Debian Bug report logs - #497765
Cross-site request forgery


Package: python-django; Maintainer for python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Source for python-django is src:python-django.

Reported by: Raphael Hertzog <hertzog@debian.org>

Date: Thu, 4 Sep 2008 06:21:01 UTC

Severity: grave

Tags: security

Found in version python-django/0.95.1-1

Fixed in versions python-django/1.0-1, python-django/0.95.1-1etch2

Done: David Spreen <netzwurm@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#497765; Package python-django.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
New Bug report received and forwarded. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>.

Message #5 received at submit@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: submit@bugs.debian.org
Subject: Cross-site request forgery
Date: Thu, 4 Sep 2008 08:18:43 +0200
Package: python-django
Severity: grave
Version: 0.95.1-1
Tags: security

All details are in http://www.djangoproject.com/weblog/2008/sep/02/security/
This affects stable/testing/unstable.

Unstable will be fixed shortly with the 1.0 version and hopefully, Lenny
will benefit from it. We need to release 0.95.1-1etch2 with the changes
from 0.95.4.

Cheers,
-- 
Raphaël Hertzog

The French best-seller updated for Debian Etch:
http://www.ouaza.com/livre/admin-debian/




Tags added: pending. Request was from hertzog@users.alioth.debian.org to control@bugs.debian.org. (Thu, 04 Sep 2008 07:03:48 GMT)

Reply sent to Raphael Hertzog <hertzog@debian.org>:
You have taken responsibility.

Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer.

Message #12 received at 497765-close@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: 497765-close@bugs.debian.org
Subject: Bug#497765: fixed in python-django 1.0-1
Date: Thu, 04 Sep 2008 07:32:07 +0000
Source: python-django
Source-Version: 1.0-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:

python-django_1.0-1.diff.gz
  to pool/main/p/python-django/python-django_1.0-1.diff.gz
python-django_1.0-1.dsc
  to pool/main/p/python-django/python-django_1.0-1.dsc
python-django_1.0-1_all.deb
  to pool/main/p/python-django/python-django_1.0-1_all.deb
python-django_1.0.orig.tar.gz
  to pool/main/p/python-django/python-django_1.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 497765@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Hertzog <hertzog@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 04 Sep 2008 08:33:32 +0200
Source: python-django
Binary: python-django
Architecture: source all
Version: 1.0-1
Distribution: unstable
Urgency: low
Maintainer: Brett Parker <iDunno@sommitrealweird.co.uk>
Changed-By: Raphael Hertzog <hertzog@debian.org>
Description: 
 python-django - A high-level Python Web framework
Closes: 497765
Changes: 
 python-django (1.0-1) unstable; urgency=low
 .
   [ David Spreen ]
   * New _stable_ upstream release.
 .
   [ Raphael Hertzog ]
   * This version fixes the latest security issue:
     http://www.djangoproject.com/weblog/2008/sep/02/security/
     Closes: #497765
   * Don't include source files of documentation in the binary package,
     keep only the HTML version.
   * Updated README.Debian with information about the switch from 0.96 to
     1.0.
   * Remove execute right on /etc/bash_completion.d/django_bash_completion
   * Add debian/patches/04_hyphen-manpage.diff to fix a lintian message
     (hyphen-used-as-minus-sign usr/share/man/man1/django-admin.1.gz:156).
   * Don't compress javascript files.
   * Add libjs-jquery to Recommends since it's used by the HTML
     documentation.





Reply sent to David Spreen <netzwurm@debian.org>:
You have taken responsibility. (Sun, 05 Oct 2008 20:00:08 GMT)

Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Sun, 05 Oct 2008 20:00:08 GMT)

Message #17 received at 497765-close@bugs.debian.org:

From: David Spreen <netzwurm@debian.org>
To: 497765-close@bugs.debian.org
Subject: Bug#497765: fixed in python-django 0.95.1-1etch2
Date: Sun, 05 Oct 2008 19:52:22 +0000
Source: python-django
Source-Version: 0.95.1-1etch2

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:

python-django_0.95.1-1etch2.diff.gz
  to pool/main/p/python-django/python-django_0.95.1-1etch2.diff.gz
python-django_0.95.1-1etch2.dsc
  to pool/main/p/python-django/python-django_0.95.1-1etch2.dsc
python-django_0.95.1-1etch2_all.deb
  to pool/main/p/python-django/python-django_0.95.1-1etch2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 497765@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Spreen <netzwurm@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 19 Sep 2008 17:11:55 PDT
Source: python-django
Binary: python-django
Architecture: source all
Version: 0.95.1-1etch2
Distribution: stable-security
Urgency: low
Maintainer: David Spreen <netzwurm@debian.org>
Changed-By: David Spreen <netzwurm@debian.org>
Description:
 python-django - A high-level Python Web framework
Closes: 448838 497765
Changes:
 python-django (0.95.1-1etch2) stable-security; urgency=low
 .
   * debian/patches/04_csrf_fix.diff
     - Fixes cross-site request forgery vulnerability.
       http://www.djangoproject.com/weblog/2008/sep/02/security/
     Closes: 497765
   * debian/patches/05_i18n_dos_fix.diff.
     - Fixes denial of service vulnerability (CVE-2007-5712).
     Closes: 448838





Reply sent to David Spreen <netzwurm@debian.org>:
You have taken responsibility. (Thu, 23 Oct 2008 15:57:08 GMT)

Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Thu, 23 Oct 2008 15:57:08 GMT)

Message #22 received at 497765-close@bugs.debian.org:

From: David Spreen <netzwurm@debian.org>
To: 497765-close@bugs.debian.org
Subject: Bug#497765: fixed in python-django 0.95.1-1etch2
Date: Thu, 23 Oct 2008 15:28:13 +0000
Source: python-django
Source-Version: 0.95.1-1etch2

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:

python-django_0.95.1-1etch2.diff.gz
  to pool/main/p/python-django/python-django_0.95.1-1etch2.diff.gz
python-django_0.95.1-1etch2.dsc
  to pool/main/p/python-django/python-django_0.95.1-1etch2.dsc
python-django_0.95.1-1etch2_all.deb
  to pool/main/p/python-django/python-django_0.95.1-1etch2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 497765@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Spreen <netzwurm@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 19 Sep 2008 17:11:55 PDT
Source: python-django
Binary: python-django
Architecture: source all
Version: 0.95.1-1etch2
Distribution: stable-security
Urgency: low
Maintainer: David Spreen <netzwurm@debian.org>
Changed-By: David Spreen <netzwurm@debian.org>
Description:
 python-django - A high-level Python Web framework
Closes: 448838 497765
Changes:
 python-django (0.95.1-1etch2) stable-security; urgency=low
 .
   * debian/patches/04_csrf_fix.diff
     - Fixes cross-site request forgery vulnerability.
       http://www.djangoproject.com/weblog/2008/sep/02/security/
     Closes: 497765
   * debian/patches/05_i18n_dos_fix.diff.
     - Fixes denial of service vulnerability (CVE-2007-5712).
     Closes: 448838





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Nov 2008 07:28:50 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 18:42:33 2014; Machine Name: buxtehude.debian.org
