Debian Bug report logs - #448838
CVE-2007-5712 remote denial of service


Package: python-django; Maintainer for python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Source for python-django is src:python-django.

Reported by: Nico Golde <nion@debian.org>

Date: Thu, 1 Nov 2007 11:27:02 UTC

Severity: important

Tags: patch, security

Fixed in versions python-django/0.96.1-1, python-django/0.97~svn6668-1, python-django/0.96-1.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#448838; Package python-django. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-5712 remote denial of service
Date: Thu, 1 Nov 2007 12:24:19 +0100
[Message part 1 (text/plain, inline)]
Package: python-django
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for python-django.

CVE-2007-5712[0]:
| The internationalization (i18n) framework in Django 0.91, 0.95,
| 0.95.1, and 0.96, when the USE_I18N option and the i18n component are
| enabled, allows remote attackers to cause a denial of service (memory
| consumption) via many HTTP requests with large Accept-Language
| headers.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5712

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
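The advisory quoted above describes memory exhaustion from many requests that each carry a large Accept-Language header. A common way an i18n layer acquires that exposure is memoizing the parsed result of every distinct header value in a process-wide dict that is never pruned, so each new header costs memory for the life of the worker. Whether that is exactly the mechanism in Django's case is not stated on this page, so treat it as an assumption. The following is an added example, not code from this bug report or from Django: a small Accept-Language parser, the unbounded-cache pattern beside a hardened variant that refuses oversized headers before they are parsed or stored and evicts least-recently-used entries, and a constructed load generator (`simulate`, `make_distinct_header`) so the two behaviours can be compared offline. The limits `max_header_len` and `max_entries` are illustrative values chosen here, not Django settings.

```python
import re
from collections import OrderedDict

# Constructed sample headers (not captured traffic).
SAMPLE_HEADERS = [
    "en-US,en;q=0.8,de;q=0.5",
    "fr-CH, fr;q=0.9, en;q=0.8, *;q=0.5",
]

# One Accept-Language item: a language tag (or "*") with an optional q-value.
ACCEPT_LANGUAGE_RE = re.compile(
    r"([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)"
    r"(?:\s*;\s*q=(0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?"
)


def parse_accept_language(header):
    """Return [(tag, q), ...] sorted by descending q; malformed items are skipped."""
    result = []
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        m = ACCEPT_LANGUAGE_RE.fullmatch(item)
        if not m:
            continue
        tag, q = m.group(1), m.group(2)
        result.append((tag.lower(), float(q) if q is not None else 1.0))
    result.sort(key=lambda t: t[1], reverse=True)
    return result


class UnboundedCache:
    """Exposed pattern: every distinct header value is memoized for the process lifetime."""

    def __init__(self):
        self._cache = {}

    def lookup(self, header):
        if header not in self._cache:
            self._cache[header] = parse_accept_language(header)
        return self._cache[header]

    def size(self):
        return len(self._cache)


class BoundedCache:
    """Hardened pattern: cap header length before parsing, and cap cache size with LRU eviction."""

    def __init__(self, max_header_len=1024, max_entries=256):
        self.max_header_len = max_header_len
        self.max_entries = max_entries
        self._cache = OrderedDict()

    def lookup(self, header):
        if len(header) > self.max_header_len:
            # Oversized header: treat as "no preference" and store nothing.
            return []
        if header in self._cache:
            self._cache.move_to_end(header)
            return self._cache[header]
        parsed = parse_accept_language(header)
        self._cache[header] = parsed
        if len(self._cache) > self.max_entries:
            self._cache.popitem(last=False)  # evict least recently used
        return parsed

    def size(self):
        return len(self._cache)


def make_distinct_header(i, length):
    """Constructed header of the given length that differs for every i (length >= 12)."""
    base = "en-%08d" % i
    return (base + ",x" * length)[:length]


def simulate(cache, n_requests, header_len):
    """Feed n distinct headers of the given length; return the cache size afterwards."""
    for i in range(n_requests):
        cache.lookup(make_distinct_header(i, header_len))
    return cache.size()


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", parse_accept_language(h))
    print("unbounded, 1000 x 2048-byte headers:", simulate(UnboundedCache(), 1000, 2048))
    print("bounded,   1000 x 2048-byte headers:", simulate(BoundedCache(), 1000, 2048))
    print("bounded,   1000 x   64-byte headers:", simulate(BoundedCache(), 1000, 64))
```

The length check runs before the regex so an oversized header costs neither parsing time nor a cache slot, and the LRU bound means the cache footprint is a function of `max_entries`, not of how many distinct header values a client chooses to send.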

Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#448838; Package python-django. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. Full text and rfc822 format available.

Message #10 received at 448838@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 448838@bugs.debian.org
Subject: Re: CVE-2007-5712 remote denial of service
Date: Thu, 1 Nov 2007 13:04:44 +0100
[Message part 1 (text/plain, inline)]
Hi,
patches can be found on:
http://media.djangoproject.com/patches/2007-10-26-security-fix/
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 01 Nov 2007 12:06:17 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#448838; Package python-django. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. Full text and rfc822 format available.

Message #17 received at 448838@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 448838@bugs.debian.org
Subject: Re: CVE-2007-5712 remote denial of service
Date: Sun, 4 Nov 2007 14:05:11 +0100
[Message part 1 (text/plain, inline)]
Hi,
attached is an NMU proposal to fix this bug.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/python-django-0.96-1_0.96-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[python-django-0.96-1_0.96-1.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#448838; Package python-django. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. Full text and rfc822 format available.

Message #22 received at 448838@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 448838@bugs.debian.org
Subject: Upload
Date: Sun, 4 Nov 2007 16:19:28 +0100
[Message part 1 (text/plain, inline)]
Hi,
uploading NMU with maintainers permission.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Brett Parker <iDunno@sommitrealweird.co.uk>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #27 received at 448838-close@bugs.debian.org (full text, mbox):

From: Brett Parker <iDunno@sommitrealweird.co.uk>
To: 448838-close@bugs.debian.org
Subject: Bug#448838: fixed in python-django 0.96.1-1
Date: Mon, 12 Nov 2007 05:25:55 +0000
Source: python-django
Source-Version: 0.96.1-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:

python-django_0.96.1-1.diff.gz
  to pool/main/p/python-django/python-django_0.96.1-1.diff.gz
python-django_0.96.1-1.dsc
  to pool/main/p/python-django/python-django_0.96.1-1.dsc
python-django_0.96.1-1_all.deb
  to pool/main/p/python-django/python-django_0.96.1-1_all.deb
python-django_0.96.1.orig.tar.gz
  to pool/main/p/python-django/python-django_0.96.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 448838@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brett Parker <iDunno@sommitrealweird.co.uk> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 10 Nov 2007 13:51:07 +0000
Source: python-django
Binary: python-django
Architecture: source all
Version: 0.96.1-1
Distribution: unstable
Urgency: low
Maintainer: Brett Parker <iDunno@sommitrealweird.co.uk>
Changed-By: Brett Parker <iDunno@sommitrealweird.co.uk>
Description: 
 python-django - A high-level Python Web framework
Closes: 448838 450659
Changes: 
 python-django (0.96.1-1) unstable; urgency=low
 .
   * New upstream release with security fix for CVE-2007-5712
     Closes: #448838
   * Add note for upstream sources to copyright file
     Closes: #450659
Files: 
 cb04d23dea2e8df1f7e6c3a1fb8b83c8 886 python optional python-django_0.96.1-1.dsc
 10aa32e58969c4efeb00ef42ba192b17 1746455 python optional python-django_0.96.1.orig.tar.gz
 e8926bc55ec73e430f916c36f015949a 6468 python optional python-django_0.96.1-1.diff.gz
 5d57ac645a9e51e55e9c7fa45fdd7d5a 1700246 python optional python-django_0.96.1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHNeD8vPbGD26BadIRArgzAJ92H+jT4EOhOYze3YjPRx7eHMFpZACgo6hW
VHwYf0j6CeS6dTZS54umI+c=
=M5iQ
-----END PGP SIGNATURE-----

Reply sent to Brett Parker <iDunno@sommitrealweird.co.uk>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #32 received at 448838-close@bugs.debian.org (full text, mbox):

From: Brett Parker <iDunno@sommitrealweird.co.uk>
To: 448838-close@bugs.debian.org
Subject: Bug#448838: fixed in python-django 0.97~svn6668-1
Date: Mon, 12 Nov 2007 05:25:56 +0000
Source: python-django
Source-Version: 0.97~svn6668-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:

python-django_0.97~svn6668-1.diff.gz
  to pool/main/p/python-django/python-django_0.97~svn6668-1.diff.gz
python-django_0.97~svn6668-1.dsc
  to pool/main/p/python-django/python-django_0.97~svn6668-1.dsc
python-django_0.97~svn6668-1_all.deb
  to pool/main/p/python-django/python-django_0.97~svn6668-1_all.deb
python-django_0.97~svn6668.orig.tar.gz
  to pool/main/p/python-django/python-django_0.97~svn6668.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 448838@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brett Parker <iDunno@sommitrealweird.co.uk> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 11 Nov 2007 10:15:55 +0000
Source: python-django
Binary: python-django
Architecture: source all
Version: 0.97~svn6668-1
Distribution: experimental
Urgency: low
Maintainer: Brett Parker <iDunno@sommitrealweird.co.uk>
Changed-By: Brett Parker <iDunno@sommitrealweird.co.uk>
Description: 
 python-django - A high-level Python Web framework
Closes: 448838 450659
Changes: 
 python-django (0.97~svn6668-1) experimental; urgency=low
 .
   * New SVN snapshot (rev 6668)
     - Auth system delegations
     - Apps can now have their own management commands
     - Fix for CVE-2007-5712 remote denial of service
       Closes: #448838
   * Fix missing upstream info in changelog
     Closes: #450659
Files: 
 fc81d040d93bc7530187a497037d8d19 1030 python optional python-django_0.97~svn6668-1.dsc
 526e2f61974128a527bec452829d7f24 2404765 python optional python-django_0.97~svn6668.orig.tar.gz
 4233ac73d649387168fd8585494ebc11 7213 python optional python-django_0.97~svn6668-1.diff.gz
 a69a111e3193fc192412912ea8584fd1 2327632 python optional python-django_0.97~svn6668-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHNuY1vPbGD26BadIRAiG2AJ9W5/1UImxHX6XdB5/fMFHt4E2DqQCghqle
8lsIUswyJpDRl1oTm29prTg=
=yXZ2
-----END PGP SIGNATURE-----

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #37 received at 448838-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 448838-close@bugs.debian.org
Subject: Bug#448838: fixed in python-django 0.96-1.1
Date: Mon, 12 Nov 2007 05:25:53 +0000
Source: python-django
Source-Version: 0.96-1.1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:

python-django_0.96-1.1.diff.gz
  to pool/main/p/python-django/python-django_0.96-1.1.diff.gz
python-django_0.96-1.1.dsc
  to pool/main/p/python-django/python-django_0.96-1.1.dsc
python-django_0.96-1.1_all.deb
  to pool/main/p/python-django/python-django_0.96-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 448838@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 04 Nov 2007 13:56:02 +0100
Source: python-django
Binary: python-django
Architecture: source all
Version: 0.96-1.1
Distribution: unstable
Urgency: high
Maintainer: Brett Parker <iDunno@sommitrealweird.co.uk>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 python-django - A high-level Python Web framework
Closes: 448838
Changes: 
 python-django (0.96-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by testing security team.
   * Added patch to fix remote denial of service via multiple crafted HTTP
     requests (CVE-2007-5712) (Closes: #448838).
Files: 
 0c96a51daea7da3fd0d219bd3d0dce61 884 python optional python-django_0.96-1.1.dsc
 1d8b65ce4a8d2f4cb9e45df71deccf2f 8369 python optional python-django_0.96-1.1.diff.gz
 a465721068c26206b43401962f094e64 1728296 python optional python-django_0.96-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHNt9AHYflSXNkfP8RAtWGAJ9kHwHJBYnEKy6kX+JUNPR38LHofACdEPsN
8x2TdOiGsR3SoCvJaKkuxtk=
=reLZ
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Dec 2007 07:37:58 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:29:01 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.