Debian Bug report logs - #953102
python-django: CVE-2020-9402

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 4 Mar 2020 14:21:02 UTC

Severity: important

Tags: security, upstream

Found in versions python-django/1:1.10.7-2+deb9u8, python-django/1:1.11.28-1~deb10u1, python-django/2:2.2.10-1, python-django/1:1.10.7-2+deb9u7, python-django/1:1.11.27-1~deb10u1, python-django/2:3.0.2-1, python-django/1:1.10.7-1

Fixed in versions python-django/2:2.2.11-1, python-django/2:3.0.4-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#953102; Package src:python-django. (Wed, 04 Mar 2020 14:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Wed, 04 Mar 2020 14:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-django: CVE-2020-9402
Date: Wed, 04 Mar 2020 15:20:07 +0100
Source: python-django
Version: 2:2.2.10-1
Severity: important
Tags: security upstream
Control: found -1 2:3.0.2-1
Control: found -1 1:1.11.28-1~deb10u1
Control: found -1 1:1.11.27-1~deb10u1
Control: found -1 1:1.10.7-2+deb9u8
Control: found -1 1:1.10.7-2+deb9u7
Control: found -1 1:1.10.7-1

Hi,

The following vulnerability was published for python-django.

CVE-2020-9402[0]:
| Potential SQL injection via tolerance
| parameter in GIS functions and aggregates on Oracle

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-9402
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9402
[1] https://www.djangoproject.com/weblog/2020/mar/04/security-releases/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions python-django/2:3.0.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 04 Mar 2020 14:21:04 GMT)


Marked as found in versions python-django/1:1.11.28-1~deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 04 Mar 2020 14:21:05 GMT)


Marked as found in versions python-django/1:1.11.27-1~deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 04 Mar 2020 14:21:05 GMT)


Marked as found in versions python-django/1:1.10.7-2+deb9u8. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 04 Mar 2020 14:21:06 GMT)


Marked as found in versions python-django/1:1.10.7-2+deb9u7. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 04 Mar 2020 14:21:06 GMT)


Marked as found in versions python-django/1:1.10.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 04 Mar 2020 14:21:07 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 04 Mar 2020 16:24:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 04 Mar 2020 16:24:04 GMT)


Message #22 received at 953102-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 953102-close@bugs.debian.org
Subject: Bug#953102: fixed in python-django 2:2.2.11-1
Date: Wed, 04 Mar 2020 16:20:55 +0000
Source: python-django
Source-Version: 2:2.2.11-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 953102@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 04 Mar 2020 08:01:27 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.11-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 953102
Changes:
 python-django (2:2.2.11-1) unstable; urgency=medium
 .
   * New upstream security release. (Closes: #953102)
     <https://www.djangoproject.com/weblog/2020/mar/04/security-releases/>
Checksums-Sha1:
 21702eef4bb4eb9697cbb399f33a063128a2e51f 2798 python-django_2.2.11-1.dsc
 fcb4c862f6f769465dc1d2bbb71e7a733db8e134 9010479 python-django_2.2.11.orig.tar.gz
 b8db3a8ece58a0fea0711e8dd7b0edac3b3b07d4 25964 python-django_2.2.11-1.debian.tar.xz
 8a07ab0e1ba8d5da1b570fc2eced78ee65300a77 7642 python-django_2.2.11-1_amd64.buildinfo
Checksums-Sha256:
 cfbb26bf69a69c254e752858aae4ca61f4763f1115d2cca089a35d663ff57cf2 2798 python-django_2.2.11-1.dsc
 65e2387e6bde531d3bb803244a2b74e0253550a9612c64a60c8c5be267b30f50 9010479 python-django_2.2.11.orig.tar.gz
 d5a01d20026fe88096236d0703599a49b80bd1c64e13ec17e5a409e4f51aab3b 25964 python-django_2.2.11-1.debian.tar.xz
 b88f526c782b39c0e3fc1467c6c1d0de83423b49f0d89a8681a7b95e137040b0 7642 python-django_2.2.11-1_amd64.buildinfo
Files:
 2f9fa76ff9e5b373c09e7bc6868e4512 2798 python optional python-django_2.2.11-1.dsc
 3d8cc4ec1329c742d848c418932e488a 9010479 python optional python-django_2.2.11.orig.tar.gz
 b15f8de05ead846293570c8c44d40b99 25964 python optional python-django_2.2.11-1.debian.tar.xz
 5cbb6ed644c7689af89fcb35c4e2b877 7642 python optional python-django_2.2.11-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 04 Mar 2020 16:45:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 04 Mar 2020 16:45:09 GMT)


Message #27 received at 953102-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 953102-close@bugs.debian.org
Subject: Bug#953102: fixed in python-django 2:3.0.4-1
Date: Wed, 04 Mar 2020 16:40:53 +0000
Source: python-django
Source-Version: 2:3.0.4-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 953102@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 04 Mar 2020 08:22:30 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.0.4-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 953102
Changes:
 python-django (2:3.0.4-1) experimental; urgency=medium
 .
   * New upstream security release. (Closes: #953102)
     <https://www.djangoproject.com/weblog/2020/mar/04/security-releases/>
   * Bump Standards-Version to 4.5.0.
   * Refresh debian/patches/0004-Use-locally-installed-documentation-sources.patch.
Checksums-Sha1:
 9f5b8a88bcec036104fbdb1da12cff2992305621 2798 python-django_3.0.4-1.dsc
 97030f70e8f385c2f1cea031fb1e17a32e93f9cf 9060331 python-django_3.0.4.orig.tar.gz
 bbadbf22e6599db642ab89614cdfd276dc4efed2 25884 python-django_3.0.4-1.debian.tar.xz
 9953ef7070ebbdd18e16c70ccc088467a16d286f 7576 python-django_3.0.4-1_amd64.buildinfo
Checksums-Sha256:
 dba1498cbb916167ee3ee455ec492323a0b4598ddb033c2cbd3858dd2b80781c 2798 python-django_3.0.4-1.dsc
 50b781f6cbeb98f673aa76ed8e572a019a45e52bdd4ad09001072dfd91ab07c8 9060331 python-django_3.0.4.orig.tar.gz
 d87c582648cfce828f74f9d3baee64d8e029af2cf6d7efcf925312d1e78ceba1 25884 python-django_3.0.4-1.debian.tar.xz
 003157fb860fc2f6a33d9d87e052fe966655c16910b86617ec0204d34dc1205c 7576 python-django_3.0.4-1_amd64.buildinfo
Files:
 9d6b336ec844c606c6e9854aa69288eb 2798 python optional python-django_3.0.4-1.dsc
 0b0299419770eaff86ff3a4af519cd6a 9060331 python optional python-django_3.0.4.orig.tar.gz
 d639a30a5f580f19fda98b75d59e8901 25884 python optional python-django_3.0.4-1.debian.tar.xz
 1c14f52dfc07d96a9e2635b4b1f74e68 7576 python optional python-django_3.0.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Mar 5 08:32:58 2020; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.