Debian Bug report logs - #641405
several Django security issues

version graph

Package: python-django; Maintainer for python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Source for python-django is src:python-django.

Reported by: "Thijs Kinkhorst" <thijs@debian.org>

Date: Tue, 13 Sep 2011 08:54:01 UTC

Severity: serious

Tags: security

Fixed in versions python-django/1.3.1-1, python-django/1.0.2-1+lenny3, python-django/1.2.3-3+squeeze2

Done: Raphaël Hertzog <hertzog@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Tue, 13 Sep 2011 08:54:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Chris Lamb <lamby@debian.org>. (Tue, 13 Sep 2011 08:54:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: submit@bugs.debian.org
Subject: several Django security issues
Date: Tue, 13 Sep 2011 10:52:45 +0200
Package: python-django
Severity: serious
Tags: security

Hi,

Several security issues were announced in Django:
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
and a regression fix was later posted:
https://www.djangoproject.com/weblog/2011/sep/10/127/

Can you please ensure that unstable is fixed for these issues, and analyse
whether updates to stable and oldstable security are necessary?

CVE id's are not assigned yet at this point, but there's no need to wait
for them to continue.


Thanks,
Thijs




Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Tue, 13 Sep 2011 13:03:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Tue, 13 Sep 2011 13:03:06 GMT) Full text and rfc822 format available.

Message #10 received at 641405@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 641405@bugs.debian.org
Cc: Chris Lamb <lamby@debian.org>
Subject: Re: Bug#641405: several Django security issues
Date: Tue, 13 Sep 2011 15:00:13 +0200
Hi,

On Tue, 13 Sep 2011, Thijs Kinkhorst wrote:
> Several security issues were announced in Django:
> https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
> and a regression fix was later posted:
> https://www.djangoproject.com/weblog/2011/sep/10/127/
> 
> Can you please ensure that unstable is fixed for these issues, and analyse
> whether updates to stable and oldstable security are necessary?

An update for Squeeze is required but Lenny should be unaffected apparently.

Chris, will you take care of the uploads or do you need help?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Follow my Debian News ▶ http://RaphaelHertzog.com (English)
                      ▶ http://RaphaelHertzog.fr (Français)




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#641405; Package python-django. (Tue, 13 Sep 2011 15:48:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. (Tue, 13 Sep 2011 15:48:12 GMT) Full text and rfc822 format available.

Message #15 received at 641405@bugs.debian.org (full text, mbox):

From: Chris Lamb <lamby@debian.org>
To: Raphael Hertzog <hertzog@debian.org>, 641405@bugs.debian.org
Cc: Thijs Kinkhorst <thijs@debian.org>
Subject: Re: Bug#641405: several Django security issues
Date: Tue, 13 Sep 2011 16:45:57 +0100
Raphael Hertzog wrote:

> Chris, will you take care of the uploads or do you need help?

Should manage to do it this evening.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org
       `-




Added tag(s) pending. Request was from hertzog@users.alioth.debian.org to control@bugs.debian.org. (Thu, 15 Sep 2011 08:30:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Thu, 15 Sep 2011 13:12:49 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 15 Sep 2011 13:12:49 GMT) Full text and rfc822 format available.

Message #22 received at 641405@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Chris Lamb <lamby@debian.org>, 641405@bugs.debian.org
Cc: Thijs Kinkhorst <thijs@debian.org>
Subject: Re: Bug#641405: several Django security issues
Date: Thu, 15 Sep 2011 14:57:42 +0200
Hi Chris,

On Tue, 13 Sep 2011, Chris Lamb wrote:
> Raphael Hertzog wrote:
> 
> > Chris, will you take care of the uploads or do you need help?
> 
> Should manage to do it this evening.

Since you missed your target, I took the liberty to prepare the unstable
upload (there was more work to do than expected, but should be ok).

I'll let you handle the stable upload. If you can't, please tell us.

Thijs, can you update the security tracker to mark oldstable as not
vulnerable ? It has 1.0 and only versions >= 1.2 are vulnerable
apparently.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Follow my Debian News ▶ http://RaphaelHertzog.com (English)
                      ▶ http://RaphaelHertzog.fr (Français)




Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Thu, 15 Sep 2011 13:13:37 GMT) Full text and rfc822 format available.

Notification sent to "Thijs Kinkhorst" <thijs@debian.org>:
Bug acknowledged by developer. (Thu, 15 Sep 2011 13:13:38 GMT) Full text and rfc822 format available.

