python-django: CVE-2019-19844: Potential account hijack via password reset form


Debian Bug report logs - #946937


Reported by: "Chris Lamb" <lamby@debian.org>

Date: Wed, 18 Dec 2019 09:27:02 UTC

Severity: grave

Tags: security

Found in versions python-django/1:1.11.23-1~deb10u1, 2:2.2.8-1, python-django/1:1.10.7-2+deb9u6

Fixed in version python-django/2:2.2.9-1

Done: Chris Lamb <lamby@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#946937; Package python-django. (Wed, 18 Dec 2019 09:27:05 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Wed, 18 Dec 2019 09:27:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2019-19844: Potential account hijack via password reset form
Date: Wed, 18 Dec 2019 09:25:44 +0000
Package: python-django
Version: 1:1.10.7-2+deb9u6
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2019-19844[0][1]: Potential account hijack via password
reset form

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19844
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844
[1] https://www.djangoproject.com/weblog/2019/dec/18/security-releases/


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Marked as found in versions 2:2.2.8-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Dec 2019 09:42:03 GMT)


Marked as found in versions python-django/1:1.11.23-1~deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Dec 2019 09:42:04 GMT)


Message sent on to "Chris Lamb" <lamby@debian.org>:
Bug#946937. (Wed, 18 Dec 2019 15:18:05 GMT)


Message #12 received at 946937-submitter@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 946937-submitter@bugs.debian.org
Subject: Bug#946937 marked as pending in python-django
Date: Wed, 18 Dec 2019 15:16:19 +0000
Control: tag -1 pending

Hello,

Bug #946937 in python-django reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/modules/python-django/commit/5019e30eec71c58332ae03aab750b078737878c1

------------------------------------------------------------------------
New upstream security release. (Closes: #946937) <https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/946937



Added tag(s) pending. Request was from Chris Lamb <lamby@debian.org> to 946937-submitter@bugs.debian.org. (Wed, 18 Dec 2019 15:18:05 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 18 Dec 2019 15:39:17 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Wed, 18 Dec 2019 15:39:17 GMT)


Message #19 received at 946937-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 946937-close@bugs.debian.org
Subject: Bug#946937: fixed in python-django 2:2.2.9-1
Date: Wed, 18 Dec 2019 15:35:22 +0000
Source: python-django
Source-Version: 2:2.2.9-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 946937@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 18 Dec 2019 12:28:31 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 946937
Changes:
 python-django (2:2.2.9-1) unstable; urgency=medium
 .
   * New upstream security release. (Closes: #946937)
     <https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Dec 19 09:08:34 2019; Machine Name: buxtehude
