python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware

Related Vulnerabilities: CVE-2018-14574   CVE-2017-12794  

Debian Bug report logs - #905216
python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 1 Aug 2018 14:57:02 UTC

Severity: important

Tags: security, upstream

Merged with 905217, 905218

Found in versions python-django/1.4.22-1+deb7u4, python-django/1:1.11.14-1, python-django/1.7.11-1+deb8u3

Fixed in versions python-django/1:1.11.15-1, python-django/2:2.1-1, python-django/1:1.10.7-2+deb9u2

Done: Chris Lamb <lamby@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#905216; Package src:python-django. (Wed, 01 Aug 2018 14:57:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Wed, 01 Aug 2018 14:57:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
Date: Wed, 01 Aug 2018 16:54:41 +0200
Source: python-django
Version: 1:1.11.14-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for python-django.

CVE-2018-14574[0]:
Open redirect possibility in CommonMiddleware

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-14574
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14574
[1] https://www.djangoproject.com/weblog/2018/aug/01/security-releases/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Merged 905216 905217 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 01 Aug 2018 15:00:09 GMT)


Merged 905216 905217 Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Wed, 01 Aug 2018 15:00:12 GMT)


Merged 905216 905217 905218 Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Wed, 01 Aug 2018 15:03:14 GMT)


Merged 905216 905217 905218 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 01 Aug 2018 15:03:17 GMT)


Merged 905216 905217 905218 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 01 Aug 2018 15:03:20 GMT)


Marked as found in versions python-django/1.4.22-1+deb7u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 01 Aug 2018 15:09:03 GMT)


Marked as found in versions python-django/1.7.11-1+deb8u3. Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Wed, 01 Aug 2018 15:12:03 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 01 Aug 2018 15:21:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 01 Aug 2018 15:21:06 GMT)


Message #24 received at 905216-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 905216-close@bugs.debian.org
Subject: Bug#905216: fixed in python-django 1:1.11.15-1
Date: Wed, 01 Aug 2018 15:20:18 +0000
Source: python-django
Source-Version: 1:1.11.15-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 905216@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 01 Aug 2018 23:06:03 +0800
Source: python-django
Binary: python-django python-django-common python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 1:1.11.15-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 905216
Changes:
 python-django (1:1.11.15-1) unstable; urgency=medium
 .
   * New upstream security release.
     - CVE-2018-14574: Open redirect possibility in CommonMiddleware.
       (Closes: #905216)





Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 01 Aug 2018 15:21:07 GMT)


Notification sent to Herbert Parentes Fortes Neto <hpfn@debian.org>:
Bug acknowledged by developer. (Wed, 01 Aug 2018 15:21:07 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 01 Aug 2018 15:21:08 GMT)


Notification sent to Chris Lamb <lamby@debian.org>:
Bug acknowledged by developer. (Wed, 01 Aug 2018 15:21:08 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 01 Aug 2018 15:21:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 01 Aug 2018 15:21:10 GMT)


Message #37 received at 905216-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 905216-close@bugs.debian.org
Subject: Bug#905216: fixed in python-django 2:2.1-1
Date: Wed, 01 Aug 2018 15:20:36 +0000
Source: python-django
Source-Version: 2:2.1-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 905216@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 01 Aug 2018 22:59:20 +0800
Source: python-django
Binary: python3-django python-django-doc
Built-For-Profiles: nocheck
Architecture: source all
Version: 2:2.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 905216
Changes:
 python-django (2:2.1-1) experimental; urgency=medium
 .
   * New upstream release.
     - CVE-2018-14574: Open redirect possibility in CommonMiddleware.
       (Closes: #905216)





Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 01 Aug 2018 15:21:10 GMT)


Notification sent to Herbert Parentes Fortes Neto <hpfn@debian.org>:
Bug acknowledged by developer. (Wed, 01 Aug 2018 15:21:11 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 01 Aug 2018 15:21:12 GMT)


Notification sent to Chris Lamb <lamby@debian.org>:
Bug acknowledged by developer. (Wed, 01 Aug 2018 15:21:12 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#905216; Package src:python-django. (Thu, 02 Aug 2018 02:45:04 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Thu, 02 Aug 2018 02:45:04 GMT)


Message #50 received at 905216@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 905216@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
Date: Thu, 02 Aug 2018 03:42:41 +0100
[Message part 1 (text/plain, inline)]
Hi security team,

> python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware

I've attached the following diff for a proposed 1:1.10.7-2+deb9u2
update for Django:

  Source: python-django
  Version: 1:1.10.7-2+deb9u2
  Distribution: stretch-security
  Urgency: high
  Maintainer: Chris Lamb <lamby@debian.org>
  Timestamp: 1533177448
  Date: Thu, 02 Aug 2018 10:37:28 +0800
  Closes: 905216
  Changes:
   python-django (1:1.10.7-2+deb9u2) stretch-security; urgency=high
   .
     * Non-maintainer upload by the Security Team.
     * CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware.
       If the django.middleware.common.CommonMiddleware and the APPEND_SLASH
       setting were both enabled, and if the project has a URL pattern that
       accepted any path ending in a slash then a request to a maliciously crafted
       URL of that site could lead to a redirect to another site, enabling
       phishing and other attacks. (Closes: #905216)

       
Let me know if I should go ahead and upload.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
[905216_stretch.txt (text/plain, attachment)]
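A configuration audit for the three conditions the changelog entry above names (CommonMiddleware enabled, APPEND_SLASH enabled, and a URL pattern that accepts any path ending in a slash), written as an added example for this report; it is not code from the bug log or from Django. The middleware list and URL regexes are constructed samples, and the catch-all detection is a probe-path heuristic.

```python
import re
from typing import Dict, Iterable, List, Union

# Constructed sample inputs (not taken from the bug report): the kind of
# values an audit would pull out of a project's settings.py and urls.py.
SAMPLE_MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.middleware.common.CommonMiddleware",
]
SAMPLE_URL_REGEXES = [
    r"^articles/(?P<id>\d+)/$",   # specific: only numeric ids
    r"^(?P<slug>[\w-]+)/$",       # one path segment, not "any path"
    r"^(?P<path>.*)/$",           # catch-all: any path ending in a slash
]

COMMON_MIDDLEWARE = "django.middleware.common.CommonMiddleware"

# Unrelated probe paths; a regex that accepts all of them is treated as a
# catch-all for "any path ending in a slash" (a heuristic, not a proof).
PROBE_PATHS = ["x/", "some/deep/path/", "a-b_c.d/", "9/"]


def is_catch_all(pattern: str) -> bool:
    """True if a Django url() regex matches every probe path.

    Django 1.x matches url() regexes with re.search against the request
    path without its leading slash, so search() is used here too.
    """
    rx = re.compile(pattern)
    return all(rx.search(p) is not None for p in PROBE_PATHS)


def catch_all_patterns(url_regexes: Iterable[str]) -> List[str]:
    """Return the subset of url() regexes that look like catch-alls."""
    return [p for p in url_regexes if is_catch_all(p)]


def audit(middleware: Iterable[str], append_slash: bool,
          url_regexes: Iterable[str]) -> Dict[str, Union[bool, List[str]]]:
    """Check the three conditions from the CVE-2018-14574 changelog entry.

    The report describes the open redirect as requiring CommonMiddleware
    enabled, APPEND_SLASH enabled, and a URL pattern accepting any path
    ending in a slash. All three together on an unpatched Django mean the
    site is exposed; the remedy is the fixed package (for stretch,
    1:1.10.7-2+deb9u2 per this report), not a settings change.
    Note that APPEND_SLASH defaults to True when the setting is absent.
    """
    common = COMMON_MIDDLEWARE in set(middleware)
    catch_alls = catch_all_patterns(url_regexes)
    return {
        "common_middleware": common,
        "append_slash": bool(append_slash),
        "catch_all_patterns": catch_alls,
        "exposed_if_unpatched": common and bool(append_slash) and bool(catch_alls),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_MIDDLEWARE, True, SAMPLE_URL_REGEXES)
    for key, value in result.items():
        print(f"{key}: {value}")
```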

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#905216; Package src:python-django. (Thu, 02 Aug 2018 05:09:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Thu, 02 Aug 2018 05:09:05 GMT)


Message #55 received at 905216@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Chris Lamb <lamby@debian.org>, 905216@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
Date: Thu, 2 Aug 2018 07:06:05 +0200
Hi Chris,

On Thu, Aug 02, 2018 at 03:42:41AM +0100, Chris Lamb wrote:
> Hi security team,
> 
> > python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
> 
> I've attached the following diff for a proposed 1:1.10.7-2+deb9u2
> update for Django:
> 
>   Source: python-django
>   Version: 1:1.10.7-2+deb9u2
>   Distribution: stretch-security
>   Urgency: high
>   Maintainer: Chris Lamb <lamby@debian.org>
>   Timestamp: 1533177448
>   Date: Thu, 02 Aug 2018 10:37:28 +0800
>   Closes: 905216
>   Changes:
>    python-django (1:1.10.7-2+deb9u2) stretch-security; urgency=high
>    .
>      * Non-maintainer upload by the Security Team.
>      * CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware.
>        If the django.middleware.common.CommonMiddleware and the APPEND_SLASH
>        setting were both enabled, and if the project has a URL pattern that
>        accepted any path ending in a slash then a request to a maliciously crafted
>        URL of that site could lead to a redirect to another site, enabling
>        phishing and other attacks. (Closes: #905216)
> 
>        
> Let me know if I should go ahead and upload.

Thanks for preparing an update.

The debdiff looks good so far. Were you able to test the resulting
package (in particular also for the given case, with CommonMiddleware
and the APPEND_SLASH setting enabled)?

There is as well a no-dsa tagged entry (CVE-2017-12794), which is only
relevant when "DEBUG = true". But as we do an update now via a DSA, we
can include this fix as well.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#905216; Package src:python-django. (Thu, 02 Aug 2018 05:45:04 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Thu, 02 Aug 2018 05:45:04 GMT)


Message #60 received at 905216@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 905216@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
Date: Thu, 02 Aug 2018 06:42:59 +0100
Hi Salvatore,

> > I've attached the following diff for a proposed 1:1.10.7-2+deb9u2
> > update for Django:
[…]
> The debdiff looks good so far, were you able to test the resulting
> package

I believe that is covered in-depth by the additional tests I also
backported (which pass here). The package installs fine for me too; I
did not alter any of my in-*production* sites to *specifically* test
pre/post application of the APPEND_SLASH handling.

> There is as well a no-dsa tagged entry (CVE-2017-12794), which is only
> relevant when "DEBUG = true". But as we do an update now via a DSA, we
> can include this fix as well.

That makes sense. Shall I go ahead and add this CVE-2017-12794 and send
another debdiff?


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#905216; Package src:python-django. (Thu, 02 Aug 2018 05:54:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Thu, 02 Aug 2018 05:54:02 GMT)


Message #65 received at 905216@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Chris Lamb <lamby@debian.org>
Cc: 905216@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
Date: Thu, 2 Aug 2018 07:50:49 +0200
Hi Chris,

On Thu, Aug 02, 2018 at 06:42:59AM +0100, Chris Lamb wrote:
> Hi Salvatore,
> 
> > > I've attached the following diff for a proposed 1:1.10.7-2+deb9u2
> > > update for Django:
> […]
> > The debdiff looks good so far, were you able to test the resulting
> > package
> 
> I believe that is covered in-depth by the additional tests I also
> backported (which passes here). The package installs fine for me too I
> did not alter any of my in-*production* sites to *specifically* test
> pre/post application of the APPEND_SLASH handling.

Ack thanks.

> > There is as well a no-dsa tagged entry (CVE-2017-12794), which is only
> > relevant when "DEBUG = true". But as we do an update now via a DSA, we
> > can include this fix as well.
> 
> That makes sense. Shall I go ahead and add this CVE-2017-12794 and send
> another debdiff?

Yes please.

Thanks and regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#905216; Package src:python-django. (Fri, 03 Aug 2018 06:27:03 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 03 Aug 2018 06:27:03 GMT)


Message #70 received at 905216@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 905216@bugs.debian.org, 874415@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
Date: Fri, 03 Aug 2018 07:24:20 +0100
[Message part 1 (text/plain, inline)]
[adding 874415@bugs.debian.org to CC]

Hi Salvatore,

> > > There is as well a no-dsa tagged entry (CVE-2017-12794), which is only
> > > relevant when "DEBUG = true". But as we do an update now via a DSA, we
> > > can include this fix as well.
> > 
> > That makes sense. Shall I go ahead and add this CVE-2017-12794 and send
> > another debdiff?
> 
> Yes please.

Full diff attached. Please let me know if this is okay to upload.

  Source: python-django
  Version: 1:1.10.7-2+deb9u2
  Distribution: stretch-security
  Urgency: high
  Maintainer: Chris Lamb <lamby@debian.org>
  Timestamp: 1533177448
  Date: Thu, 02 Aug 2018 10:37:28 +0800
  Closes: 874415 905216
  Changes:
   python-django (1:1.10.7-2+deb9u2) stretch-security; urgency=high
   .
     * Non-maintainer upload by the Security Team.
     * CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware.
       If the django.middleware.common.CommonMiddleware and the APPEND_SLASH
       setting were both enabled, and if the project has a URL pattern that
       accepted any path ending in a slash then a request to a maliciously crafted
       URL of that site could lead to a redirect to another site, enabling
       phishing and other attacks. (Closes: #905216)
     * CVE-2017-12794: Fix a cross-site scripting attack in the technical HTTP 500
       page. This vulnerability did not affect production sites as they typically
       do not run with "DEBUG = True". (Closes: #874415)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
[905216_874415_stretch.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#905216; Package src:python-django. (Fri, 03 Aug 2018 07:00:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 03 Aug 2018 07:00:03 GMT)


Message #75 received at 905216@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Chris Lamb <lamby@debian.org>
Cc: 905216@bugs.debian.org, 874415@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
Date: Fri, 3 Aug 2018 08:57:23 +0200
Hi Chris,

On Fri, Aug 03, 2018 at 07:24:20AM +0100, Chris Lamb wrote:
> [adding 874415@bugs.debian.org to CC]
> 
> Hi Salvatore,
> 
> > > > There is as well a no-dsa tagged entry (CVE-2017-12794), which is only
> > > > relevant when "DEBUG = true". But as we do an update now via a DSA, we
> > > > can include this fix as well.
> > > 
> > > That makes sense. Shall I go ahead and add this CVE-2017-12794 and send
> > > another debdiff?
> > 
> > Yes please.
> 
> Full diff attached. Please let me know if this is okay to upload.

Thanks! Looks good to me, please go ahead with the upload to
security-master.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#905216; Package src:python-django. (Fri, 03 Aug 2018 07:33:09 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 03 Aug 2018 07:33:09 GMT)


Message #80 received at 905216@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 905216@bugs.debian.org
Cc: 874415@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
Date: Fri, 03 Aug 2018 08:26:23 +0100
Hi Salvatore,

> Thanks! Looks good to me, please go ahead with the upload to
> security-master.

Uploaded. :)


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Thu, 09 Aug 2018 05:39:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 09 Aug 2018 05:39:05 GMT)


Message #85 received at 905216-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 905216-close@bugs.debian.org
Subject: Bug#905216: fixed in python-django 1:1.10.7-2+deb9u2
Date: Thu, 09 Aug 2018 05:35:27 +0000
Source: python-django
Source-Version: 1:1.10.7-2+deb9u2

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 905216@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 03 Aug 2018 15:11:16 +0800
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1:1.10.7-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 874415 905216
Changes:
 python-django (1:1.10.7-2+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware.
     If the django.middleware.common.CommonMiddleware and the APPEND_SLASH
     setting were both enabled, and if the project has a URL pattern that
     accepted any path ending in a slash then a request to a maliciously crafted
     URL of that site could lead to a redirect to another site, enabling
     phishing and other attacks. (Closes: #905216)
   * CVE-2017-12794: Fix a cross-site scripting attack in the technical HTTP 500
     page. This vulnerability did not affect production sites as they typically
     do not run with "DEBUG = True". (Closes: #874415)





Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Thu, 09 Aug 2018 05:39:06 GMT)


Notification sent to Herbert Parentes Fortes Neto <hpfn@debian.org>:
Bug acknowledged by developer. (Thu, 09 Aug 2018 05:39:06 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Thu, 09 Aug 2018 05:39:07 GMT)


Notification sent to Chris Lamb <lamby@debian.org>:
Bug acknowledged by developer. (Thu, 09 Aug 2018 05:39:07 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 06 Sep 2018 07:25:39 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:15:10 2019; Machine Name: buxtehude