Message #27 received at 641405-close@bugs.debian.org (full text, mbox):

From: Raphaël Hertzog <hertzog@debian.org>
To: 641405-close@bugs.debian.org
Subject: Bug#641405: fixed in python-django 1.3.1-1
Date: Thu, 15 Sep 2011 12:48:10 +0000
Source: python-django
Source-Version: 1.3.1-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:

python-django-doc_1.3.1-1_all.deb
  to main/p/python-django/python-django-doc_1.3.1-1_all.deb
python-django_1.3.1-1.debian.tar.gz
  to main/p/python-django/python-django_1.3.1-1.debian.tar.gz
python-django_1.3.1-1.dsc
  to main/p/python-django/python-django_1.3.1-1.dsc
python-django_1.3.1-1_all.deb
  to main/p/python-django/python-django_1.3.1-1_all.deb
python-django_1.3.1.orig.tar.gz
  to main/p/python-django/python-django_1.3.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 641405@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 15 Sep 2011 12:43:51 +0200
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.3.1-1
Distribution: unstable
Urgency: low
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 630421 641405
Changes: 
 python-django (1.3.1-1) unstable; urgency=low
 .
   * New upstream release. It includes security updates described here:
     https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
     Closes: #641405
   * Update 01_disable_url_verify_regression_tests.diff and merge
     07_disable_url_verify_model_tests.diff into it.
   * Update patch headers to conform to DEP-3.
   * Apply patch from Steve Langasek to dynamically build the UTF-8
     locale required by the test-suite instead of build-depending on
     locales-all. Closes: #630421
   * Use "dh --with sphinxdoc" to clean up the Sphinx generated documentation
     and avoid the embedded-javascript-library lintian warning. Build-Depends
     on python-sphinx >= 1.0.7+dfsg-1 for this and also add
     ${sphinxdoc:Depends} to python-django-doc Depends field.
   * Cleanup build-dependencies now that even oldstable has python 2.5.
   * Switch to dh_python2 as python helper tool. Drop legacy files
     debian/pyversions and debian/pycompat.
   * New patch 02_disable-sources-in-sphinxdoc.diff to not generate
     the _sources directory that we used to remove manually within the rules
     file. But must be kept disabled until #641710 is fixed.
   * Properly support DEB_BUILD_OPTIONS=nocheck despite the override
     of dh_auto_test.
Checksums-Sha1: 
 1b3e821b829fe4e6f6f8f2f4f4183cf4c707bf06 2139 python-django_1.3.1-1.dsc
 fd968134c8ded38d2d9ccd2cafe865a0585aefc4 6514564 python-django_1.3.1.orig.tar.gz
 b661a0e87fb10dcbc0258a206db220a080e7fb1d 19500 python-django_1.3.1-1.debian.tar.gz
 acaec9cf3c43bc9f03bb2f640cea187faf0f9c88 4379606 python-django_1.3.1-1_all.deb
 32324456de73399b18be20d049e94d4af3eb2fdf 2948432 python-django-doc_1.3.1-1_all.deb
Checksums-Sha256: 
 22960d9f5428eacc576ba382bb42e8e668b7adfb788f7e8d5d2c266d9565a79c 2139 python-django_1.3.1-1.dsc
 af9118c4e8a063deb0b8cda901fcff2b805e7cf496c93fd43507163f3cde156b 6514564 python-django_1.3.1.orig.tar.gz
 f7f7b0776a8df0df9492f9014f1750dfb6a3717f3e8569313840a088c2f33a49 19500 python-django_1.3.1-1.debian.tar.gz
 0902a6622f2cc2cac28080fb827a0a4a1bcd232cde349da298fe901bc3255249 4379606 python-django_1.3.1-1_all.deb
 8101872a99df25374b0d0a7321d6483dceac4bebb702a8da915fe5cd963c51ea 2948432 python-django-doc_1.3.1-1_all.deb
Files: 
 b20dfedd840f891bfb8e523357bf87ab 2139 python optional python-django_1.3.1-1.dsc
 62d8642fd06b9a0bf8544178f8500767 6514564 python optional python-django_1.3.1.orig.tar.gz
 c13418163d0f07db4f8d701c2865331b 19500 python optional python-django_1.3.1-1.debian.tar.gz
 c5cb4f784a101429d0273f31c57d9bb4 4379606 python optional python-django_1.3.1-1_all.deb
 e1c8d20721fd3029e4e86dc0915ffda8 2948432 doc optional python-django-doc_1.3.1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Signed by Raphael Hertzog

