python-django: CVE-2015-0219 CVE-2015-0220 CVE-2015-0221 CVE-2015-0222

Debian Bug report logs - #775375

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 14 Jan 2015 21:03:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version python-django/1.7.1-1

Fixed in versions python-django/1.7.1-1.1, python-django/1.7.3-1~exp1, python-django/1.2.3-3+squeeze12, python-django/1.4.5-1+deb7u9

Done: Raphaël Hertzog <hertzog@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#775375; Package src:python-django. (Wed, 14 Jan 2015 21:03:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Wed, 14 Jan 2015 21:03:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-django: CVE-2015-0219 CVE-2015-0220 CVE-2015-0221 CVE-2015-0222
Date: Wed, 14 Jan 2015 21:58:00 +0100
Source: python-django
Version: 1.7.1-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for python-django.

CVE-2015-0219[0]:
WSGI header spoofing via underscore/dash conflation

CVE-2015-0220[1]:
Mitigated possible XSS attack via user-supplied redirect URLs

CVE-2015-0221[2]:
Denial-of-service attack against django.views.static.serve

CVE-2015-0222[3]:
Database denial-of-service with ModelMultipleChoiceField

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0219
[1] https://security-tracker.debian.org/tracker/CVE-2015-0220
[2] https://security-tracker.debian.org/tracker/CVE-2015-0221
[3] https://security-tracker.debian.org/tracker/CVE-2015-0222
[4] https://www.djangoproject.com/weblog/2015/jan/13/security/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#775375; Package src:python-django. (Fri, 16 Jan 2015 23:45:05 GMT)


Acknowledgement sent to Neil Williams <linux@codehelp.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 16 Jan 2015 23:45:05 GMT)


Message #10 received at 775375@bugs.debian.org:

From: Neil Williams <linux@codehelp.co.uk>
To: 775375@bugs.debian.org
Subject: python-django: diff for NMU version 1.7.1-1.1
Date: Fri, 16 Jan 2015 23:41:27 +0000
Control: tags 775375 + patch
Control: tags 775375 + pending

Dear maintainer,

I've prepared an NMU for python-django (versioned as 1.7.1-1.1) and
I'll do some more testing of it before uploading it, likely to Delayed-2
or possibly 4.

Regards.
[python-django-1.7.1-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Neil Williams <linux@codehelp.co.uk> to 775375-submit@bugs.debian.org. (Fri, 16 Jan 2015 23:45:05 GMT)


Added tag(s) pending. Request was from Neil Williams <linux@codehelp.co.uk> to 775375-submit@bugs.debian.org. (Fri, 16 Jan 2015 23:45:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#775375; Package src:python-django. (Sat, 17 Jan 2015 12:36:08 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sat, 17 Jan 2015 12:36:08 GMT)


Message #19 received at 775375@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: 775375@bugs.debian.org
Subject: Delayed upload
Date: Sat, 17 Jan 2015 12:34:03 +0000
Testing looks fine to me, uploading the NMU to delayed-4.

-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#775375; Package src:python-django. (Wed, 21 Jan 2015 08:45:04 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Wed, 21 Jan 2015 08:45:04 GMT)


Message #24 received at 775375@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Neil Williams <linux@codehelp.co.uk>, 775375@bugs.debian.org
Subject: Re: Bug#775375: python-django: diff for NMU version 1.7.1-1.1
Date: Wed, 21 Jan 2015 09:44:03 +0100
Hello Neil,

On Fri, 16 Jan 2015, Neil Williams wrote:
> I've prepared an NMU for python-django (versioned as 1.7.1-1.1) and
> I'll do some more testing of it before uploading it, likely to Delayed-2
> or possibly 4.

Thanks for this, but we prefer to try to push 1.7.3 into unstable/jessie.
I'm opening a pre-approval request with the release team.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#775375. (Wed, 21 Jan 2015 10:15:08 GMT)


Message #27 received at 775375-submitter@bugs.debian.org:

From: Raphaël Hertzog <hertzog@debian.org>
To: 775375-submitter@bugs.debian.org
Subject: Bug#775375 marked as pending
Date: Wed, 21 Jan 2015 10:10:57 +0000
tag 775375 pending
thanks

Hello,

Bug #775375 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=python-modules/packages/python-django.git;a=commitdiff;h=85cbbdc

---
commit 85cbbdc59c22ededb69ccf8e6a8254d0af9f9451
Author: Raphaël Hertzog <hertzog@debian.org>
Date:   Wed Jan 21 10:38:25 2015 +0100

    Prepare release to experimental
    
    Keep 1.7.3-1 for the unstable upload in case the release team acks
    it, so use 1.7.3-1~exp1 for now.

diff --git a/debian/changelog b/debian/changelog
index cb21a26..5a17859 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,12 +1,14 @@
-python-django (1.7.3-1) UNRELEASED; urgency=high
+python-django (1.7.3-1~exp1) experimental; urgency=high
 
+  [ Luke Faraone ]
   * New upstream security release.
     - WSGI header spoofing via underscore/dash conflation (CVE-2015-0219)
     - Possible XSS attack via user-supplied redirect URLs (CVE-2015-0220)
     - DoS attack against django.views.static.serve (CVE-2015-0221)
     - Database DoS with ModelMultipleChoiceField (CVE-2015-0222)
+    Closes: #775375
 
- -- Luke Faraone <lfaraone@debian.org>  Thu, 15 Jan 2015 21:42:11 -0800
+ -- Raphaël Hertzog <hertzog@debian.org>  Wed, 21 Jan 2015 09:56:19 +0100
 
 python-django (1.7.2-1) experimental; urgency=medium
 
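Review bot: the added `Closes: #775375` stands on a line of its own below the CVE sub-bullets rather than on the bullet it belongs to; dpkg's changelog parser picks it up anywhere in the entry, but `* New upstream security release. (Closes: #775375)` makes it obvious which change closed the bug. Also, the new `[ Luke Faraone ]` header credits the whole body to him, so the version bump to `1.7.3-1~exp1` and the switch from `UNRELEASED` to `experimental` made in this commit are recorded only in the replaced signature line; a short `[ Raphaël Hertzog ]` bullet would keep the attribution accurate.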



Reply sent to Neil Williams <codehelp@debian.org>:
You have taken responsibility. (Wed, 21 Jan 2015 13:06:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 21 Jan 2015 13:06:14 GMT)


Message #32 received at 775375-close@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: 775375-close@bugs.debian.org
Subject: Bug#775375: fixed in python-django 1.7.1-1.1
Date: Wed, 21 Jan 2015 13:04:01 +0000
Source: python-django
Source-Version: 1.7.1-1.1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775375@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Neil Williams <codehelp@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 16 Jan 2015 23:05:55 +0000
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1.7.1-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Neil Williams <codehelp@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 775375
Changes:
 python-django (1.7.1-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2015-0219 - WSGI header spoofing via underscore/dash
     conflation
   * Fix CVE-2015-0220 - Mitigated possible XSS attack via
     user-supplied redirect URLs.
   * Fix CVE-2015-0221 - Denial-of-service attack against
     django.views.static.serve
   * Fix CVE-2015-0222 - Database denial-of-service with
     ModelMultipleChoiceField
     (Closes: #775375)




Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Fri, 23 Jan 2015 11:37:16 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 23 Jan 2015 11:37:16 GMT)


Message #37 received at 775375-close@bugs.debian.org:

From: Raphaël Hertzog <hertzog@debian.org>
To: 775375-close@bugs.debian.org
Subject: Bug#775375: fixed in python-django 1.7.3-1~exp1
Date: Fri, 23 Jan 2015 11:33:51 +0000
Source: python-django
Source-Version: 1.7.3-1~exp1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775375@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 21 Jan 2015 09:56:19 +0100
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1.7.3-1~exp1
Distribution: experimental
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 775375
Changes:
 python-django (1.7.3-1~exp1) experimental; urgency=high
 .
   [ Luke Faraone ]
   * New upstream security release.
     - WSGI header spoofing via underscore/dash conflation (CVE-2015-0219)
     - Possible XSS attack via user-supplied redirect URLs (CVE-2015-0220)
     - DoS attack against django.views.static.serve (CVE-2015-0221)
     - Database DoS with ModelMultipleChoiceField (CVE-2015-0222)
     Closes: #775375
 .
   [ Raphaël Hertzog ]
   * Add patch fix-24193-python34-test-failure.diff to fix a test failure with
     Python3.4.




Added tag(s) pending. Request was from Raphaël Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Wed, 28 Jan 2015 21:03:05 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#775375. (Wed, 28 Jan 2015 21:03:10 GMT)


Message #42 received at 775375-submitter@bugs.debian.org:

From: Raphaël Hertzog <hertzog@debian.org>
To: 775375-submitter@bugs.debian.org
Subject: Bug#775375 marked as pending
Date: Wed, 28 Jan 2015 20:58:50 +0000
tag 775375 pending
thanks

Hello,

Bug #775375 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=python-modules/packages/python-django.git;a=commitdiff;h=3f5c481

---
commit 3f5c481b72dac398ca22b6d44a0479f199f961c4
Merge: d87b702 b89ad8c
Author: Raphaël Hertzog <hertzog@debian.org>
Date:   Wed Jan 28 21:48:59 2015 +0100

    Merge remote-tracking branch 'origin/debian/wheezy-lfaraone' into debian/wheezy
    
    Integrate the 1.4.5-1+deb7u8 upload of Luke Faraone that somehow got lost
    in this branch.
    
    Conflicts:
    	debian/changelog
    	debian/patches/series

diff --cc debian/changelog
index 2c59f9d,38a8623..ab3f283
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,16 -1,13 +1,27 @@@
- python-django (1.4.5-1+deb7u8) stable-security; urgency=medium
++python-django (1.4.5-1+deb7u9) wheezy-security; urgency=high
 +
 +  * New upstream security release:
 +    https://www.djangoproject.com/weblog/2015/jan/13/security/
 +    - WSGI header spoofing via underscore/dash conflation (CVE-2015-0219)
 +    - Possible XSS attack via user-supplied redirect URLs (CVE-2015-0220)
 +    - Denial-of-service attack against django.views.static.serve
 +      (CVE-2015-0221)
++    Closes: #775375
 +  * Also include a fix for a regression introduced by the patch for
 +    CVE-2015-0221: https://code.djangoproject.com/ticket/24158
 +
 + -- Raphaël Hertzog <hertzog@debian.org>  Wed, 28 Jan 2015 10:24:59 +0100
 +
+ python-django (1.4.5-1+deb7u8) wheezy-security; urgency=high
+ 
+   * New upstream security release.
 -    - reverse() can generate URLs pointing to other hosts (CVE-2014-0480)                                                                                                                                          
 -    - file upload denial of service (CVE-2014-0481)                                                                                                                                                                
 -    - RemoteUserMiddleware session hijacking (CVE-2014-0482)                                                                                                                                                       
++    - reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
++    - file upload denial of service (CVE-2014-0481)
++    - RemoteUserMiddleware session hijacking (CVE-2014-0482)
+     - data leakage via querystring manipulation in admin (CVE-2014-0483)   
+ 
+  -- Luke Faraone <lfaraone@debian.org>  Wed, 20 Aug 2014 01:46:17 -0700
+ 
  python-django (1.4.5-1+deb7u7) stable-security; urgency=high
  
    * New upstream security release.
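Review bot: the conflict resolution drops the trailing whitespace from three of the four CVE-2014 lines of the `1.4.5-1+deb7u8` entry (the `++` lines replacing the padded `-` lines) but leaves it on `- data leakage via querystring manipulation in admin (CVE-2014-0483)` and on that entry's blank `+ ` lines; strip those too so the merged changelog is clean. The two parents also disagree on that entry's header (`stable-security; urgency=medium` versus the kept `wheezy-security; urgency=high`); since deb7u8 was already uploaded, confirm the kept line matches the changelog actually shipped in the archive before tagging.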



Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Thu, 29 Jan 2015 11:36:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 29 Jan 2015 11:36:09 GMT)


Message #47 received at 775375-close@bugs.debian.org:

From: Raphaël Hertzog <hertzog@debian.org>
To: 775375-close@bugs.debian.org
Subject: Bug#775375: fixed in python-django 1.2.3-3+squeeze12
Date: Thu, 29 Jan 2015 11:33:49 +0000
Source: python-django
Source-Version: 1.2.3-3+squeeze12

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775375@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 28 Jan 2015 18:39:56 +0100
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.2.3-3+squeeze12
Distribution: squeeze-lts
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 775375
Changes: 
 python-django (1.2.3-3+squeeze12) squeeze-lts; urgency=medium
 .
   * Backport multiple security fixes released in 1.4 branch:
     https://www.djangoproject.com/weblog/2015/jan/13/security/
      - WSGI header spoofing via underscore/dash conflation (CVE-2015-0219)
      - Possible XSS attack via user-supplied redirect URLs (CVE-2015-0220)
      - Denial-of-service attack against django.views.static.serve
        (CVE-2015-0221)
    * Also include a fix for a regression introduced by the patch for
      CVE-2015-0221: https://code.djangoproject.com/ticket/24158




Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Tue, 03 Feb 2015 21:36:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 03 Feb 2015 21:36:06 GMT)


Message #52 received at 775375-close@bugs.debian.org:

From: Raphaël Hertzog <hertzog@debian.org>
To: 775375-close@bugs.debian.org
Subject: Bug#775375: fixed in python-django 1.4.5-1+deb7u9
Date: Tue, 03 Feb 2015 21:32:18 +0000
Source: python-django
Source-Version: 1.4.5-1+deb7u9

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775375@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 28 Jan 2015 10:24:59 +0100
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.4.5-1+deb7u9
Distribution: wheezy-security
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 775375
Changes: 
 python-django (1.4.5-1+deb7u9) wheezy-security; urgency=high
 .
   * New upstream security release:
     https://www.djangoproject.com/weblog/2015/jan/13/security/
     - WSGI header spoofing via underscore/dash conflation (CVE-2015-0219)
     - Possible XSS attack via user-supplied redirect URLs (CVE-2015-0220)
     - Denial-of-service attack against django.views.static.serve
       (CVE-2015-0221)
     Closes: #775375
   * Also include a fix for a regression introduced by the patch for
     CVE-2015-0221: https://code.djangoproject.com/ticket/24158




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 04 Mar 2015 07:28:39 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:48:50 2019; Machine Name: beach
