python-django: CVE-2015-2316: Denial-of-service possibility with strip_tags()

Related Vulnerabilities: CVE-2015-2316   CVE-2015-2317  

Debian Bug report logs - #780874


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 20 Mar 2015 20:03:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version python-django/1.7.6-1

Fixed in version python-django/1.7.7-1

Done: Raphaël Hertzog <hertzog@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#780874; Package src:python-django. (Fri, 20 Mar 2015 20:03:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 20 Mar 2015 20:03:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-django: CVE-2015-2316: Denial-of-service possibility with strip_tags()
Date: Fri, 20 Mar 2015 21:01:58 +0100
Source: python-django
Version: 1.7.6-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for python-django.

CVE-2015-2316[0]:
Denial-of-service possibility with strip_tags()

AFAICS this actually is only a problem if it would be used with Python
< 2.7.7 or < 3.3.5, according to the upstream advisory. So should not
affect (apart source-wise) the package in jessie and sid. Can you
confirm that?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-2316
[1] https://www.djangoproject.com/weblog/2015/mar/18/security-releases/

Regards,
Salvatore

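The report above narrows CVE-2015-2316 to a specific combination: a python-django package below the fixed 1.7.7-1 running on a Python interpreter older than 2.7.7 or 3.3.5. The following is an added example, not code from the Debian bug, from Django or from the upstream advisory; it turns that statement into an "am I exposed?" check. The thresholds are taken from the report, while the assumption that every Django version below 1.7.7 lacks the fix is mine: this page only documents the 1.7.x release, not the fixed versions of other series.

```python
"""Check whether a Django/Python pair is exposed to CVE-2015-2316.

Added example (not Django's or Debian's code). Encodes only what the bug
report states: python-django 1.7.6-1 was found vulnerable, 1.7.7-1 is fixed,
and the strip_tags() DoS is only a problem on Python < 2.7.7 or < 3.3.5.
Assumption: any Django version below 1.7.7 is treated as unfixed; other
release series are not documented on this page.
"""
import re
import sys

# Thresholds as stated in the bug report / upstream advisory.
FIXED_DJANGO = (1, 7, 7)
SAFE_PYTHON = {2: (2, 7, 7), 3: (3, 3, 5)}


def parse_version(version):
    """Turn '1.7.6', '1.7.6-1' (Debian revision) or '2.7.9+' into an int tuple.

    The Debian revision after '-' and any trailing non-numeric suffix are
    dropped; missing minor/patch components count as 0.
    """
    upstream = version.split('-', 1)[0]
    m = re.match(r'(\d+)(?:\.(\d+))?(?:\.(\d+))?', upstream)
    if not m:
        raise ValueError('unparseable version: %r' % (version,))
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def python_affected(py_version):
    """True if the interpreter is below the threshold the advisory names."""
    threshold = SAFE_PYTHON.get(py_version[0])
    if threshold is None:
        # The advisory lists thresholds for 2.x and 3.x only.
        return False
    return tuple(py_version) < threshold


def assess(django_version, py_version):
    """Return (affected, reason) for a Django version string and a Python version tuple."""
    dj = parse_version(django_version)
    py = tuple(py_version)[:3]
    py_text = '.'.join(str(n) for n in py)
    if dj >= FIXED_DJANGO:
        return False, 'Django %s carries the 1.7.7 strip_tags() fix' % django_version
    if not python_affected(py):
        return False, ('Django %s lacks the fix but Python %s is at or above the '
                       'advisory threshold' % (django_version, py_text))
    return True, ('Django %s on Python %s: denial-of-service possible via strip_tags()'
                  % (django_version, py_text))


if __name__ == '__main__':
    # Usage: python check.py [django-version]; defaults to the version the bug was found in.
    dj_version = sys.argv[1] if len(sys.argv) > 1 else '1.7.6-1'
    affected, why = assess(dj_version, sys.version_info)
    print(('AFFECTED: ' if affected else 'not affected: ') + why)
```

Run it with the interpreter that actually serves the Django application, not the system default, since the Python side of the condition is what decides exposure for an unfixed package.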


Added tag(s) pending. Request was from Raphaël Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Mon, 23 Mar 2015 20:18:08 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#780874. (Mon, 23 Mar 2015 20:18:15 GMT)


Message #10 received at 780874-submitter@bugs.debian.org:

From: Raphaël Hertzog <hertzog@debian.org>
To: 780874-submitter@bugs.debian.org
Subject: Bug#780874 marked as pending
Date: Mon, 23 Mar 2015 20:14:08 +0000
tag 780874 pending
thanks

Hello,

Bug #780874 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=python-modules/packages/python-django.git;a=commitdiff;h=6ba93dc

---
commit 6ba93dcd9c8aaad285753c8d890603f212832728
Author: Raphaël Hertzog <hertzog@debian.org>
Date:   Mon Mar 23 20:52:05 2015 +0100

    New upstream security and bugfix release
    
    https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
    
    It fixes:
    - CVE-2015-2317: possible XSS attack via user-supplied redirect URLs
      Closes: #780873
    - CVE-2015-2316: Denial-of-service possibility with strip_tags()
      Closes: #780874

diff --git a/debian/changelog b/debian/changelog
index ae46600..39822bc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+python-django (1.7.7-1) unstable; urgency=high
+
+  * New upstream security and bugfix release:
+    https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
+    It fixes:
+    - CVE-2015-2317: possible XSS attack via user-supplied redirect URLs
+      Closes: #780873
+    - CVE-2015-2316: Denial-of-service possibility with strip_tags()
+      Closes: #780874
+
+ -- Raphaël Hertzog <hertzog@debian.org>  Mon, 23 Mar 2015 20:41:13 +0100
+
 python-django (1.7.6-1) unstable; urgency=high
 
   * New upstream security release:
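Review bot: the new changelog entry closes #780874 without recording whether the Debian builds were actually exposed; the bug report asked for confirmation that CVE-2015-2316 is only a problem with Python < 2.7.7 or < 3.3.5, so the `- CVE-2015-2316: Denial-of-service possibility with strip_tags()` line should state that condition (and what it means for the jessie/sid interpreters) so that the security tracker and users reading the changelog do not have to dig it out of the advisory. The version bump to 1.7.7-1 and `urgency=high` are consistent with the "Fixed in version" on the bug.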



Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Mon, 23 Mar 2015 21:21:26 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 23 Mar 2015 21:21:26 GMT)


Message #15 received at 780874-close@bugs.debian.org:

From: Raphaël Hertzog <hertzog@debian.org>
To: 780874-close@bugs.debian.org
Subject: Bug#780874: fixed in python-django 1.7.7-1
Date: Mon, 23 Mar 2015 21:20:14 +0000
Source: python-django
Source-Version: 1.7.7-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780874@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 Mar 2015 20:41:13 +0100
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1.7.7-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 780873 780874
Changes:
 python-django (1.7.7-1) unstable; urgency=high
 .
   * New upstream security and bugfix release:
     https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
     It fixes:
     - CVE-2015-2317: possible XSS attack via user-supplied redirect URLs
       Closes: #780873
     - CVE-2015-2316: Denial-of-service possibility with strip_tags()
       Closes: #780874
Checksums-Sha1:
 72dc9c90ac92fbf6197b7d7d9e24c70efdadd9ef 2311 python-django_1.7.7-1.dsc
 614cc9f8e1af6630c54300f6bdd88e7b783614c3 7603286 python-django_1.7.7.orig.tar.gz
 c38bc1489f5cecb0f91e05449dbc91fbc96c5c50 21708 python-django_1.7.7-1.debian.tar.xz
 433314c88a5c70f72bd60d0511d974c54cb91da1 984522 python-django_1.7.7-1_all.deb
 c456939fad58b14c67cf5e46f97364205baa6a58 967680 python3-django_1.7.7-1_all.deb
 20b2d250603564453357e3040593f0941fb991c3 1499436 python-django-common_1.7.7-1_all.deb
 ae14434362f0ee1737468d87806afc18c79f02f9 2483758 python-django-doc_1.7.7-1_all.deb
Checksums-Sha256:
 3dfa5c4b949073de775ebd68fa9bbfd622c96442134f9070c8a64fe3574dbdc2 2311 python-django_1.7.7-1.dsc
 4816f892063569ca9a77584fa23cb4995c1b3b954ef875102a8219229cbd2e33 7603286 python-django_1.7.7.orig.tar.gz
 54d56fbaf3b4c93a59e44098c58e6362f45f55f0b3e2592a1288b9b699c067e9 21708 python-django_1.7.7-1.debian.tar.xz
 3408c356d04bbce78cac168d7cff9147d1e19de240f96d1284a5c5169efe6ae7 984522 python-django_1.7.7-1_all.deb
 4eb47b82b0b2ca7428008dbecf41a25e4521f5960a6ce9c0e4661cc97dc2c35d 967680 python3-django_1.7.7-1_all.deb
 93db9200787e66fae474958a7467efa5afe6934b6cd99afcd2c680278f6bee2f 1499436 python-django-common_1.7.7-1_all.deb
 2488226be2f66eb80ba8d14d90900e1b3864f792e9d85a91c5ddd66c84acdf27 2483758 python-django-doc_1.7.7-1_all.deb
Files:
 05a83cb25409f8a3a84418d99709eff7 2311 python optional python-django_1.7.7-1.dsc
 a62d6598966947d150525ad2ab20fb0c 7603286 python optional python-django_1.7.7.orig.tar.gz
 4fba1c456ba33d6a2cfc9a58c5520cb1 21708 python optional python-django_1.7.7-1.debian.tar.xz
 bed9b0aa1c8d6f72ac46af0253ad00b4 984522 python optional python-django_1.7.7-1_all.deb
 d33575e1a3cbf8549a4b997344cde7c8 967680 python optional python3-django_1.7.7-1_all.deb
 f543e667daeada7c10fb7ea81ab307c2 1499436 python optional python-django-common_1.7.7-1_all.deb
 dfac201febad15cce300877d61f395f4 2483758 doc optional python-django-doc_1.7.7-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Signed by Raphael Hertzog

iQEcBAEBCAAGBQJVEHQRAAoJEAOIHavrwpq5+e8H/ib2BJO6n5NnjGIK9spH/5Gs
iS7fSaaLFNFCqOxzJ/7OCFz3SVNZ3YC9LirJiYZxHNp/JR7GR2FiDWd8yg57bUaT
pn8s8SBf4tzMUXk29RmecoyL1mrWUVqozhLiPAVZe/Rt5nxHCCSW5e18ORRFT3A0
jaqEjadH3Dk+gzUzurgokU3tQ/5EdF7VmrnojKG+eItIYifZ/49Uvb+U7iGx9yZY
DUw0Lsj8VqlDtfHX+OQAoM8jOKZBlX7vR8Fwb07IpUC091AO9okUlra1zW2odw6X
3B2gT1M3Xt/kFmrXIW+BxPEErzbxKOTPxkhqCbFJBWa1EkGZmzHbE+3LpWmGvrI=
=Xbud
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 23 Apr 2015 07:28:49 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:13:16 2019; Machine Name: buxtehude