iQIcBAEBCAAGBQJOcfAIAAoJEOYZBF3yrHKap88P/ibA2bNb7PrFPYVy9e7PbWdr
/ueqHhYXWM5Z/3Y7fk5lTCWblSv1xN+hfmsmFN00l1tDOcvivO9jSjsb8XIriAAG
YEG/zOKUVO/Z3NH+WlAiA8gnpf8OV4PttIlY02j5KlcuRLkN3FhbtUi8aqMVPjSK
HLunLGN+3ZAEO/o3ybqcR245NR31PCA9pZ0lnJYXupLVHEnpRDzbCzp7u+PZFgqd
4XgKd4tdHpZBPL0H6uHA5Ggr2/fwXZlLUr5wSOVPUoero1Es8PBheS05Lvc3IE+K
3zvuTikE/trhEALhcy1uz+G1r6dFxZZVG5+ZePAbJC8TXJjwFkR7CCeFbSLA4hpk
1q56cyeoFv5moyZgvuEbeVXfms5bVc2kvS/Jr+hZKTCaLeLISeKZYWKqR6bcuOG1
U2e6tx2xFNWlVoSeIQjK/0LHM7BChhA6IQyT9zQ2cDwvXA+CCGdVRFDLSLF4BCqK
yBJdzzjpOgVmM+hCnjNRhT0Js+kWVSkPUz9Ec0Qom5q+uv2FMbhXC/QZkNPfvo70
AHltat6nb8/KO5pud4ZNJc0lenmT4SZ93MHLBPyQfCyKF0/s6KNz3D9vMfkStefN
HPLIxjhd54nMXBlXaepZzSwublHC95JnRMab5i3v5xmitNHCFT2iS8iqEQBET6ms
ZPz8uRlxG7ktHyi5phSD
=OKrH
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Mon, 19 Sep 2011 07:55:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@uvt.nl>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Mon, 19 Sep 2011 07:55:03 GMT) Full text and rfc822 format available.

Message #32 received at 641405@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@uvt.nl>
To: Raphael Hertzog <hertzog@debian.org>, 641405@bugs.debian.org
Cc: Chris Lamb <lamby@debian.org>
Subject: Re: Bug#641405: several Django security issues
Date: Mon, 19 Sep 2011 09:44:11 +0200
[Message part 1 (text/plain, inline)]
Op donderdag 15 september 2011 14:57:42 schreef Raphael Hertzog:
> On Tue, 13 Sep 2011, Chris Lamb wrote:
> > Raphael Hertzog wrote:
> > 
> >
> > > Chris, will you take care of the uploads or do you need help?
> >
> > 
> >
> > Should manage to do it this evening.
> 
> Since you missed your target, I took the liberty to prepare the unstable
> upload (there was more work to do than expected, but should be ok).

Thanks!
 
> I'll let you handle the stable upload. If you can't, please tell us.

Indeed...

> Thijs, can you update the security tracker to mark oldstable as not
> vulnerable ? It has 1.0 and only versions >= 1.2 are vulnerable
> apparently.

What's the base of this conclusion? I've read upstreams announcement and they 
don't mention 1.0, but also don't explicitly say that it's not affected. Has 
it been checked that it's indeed not affected?


-- 
Thijs Kinkhorst <thijs@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Bezoekadres > Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Mon, 19 Sep 2011 08:18:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Mon, 19 Sep 2011 08:18:07 GMT) Full text and rfc822 format available.

Message #37 received at 641405@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Thijs Kinkhorst <thijs@uvt.nl>
Cc: 641405@bugs.debian.org, Chris Lamb <lamby@debian.org>, James Bennett <ubernostrum@gmail.com>
Subject: Re: Bug#641405: several Django security issues
Date: Mon, 19 Sep 2011 10:13:51 +0200
On Mon, 19 Sep 2011, Thijs Kinkhorst wrote:
> > I'll let you handle the stable upload. If you can't, please tell us.
> 
> Indeed...
> 
> > Thijs, can you update the security tracker to mark oldstable as not
> > vulnerable ? It has 1.0 and only versions >= 1.2 are vulnerable
> > apparently.
> 
> What's the base of this conclusion? I've read upstreams announcement and they 
> don't mention 1.0, but also don't explicitly say that it's not affected. Has 
> it been checked that it's indeed not affected?

The last 2 release (besides the current one) are security maintained, aka
1.1 and 1.2. Since 1.1 has not seen any update, it means it's not affected
and thus 1.0 isn't as well.

But we can verify this. I'm ccing James Bennett, the Django release
manager. Can you confirm what I said, James?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Follow my Debian News ▶ http://RaphaelHertzog.com (English)
                      ▶ http://RaphaelHertzog.fr (Français)




Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Mon, 19 Sep 2011 08:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to James Bennett <james@b-list.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Mon, 19 Sep 2011 08:45:05 GMT) Full text and rfc822 format available.

Message #42 received at 641405@bugs.debian.org (full text, mbox):

From: James Bennett <james@b-list.org>
To: Raphael Hertzog <hertzog@debian.org>, 641405@bugs.debian.org
Cc: Thijs Kinkhorst <thijs@uvt.nl>, Chris Lamb <lamby@debian.org>, James Bennett <ubernostrum@gmail.com>
Subject: Re: Bug#641405: several Django security issues
Date: Mon, 19 Sep 2011 03:43:14 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Raphael Hertzog wrote:
> The last 2 release (besides the current one) are security maintained,
> aka 1.1 and 1.2. Since 1.1 has not seen any update, it means it's not
> affected and thus 1.0 isn't as well.
> 
> But we can verify this. I'm ccing James Bennett, the Django release 
> manager. Can you confirm what I said, James?

