planning on tackling this evening. (PDT)

Per discussion with Security Team a DSA isn't warranted for this issue.

On Tue, 4 Jun 2019 at 10:11, Chris Lamb <lamby@debian.org> wrote:

> [Adding lfaraone@debian.org to CC]
>
> Salvatore Bonaccorso wrote
>
> > CVE-2019-12308[0]:
> > AdminURLFieldWidget XSS
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-12308
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308
> > [1] https://www.djangoproject.com/weblog/2019/jun/03/security-releases/
>
> Luke, do you still plan to take this as discussed during the embargo? I
> might have some bandwidth the next day or so if not, but let me know.
>
>
> Regards,
>
> --
>       ,''`.
>      : :'  :     Chris Lamb
>      `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
>        `-
>


-- 

Luke Faraone;; Debian & Ubuntu Developer; Sugar Labs; MIT SIPB
lfaraone on irc.[freenode,oftc].net -- https://luke.wf/ohhello
PGP fprint: 8C82 3DED 10AA 8041 639E  1210 5ACE 8D6E 0C14 A470

Reply sent to Luke W Faraone <lfaraone@debian.org>:
You have taken responsibility. (Wed, 05 Jun 2019 00:54:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 05 Jun 2019 00:54:04 GMT)


Message #22 received at 929927-close@bugs.debian.org:

From: Luke W Faraone <lfaraone@debian.org>
To: 929927-close@bugs.debian.org
Subject: Bug#929927: fixed in python-django 1:1.11.21-1
Date: Wed, 05 Jun 2019 00:50:16 +0000
Source: python-django
Source-Version: 1:1.11.21-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929927@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luke W Faraone <lfaraone@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 05 Jun 2019 00:07:07 +0000
Source: python-django
Binary: python-django python-django-common python-django-doc python3-django
Architecture: source all
Version: 1:1.11.21-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Luke W Faraone <lfaraone@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 929927
Changes:
 python-django (1:1.11.21-1) unstable; urgency=medium
 .
   * New upstream security release.
     - CVE-2019-12308: XSS in Django admin via AdminURLFieldWidget
       (Closes: #929927)







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:07:10 2019; Machine Name: beach
