python-django: CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page

Related Vulnerabilities: CVE-2017-12794   CVE-2018-14574  

Debian Bug report logs - #874415
python-django: CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 5 Sep 2017 20:27:01 UTC

Severity: normal

Tags: security, upstream

Found in versions python-django/1:1.10.7-1, python-django/1:1.10.7-2+deb9u1

Fixed in versions python-django/1:1.11.5-1, python-django/1:1.10.7-2+deb9u2

Done: Chris Lamb <lamby@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#874415; Package src:python-django. (Tue, 05 Sep 2017 20:27:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 05 Sep 2017 20:27:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-django: CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page
Date: Tue, 05 Sep 2017 22:26:19 +0200
Source: python-django
Version: 1:1.10.7-1 
Severity: normal
Tags: security upstream

Hi,

the following vulnerability was published for python-django.

CVE-2017-12794[0]:
Possible XSS in traceback section of technical 500 debug page

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12794
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12794
[1] https://www.djangoproject.com/weblog/2017/sep/05/security-releases/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 05 Sep 2017 21:36:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 05 Sep 2017 21:36:06 GMT)


Message #10 received at 874415-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 874415-close@bugs.debian.org
Subject: Bug#874415: fixed in python-django 1:1.11.5-1
Date: Tue, 05 Sep 2017 21:35:29 +0000
Source: python-django
Source-Version: 1:1.11.5-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874415@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 05 Sep 2017 21:39:37 +0100
Source: python-django
Binary: python-django python-django-common python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 1:1.11.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 874415
Changes:
 python-django (1:1.11.5-1) unstable; urgency=medium
 .
   * CVE-2017-12794: New upstream security release. (Closes: #874415)
     <https://docs.djangoproject.com/en/dev/releases/1.11.5/>





Added tag(s) pending. Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Mon, 11 Sep 2017 07:45:03 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#874415. (Mon, 11 Sep 2017 07:45:05 GMT)


Message #15 received at 874415-submitter@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 874415-submitter@bugs.debian.org
Subject: Bug#874415 marked as pending
Date: Mon, 11 Sep 2017 07:41:39 +0000
tag 874415 pending
thanks

Hello,

Bug #874415 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/python-modules/packages/python-django.git/commit/?id=8273eb5

---
commit 8273eb574c4698dfe797321aa62400e5778c35c2
Merge: e03f52e 0fdb358
Author: Chris Lamb <lamby@debian.org>
Date:   Mon Sep 11 08:04:04 2017 +0100

    Merge branch 'debian/sid' into debian/stretch-backports
    
    * debian/sid:
      releasing package python-django version 1:1.11.5-1
      CVE-2017-12794: New upstream security release. (Closes: #874415) <https://docs.djangoproject.com/en/dev/releases/1.11.5/>
      New upstream version 1.11.5
      Follow DEP-14's recommendation & consistent branch names.

diff --cc debian/changelog
index 996e766,fcea208..c3112e7
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,10 -1,10 +1,17 @@@
+ python-django (1:1.11.5-1) unstable; urgency=medium
+ 
+   * CVE-2017-12794: New upstream security release. (Closes: #874415)
+     <https://docs.djangoproject.com/en/dev/releases/1.11.5/>
+ 
+  -- Chris Lamb <lamby@debian.org>  Tue, 05 Sep 2017 21:39:37 +0100
+ 
 +python-django (1:1.11.4-1~bpo9+1) stretch-backports; urgency=medium
 +
 +  * Rebuild for stretch-backports.
 +    - Drop python-six-doc from Build-Depends.
 +
 + -- Chris Lamb <lamby@debian.org>  Mon, 07 Aug 2017 07:52:49 -0400
 +
  python-django (1:1.11.4-1) unstable; urgency=medium
  
    * New upstream bugfix release.
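Review bot: after this merge the top entry of debian/changelog on debian/stretch-backports targets unstable (`python-django (1:1.11.5-1) unstable; urgency=medium`), sitting above the `1:1.11.4-1~bpo9+1 stretch-backports` entry; a backport upload of 1.11.5 will still need its own `~bpo9+1` entry with the stretch-backports distribution, so this hunk alone does not leave the branch ready to upload.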



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 15 Nov 2017 07:26:29 GMT)


Bug unarchived. Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Fri, 03 Aug 2018 07:06:02 GMT)


Marked as found in versions python-django/1:1.10.7-2+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 03 Aug 2018 07:21:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#874415; Package src:python-django. (Fri, 03 Aug 2018 07:33:06 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 03 Aug 2018 07:33:06 GMT)


Message #26 received at 874415@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 905216@bugs.debian.org
Cc: 874415@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
Date: Fri, 03 Aug 2018 08:26:23 +0100
Hi Salvatore,

> Thanks! Looks good to me, please go ahead with the upload to
> security-master.

Uploaded. :)


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Thu, 09 Aug 2018 05:39:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 09 Aug 2018 05:39:03 GMT)


Message #31 received at 874415-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 874415-close@bugs.debian.org
Subject: Bug#874415: fixed in python-django 1:1.10.7-2+deb9u2
Date: Thu, 09 Aug 2018 05:35:27 +0000
Source: python-django
Source-Version: 1:1.10.7-2+deb9u2

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874415@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 03 Aug 2018 15:11:16 +0800
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1:1.10.7-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 874415 905216
Changes:
 python-django (1:1.10.7-2+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware.
     If django.middleware.common.CommonMiddleware and the APPEND_SLASH
     setting were both enabled, and the project had a URL pattern that
     accepted any path ending in a slash, then a request to a maliciously
     crafted URL of that site could lead to a redirect to another site,
     enabling phishing and other attacks. (Closes: #905216)
   * CVE-2017-12794: Fix a cross-site scripting attack in the technical HTTP 500
     page. This vulnerability did not affect production sites as they typically
     do not run with "DEBUG = True". (Closes: #874415)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 06 Sep 2018 07:25:29 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:32:13 2019; Machine Name: buxtehude