I have a subscription that already gets me on these bugs :)

Anyway, our policy is that the most recent release (1.3) gets both
security and general bug fixes, while the release prior to it (1.2) gets
only security. We don't support anything older than that.

That means we no longer support 1.1 or earlier versions in any official
way. I'm quite certain that at least some of the security issues
(especially the URLField problems) are present in 1.1.


- -- 
James Bennett
james@b-list.org


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk53AKIACgkQNoTAwIyLKuFtxACgnI8klzgYF/4xs15na09CabT/
p4MAn2AD4shy3d64vAH60XE66nBbRpYC
=xCFW
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Mon, 03 Oct 2011 18:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@uvt.nl>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Mon, 03 Oct 2011 18:03:03 GMT) Full text and rfc822 format available.

Message #47 received at 641405@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@uvt.nl>
To: <641405@bugs.debian.org>
Cc: Raphael Hertzog <hertzog@debian.org>, Chris Lamb <lamby@debian.org>, James Bennett <ubernostrum@gmail.com>
Subject: Re: Bug#641405: several Django security issues
Date: Mon, 03 Oct 2011 20:01:10 +0200
Hi all,

On Mon, 19 Sep 2011 03:43:14 -0500, James Bennett <james@b-list.org>
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Raphael Hertzog wrote:
>> The last 2 release (besides the current one) are security maintained,
>> aka 1.1 and 1.2. Since 1.1 has not seen any update, it means it's not
>> affected and thus 1.0 isn't as well.
>> 
>> But we can verify this. I'm ccing James Bennett, the Django release 
>> manager. Can you confirm what I said, James?
> 
> I have a subscription that already gets me on these bugs :)
> 
> Anyway, our policy is that the most recent release (1.3) gets both
> security and general bug fixes, while the release prior to it (1.2) gets
> only security. We don't support anything older than that.
> 
> That means we no longer support 1.1 or earlier versions in any official
> way. I'm quite certain that at least some of the security issues
> (especially the URLField problems) are present in 1.1.

Is work in progress on updates for squeeze and lenny of Django for these
issues?


thanks,
Thijs




Added tag(s) pending. Request was from hertzog@users.alioth.debian.org to control@bugs.debian.org. (Thu, 06 Oct 2011 12:06:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Thu, 06 Oct 2011 12:30:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 06 Oct 2011 12:30:17 GMT) Full text and rfc822 format available.

Message #54 received at 641405@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Thijs Kinkhorst <thijs@uvt.nl>, 641405@bugs.debian.org
Cc: Chris Lamb <lamby@debian.org>
Subject: Re: Bug#641405: several Django security issues
Date: Thu, 6 Oct 2011 14:19:40 +0200
On Mon, 03 Oct 2011, Thijs Kinkhorst wrote:
> Is work in progress on updates for squeeze and lenny of Django for these
> issues?

I have prepared the Squeeze update. I have no way to test it since I don't
run any website with Django on top of Squeeze currently but I don't see
any reason why it shouldn't work. The extensive test suites passes.

You can grab it here:
http://people.debian.org/~hertzog/packages/python-django_1.2.3-3+squeeze2_i386.changes

(not signed, feel free to sign it and to upload it)

Note that it's based on what was in svn and not on the formeer
1.2.3-3+squeeze1 so there will a bit of noise in the debdiff but
I checked that we had the same changes (the patches in SVN have
some non regression test that the 1.2.3-3+squeeze1 upload did not have).

As for lenny, I think it's too much work given that upstream doesn't
support it any longer.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Pre-order a copy of the Debian Administrator's Handbook and help
liberate it: http://debian-handbook.info/go/ulule-rh/




Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Fri, 07 Oct 2011 08:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@uvt.nl>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Fri, 07 Oct 2011 08:45:04 GMT) Full text and rfc822 format available.

Message #59 received at 641405@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@uvt.nl>
To: Raphael Hertzog <hertzog@debian.org>
Cc: 641405@bugs.debian.org, Chris Lamb <lamby@debian.org>
Subject: Re: Bug#641405: several Django security issues
Date: Fri, 7 Oct 2011 10:41:26 +0200
[Message part 1 (text/plain, inline)]
Hi Raphaël,

Op donderdag 6 oktober 2011 14:19:40 schreef Raphael Hertzog:
> On Mon, 03 Oct 2011, Thijs Kinkhorst wrote:
> > Is work in progress on updates for squeeze and lenny of Django for these
> > issues?
> 
> I have prepared the Squeeze update. I have no way to test it since I don't
> run any website with Django on top of Squeeze currently but I don't see
> any reason why it shouldn't work. The extensive test suites passes.

I've installed it on a test server, can conclude that it doesn't completely go 
down in flames but we cannot really test it until Monday.

> As for lenny, I think it's too much work given that upstream doesn't
> support it any longer.

We kind of promised our users that Lenny would be security supported for one 
year after the squeeze release. But we'll have to see what we can do about 
this.


