python-django: CVE-2015-2317 Mitigated possible XSS attack via user-supplied redirect URLs

Related Vulnerabilities: CVE-2015-2317   CVE-2015-2316  

Debian Bug report logs - #780873


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 20 Mar 2015 19:57:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version python-django/1.4.5-1

Fixed in versions python-django/1.4.5-1+deb7u10, python-django/1.7.7-1

Done: Raphaël Hertzog <hertzog@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#780873; Package src:python-django. (Fri, 20 Mar 2015 19:57:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 20 Mar 2015 19:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-django: CVE-2015-2317 Mitigated possible XSS attack via user-supplied redirect URLs
Date: Fri, 20 Mar 2015 20:53:25 +0100
Source: python-django
Version: 1.4.5-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for python-django.

CVE-2015-2317[0]:
Mitigated possible XSS attack via user-supplied redirect URLs

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-2317

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#780873; Package src:python-django. (Mon, 23 Mar 2015 15:09:04 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 23 Mar 2015 15:09:04 GMT)


Message #10 received at 780873@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Luke Faraone <lfaraone@debian.org>, Brian May <bam@debian.org>
Cc: debian-lts@lists.debian.org, 780873@bugs.debian.org
Subject: About the security issues affecting python-django in Squeeze
Date: Mon, 23 Mar 2015 16:06:15 +0100
Hello dear maintainer(s),

the Debian LTS team recently reviewed the security issue(s) affecting your
package in Squeeze:
https://security-tracker.debian.org/tracker/CVE-2015-2317

We decided that we would not prepare a squeeze security update (usually
because the security impact is low and that we concentrate our limited
resources on higher severity issues and on the most widely used packages).
That said the squeeze users would most certainly benefit from a fixed
package.

If you want to work on such an update, you're welcome to do so. Please
try to follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. However please make sure to
submit a tested package.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Added tag(s) pending. Request was from Raphaël Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Mon, 23 Mar 2015 20:18:04 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#780873. (Mon, 23 Mar 2015 20:18:12 GMT)


Message #15 received at 780873-submitter@bugs.debian.org:

From: Raphaël Hertzog <hertzog@debian.org>
To: 780873-submitter@bugs.debian.org
Subject: Bug#780873 marked as pending
Date: Mon, 23 Mar 2015 20:14:08 +0000
tag 780873 pending
thanks

Hello,

Bug #780873 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=python-modules/packages/python-django.git;a=commitdiff;h=6ba93dc

---
commit 6ba93dcd9c8aaad285753c8d890603f212832728
Author: Raphaël Hertzog <hertzog@debian.org>
Date:   Mon Mar 23 20:52:05 2015 +0100

    New upstream security and bugfix release
    
    https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
    
    It fixes:
    - CVE-2015-2317: possible XSS attack via user-supplied redirect URLs
      Closes: #780873
    - CVE-2015-2316: Denial-of-service possibility with strip_tags()
      Closes: #780874

diff --git a/debian/changelog b/debian/changelog
index ae46600..39822bc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+python-django (1.7.7-1) unstable; urgency=high
+
+  * New upstream security and bugfix release:
+    https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
+    It fixes:
+    - CVE-2015-2317: possible XSS attack via user-supplied redirect URLs
+      Closes: #780873
+    - CVE-2015-2316: Denial-of-service possibility with strip_tags()
+      Closes: #780874
+
+ -- Raphaël Hertzog <hertzog@debian.org>  Mon, 23 Mar 2015 20:41:13 +0100
+
 python-django (1.7.6-1) unstable; urgency=high
 
   * New upstream security release:
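Review bot: only debian/changelog is touched in this hunk, so the code change that actually addresses CVE-2015-2317 and CVE-2015-2316 (it lives in the new upstream 1.7.7 tarball) cannot be reviewed from this diff; consider citing the upstream fix commits next to the weblog URL in the changelog entry, so that reviewers and the security tracker can verify the fix without unpacking the tarball.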



Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Mon, 23 Mar 2015 21:21:21 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 23 Mar 2015 21:21:21 GMT)


Message #20 received at 780873-close@bugs.debian.org:

From: Raphaël Hertzog <hertzog@debian.org>
To: 780873-close@bugs.debian.org
Subject: Bug#780873: fixed in python-django 1.7.7-1
Date: Mon, 23 Mar 2015 21:20:14 +0000
Source: python-django
Source-Version: 1.7.7-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780873@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 Mar 2015 20:41:13 +0100
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1.7.7-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 780873 780874
Changes:
 python-django (1.7.7-1) unstable; urgency=high
 .
   * New upstream security and bugfix release:
     https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
     It fixes:
     - CVE-2015-2317: possible XSS attack via user-supplied redirect URLs
       Closes: #780873
     - CVE-2015-2316: Denial-of-service possibility with strip_tags()
       Closes: #780874
Checksums-Sha1:
 72dc9c90ac92fbf6197b7d7d9e24c70efdadd9ef 2311 python-django_1.7.7-1.dsc
 614cc9f8e1af6630c54300f6bdd88e7b783614c3 7603286 python-django_1.7.7.orig.tar.gz
 c38bc1489f5cecb0f91e05449dbc91fbc96c5c50 21708 python-django_1.7.7-1.debian.tar.xz
 433314c88a5c70f72bd60d0511d974c54cb91da1 984522 python-django_1.7.7-1_all.deb
 c456939fad58b14c67cf5e46f97364205baa6a58 967680 python3-django_1.7.7-1_all.deb
 20b2d250603564453357e3040593f0941fb991c3 1499436 python-django-common_1.7.7-1_all.deb
 ae14434362f0ee1737468d87806afc18c79f02f9 2483758 python-django-doc_1.7.7-1_all.deb
Checksums-Sha256:
 3dfa5c4b949073de775ebd68fa9bbfd622c96442134f9070c8a64fe3574dbdc2 2311 python-django_1.7.7-1.dsc
 4816f892063569ca9a77584fa23cb4995c1b3b954ef875102a8219229cbd2e33 7603286 python-django_1.7.7.orig.tar.gz
 54d56fbaf3b4c93a59e44098c58e6362f45f55f0b3e2592a1288b9b699c067e9 21708 python-django_1.7.7-1.debian.tar.xz
 3408c356d04bbce78cac168d7cff9147d1e19de240f96d1284a5c5169efe6ae7 984522 python-django_1.7.7-1_all.deb
 4eb47b82b0b2ca7428008dbecf41a25e4521f5960a6ce9c0e4661cc97dc2c35d 967680 python3-django_1.7.7-1_all.deb
 93db9200787e66fae474958a7467efa5afe6934b6cd99afcd2c680278f6bee2f 1499436 python-django-common_1.7.7-1_all.deb
 2488226be2f66eb80ba8d14d90900e1b3864f792e9d85a91c5ddd66c84acdf27 2483758 python-django-doc_1.7.7-1_all.deb
Files:
 05a83cb25409f8a3a84418d99709eff7 2311 python optional python-django_1.7.7-1.dsc
 a62d6598966947d150525ad2ab20fb0c 7603286 python optional python-django_1.7.7.orig.tar.gz
 4fba1c456ba33d6a2cfc9a58c5520cb1 21708 python optional python-django_1.7.7-1.debian.tar.xz
 bed9b0aa1c8d6f72ac46af0253ad00b4 984522 python optional python-django_1.7.7-1_all.deb
 d33575e1a3cbf8549a4b997344cde7c8 967680 python optional python3-django_1.7.7-1_all.deb
 f543e667daeada7c10fb7ea81ab307c2 1499436 python optional python-django-common_1.7.7-1_all.deb
 dfac201febad15cce300877d61f395f4 2483758 doc optional python-django-doc_1.7.7-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Signed by Raphael Hertzog

iQEcBAEBCAAGBQJVEHQRAAoJEAOIHavrwpq5+e8H/ib2BJO6n5NnjGIK9spH/5Gs
iS7fSaaLFNFCqOxzJ/7OCFz3SVNZ3YC9LirJiYZxHNp/JR7GR2FiDWd8yg57bUaT
pn8s8SBf4tzMUXk29RmecoyL1mrWUVqozhLiPAVZe/Rt5nxHCCSW5e18ORRFT3A0
jaqEjadH3Dk+gzUzurgokU3tQ/5EdF7VmrnojKG+eItIYifZ/49Uvb+U7iGx9yZY
DUw0Lsj8VqlDtfHX+OQAoM8jOKZBlX7vR8Fwb07IpUC091AO9okUlra1zW2odw6X
3B2gT1M3Xt/kFmrXIW+BxPEErzbxKOTPxkhqCbFJBWa1EkGZmzHbE+3LpWmGvrI=
=Xbud
-----END PGP SIGNATURE-----




Marked as fixed in versions python-django/1.4.5-1+deb7u10. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 24 Mar 2015 18:09:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 23 Apr 2015 07:28:27 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:58:10 2019; Machine Name: buxtehude
