python-django: CVE-2016-9013 CVE-2016-9014

Related Vulnerabilities: CVE-2016-9013   CVE-2016-9014   CVE-2017-7233   CVE-2017-7234  

Debian Bug report logs - #842856


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 1 Nov 2016 19:39:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version python-django/1.7.7-1

Fixed in versions python-django/1.7.11-1+deb8u2, python-django/1:1.11~alpha1-1, python-django/1:1.10.3-1

Done: Luke W Faraone <lfaraone@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#842856; Package src:python-django. (Tue, 01 Nov 2016 19:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 01 Nov 2016 19:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-django: CVE-2016-9013 CVE-2016-9014
Date: Tue, 01 Nov 2016 20:35:58 +0100
Source: python-django
Version: 1.7.7-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerabilities were published for python-django.

CVE-2016-9013[0]:
User with hardcoded password created when running tests on Oracle

CVE-2016-9014[1]:
DNS rebinding vulnerability when DEBUG=True

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9013
[1] https://security-tracker.debian.org/tracker/CVE-2016-9014
[2] https://www.djangoproject.com/weblog/2016/nov/01/security-releases/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as fixed in versions python-django/1:1.10.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 13 Nov 2016 06:09:02 GMT)


Reply sent to Luke W Faraone <lfaraone@debian.org>:
You have taken responsibility. (Fri, 28 Apr 2017 10:36:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 28 Apr 2017 10:36:03 GMT)


Message #12 received at 842856-close@bugs.debian.org:

From: Luke W Faraone <lfaraone@debian.org>
To: 842856-close@bugs.debian.org
Subject: Bug#842856: fixed in python-django 1.7.11-1+deb8u2
Date: Fri, 28 Apr 2017 10:32:39 +0000
Source: python-django
Source-Version: 1.7.11-1+deb8u2

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 842856@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luke W Faraone <lfaraone@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 23 Apr 2017 20:52:55 +0000
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1.7.11-1+deb8u2
Distribution: stable
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Luke W Faraone <lfaraone@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 842856 859515 859516
Changes:
 python-django (1.7.11-1+deb8u2) jessie-security; urgency=high
 .
   * SECURITY UPDATE:
     - CVE-2016-9013: User with hardcoded password created when running tests on
       Oracle
     - CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True
       (Closes: #842856)
     - CVE-2017-7233: Open redirect and possible XSS attack via user-supplied
       numeric redirect URLs (Closes: #859515)
     - CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()
       (Closes: #859516)
Checksums-Sha1:
 284789efbe64cd5c85da22ca0a8442c664f21958 2713 python-django_1.7.11-1+deb8u2.dsc
 5dfa550c5fd4a666371e63056f9b8b4e1688c28a 35356 python-django_1.7.11-1+deb8u2.debian.tar.xz
 2da960925b1ea9c513ed151dd9465e85b6b7517c 994342 python-django_1.7.11-1+deb8u2_all.deb
 09c35a9948a584808213c0623272360fe4062aca 978076 python3-django_1.7.11-1+deb8u2_all.deb
 15a96f0657c0bdf04d1b9437fae384df729bf42d 1503460 python-django-common_1.7.11-1+deb8u2_all.deb
 731d1528e7975ebfe3a200fa4609be03b8496eb6 2493184 python-django-doc_1.7.11-1+deb8u2_all.deb
Checksums-Sha256:
 d238c7ab55ade686db92c64dcd01cf5241a5705f5262552ec9e9a4a41028296a 2713 python-django_1.7.11-1+deb8u2.dsc
 f39cf99d63fc94ccb1eeca51505785ee3d85c8ff376225036e9c08929d4ba521 35356 python-django_1.7.11-1+deb8u2.debian.tar.xz
 52ae8d17cc99b175d77292ee449377f7139519fa85e588605ea264aae2d04f20 994342 python-django_1.7.11-1+deb8u2_all.deb
 f96e381d52a974fb476904a53ce0ad7c35b952bb505c4c6316271a5e894e975d 978076 python3-django_1.7.11-1+deb8u2_all.deb
 09db2448b7a0413b18ae737d23d9d9abe856d748ce7c73d1591649e084785b66 1503460 python-django-common_1.7.11-1+deb8u2_all.deb
 765e13af0467296c28356a94c9f30838e5ca3565c42b2495f3d89ac4a2c2b1a3 2493184 python-django-doc_1.7.11-1+deb8u2_all.deb
Files:
 c1e975d0dd687959fb35b7efa27d0902 2713 python optional python-django_1.7.11-1+deb8u2.dsc
 7fec8261ab9b449073c389142e524497 35356 python optional python-django_1.7.11-1+deb8u2.debian.tar.xz
 e0007128e55e4da01e66db324dd3ebab 994342 python optional python-django_1.7.11-1+deb8u2_all.deb
 33540a04897acce631852c3b759c44c7 978076 python optional python3-django_1.7.11-1+deb8u2_all.deb
 75a2f62e80f61e331daf42675bbb7998 1503460 python optional python-django-common_1.7.11-1+deb8u2_all.deb
 6b2245d7c89250de5256966e15814a81 2493184 doc optional python-django-doc_1.7.11-1+deb8u2_all.deb

-----BEGIN PGP SIGNATURE-----

iQItBAEBCAAXBQJY/TU4EBxsdWtlQGZhcmFvbmUuY2MACgkQ2Ov4wRG5tSCkrhAA
ilI9+NIuP2Zr1tiOYnKoGLx0n+RpGAHzWshXV38XciTftN3sHHKeaAA9rhXYd0+3
JK7dYAtYl/uIMmtYkQsNg41GS0fEnRO486rLaip+thB8Pq+M0UTLXnWugQuTtNSP
/5+v5gA7vOBdgCkEqE77HnbsFqnJna/jNZswk5W3UOqSPAKESrwpYS9XZT0eSzcP
T8o9Cfwwu5xATaGM0YS0B9RsrGVh+5s+1uNQf1PBzcR/wi7d45FN+INevtSDePe1
1V6LmDkOLqH9R76ifVr3ZmJqp110lwz4Ki27+8K2lT4/w2LB473TjD1m+OTboI6i
AVKMBS0Oq9KMyCvy5Vf1JTA9BBcFNZdO6fjwLUHPQhhJsIa8Li/mj5lSBwer6pzR
mi7zl7oZ8XujMMVx/ls5+6EuFNKYdN5uJDuYpwcl2r0vHskpYTwaJ7PoezSSj9DY
nrcMuKvGv3jDzUWwVeHa5eVLGe4M8V/aG5qG2G6EET/uOGLJHob8KPEp5gD4tpjg
BgsS17V9ti7/tGvz0f6bIvwS0jge6+6vMM43OEiMRrOD8eXs1y+gpuEFIdwAMkht
IF05yRRoUB/k2fVVXY06OFLlHW1hy1eq2HGUrVcslxQ7bw2IF+KqGKG+srcr4FKm
y9gAFO63KVMY9md7ibBsdQVbwpXa0NyjKjRcBNO2Wjc=
=5h4u
-----END PGP SIGNATURE-----




Marked as fixed in versions python-django/1:1.11~alpha1-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 17 Sep 2017 03:24:37 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 15 Nov 2017 07:30:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:11:19 2019; Machine Name: buxtehude