-- 
Thijs Kinkhorst <thijs@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Bezoekadres > Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Tue, 11 Oct 2011 08:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@uvt.nl>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Tue, 11 Oct 2011 08:18:05 GMT) Full text and rfc822 format available.

Message #64 received at 641405@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@uvt.nl>
To: 641405@bugs.debian.org
Cc: Raphael Hertzog <hertzog@debian.org>, Chris Lamb <lamby@debian.org>, team@security.debian.org
Subject: Re: Bug#641405: several Django security issues
Date: Tue, 11 Oct 2011 10:15:33 +0200
[Message part 1 (text/plain, inline)]
Hi Raphaël,

Op vrijdag 7 oktober 2011 10:41:26 schreef Thijs Kinkhorst:
> > 
> >
> > I have prepared the Squeeze update. I have no way to test it since I
> > don't run any website with Django on top of Squeeze currently but I
> > don't see any reason why it shouldn't work. The extensive test suites
> > passes.
> 
> I've installed it on a test server, can conclude that it doesn't completely
> go  down in flames but we cannot really test it until Monday.

OK, we did some testing in our setup and nothing breaks.
 
> > As for lenny, I think it's too much work given that upstream doesn't
> > support it any longer.
> 
> We kind of promised our users that Lenny would be security supported for
> one  year after the squeeze release. But we'll have to see what we can do
> about this.

See here a user response to dealing with Lenny in such an ad hoc way:
http://lists.debian.org/debian-security/2011/10/msg00048.html

-- 
Thijs Kinkhorst <thijs@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Bezoekadres > Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Thu, 27 Oct 2011 17:51:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul van der Vlis <paul@vandervlis.nl>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 27 Oct 2011 17:51:05 GMT) Full text and rfc822 format available.

Message #69 received at 641405@bugs.debian.org (full text, mbox):

From: Paul van der Vlis <paul@vandervlis.nl>
To: 641405@bugs.debian.org
Subject: Re: Bug#641405: several Django security issues
Date: Thu, 27 Oct 2011 19:43:14 +0200
Hello,

How is it with this bug? I did not see a security update in Squeeze.

I understand there is a diskussion about a fix for Lenny, but Squeeze is
more important in my opinion. I think Django in Lenny is not much used
anymore.

What about a: "There is no Lenny security fix at the moment. If you use
Lenny and upgrading to Squeeze is really a problem, please drop a mail
at the security mailinglist. Making this fix is a lot of work, we will
only do it when there are enough people who really need it."

With regards,
Paul.


-- 
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl




Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Thu, 27 Oct 2011 18:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 27 Oct 2011 18:48:03 GMT) Full text and rfc822 format available.

Message #74 received at 641405@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Paul van der Vlis <paul@vandervlis.nl>, 641405@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#641405: several Django security issues
Date: Thu, 27 Oct 2011 20:45:11 +0200
On Thu, 27 Oct 2011, Paul van der Vlis wrote:
> How is it with this bug? I did not see a security update in Squeeze.

I did upload my updated package to the security archive after Thijs
confirmed it being good but I haven't heard back since then.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Pre-order a copy of the Debian Administrator's Handbook and help
liberate it: http://debian-handbook.info/go/ulule-rh/




Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Thu, 27 Oct 2011 19:42:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@uvt.nl>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 27 Oct 2011 19:42:06 GMT) Full text and rfc822 format available.

Message #79 received at 641405@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@uvt.nl>
To: Paul van der Vlis <paul@vandervlis.nl>, <641405@bugs.debian.org>
Subject: Re: Bug#641405: several Django security issues
Date: Thu, 27 Oct 2011 21:40:28 +0200
On Thu, 27 Oct 2011 19:43:14 +0200, Paul van der Vlis <paul@vandervlis.nl>
wrote:
> Hello,
> 
> How is it with this bug? I did not see a security update in Squeeze.

We still need a fix for Lenny indeed.

> I understand there is a diskussion about a fix for Lenny, but Squeeze is
> more important in my opinion. I think Django in Lenny is not much used
> anymore.

Where do you base this assertion on?

> What about a: "There is no Lenny security fix at the moment. If you use
> Lenny and upgrading to Squeeze is really a problem, please drop a mail
> at the security mailinglist. Making this fix is a lot of work, we will
> only do it when there are enough people who really need it."

I don't rule that strategy out, but do we have concrete info that it's
indeed an unreasonable amount of work?
I would want to check it out but that will be next week.


-- 
Thijs Kinkhorst <thijs@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services
Bezoekadres > Warandelaan 2 • Tel. 013 466 3035 • G 236




Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Thu, 27 Oct 2011 20:54:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul van der Vlis <paul@vandervlis.nl>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 27 Oct 2011 20:54:06 GMT) Full text and rfc822 format available.

