Debian Bug report logs - #946011
python-django: CVE-2019-19118
Reported by: "Chris Lamb" <lamby@debian.org>
Date: Mon, 2 Dec 2019 20:24:02 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Found in versions 2:2.1-1, 1.7.11-1+deb8u7
Fixed in versions 2:2.2.8-1, 2:3.0-1
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#946011; Package python-django. (Mon, 02 Dec 2019 20:24:04 GMT)
Acknowledgement sent to "Chris Lamb" <lamby@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 02 Dec 2019 20:24:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: python-django
Version: 1.7.11-1+deb8u7
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-django.
CVE-2019-19118[0]:
| Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
| editing. A Django model admin displaying inline related models, where
| the user has view-only permissions to a parent model but edit
| permissions to the inline model, would be presented with an editing
| UI, allowing POST requests, for updating the inline model. Directly
| editing the view-only parent model was not possible, but the parent
| model's save() method was called, triggering potential side effects,
| and causing pre and post-save signal handlers to be invoked. (To
| resolve this, the Django admin is adjusted to require edit permissions
| on the parent model in order for inline models to be editable.)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-19118
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19118
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
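To make the CVE text above concrete, here is an added, self-contained model of the admin decision it describes; it is not Django's or Debian's code, and the model, permission strings, status codes and function names are assumptions chosen for illustration. The `fixed` flag contrasts the vulnerable rule (inline editable on the inline's own permission alone) with the corrected one (parent change permission also required), and the parent's `save()` counter stands in for the side effects and pre/post-save signals the advisory mentions.

```python
# Added example (not Django's own code): a minimal model of the inline
# permission check behind CVE-2019-19118. Names and status codes are assumptions.
from dataclasses import dataclass, field


@dataclass
class Parent:
    """Stand-in for the parent model whose change page shows an inline."""
    name: str
    notes: list = field(default_factory=list)
    save_calls: int = 0  # proxy for save() side effects and pre/post-save signals

    def save(self):
        self.save_calls += 1


def inline_is_editable(perms, fixed=True):
    """Return True when the admin would render the inline formset editable.

    perms: set of 'app.codename' strings the user holds (constructed names).
    """
    can_change_inline = "app.change_note" in perms
    if not fixed:
        # Vulnerable rule (2.1 < 2.1.15, 2.2 < 2.2.8): only the inline's own
        # change permission decided whether the editing UI was shown.
        return can_change_inline
    # Fixed rule: inlines are editable only if the parent is editable too.
    return can_change_inline and "app.change_parent" in perms


def post_inline_edit(perms, parent, note, fixed=True):
    """Simulate a POST to the parent's change page that edits one inline row.

    Returns an HTTP-like status; on success the parent is saved (side effects
    fire) even though only the inline row was meant to change.
    """
    if not ({"app.view_parent", "app.change_parent"} & perms):
        return 403  # no access to the change page at all
    if not inline_is_editable(perms, fixed):
        return 403  # read-only page: the POST is refused, nothing is saved
    parent.save()  # parent save() runs before the inline formsets are saved
    parent.notes.append(note)
    return 302  # redirect after a successful save


# Constructed user: view-only on the parent, change permission on the inline.
VIEW_ONLY_PARENT = {"app.view_parent", "app.change_note"}
```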
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#946011; Package python-django. (Mon, 02 Dec 2019 20:33:04 GMT)
Acknowledgement sent to "Chris Lamb" <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 02 Dec 2019 20:33:04 GMT)
Message #10 received at 946011@bugs.debian.org:
Chris Lamb wrote:
> Package: python-django
> Version: 1.7.11-1+deb8u7
[…]
> CVE-2019-19118[0]:
> | Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
> | editing. A Django model admin displaying inline related models, where
> | the user has view-only permissions to a parent model but edit
> | permissions to the inline model, would be presented with an editing
> | UI, allowing POST requests, for updating the inline model. Directly
> | editing the view-only parent model was not possible, but the parent
> | model's save() method was called, triggering potential side effects,
> | and causing pre and post-save signal handlers to be invoked. (To
> | resolve this, the Django admin is adjusted to require edit permissions
> | on the parent model in order for inline models to be editable.)
Security team, would you like an upload for stable?
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Dec 2019 20:33:05 GMT)
Marked as fixed in versions 2:2.2.8-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Dec 2019 20:33:06 GMT)
Marked as fixed in versions 2:3.0-1. Request was from "Chris Lamb" <lamby@debian.org> to control@bugs.debian.org. (Mon, 02 Dec 2019 20:33:08 GMT)
No longer marked as fixed in versions 2:3.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Dec 2019 20:36:05 GMT)
Marked as fixed in versions 2:3.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Dec 2019 20:36:07 GMT)
Marked as found in versions 2:2.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Dec 2019 20:54:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#946011; Package python-django. (Mon, 02 Dec 2019 20:57:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 02 Dec 2019 20:57:03 GMT)
Message #27 received at 946011@bugs.debian.org:
Hi Chris,
On Mon, Dec 02, 2019 at 09:30:49PM +0100, Chris Lamb wrote:
> Chris Lamb wrote:
>
> > Package: python-django
> > Version: 1.7.11-1+deb8u7
> […]
> > CVE-2019-19118[0]:
> > | Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
> > | editing. A Django model admin displaying inline related models, where
> > | the user has view-only permissions to a parent model but edit
> > | permissions to the inline model, would be presented with an editing
> > | UI, allowing POST requests, for updating the inline model. Directly
> > | editing the view-only parent model was not possible, but the parent
> > | model's save() method was called, triggering potential side effects,
> > | and causing pre and post-save signal handlers to be invoked. (To
> > | resolve this, the Django admin is adjusted to require edit permissions
> > | on the parent model in order for inline models to be editable.)
>
> Security team, would you like an upload for stable?
As far as I can see this issue has been introduced around 2.1 where the
such support for view permissions and a read-only admin support was
added. Before that the issue does not seem to be present and as such
is not affecting buster, nor stretch or older.
I have updated this bug with some metadata with that regard. Can you
confirm this assessment?
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#946011; Package python-django. (Tue, 03 Dec 2019 20:30:08 GMT)
Acknowledgement sent to "Chris Lamb" <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 03 Dec 2019 20:30:08 GMT)
Message #32 received at 946011@bugs.debian.org:
Dear Salvatore,
> > Security team, would you like an upload for stable?
>
> As far I can see this issue has been introduced around 2.1 where the
> search support for view permissions and a read-only admin support was
> added. […]
Upon further inspection that is my reading too. I was being overly cautious
in assuming that it was vulnerable without doing any checking first, thus
leading to this noise (for which I apologise).
I have updated data/dla-needed.txt and data/CVE/list to match.
Best wishes,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
Last modified: Tue Dec 3 20:51:05 2019