
Debian Bug report logs - #796104
python-django: CVE-2015-5963 CVE-2015-5964


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 19 Aug 2015 14:00:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version python-django/1.4.5-1

Fixed in versions python-django/1.7.7-1+deb8u2, python-django/1.4.5-1+deb7u13, python-django/1.8.4-1, python-django/1.7.10-1

Done: Brian May <bam@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#796104; Package src:python-django. (Wed, 19 Aug 2015 14:00:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Wed, 19 Aug 2015 14:00:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-django: CVE-2015-5963 CVE-2015-5964
Date: Wed, 19 Aug 2015 15:58:16 +0200
Source: python-django
Version: 1.4.5-1
Severity: important
Tags: security upstream fixed-upstream
Control: fixed -1 1.7.7-1+deb8u2

Hi,

the following vulnerabilities were published for python-django.

CVE-2015-5963[0]:
Denial-of-service possibility in logout() view by filling session store

CVE-2015-5964[1]:
more to CVE-2015-5963

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-5963
[1] https://security-tracker.debian.org/tracker/CVE-2015-5964
[2] https://www.djangoproject.com/weblog/2015/aug/18/security-releases/

Regards,
Salvatore
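As an added illustration (not part of the bug report, and not Django's own code) of what "filling session store" means for the logout() view: a toy session backend in which flushing a visitor who carries no session still writes a fresh record, shown beside a hardened flush that merely drops the key. `SessionStore`, `flush_unpatched`, `flush_patched` and `anonymous_logouts` are names assumed for this model; the shared `backend` dict stands in for a database or cache table.

```python
"""Model of the session-store growth behind CVE-2015-5963 (constructed
example, not Django's code). The session store is an in-memory dict standing
in for the database/cache backend; request handling is reduced to the
logout() path, where the view flushes whatever session the request carries."""
import secrets


class SessionStore:
    """Minimal stand-in for a Django-style session backend (assumed model)."""

    def __init__(self, backend: dict, session_key=None):
        self.backend = backend          # shared store, e.g. a DB table
        self._session_key = session_key  # None when no session cookie was sent
        self._data = {}

    def create(self):
        # Persist a brand-new, empty session record under a fresh key.
        self._session_key = secrets.token_hex(16)
        self.backend[self._session_key] = dict(self._data)

    def delete(self):
        self.backend.pop(self._session_key, None)

    def flush_unpatched(self):
        # Pre-fix behaviour: clearing always ends with create(), so even an
        # anonymous visitor with no session leaves a new record behind.
        self._data.clear()
        self.delete()
        self.create()

    def flush_patched(self):
        # Hardened behaviour: forget the key; a record is written later only
        # if the application actually stores something in the session.
        self._data.clear()
        self.delete()
        self._session_key = None


def anonymous_logouts(n: int, patched: bool) -> int:
    """Serve n logout() requests from visitors that carry no session cookie
    and return how many records the shared store holds afterwards."""
    backend = {}
    for _ in range(n):
        session = SessionStore(backend, session_key=None)  # no cookie sent
        session.flush_patched() if patched else session.flush_unpatched()
    return len(backend)


if __name__ == "__main__":
    print("unpatched:", anonymous_logouts(1000, patched=False))  # 1000
    print("patched:  ", anonymous_logouts(1000, patched=True))   # 0
```

The unpatched store grows by one record per request, which is the resource-exhaustion condition the CVE describes; the patched variant leaves the store empty.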



Marked as fixed in versions python-django/1.7.7-1+deb8u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 19 Aug 2015 14:00:06 GMT) (full text, mbox, link).


Marked as fixed in versions python-django/1.4.5-1+deb7u13. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 19 Aug 2015 14:03:07 GMT) (full text, mbox, link).


Marked as fixed in versions python-django/1.8.4-1. Request was from Luke Faraone <lfaraone@debian.org> to control@bugs.debian.org. (Mon, 24 Aug 2015 00:30:04 GMT) (full text, mbox, link).


Reply sent to Brian May <bam@debian.org>:
You have taken responsibility. (Mon, 12 Oct 2015 03:27:05 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 12 Oct 2015 03:27:05 GMT) (full text, mbox, link).


Message #16 received at 796104-close@bugs.debian.org (full text, mbox, reply):

From: Brian May <bam@debian.org>
To: 796104-close@bugs.debian.org
Subject: Bug#796104: fixed in python-django 1.7.10-1
Date: Mon, 12 Oct 2015 03:22:10 +0000
Source: python-django
Source-Version: 1.7.10-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 796104@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brian May <bam@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 12 Oct 2015 12:59:43 +1100
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1.7.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Brian May <bam@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 796104 800137 801554
Changes:
 python-django (1.7.10-1) unstable; urgency=medium
 .
   * Fix Python 3.5 HTMLParseError issue. Closes: #800137.
   * New upstream version. Fixes CVE-2015-5963, CVE-2015-5964. Closes: #796104.
   * Add numpy 1.9 support. Closes: #801554.
Checksums-Sha1:
Checksums-Sha256:
Files:


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 14 Nov 2015 07:25:11 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:48:52 2019; Machine Name: beach
