python-django: CVE-2019-3498: Content spoofing possibility in the default 404 page

Related Vulnerabilities: CVE-2019-3498   CVE-2018-7536   CVE-2018-14574  

Debian Bug report logs - #918230
python-django: CVE-2019-3498: Content spoofing possibility in the default 404 page


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 4 Jan 2019 15:00:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions python-django/1:1.10.7-2+deb9u3, python-django/2:2.1.4-2, python-django/1:1.11.17-2

Fixed in versions python-django/1:1.11.18-1, python-django/2:2.1.5-1, python-django/1:1.10.7-2+deb9u4

Done: Chris Lamb <lamby@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#918230; Package src:python-django. (Fri, 04 Jan 2019 15:00:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 04 Jan 2019 15:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-django: CVE-2019-3498: Content spoofing possibility in the default 404 page
Date: Fri, 04 Jan 2019 15:58:02 +0100
Source: python-django
Version: 1:1.11.17-2
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: found -1 2:2.1.4-2

Hi,

The following vulnerability was published for python-django.

CVE-2019-3498[0]:
Content spoofing possibility in the default 404 page

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3498
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3498
[1] https://www.djangoproject.com/weblog/2019/jan/04/security-releases/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions python-django/2:2.1.4-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 04 Jan 2019 15:00:04 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#918230. (Fri, 04 Jan 2019 17:30:05 GMT)


Message #10 received at 918230-submitter@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 918230-submitter@bugs.debian.org
Subject: Bug #918230 in python-django marked as pending
Date: Fri, 04 Jan 2019 17:27:57 +0000
Control: tag -1 pending

Hello,

Bug #918230 in python-django reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/modules/python-django/commit/b8e6ac2407f72a59fb89dd93288af46971e1ea69

------------------------------------------------------------------------
New upstream security release. (Closes: #918230)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/918230



Added tag(s) pending. Request was from Chris Lamb <lamby@debian.org> to 918230-submitter@bugs.debian.org. (Fri, 04 Jan 2019 17:30:05 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Fri, 04 Jan 2019 17:39:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 04 Jan 2019 17:39:07 GMT)


Message #17 received at 918230-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 918230-close@bugs.debian.org
Subject: Bug#918230: fixed in python-django 1:1.11.18-1
Date: Fri, 04 Jan 2019 17:35:51 +0000
Source: python-django
Source-Version: 1:1.11.18-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918230@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 04 Jan 2019 18:23:06 +0100
Source: python-django
Binary: python-django python-django-common python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 1:1.11.18-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 918230
Changes:
 python-django (1:1.11.18-1) unstable; urgency=medium
 .
   * New upstream security release:
     - CVE-2019-3498: Content spoofing possibility in the default 404 page.
       (Closes: #918230)
     <https://www.djangoproject.com/weblog/2019/jan/04/security-releases/>
   * Move to debhelper-compat virtual package.
   * Bump debhelper compatibility level to 12.
   * Bump Standards-Version to 4.3.0.
   * 0007-Fixed-29182-Adjusted-SQLite-schema-table-.patch: Fix grammar/spelling
     error in upstream patch.
Checksums-Sha1:
 0848b9f9327d5f2df65190a73a37cd7eeb22e5b3 3203 python-django_1.11.18-1.dsc
 705d631e290ba20e19c574f8bb2f2c26d281ddb1 7847617 python-django_1.11.18.orig.tar.gz
 a4580ff4cec727f37b2e9828a66f0ef8333810f5 26072 python-django_1.11.18-1.debian.tar.xz
 8f3726bf3e5530eddf112e8c5a494844ef531dd0 1536516 python-django-common_1.11.18-1_all.deb
 9cb3f617f651f72e28e3fcebf65336836e308b6a 2634100 python-django-doc_1.11.18-1_all.deb
 da01fa57f82cf2201d8b933a38e6bde4f50714c2 915560 python-django_1.11.18-1_all.deb
 96137c663dd51344223b8488527e9af9f1775566 8318 python-django_1.11.18-1_amd64.buildinfo
 84d0406c6b53198fdda5c98c86dc703b4eb544fe 915724 python3-django_1.11.18-1_all.deb
Checksums-Sha256:
 ba372d047e6a413c6b83b3f3db634f6d03ed1bb8cfa353358caff238c0f4acd7 3203 python-django_1.11.18-1.dsc
 73cca1dac154e749b39cc91a54dc876109eb0512a5c6804986495305047066a5 7847617 python-django_1.11.18.orig.tar.gz
 48877ddae20c2b6f4aa66655e878dd479b9b6920c38017b918d97ac54ea12f96 26072 python-django_1.11.18-1.debian.tar.xz
 77dedf5be9747c718bc267191852d09a8b21bd348afbfa9e905660f6ce9ceccc 1536516 python-django-common_1.11.18-1_all.deb
 b45d55ee14f4bb170751e9951b7efbd2311998c0a1d63d2749f0992bde50071e 2634100 python-django-doc_1.11.18-1_all.deb
 79dbe265371c43f04ae3d8356f0a10d75f70a579d7d9a543c40996534d291ff0 915560 python-django_1.11.18-1_all.deb
 a625c1822955f2f0adc9a115acc433c7b389ea28b4591d57f4529382fe5e9875 8318 python-django_1.11.18-1_amd64.buildinfo
 78f76a9cb2010e9ea4c3fb78965cb7dceca0c783affd7e102e0f5d69f301880a 915724 python3-django_1.11.18-1_all.deb
Files:
 725e8a5124f2246d997a4a310214cda3 3203 python optional python-django_1.11.18-1.dsc
 ef734560a81a8c0eb535e7a46205bd72 7847617 python optional python-django_1.11.18.orig.tar.gz
 92154896a95fa54ba1c942dc39b6f60d 26072 python optional python-django_1.11.18-1.debian.tar.xz
 237229d6bb6adf434516e338d45dc952 1536516 python optional python-django-common_1.11.18-1_all.deb
 f7cb2264e9b5515faa0a606752dcde57 2634100 doc optional python-django-doc_1.11.18-1_all.deb
 cf8eecb01e4a4d9a83e7ab96d18e244b 915560 python optional python-django_1.11.18-1_all.deb
 f2e58e859fb7269e2bf28d6a624210d2 8318 python optional python-django_1.11.18-1_amd64.buildinfo
 3a873d8b6bb689e539da80b65ec506b9 915724 python optional python3-django_1.11.18-1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#918230; Package src:python-django. (Fri, 04 Jan 2019 18:03:02 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 04 Jan 2019 18:03:02 GMT)


Message #22 received at 918230@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 918230@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#918230: python-django: CVE-2019-3498: Content spoofing possibility in the default 404 page
Date: Fri, 04 Jan 2019 19:00:19 +0100
found 918230 1:1.10.7-2+deb9u3
thanks

[Adding team@security.debian.org to CC]

Hi Salvatore,

> Source: python-django
> Version: 1:1.11.17-2
[..]
> CVE-2019-3498[0]:
> Content spoofing possibility in the default 404 page

This also affects stable from my reading of the code. Shall I
prepare an upload to stretch-security?

(I'm preparing one for unstable, experimental and oldstable anyway,
so...)


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Marked as found in versions python-django/1:1.10.7-2+deb9u3. Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Fri, 04 Jan 2019 18:03:04 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Fri, 04 Jan 2019 18:09:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 04 Jan 2019 18:09:13 GMT)


Message #29 received at 918230-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 918230-close@bugs.debian.org
Subject: Bug#918230: fixed in python-django 2:2.1.5-1
Date: Fri, 04 Jan 2019 18:06:43 +0000
Source: python-django
Source-Version: 2:2.1.5-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918230@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 04 Jan 2019 18:49:35 +0100
Source: python-django
Binary: python3-django python-django-doc
Built-For-Profiles: nocheck
Architecture: source all
Version: 2:2.1.5-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 918230
Changes:
 python-django (2:2.1.5-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2019-3498: Content spoofing possibility in the default 404 page.
       (Closes: #918230)
     <https://www.djangoproject.com/weblog/2019/jan/04/security-releases/>
   * Drop 0007-Fixed-29182-Adjusted-SQLite-schema-table-alteration-.patch;
     applied upstream. (re. #915626)
   * Move to debhelper-compat virtual package.
   * debian/control:
     - Bump debhelper compatibility level to 12.
     - Bump Standards-Version to 4.3.0.
Checksums-Sha1:
 13e676cf51c36caa60223db8aa0fdacb6aaffb72 2709 python-django_2.1.5-1.dsc
 67297b08e31b9f4562bb6813cc28b897fdcc49a5 8612384 python-django_2.1.5.orig.tar.gz
 08f3f761fb37cfabba1cb4e7063629ebfe21a3e3 24432 python-django_2.1.5-1.debian.tar.xz
 b9a1cfd38de16388ae0ea132da355dc90eaa312a 3043976 python-django-doc_2.1.5-1_all.deb
 404834d6a8bf8f2c303d4f6274a6c1eb82ee9d52 7158 python-django_2.1.5-1_amd64.buildinfo
 3072eeb8f1db9af7ce915878ac6e1d650c0ff520 2587964 python3-django_2.1.5-1_all.deb
Checksums-Sha256:
 2cca7817f2639ea7569e55a84f119255145fe8477cb9ecf62c65ccaa576a4b89 2709 python-django_2.1.5-1.dsc
 d6393918da830530a9516bbbcbf7f1214c3d733738779f06b0f649f49cc698c3 8612384 python-django_2.1.5.orig.tar.gz
 2c3d1e1d48ace5fdef32a1ddc6c00400ef6a997e4a4c554b20efb6726801ea83 24432 python-django_2.1.5-1.debian.tar.xz
 3235f48f5cfaa5ff596d24594811ed8e0927f45b8d48d4c3aa54b3a3f2c954c4 3043976 python-django-doc_2.1.5-1_all.deb
 3d3e83ee116c17ebc4313d0b53f628e7c31f79300c1bd739612c7b134b731f7d 7158 python-django_2.1.5-1_amd64.buildinfo
 93cc69f6aaaefe0d38fa649335b89572f44375f98f8590e0e5d3a466ccc46faf 2587964 python3-django_2.1.5-1_all.deb
Files:
 5a75a5f3af3996a526c8100fc3887122 2709 python optional python-django_2.1.5-1.dsc
 9309c48c8b92503b8969a7603a97e2a1 8612384 python optional python-django_2.1.5.orig.tar.gz
 19ac29cd2948465f86e8b5bbcf308273 24432 python optional python-django_2.1.5-1.debian.tar.xz
 fe0d73d93c0ad62869eb0b247ae81c8a 3043976 doc optional python-django-doc_2.1.5-1_all.deb
 bb13c477dc34415fd6b19ba6af4d01fc 7158 python optional python-django_2.1.5-1_amd64.buildinfo
 a85b32a4e21264fa7dedff6842fa924c 2587964 python optional python3-django_2.1.5-1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#918230; Package src:python-django. (Fri, 04 Jan 2019 18:09:15 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 04 Jan 2019 18:09:15 GMT)


Message #34 received at 918230@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Chris Lamb <lamby@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 918230@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#918230: python-django: CVE-2019-3498: Content spoofing possibility in the default 404 page
Date: Fri, 4 Jan 2019 19:08:34 +0100
On Fri, Jan 04, 2019 at 07:00:19PM +0100, Chris Lamb wrote:
> found 918230 1:1.10.7-2+deb9u3
> thanks
> 
> [Adding team@security.debian.org to CC]
> 
> Hi Salvatore,
> 
> > Source: python-django
> > Version: 1:1.11.17-2
> [..]
> > CVE-2019-3498[0]:
> > Content spoofing possibility in the default 404 page
> 
> This also affects stable from my reading of the code. Shall I
> prepare an upload to stretch-security?
> 
> (I'm preparing one for unstable, experimental and oldstable anyway,
> so...)

Please do.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#918230; Package src:python-django. (Sat, 05 Jan 2019 20:42:09 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sat, 05 Jan 2019 20:42:09 GMT)


Message #39 received at 918230@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 918230@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, team@security.debian.org
Subject: Re: Bug#918230: python-django: CVE-2019-3498: Content spoofing possibility in the default 404 page
Date: Sat, 05 Jan 2019 21:39:38 +0100
Hi Moritz,

> > This also affects stable from my reading of the code. Shall I
> > prepare an upload to stretch-security?
[..]
> Please do.

debdiff attached, awaiting team@security.debian.org ACK to upload.


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
[CVE-2019-3498.debdiff.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#918230; Package src:python-django. (Sat, 05 Jan 2019 22:00:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sat, 05 Jan 2019 22:00:03 GMT)


Message #44 received at 918230@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Chris Lamb <lamby@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 918230@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#918230: python-django: CVE-2019-3498: Content spoofing possibility in the default 404 page
Date: Sat, 5 Jan 2019 22:57:20 +0100
Hi Chris,

Thanks for working on the update.

[disclaimer: not a full review, but something jumped out while I was
reading the debdiff]

On Sat, Jan 05, 2019 at 09:39:38PM +0100, Chris Lamb wrote:
> Hi Moritz,
> 
> > > This also affects stable from my reading of the code. Shall I
> > > prepare an upload to stretch-security?
> [..]
> > Please do.
> 
> debdiff attached, awaiting team@security.debian.org ACK to upload.
> 
> 
> Best wishes,
> 
> -- 
>       ,''`.
>      : :'  :     Chris Lamb
>      `. `'`      lamby@debian.org / chris-lamb.co.uk
>        `-

> diff --git a/debian/changelog b/debian/changelog
> index b1c56f7c5..d6472a04e 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +python-django (1:1.10.7-2+deb9u4) stretch-security; urgency=high
> +
> +  * CVE-2019-3498: Fix a content spoofing vulnerability in the default
> +    404 page. (Closes: #918230)
> +
> + -- Chris Lamb <lamby@debian.org>  Sat, 05 Jan 2019 21:36:27 +0100
> +
>  python-django (1:1.10.7-2+deb9u3) stretch; urgency=medium
>  
>    * Default to supporting Spatialite >= 4.2. (Closes: #910240)
> diff --git a/debian/patches/0017-CVE-2019-3498.patch b/debian/patches/0017-CVE-2019-3498.patch
> new file mode 100644
> index 000000000..ea647e964
> --- /dev/null
> +++ b/debian/patches/0017-CVE-2019-3498.patch
> @@ -0,0 +1,401 @@
> +From: Tom Hacohen <tasn@users.noreply.github.com>
> +Date: Fri, 4 Jan 2019 02:21:55 +0000
> +Subject: Fixed #30070,
> + CVE-2019-3498 -- Fixed content spoofing possiblity in the default 404 page.
> +
> +Co-Authored-By: Tim Graham <timograham@gmail.com>
> +Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master.
> +---
> + ...0006-Default-to-supporting-Spatialite-4.2.patch |  4 +--
> + debian/patches/0013-CVE-2018-7536.patch            |  6 ++--
> + debian/patches/0015-CVE-2018-14574.patch           |  2 +-
> + .../patches/02_disable-sources-in-sphinxdoc.diff   |  5 ++--
> + .../06_use_debian_geoip_database_as_default.diff   |  3 +-
> + debian/patches/fix-migration-fake-initial-1.patch  | 20 ++++++++++----
> + debian/patches/fix-migration-fake-initial-2.patch  | 32 ++++++++++++++++------
> + .../fix-test-middleware-classes-headers.patch      |  7 ++---
> + debian/patches/series                              |  1 +
> + django/views/defaults.py                           |  8 ++++--
> + tests/handlers/tests.py                            | 12 +++++---
> + 11 files changed, 65 insertions(+), 35 deletions(-)
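Review bot: The diffstat embedded in the new 0017-CVE-2019-3498.patch shows the patch editing the packaging directory itself (`debian/patches/0013-CVE-2018-7536.patch | 6 ++--`, `debian/patches/series | 1 +`, the fix-migration-fake-initial patches and so on), which a quilt patch applied to the upstream tree must never do; only `django/views/defaults.py | 8 ++++--` and `tests/handlers/tests.py | 12 +++++---` belong to the backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 that the header names. Suggest regenerating the patch from that upstream commit alone, so its file list contains just those two entries, and re-running the test suite against the rebuilt package before upload. Minor: the Subject line carries the upstream typo "possiblity"; it is quoted from the upstream commit message, so leaving it as-is is acceptable.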

With the 0017-CVE-2019-3498.patch patch there is something strange.
While it correctly touches the files django/views/defaults.py and the
tests, it also touches and modifies files in debian/*, other patches and
the series file.

Can you recheck what went wrong here?

Were you able to test the resulting packages under stretch on production
systems, or were any other tests performed?

Regards,
Salvatore
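The problem spotted in the review above, a quilt patch that edits files under debian/ instead of only the upstream tree, can be caught mechanically. The following check is an added example; it is not code from this bug report, from python-django or from Debian's packaging tools. It extracts the file paths a patch modifies from its "diff --git", "---" and "+++" header lines and flags any path under debian/. The two sample patches and their hunk bodies are constructed for the example (the file list of the bad one mirrors the diffstat quoted in the thread); they are not the upstream CVE-2019-3498 change.

```python
"""Check that a patch destined for debian/patches/ touches only the upstream tree."""
import re
import sys
from typing import Dict, List, Optional

# "diff --git a/path b/path" headers (git-style patches, e.g. from gbp pq export)
DIFF_GIT_RE = re.compile(r"^diff --git (\S+) (\S+)")
# "--- old" / "+++ new" file lines; no "$" anchor, so a quilt-style timestamp
# after a tab is tolerated. A bare "---" separator carries no path and is skipped.
FILE_LINE_RE = re.compile(r"^(?:---|\+\+\+) (\S+)")


def _normalise(raw: str) -> Optional[str]:
    """Strip git's a/ b/ prefixes; /dev/null (file creation or deletion) is not a path."""
    if raw == "/dev/null":
        return None
    for prefix in ("a/", "b/"):
        if raw.startswith(prefix):
            return raw[len(prefix):]
    return raw


def touched_paths(patch_text: str) -> List[str]:
    """Files a patch modifies, in order of first appearance, without duplicates.

    Caveat: in a non-git patch, a removed line whose own text starts with "-- "
    would read as "--- ..." and be taken for a header; git-style patches are
    unambiguous because the "diff --git" header is matched first.
    """
    paths: List[str] = []
    seen = set()

    def add(raw: str) -> None:
        path = _normalise(raw)
        if path is not None and path not in seen:
            seen.add(path)
            paths.append(path)

    for line in patch_text.splitlines():
        m = DIFF_GIT_RE.match(line)
        if m:
            add(m.group(1))
            add(m.group(2))
            continue
        m = FILE_LINE_RE.match(line)
        if m:
            add(m.group(1))
    return paths


def packaging_paths(paths: List[str]) -> List[str]:
    """Paths inside the Debian packaging directory. quilt applies debian/patches/*
    to the upstream source, so a patch that edits debian/ (other patches, the
    series file, the changelog) is malformed rather than a legitimate change."""
    return [p for p in paths if p == "debian" or p.startswith("debian/")]


def check_patch(patch_text: str) -> Dict[str, object]:
    """Summarise a patch: every touched path, the offending ones, and a verdict."""
    touched = touched_paths(patch_text)
    offending = packaging_paths(touched)
    return {"touched": touched, "packaging": offending, "ok": not offending}


# Constructed sample: a packaging file swept into the patch next to the upstream change.
BAD_PATCH = """\
diff --git a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-example.patch
+0017-CVE-2019-3498.patch
diff --git a/django/views/defaults.py b/django/views/defaults.py
--- a/django/views/defaults.py
+++ b/django/views/defaults.py
@@ -1 +1 @@
-# placeholder line (the upstream change is not reproduced here)
+# placeholder line, modified
"""

# Constructed sample of a well-formed backport: upstream code and tests only.
GOOD_PATCH = """\
diff --git a/django/views/defaults.py b/django/views/defaults.py
--- a/django/views/defaults.py
+++ b/django/views/defaults.py
@@ -1 +1 @@
-# placeholder line (the upstream change is not reproduced here)
+# placeholder line, modified
diff --git a/tests/handlers/tests.py b/tests/handlers/tests.py
--- a/tests/handlers/tests.py
+++ b/tests/handlers/tests.py
@@ -1 +1,2 @@
 # placeholder test module
+# placeholder added test
"""


def _read(name: str) -> str:
    with open(name, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # With file arguments, check real patch files; otherwise run the two samples.
    texts = [(n, _read(n)) for n in sys.argv[1:]] or [("BAD_PATCH", BAD_PATCH), ("GOOD_PATCH", GOOD_PATCH)]
    failed = False
    for name, text in texts:
        result = check_patch(text)
        verdict = "ok" if result["ok"] else "touches packaging files: " + ", ".join(result["packaging"])
        print(f"{name}: {verdict}")
        failed = failed or not result["ok"]
    sys.exit(1 if failed else 0)
```

Run it as `python3 check_patch.py debian/patches/*.patch` before building; a non-zero exit means at least one patch would modify debian/. Without arguments it runs the two constructed samples, reporting the bad one and accepting the good one.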



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#918230; Package src:python-django. (Sun, 06 Jan 2019 08:42:03 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sun, 06 Jan 2019 08:42:03 GMT)


Message #49 received at 918230@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 918230@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org
Subject: Re: Bug#918230: python-django: CVE-2019-3498: Content spoofing possibility in the default 404 page
Date: Sun, 06 Jan 2019 09:39:30 +0100
Hi Salvatore,

> With the 0017-CVE-2019-3498.patch patch there is something strange.
> While it touches correctly the files django/views/defaults.py and the
> tests, it touches and modifies files in debian/*, other patches and
> series file.

Thanks for your review. I went through my shell's history and
unpicked what happened; whilst I had created and tested a regular
patch file at debian/patches/CVE-2019-3498.patch I wanted to store
everything in DPMT's Git repository and, as part of that,
accidentally used git commit --whilst on the magic git-pq(1) branch
and thus included all of these nonsense changes.

Updated patch attached.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
[918230.diff.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#918230; Package src:python-django. (Sun, 06 Jan 2019 16:33:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sun, 06 Jan 2019 16:33:03 GMT)


Message #54 received at 918230@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Chris Lamb <lamby@debian.org>
Cc: 918230@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org
Subject: Re: Bug#918230: python-django: CVE-2019-3498: Content spoofing possibility in the default 404 page
Date: Sun, 6 Jan 2019 17:28:41 +0100
Hi Chris,

On Sun, Jan 06, 2019 at 09:39:30AM +0100, Chris Lamb wrote:
> Hi Salvatore,
> 
> > With the 0017-CVE-2019-3498.patch patch there is something strange.
> > While it touches correctly the files django/views/defaults.py and the
> > tests, it touches and modifies files in debian/*, other patches and
> > series file.
> 
> Thanks for your review. I went through my shell's history and
> unpicked what happened; whilst I had created and tested a regular
> patch file at debian/patches/CVE-2019-3498.patch I wanted to store
> everything in DPMT's Git repository and, as part of that,
> accidentally used git commit --whilst on the magic git-pq(1) branch
> and thus included all of these nonsense changes.
> 
> Updated patch attached.

Thanks, looks good to me. Please go ahead with the upload to
security-master.

Thank you for your work on this update,

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#918230; Package src:python-django. (Sun, 06 Jan 2019 17:21:02 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sun, 06 Jan 2019 17:21:02 GMT)


Message #59 received at 918230@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 918230@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org
Subject: Re: Bug#918230: python-django: CVE-2019-3498: Content spoofing possibility in the default 404 page
Date: Sun, 06 Jan 2019 18:18:21 +0100
Hi Salvatore,

> > Updated patch attached.
> 
> Thanks, looks good to me. Please go ahead with the upload to
> security-master.

Sure thing, uploading:

Successfully uploaded python-django_1.10.7-2+deb9u4.dsc to ssh.security.upload.debian.org for security-master.
Successfully uploaded python-django_1.10.7.orig.tar.gz to ssh.security.upload.debian.org for security-master.
Successfully uploaded python-django_1.10.7-2+deb9u4.debian.tar.xz to ssh.security.upload.debian.org for security-master.
Successfully uploaded python-django-common_1.10.7-2+deb9u4_all.deb to ssh.security.upload.debian.org for security-master.
Successfully uploaded python-django-doc_1.10.7-2+deb9u4_all.deb to ssh.security.upload.debian.org for security-master.
Successfully uploaded python-django_1.10.7-2+deb9u4_all.deb to ssh.security.upload.debian.org for security-master.
Successfully uploaded python-django_1.10.7-2+deb9u4_amd64.buildinfo to ssh.security.upload.debian.org for security-master.
Successfully uploaded python3-django_1.10.7-2+deb9u4_all.deb to ssh.security.upload.debian.org for security-master.
Successfully uploaded python-django_1.10.7-2+deb9u4_amd64.changes to ssh.security.upload.debian.org for security-master.

> Thank you for your work on this update,

No problem.


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 29 Jan 2019 13:06:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 29 Jan 2019 13:06:05 GMT)


Message #64 received at 918230-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 918230-close@bugs.debian.org
Subject: Bug#918230: fixed in python-django 1:1.10.7-2+deb9u4
Date: Tue, 29 Jan 2019 13:02:16 +0000
Source: python-django
Source-Version: 1:1.10.7-2+deb9u4

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918230@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 06 Jan 2019 09:35:11 +0100
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1:1.10.7-2+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 918230
Changes:
 python-django (1:1.10.7-2+deb9u4) stretch-security; urgency=high
 .
   * CVE-2019-3498: Prevent a content-spoofing vulnerability in the default
     404 page. (Closes: #918230)
Checksums-Sha1:
 5efaeaca83b3a50a1a7ec625754de098699167e1 2804 python-django_1.10.7-2+deb9u4.dsc
 5edd13a642460c33cdaf8e8166eccf6b2a2555df 7737654 python-django_1.10.7.orig.tar.gz
 e01359592fda6efd3190c089c116656e3f757b07 37644 python-django_1.10.7-2+deb9u4.debian.tar.xz
 fe1b2e76cafe244b60191437c3b0f9f0f0f93e38 1514142 python-django-common_1.10.7-2+deb9u4_all.deb
 db37122f7bd1f91089d7aa2a873f39e870a98660 2535672 python-django-doc_1.10.7-2+deb9u4_all.deb
 bffd8fe13bb80f0f531bec564ef0caf864a84334 903582 python-django_1.10.7-2+deb9u4_all.deb
 95eaf30ff4a2879349d0dc0105587a6f0ac29a96 9306 python-django_1.10.7-2+deb9u4_amd64.buildinfo
 ebd316e1b60275c3718ee034b2779070d5f9d5f0 885312 python3-django_1.10.7-2+deb9u4_all.deb
Checksums-Sha256:
 5580bf9ca6d79a6adde05a8b5d302ef92ca8cc5d58f32234de5fa53d2a0be73d 2804 python-django_1.10.7-2+deb9u4.dsc
 593d779dbc2350a245c4f76d26bdcad58a39895e87304fe6d725bbdf84b5b0b8 7737654 python-django_1.10.7.orig.tar.gz
 88e3bf0c7f30c6fcbee6269b107cfa23e23f799d747dab2900ec8886e0606fac 37644 python-django_1.10.7-2+deb9u4.debian.tar.xz
 30867f974673e8476e0be00a385642b789bf556a2aa2a3784f2928f8fc90f73c 1514142 python-django-common_1.10.7-2+deb9u4_all.deb
 89d8e2891242665c410bfcc9a9d7bbcecb82173cccd831244dc14527deac9041 2535672 python-django-doc_1.10.7-2+deb9u4_all.deb
 ce7fb9dc817ffb285193f5f9b5eaffb20a5a4bb55f2e0eb5bc0d803604f2720c 903582 python-django_1.10.7-2+deb9u4_all.deb
 1952f40cdbcf336562d88dd908a672a70aa0dd2728e506dc61544f5df4aac81a 9306 python-django_1.10.7-2+deb9u4_amd64.buildinfo
 d45a6993b629ee6a098407058b3e52b4a2715ae0abc276af6ddefadb55975c97 885312 python3-django_1.10.7-2+deb9u4_all.deb
Files:
 d92baefb611435ceb37f9d868c863cc2 2804 python optional python-django_1.10.7-2+deb9u4.dsc
 693dfeabad62c561cb205900d32c2a98 7737654 python optional python-django_1.10.7.orig.tar.gz
 b92973c03f17d3b9ed1bba70edf07cab 37644 python optional python-django_1.10.7-2+deb9u4.debian.tar.xz
 e850ff2d5f0a0a5d8a136616c1e3a3fa 1514142 python optional python-django-common_1.10.7-2+deb9u4_all.deb
 a7560502fc611e5c9c1aaa7fa92d0511 2535672 doc optional python-django-doc_1.10.7-2+deb9u4_all.deb
 47ca744e66278d9dc38748c28557f91c 903582 python optional python-django_1.10.7-2+deb9u4_all.deb
 66a2210dbe3d96c9992394c4384c2fea 9306 python optional python-django_1.10.7-2+deb9u4_amd64.buildinfo
 d569435e9bab9af9d8f9f0ae669c9eeb 885312 python optional python3-django_1.10.7-2+deb9u4_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 12 Mar 2019 07:27:19 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:21:17 2019; Machine Name: buxtehude