Message #84 received at 641405@bugs.debian.org (full text, mbox):

From: Paul van der Vlis <paul@vandervlis.nl>
To: Thijs Kinkhorst <thijs@uvt.nl>, 641405@bugs.debian.org
Subject: Re: Bug#641405: several Django security issues
Date: Thu, 27 Oct 2011 22:51:29 +0200
Op 27-10-11 21:40, Thijs Kinkhorst schreef:
> 
> On Thu, 27 Oct 2011 19:43:14 +0200, Paul van der Vlis <paul@vandervlis.nl>
> wrote:
>> Hello,
>>
>> How is it with this bug? I did not see a security update in Squeeze.
> 
> We still need a fix for Lenny indeed.
> 
>> I understand there is a diskussion about a fix for Lenny, but Squeeze is
>> more important in my opinion. I think Django in Lenny is not much used
>> anymore.
> 
> Where do you base this assertion on?

Because it's a relative new platform. The newer version in Squeeze is
much better then the version in Lenny. I think in such a case people
will upgrade fast or use packages from upstream (Python eggs).

Hmm, in popcon I don't see how many people are using the Lenny-version.
That would be a nice extra feature...

>> What about a: "There is no Lenny security fix at the moment. If you use
>> Lenny and upgrading to Squeeze is really a problem, please drop a mail
>> at the security mailinglist. Making this fix is a lot of work, we will
>> only do it when there are enough people who really need it."
> 
> I don't rule that strategy out, but do we have concrete info that it's
> indeed an unreasonable amount of work?

The only info I have about it, is from this bug.

> I would want to check it out but that will be next week.

Wish you good luck!

With regards,
Paul.


-- 
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl




Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Fri, 28 Oct 2011 07:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Fri, 28 Oct 2011 07:18:03 GMT) Full text and rfc822 format available.

Message #89 received at 641405@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Thijs Kinkhorst <thijs@uvt.nl>, 641405@bugs.debian.org
Cc: Paul van der Vlis <paul@vandervlis.nl>
Subject: Re: Bug#641405: several Django security issues
Date: Fri, 28 Oct 2011 09:15:22 +0200
Hi,

On Thu, 27 Oct 2011, Thijs Kinkhorst wrote:
> > What about a: "There is no Lenny security fix at the moment. If you use
> > Lenny and upgrading to Squeeze is really a problem, please drop a mail
> > at the security mailinglist. Making this fix is a lot of work, we will
> > only do it when there are enough people who really need it."
> 
> I don't rule that strategy out, but do we have concrete info that it's
> indeed an unreasonable amount of work?

Since you insist, I looked into it and backporting the patches was a
reasonable amount of work... I uploaded
python-django_1.0.2-1+lenny3_i386.changes to oldstable-security and also
here:
http://people.debian.org/~hertzog/packages/python-django_1.0.2-1+lenny3_i386.changes

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Pre-order a copy of the Debian Administrator's Handbook and help
liberate it: http://debian-handbook.info/go/ulule-rh/




Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#641405; Package python-django. (Sat, 29 Oct 2011 05:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@uvt.nl>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Sat, 29 Oct 2011 05:39:04 GMT) Full text and rfc822 format available.

Message #94 received at 641405@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@uvt.nl>
To: Raphael Hertzog <hertzog@debian.org>, <641405@bugs.debian.org>
Cc: Paul van der Vlis <paul@vandervlis.nl>
Subject: Re: Bug#641405: several Django security issues
Date: Sat, 29 Oct 2011 07:34:43 +0200
On Fri, 28 Oct 2011 09:15:22 +0200, Raphael Hertzog <hertzog@debian.org>
wrote:
> Since you insist, I looked into it and backporting the patches was a
> reasonable amount of work... I uploaded
> python-django_1.0.2-1+lenny3_i386.changes to oldstable-security and also
> here:
>
http://people.debian.org/~hertzog/packages/python-django_1.0.2-1+lenny3_i386.changes

Great! This is really useful.


-- 
Thijs Kinkhorst <thijs@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services
Bezoekadres > Warandelaan 2 • Tel. 013 466 3035 • G 236




Reply sent to Raphael Hertzog <hertzog@debian.org>:
You have taken responsibility. (Sat, 29 Oct 2011 19:57:10 GMT) Full text and rfc822 format available.

Notification sent to "Thijs Kinkhorst" <thijs@debian.org>:
Bug acknowledged by developer. (Sat, 29 Oct 2011 19:57:10 GMT) Full text and rfc822 format available.

