Report forwarded
to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>: Bug#550457; Package python-django.
(Sat, 10 Oct 2009 09:51:04 GMT)
Acknowledgement sent
to Chris Lamb <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>.
(Sat, 10 Oct 2009 09:51:04 GMT)
Package: python-django
Version: 1.0.2-1+lenny1
Severity: serious
Tags: security
> Django's forms library included field types which perform
> regular-expression based validation of email addresses and URLs. Certain
> addresses/URLs could trigger a pathological performance case in this
> regular expression, resulting in the server process/thread becoming
> unresponsive, and consuming excessive CPU over an extended period of time.
> If deliberately triggered, this could result in an effective
> denial-of-service attack.
[..]
> This issue was disclosed publicly by a third party on a high-traffic
> mailing list, and attempts have been made to exploit it against live Django
> installations.
<http://www.djangoproject.com/weblog/2009/oct/09/security/>
Does not affect unstable (once 1.1.1-1 lands).
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org
`-
Information forwarded
to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>: Bug#550457; Package python-django.
(Sat, 10 Oct 2009 10:24:02 GMT)
Acknowledgement sent
to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>.
(Sat, 10 Oct 2009 10:24:02 GMT)
Chris Lamb wrote:
> > This issue was disclosed publicly by a third party on a high-traffic
> > mailing list, and attempts have been made to exploit it against live
> > Django installations.
Packages for stable-security are available at:
http://people.debian.org/~lamby/550457/
I can't find any CVE numbers, but am not used to looking.
Regards,
--
Chris Lamb <lamby@debian.org>
Bug Marked as found in versions python-django/1.1-4.
Request was from Raphael Geissert <geissert@debian.org>
to control@bugs.debian.org.
(Sat, 10 Oct 2009 18:15:03 GMT)
Bug Marked as fixed in versions python-django/1.1.1-1.
Request was from Raphael Geissert <geissert@debian.org>
to control@bugs.debian.org.
(Sat, 10 Oct 2009 18:15:04 GMT)
Reply sent
to Chris Lamb <lamby@debian.org>:
You have taken responsibility.
(Sun, 11 Oct 2009 20:30:12 GMT)
Notification sent
to Chris Lamb <lamby@debian.org>:
Bug acknowledged by developer.
(Sun, 11 Oct 2009 20:30:13 GMT)
Subject: Bug#550457: fixed in python-django 1.0.2-1+lenny2
Date: Sun, 11 Oct 2009 19:57:55 +0000
Source: python-django
Source-Version: 1.0.2-1+lenny2
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:
python-django_1.0.2-1+lenny2.diff.gz
to pool/main/p/python-django/python-django_1.0.2-1+lenny2.diff.gz
python-django_1.0.2-1+lenny2.dsc
to pool/main/p/python-django/python-django_1.0.2-1+lenny2.dsc
python-django_1.0.2-1+lenny2_all.deb
to pool/main/p/python-django/python-django_1.0.2-1+lenny2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 550457@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 10 Oct 2009 10:33:24 +0100
Source: python-django
Binary: python-django
Architecture: source all
Version: 1.0.2-1+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Brett Parker <iDunno@sommitrealweird.co.uk>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
python-django - A high-level Python Web framework
Closes: 550457
Changes:
python-django (1.0.2-1+lenny2) stable-security; urgency=high
.
* Add patch to fix remote denial of service by exploiting pathological
performance of regular expressions (Closes: #550457)
.
Upstream writes:
.
SECURITY ALERT: Corrected regular expressions for URL and email fields.
.
Certain email addresses/URLs could trigger a catastrophic backtracking
situation, causing 100% CPU and server overload. If deliberately triggered, this
could be the basis of a denial-of-service attack.
.
<http://www.djangoproject.com/weblog/2009/oct/09/security/>
Checksums-Sha1:
Checksums-Sha256:
Files:
Information forwarded
to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#550457; Package python-django.
(Wed, 21 Oct 2009 09:03:07 GMT)
Acknowledgement sent
to Joerg Scheurich aka MUFTI <rusmufti@helpdesk.bera.rus.uni-stuttgart.de>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>.
(Wed, 21 Oct 2009 09:03:07 GMT)
To: Philippe Coval <rzr@users.sf.net>, 550457@bugs.debian.org
Subject: Re: Bug#550459: [whitedune] Segmentation fault at start up
Date: Wed, 21 Oct 2009 10:51:21 +0200
Hi,
Manolo Díaz found out that the 0.28.14-1 version of whitedune needs the
helvetica font (font size 12) to start (current versions of whitedune
can fall back to the "fixed" font and support an X11 style "-fn" command-line
option).
It looks like the package "xfonts-100dpi" would install a helvetica font
with font size 12, so it should be added to the "Depends".
so long
MUFTI
--
Applications that have earned the "Works with Windows Vista" logo
Company Product name Version
Law enforcement software solutions COMPANY 1.0.0
Micro$oft Knowledge Base Article ID:933305 Version:4.1
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 31 Jan 2010 07:37:26 GMT)
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.