Message #99 received at 641405-close@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: 641405-close@bugs.debian.org
Subject: Bug#641405: fixed in python-django 1.0.2-1+lenny3
Date: Sat, 29 Oct 2011 19:53:24 +0000
Source: python-django
Source-Version: 1.0.2-1+lenny3

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:

python-django_1.0.2-1+lenny3.diff.gz
  to main/p/python-django/python-django_1.0.2-1+lenny3.diff.gz
python-django_1.0.2-1+lenny3.dsc
  to main/p/python-django/python-django_1.0.2-1+lenny3.dsc
python-django_1.0.2-1+lenny3_all.deb
  to main/p/python-django/python-django_1.0.2-1+lenny3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 641405@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Hertzog <hertzog@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 28 Oct 2011 08:47:50 +0200
Source: python-django
Binary: python-django
Architecture: source all
Version: 1.0.2-1+lenny3
Distribution: oldstable-security
Urgency: low
Maintainer: Brett Parker <iDunno@sommitrealweird.co.uk>
Changed-By: Raphael Hertzog <hertzog@debian.org>
Description: 
 python-django - A high-level Python Web framework
Closes: 641405
Changes: 
 python-django (1.0.2-1+lenny3) oldstable-security; urgency=low
 .
   * Security upload:
     https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
   * Backport the 3 patches provided for Django 1.2 to the old 1.0 version
     provided in Debian Lenny.
     Closes: #641405
Checksums-Sha1: 
 2d7b36e66f51e7955ca3aec0d15fda469d0d6d4e 2282 python-django_1.0.2-1+lenny3.dsc
 6e4fc41dc20366bbdb3f8be7809616c5d8360151 17501 python-django_1.0.2-1+lenny3.diff.gz
 d5e43910b8bd4b44cd77e0798d8ca17be956e5be 4770238 python-django_1.0.2-1+lenny3_all.deb
Checksums-Sha256: 
 e2a0400ddcc49a536ac9a7262d62ff172fd58abf0d124869e7802d3e0a10475a 2282 python-django_1.0.2-1+lenny3.dsc
 c1e3815883a6cc838b30e5070e97dfa22c2fa885e697f04e9a1966b7e29c6f8e 17501 python-django_1.0.2-1+lenny3.diff.gz
 9ee992bbd63a42327d04e4c3bcab10f376044f232a46a846605fc2084cf6bc20 4770238 python-django_1.0.2-1+lenny3_all.deb
Files: 
 de4f0c8e257d7de7b2b836362505b243 2282 python optional python-django_1.0.2-1+lenny3.dsc
 23950fd4bec0975a7b06a6eec92bde8d 17501 python optional python-django_1.0.2-1+lenny3.diff.gz
 864563f23d7ca58d820e679a27fa5afc 4770238 python optional python-django_1.0.2-1+lenny3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Signed by Raphael Hertzog

iQIcBAEBCAAGBQJOqlV1AAoJEOYZBF3yrHKa8y0P/0/2gKk9Lk9Dxmoc9lxDkHOF
KiXyrZO3gPwVSXCb0JgKm4Uhq1aEfvaIi7YGDP9NJAjhwabkA6Oa+fyyo3ak2/D+
AVUeYPa7vRbyi7sVUeKqVH/M5up7RXnNUGqqzn6DZs53qH0fbxXNkzOJDNdEAmLp
dGKkuiZFH0e6haf+YSs7cMSbC18UHubBjGtEyTVpNyuZ3HZRItKzRgKFceEWBJv3
D3GgKloLoHNarj3+QQeaMrxQyl4SnOZyDyPfB34tG2j/sjsXCzrKM9AgtJlt5b9a
rIF8IrnY/oPCFzNUERKEO43gs6cCwewullQlLUT2jGEZWPNATq/hXKbIstXc5Fm8
CFkhmcfJoqV9JNesAzKP4EF2HB1conMjwwNuguYg/rbk7ZrAs8JrBtUfmA8A631M
gfUE0qQpni9XoBiG/60zY3PwyHuwVAdpdHjgk3yu5Y6HjlifGPJWbbejscE7m8i3
GiEEKmnO7fymaWJZ0HDka7Fn9+7Zu1uR3sEX76dQBhsCxvRENDMj4Vglus0A5iA1
yh1+GknHCXEPOU8VJDTyRjAMITx390utbqh5Su5NRI5m4ekUWM2YYjSXg7MWxD6W
3pWP2EmCXz5DhvOKltgz8o3Wmo+pPg/l06UJYoi/rLapdzxoQ+uP1d3b7DgxHNmO
JJuOOftf+BdjBcDZVlLN
=wQpu
-----END PGP SIGNATURE-----





Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Sat, 29 Oct 2011 19:57:12 GMT) Full text and rfc822 format available.

Notification sent to "Thijs Kinkhorst" <thijs@debian.org>:
Bug acknowledged by developer. (Sat, 29 Oct 2011 19:57:12 GMT) Full text and rfc822 format available.

Message #104 received at 641405-close@bugs.debian.org (full text, mbox):

From: Raphaël Hertzog <hertzog@debian.org>
To: 641405-close@bugs.debian.org
Subject: Bug#641405: fixed in python-django 1.2.3-3+squeeze2
Date: Sat, 29 Oct 2011 19:53:26 +0000
Source: python-django
Source-Version: 1.2.3-3+squeeze2

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:

python-django-doc_1.2.3-3+squeeze2_all.deb
  to main/p/python-django/python-django-doc_1.2.3-3+squeeze2_all.deb
python-django_1.2.3-3+squeeze2.debian.tar.gz
  to main/p/python-django/python-django_1.2.3-3+squeeze2.debian.tar.gz
python-django_1.2.3-3+squeeze2.dsc
  to main/p/python-django/python-django_1.2.3-3+squeeze2.dsc
python-django_1.2.3-3+squeeze2_all.deb
  to main/p/python-django/python-django_1.2.3-3+squeeze2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 641405@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 06 Oct 2011 12:20:30 +0200
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.2.3-3+squeeze2
Distribution: stable-security
Urgency: low
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 641405
Changes: 
 python-django (1.2.3-3+squeeze2) stable-security; urgency=low
 .
   * Stable security upload:
     https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
   * Apply/backport the 3 security patches:
     - debian/patches/13_fix_safety_issue_with_session_data.diff
     - debian/patches/14_fix_dos_with_urlfield.diff
     - debian/patches/15_fix_spoofing_issue_with_x_forwarded_host.diff
     Closes: #641405
Checksums-Sha1: 
 e8b728de85d334e7fd6e0f853ffceeceaab76767 2214 python-django_1.2.3-3+squeeze2.dsc
 545ac4cbf8c0dd4d5e7d41112784817b4bd5505b 28403 python-django_1.2.3-3+squeeze2.debian.tar.gz
 60968834b55e4a8b5bd7c86d523568f7e1c9a4b0 4239356 python-django_1.2.3-3+squeeze2_all.deb
 1d4a77872b38562e17ab75177f7de92e6f77ea08 1903840 python-django-doc_1.2.3-3+squeeze2_all.deb
Checksums-Sha256: 
 56a3c3b6f6aa28f25b87ab207eb7a750a6777eaed6e64e3fbc7379f636731418 2214 python-django_1.2.3-3+squeeze2.dsc
 88daa2ce089effd2f7ed1eceae948f83baaf76fce735f0612192ed6ed166e848 28403 python-django_1.2.3-3+squeeze2.debian.tar.gz
 cb483197afe9f2ac40a847b77754d3cc2f2ba8663a19a53e664b1ef4626b1f03 4239356 python-django_1.2.3-3+squeeze2_all.deb
 536d2671884ee1a6736a6d8d6e26839cc3125d129d045e554700c1521a40fa13 1903840 python-django-doc_1.2.3-3+squeeze2_all.deb
Files: 
 f22de39ad2b31db364683028e21aac67 2214 python optional python-django_1.2.3-3+squeeze2.dsc
 b9c5b0981589d83ce0a6ba6924181651 28403 python optional python-django_1.2.3-3+squeeze2.debian.tar.gz
 07f1df0d4abbfffb2db5b23e84c0d623 4239356 python optional python-django_1.2.3-3+squeeze2_all.deb
 1ba01f825a03e42ac896999507b25117 1903840 doc optional python-django-doc_1.2.3-3+squeeze2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Signed by Raphael Hertzog

iQIcBAEBCAAGBQJOlTmjAAoJEOYZBF3yrHKa8RkP/27HydJ4d3VLWDQxUehRnIDm
a1D4tHn4H8iUBKEG9SnCAwSnMnUtxLdO7MsDgCNmDHca2UeXmpJTFLzZEzG3ziTf
2vnqp0WD2z2MiVJ/lHMMSw09x/8M/ivOE+aDKyxfQhXX/mqk19kOP1n4mltsLjbA
AxOoRWHR+shCVULzt+mkMgm9eg1SfEYNZclfkN4tggBPqf9UPtD8yKjNpYM5P3tK
JhkKLIB92jz2IEjf2dRuRnPEdJdDm1dYRccHyx4CwBqYU9PetDHY9W8LFZ8eMe+u
5m/8EQ4NGcwrNfTf709ekL4oe72joDiPtTPgXh2jJiX5BswRh8v6uqYqz/98LQzh
dQKaPDtFbB5Y6rzOmiez2u9PDitwzRQaEFdmPfGKYicLqz29yq5yn7MsUvqvD1VS
BzSGBnYiNfnNyxtpP4hMIIQf8Sh9m3IAZmHn/DgdAN4zbWc1Y7l/nt1G8Jquggj+
aBv1gQv+NsfP2MVUijKgJnPkPNnajrLepKsc9+DoImsgKD2sh967FkmJlR/bfwb3
3C4I0IFzxKnRlfDvAdrJbAERs4quDrOcEZ/LjYPnIaAX2REILti/pkt9CK0GtY9j
mq9pljk30FQLHjkZE2Ai4VKZ/fbit57zb7YN1qhtDZnndtS3kYfWIX9Ifp/8K1tU
QQ+OAodTP1swbwYsmwDJ
=IgkH
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Jan 2012 07:33:02 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 11:32:17 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.