Debian Bug report logs - #683364
CVE-2012-3442/CVE-2012-3443/CVE-2012-3444: Django 1.3.1 and 1.4.0 security issues


Package: python-django; Maintainer for python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Source for python-django is src:python-django.

Reported by: Henri Salo <henri@nerv.fi>

Date: Tue, 31 Jul 2012 06:03:02 UTC

Severity: grave

Tags: security

Found in versions python-django/1.4-1, python-django/1.2.3-3+squeeze2

Fixed in versions python-django/1.4.1-1, python-django/1.2.3-3+squeeze3

Done: Raphaël Hertzog <hertzog@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#683364; Package python-django. (Tue, 31 Jul 2012 06:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Chris Lamb <lamby@debian.org>. (Tue, 31 Jul 2012 06:03:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: CVE-2012-3442/CVE-2012-3443/CVE-2012-3444: Django 1.3.1 and 1.4.0 security issues
Date: Tue, 31 Jul 2012 08:53:58 +0300
Package: python-django
Version: 1.4-1
Severity: important
Tags: security

https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
http://www.openwall.com/lists/oss-security/2012/07/31/1
http://www.openwall.com/lists/oss-security/2012/07/31/2

- Henri Salo



Marked as found in versions python-django/1.2.3-3+squeeze2. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 31 Jul 2012 06:15:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#683364; Package python-django. (Wed, 01 Aug 2012 18:12:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to James Bennett <james@b-list.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Wed, 01 Aug 2012 18:12:06 GMT) Full text and rfc822 format available.

Message #12 received at 683364@bugs.debian.org (full text, mbox):

From: James Bennett <james@b-list.org>
To: 683364@bugs.debian.org
Subject: New release coming
Date: Wed, 01 Aug 2012 13:09:27 -0500
As a heads-up: a bug affecting Python 2.4 compatibility was found in the
1.3.2 package, and we will be issuing a 1.3.3 release based on that. The
relevant commit is visible here:

https://github.com/django/django/commit/d0d5dc6cd76f01c8a71b677357ad2f702cb54416

And the 1.3.3 release will likely occur within 24 hours.





Added tag(s) pending. Request was from hertzog@users.alioth.debian.org to control@bugs.debian.org. (Thu, 02 Aug 2012 08:54:03 GMT) Full text and rfc822 format available.

Severity set to 'grave' from 'important' Request was from Raphaël Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Thu, 02 Aug 2012 09:15:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#683364; Package python-django. (Thu, 02 Aug 2012 09:57:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 09:57:06 GMT) Full text and rfc822 format available.

Message #21 received at 683364@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Henri Salo <henri@nerv.fi>, 683364@bugs.debian.org
Subject: Re: Bug#683364: CVE-2012-3442/CVE-2012-3443/CVE-2012-3444: Django 1.3.1 and 1.4.0 security issues
Date: Thu, 2 Aug 2012 11:45:42 +0200
[Message part 1 (text/plain, inline)]
Hi,

On Tue, 31 Jul 2012, Henri Salo wrote:
> https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/

I wanted to quickly upload 1.4.1 to sid but the test suite fails with
many errors every time that it has to parse some HTML (at least when
building with sbuild). I suspect that the problem might be external to
Django... but it still needs to be resolved. If anyone has the time to
look into it, it would be appreciated.

http://people.debian.org/~hertzog/packages/python-django_1.4.1-1.dsc
(it's in svn too)

If the problem is indeed not in Django, then we can temporarily disable
the test suite and upload the package.

I attach my failed build log for reference. Now I'll go prepare the stable
upload in the meantime.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
[build-log.txt.gz (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#683364; Package python-django. (Thu, 02 Aug 2012 10:24:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 10:24:06 GMT) Full text and rfc822 format available.

Message #26 received at 683364@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Henri Salo <henri@nerv.fi>, 683364@bugs.debian.org
Subject: Re: Bug#683364: CVE-2012-3442/CVE-2012-3443/CVE-2012-3444: Django 1.3.1 and 1.4.0 security issues
Date: Thu, 2 Aug 2012 12:19:58 +0200
On Thu, 02 Aug 2012, Raphael Hertzog wrote:
> If the problem is indeed not in Django, then we can temporarily disable
> the test suite and upload the package.

I just tried to build the current python-django 1.4-1 in Debian Sid and it
also failed. So this tends to confirm that something else broke Django's
test suite (since the test suite worked when I uploaded 1.4-1 to sid).

Now we need to find the culprit (and fix it or work-around it).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#683364; Package python-django. (Thu, 02 Aug 2012 10:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 10:45:03 GMT) Full text and rfc822 format available.

Message #31 received at 683364@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Henri Salo <henri@nerv.fi>, 683364@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#683364: CVE-2012-3442/CVE-2012-3443/CVE-2012-3444: Django 1.3.1 and 1.4.0 security issues
Date: Thu, 2 Aug 2012 12:41:53 +0200
Hi,

On Thu, 02 Aug 2012, Raphael Hertzog wrote:
> I attach my failed build log for reference. Now I'll go prepare the stable
> upload in the meantime.

The stable update is ready here. Henri, please test it and report back
whether it works well for you.

http://people.debian.org/~hertzog/packages/python-django_1.2.3-3+squeeze3_i386.changes

I'm ccing the release team to let them know about this security update.
Here are the relevant infos:
- stable is affected (fix in 1.2.3-3+squeeze3)
- wheezy/unstable is affected (fix in 1.4.1-1)

Please let me know whether I can proceed with the upload (once Henri
confirmed that it worked well for him).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Thu, 02 Aug 2012 12:06:08 GMT) Full text and rfc822 format available.

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Thu, 02 Aug 2012 12:06:08 GMT) Full text and rfc822 format available.

Message #36 received at 683364-close@bugs.debian.org (full text, mbox):

From: Raphaël Hertzog <hertzog@debian.org>
To: 683364-close@bugs.debian.org
Subject: Bug#683364: fixed in python-django 1.4.1-1
Date: Thu, 02 Aug 2012 12:03:02 +0000
Source: python-django
Source-Version: 1.4.1-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683364@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 02 Aug 2012 10:44:02 +0200
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.4.1-1
Distribution: unstable
Urgency: low
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 683364
Changes: 
 python-django (1.4.1-1) unstable; urgency=low
 .
   * New upstream security and maintenance release. Closes: #683364
     Fixes: CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
   * Drop 01_disable_broken_test.diff and 04_hyphen-manpage.diff which
     have been merged upstream.





Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#683364; Package python-django. (Thu, 02 Aug 2012 12:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 12:12:03 GMT) Full text and rfc822 format available.

Message #41 received at 683364@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Henri Salo <henri@nerv.fi>, 683364@bugs.debian.org
Cc: python2.7@packages.debian.org
Subject: Re: Bug#683364: CVE-2012-3442/CVE-2012-3443/CVE-2012-3444: Django 1.3.1 and 1.4.0 security issues
Date: Thu, 2 Aug 2012 14:08:23 +0200
On Thu, 02 Aug 2012, Raphael Hertzog wrote:
> On Thu, 02 Aug 2012, Raphael Hertzog wrote:
> > If the problem is indeed not in Django, then we can temporarily disable
> > the test suite and upload the package.
> 
> I just tried to build the current python-django 1.4-1 in Debian Sid and it
> also failed. So this tends to confirm that something else broke Django's
> test suite (since the test suite worked when I uploaded 1.4-1 to sid).
> 
> Now we need to find the culprit (and fix it or work-around it).

Apparently the build works fine in wheezy so I have built it in wheezy and
uploaded it in sid.

sid and wheezy differ in their python2.7 version: 2.7.3-2 vs 2.7.3~rc2-2.1

So the regression might be between those two versions.

Doko, python-django test suite fails in sid but not in wheezy. The failure
looks like a HTMLParser regression. Do you know of any possible regression
in python 2.7.3 about this?

I see in the upstream changelog a “- Issue #14538: HTMLParser can now
parse correctly start tags that contain a bare '/'.” maybe this could be
related?

I also found https://code.djangoproject.com/ticket/18239 which might imply
that Django is relying on some internals of HTMLParser so it would
actually be a bug in Django in that case...

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#683364; Package python-django. (Thu, 02 Aug 2012 12:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to David Watson <david@planetwatson.co.uk>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 12:21:03 GMT) Full text and rfc822 format available.

Message #46 received at 683364@bugs.debian.org (full text, mbox):

From: David Watson <david@planetwatson.co.uk>
To: Raphael Hertzog <hertzog@debian.org>, 683364@bugs.debian.org
Subject: Re: Bug#683364: CVE-2012-3442/CVE-2012-3443/CVE-2012-3444: Django 1.3.1 and 1.4.0 security issues
Date: Thu, 2 Aug 2012 13:16:03 +0100
[Message part 1 (text/plain, inline)]
On 2 August 2012 13:08, Raphael Hertzog <hertzog@debian.org> wrote:

> On Thu, 02 Aug 2012, Raphael Hertzog wrote:
> > On Thu, 02 Aug 2012, Raphael Hertzog wrote:
> > > If the problem is indeed not in Django, then we can temporarily disable
> > > the test suite and upload the package.
> >
> > I just tried to build the current python-django 1.4-1 in Debian Sid and
> it
> > also failed. So this tends to confirm that something else broke Django's
> > test suite (since the test suite worked when I uploaded 1.4-1 to sid).
> >
> > Now we need to find the culprit (and fix it or work-around it).
>
> Apparently the build works fine in wheezy so I have built it in wheezy and
> uploaded it in sid.
>
> sid and wheezy differ in their python2.7 version: 2.7.3-2 vs 2.7.3~rc2-2.1
>
> So the regression might be between those two versions.
>
> Doko, python-django test suite fails in sid but not in wheezy. The failure
> looks like a HTMLParser regression. Do you know of any possible regression
> in python 2.7.3 about this?
>
> I see in the upstream changelog a “- Issue #14538: HTMLParser can now
> parse correctly start tags that contain a bare '/'.” maybe this could be
> related?
>
> I also found https://code.djangoproject.com/ticket/18239 which might imply
> that Django is relying on some internals of HTMLParser so it would
> actually be a bug in Django in that case...
>
> I was just looking into this and these are the changes in HTMLParser.py

diff ../HTMLParser.py-old ../HTMLParser.py
25c25
< tagfind = re.compile('[a-zA-Z][-.a-zA-Z0-9:_]*')
---
> tagfind = re.compile('([a-zA-Z][-.a-zA-Z0-9:_]*)(?:\s|/(?!>))*')
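Review bot: the replacement tagfind at 25c25 is a plain (non-raw) string literal, `'([a-zA-Z][-.a-zA-Z0-9:_]*)(?:\s|/(?!>))*'`; `\s` only survives because Python passes unknown escapes through unchanged, so an `r'...'` literal, as already used for the attrfind line in the next hunk, would be safer. The more important point is that the trailing `(?:\s|/(?!>))*` group now makes the match end extend past the tag name, so any caller that derives the name from the match end rather than from group 1 gets trailing whitespace or '/' included in it.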
31c31
<     r'[\s/]*((?<=[\'"\s/])[^\s/>][^\s/=>]*)(\s*=+\s*'
---
>     r'((?<=[\'"\s/])[^\s/>][^\s/=>]*)(\s*=+\s*'
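Review bot: the 31c31 change is only correct together with the 25c25 change: dropping the leading `[\s/]*` from attrfind is safe because the new tagfind already consumes the whitespace and bare '/' between the tag name and the first attribute, and the remaining lookbehind `(?<=[\'"\s/])` still assumes the attribute search begins right after one of those separators. A local copy of either line (for instance in a vendored HTMLParser, as this thread suspects for Django) has to take both hunks or neither.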
292c292
<         self.lasttag = tag = rawdata[i+1:k].lower()
---
>         self.lasttag = tag = match.group(1).lower()
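Review bot: `match.group(1)` at 292c292 is the line a subclass is most likely to have copied in its old form, and the old `rawdata[i+1:k]` slice keeps working without any exception under the old regex while silently returning a name with trailing whitespace or '/' under the new one ('br ' for `<br />`), which is consistent with the HTML-parsing test failures reported earlier in this log. A check that `tag` contains no whitespace or '/' before it is assigned to `self.lasttag` would make such a mismatch visible instead of letting it propagate into tag lookups.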

-- 
David Watson
dwatson@debian.org
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#683364; Package python-django. (Thu, 02 Aug 2012 14:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to David Watson <david@planetwatson.co.uk>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 14:00:03 GMT) Full text and rfc822 format available.

Message #51 received at 683364@bugs.debian.org (full text, mbox):

From: David Watson <david@planetwatson.co.uk>
To: Raphael Hertzog <hertzog@debian.org>, 683364@bugs.debian.org
Subject: Re: Bug#683364: CVE-2012-3442/CVE-2012-3443/CVE-2012-3444: Django 1.3.1 and 1.4.0 security issues
Date: Thu, 2 Aug 2012 14:56:46 +0100
[Message part 1 (text/plain, inline)]
I have just successfully built the package under python 2.7.3 by using the
HTMLParser from python rather than Django's version.

-- 
David Watson
dwatson@debian.org

On 2 August 2012 13:16, David Watson <david@planetwatson.co.uk> wrote:

> On 2 August 2012 13:08, Raphael Hertzog <hertzog@debian.org> wrote:
>
>> On Thu, 02 Aug 2012, Raphael Hertzog wrote:
>> > On Thu, 02 Aug 2012, Raphael Hertzog wrote:
>> > > If the problem is indeed not in Django, then we can temporarily
>> disable
>> > > the test suite and upload the package.
>> >
>> > I just tried to build the current python-django 1.4-1 in Debian Sid and
>> it
>> > also failed. So this tends to confirm that something else broke Django's
>> > test suite (since the test suite worked when I uploaded 1.4-1 to sid).
>> >
>> > Now we need to find the culprit (and fix it or work-around it).
>>
>> Apparently the build works fine in wheezy so I have built it in wheezy and
>> uploaded it in sid.
>>
>> sid and wheezy differ in their python2.7 version: 2.7.3-2 vs 2.7.3~rc2-2.1
>>
>> So the regression might be between those two versions.
>>
>> Doko, python-django test suite fails in sid but not in wheezy. The failure
>> looks like a HTMLParser regression. Do you know of any possible regression
>> in python 2.7.3 about this?
>>
>> I see in the upstream changelog a “- Issue #14538: HTMLParser can now
>> parse correctly start tags that contain a bare '/'.” maybe this could be
>> related?
>>
>> I also found https://code.djangoproject.com/ticket/18239 which might
>> imply
>> that Django is relying on some internals of HTMLParser so it would
>> actually be a bug in Django in that case...
>>
>> I was just looking into this and these are the changes in HTMLParser.py
>
> diff ../HTMLParser.py-old ../HTMLParser.py
> 25c25
> < tagfind = re.compile('[a-zA-Z][-.a-zA-Z0-9:_]*')
> ---
> > tagfind = re.compile('([a-zA-Z][-.a-zA-Z0-9:_]*)(?:\s|/(?!>))*')
> 31c31
> <     r'[\s/]*((?<=[\'"\s/])[^\s/>][^\s/=>]*)(\s*=+\s*'
> ---
> >     r'((?<=[\'"\s/])[^\s/>][^\s/=>]*)(\s*=+\s*'
> 292c292
> <         self.lasttag = tag = rawdata[i+1:k].lower()
> ---
> >         self.lasttag = tag = match.group(1).lower()
>
> --
> David Watson
> dwatson@debian.org
>
[Message part 2 (text/html, inline)]
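Added example, not code from this bug log, Python or Django: it runs the two tagfind patterns quoted in the diff above against constructed start tags and shows why a caller that computes the tag name as `rawdata[i+1:k]` (the old line of the 292c292 hunk) breaks under the Python 2.7.3 pattern while `match.group(1)` does not. It assumes, as this thread suspects of Django's vendored parser, that the module-level regex changed underneath a caller that still slices by match end.

```python
import re

# The two module-level start-tag patterns quoted in the diff earlier in this
# bug log: the pre-2.7.3 one and the Python 2.7.3 replacement (Issue #14538,
# start tags containing a bare '/').
TAGFIND_OLD = re.compile(r'[a-zA-Z][-.a-zA-Z0-9:_]*')
TAGFIND_NEW = re.compile(r'([a-zA-Z][-.a-zA-Z0-9:_]*)(?:\s|/(?!>))*')

# Constructed sample start tags; rawdata[i] is the '<' at position 0.
SAMPLES = ['<div>', '<br/>', '<br />', '<img src="x"/>', '<a/ href="x">']


def tag_by_slice(tagfind, rawdata, i=0):
    """Old-style caller (the '<' line of the 292c292 hunk): the tag name is the
    text between '<' and the end of the regex match. Only correct while the
    regex stops right after the name, which the old pattern did."""
    match = tagfind.match(rawdata, i + 1)
    if match is None:
        return None
    k = match.end()
    return rawdata[i + 1:k].lower()


def tag_by_group(tagfind, rawdata, i=0):
    """New-style caller (the '>' line of that hunk): use the captured name, so
    whatever the pattern consumes after it cannot leak into the tag."""
    match = tagfind.match(rawdata, i + 1)
    if match is None:
        return None
    # The old pattern has no capturing group; fall back to the whole match.
    name = match.group(1) if match.re.groups else match.group(0)
    return name.lower()


def incompatible_inputs(samples):
    """Start tags for which a caller that keeps slicing by match end gets a
    different (wrong) name under the new pattern than under the old one."""
    return [s for s in samples
            if tag_by_slice(TAGFIND_NEW, s) != tag_by_slice(TAGFIND_OLD, s)]


def group_matches_old(samples):
    """True when reading group(1) under the new pattern reproduces the old
    behaviour for every sample, i.e. the 292c292 line is the right fix."""
    return all(tag_by_group(TAGFIND_NEW, s) == tag_by_slice(TAGFIND_OLD, s)
               for s in samples)


if __name__ == '__main__':
    for s in SAMPLES:
        print('%-16s old-slice=%-7r new-slice=%-7r new-group=%r' % (
            s, tag_by_slice(TAGFIND_OLD, s), tag_by_slice(TAGFIND_NEW, s),
            tag_by_group(TAGFIND_NEW, s)))
    print('broken by slicing:', incompatible_inputs(SAMPLES))
```

Only `<br/>` (slash directly followed by `>`) survives the slicing approach unchanged; every tag with whitespace or a bare `/` after the name comes back with those characters attached.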

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#683364; Package python-django. (Thu, 02 Aug 2012 14:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 14:15:03 GMT) Full text and rfc822 format available.

Message #56 received at 683364@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: David Watson <david@planetwatson.co.uk>
Cc: 683364@bugs.debian.org
Subject: Re: Bug#683364: CVE-2012-3442/CVE-2012-3443/CVE-2012-3444: Django 1.3.1 and 1.4.0 security issues
Date: Thu, 2 Aug 2012 16:11:28 +0200
clone 683364 -1
retitle -1 Django's HTMLParser incompatible with python 2.7.3
severity -1 serious
tag -1 = sid
reopen -1
thanks

On Thu, 02 Aug 2012, David Watson wrote:
> I have just successfully built the package under python 2.7.3 by using the
> HTMLParser from python rather than Django's version.

OK then let's clone a new bug to track this issue separately.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Bug 683364 cloned as bug 683648 Request was from Raphael Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Thu, 02 Aug 2012 14:15:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#683364; Package python-django. (Thu, 02 Aug 2012 18:45:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 18:45:11 GMT) Full text and rfc822 format available.

Message #63 received at 683364@bugs.debian.org (full text, mbox):

From: Henri Salo <henri@nerv.fi>
To: Raphael Hertzog <hertzog@debian.org>, 683364@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#683364: CVE-2012-3442/CVE-2012-3443/CVE-2012-3444: Django 1.3.1 and 1.4.0 security issues
Date: Thu, 2 Aug 2012 21:35:38 +0300
On Thu, Aug 02, 2012 at 12:41:53PM +0200, Raphael Hertzog wrote:
> Hi,
> The stable update is ready here. Henri, please test it and report back
> whether it works well for you.
> 
> http://people.debian.org/~hertzog/packages/python-django_1.2.3-3+squeeze3_i386.changes
> 
> I'm ccing the release team to let them know about this security update.
> Here are the relevant infos:
> - stable is affected (fix in 1.2.3-3+squeeze3)
> - wheezy/unstable is affected (fix in 1.4.1-1)
> 
> Please let me know whether I can proceed with the upload (once Henri
> confirmed that it worked well for him).

Hello Raphael,

After applying these patches my applications in Django and Django itself function normally. I did test this with a normal amount of traffic. Do you think I should try to reproduce the security issues? Patches are pretty much 1:1 with Django patches.

- Henri Salo



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#683364; Package python-django. (Thu, 02 Aug 2012 18:45:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 02 Aug 2012 18:45:13 GMT) Full text and rfc822 format available.

Message #68 received at 683364@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Henri Salo <henri@nerv.fi>
Cc: 683364@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#683364: CVE-2012-3442/CVE-2012-3443/CVE-2012-3444: Django 1.3.1 and 1.4.0 security issues
Date: Thu, 2 Aug 2012 20:42:48 +0200
Hi,

On Thu, 02 Aug 2012, Henri Salo wrote:
> Hello Raphael,
> 
> After applying these patches my applications in Django and Django itself
> function normally. I did test this with a normal amount of traffic. Do you
> think I should try to reproduce the security issues? Patches are pretty
> much 1:1 with Django patches.

Did you install http://people.debian.org/~hertzog/packages/python-django_1.2.3-3+squeeze3_all.deb ?

One of the patches has been manually backported but it was relatively
trivial to do. Still, the underlying version differs greatly so it's still
good to double check that everything works properly.

In this case, it would be good to try to exercise the modified parts. So log
in with a redirect URL, trigger image handling code, etc.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#683364; Package python-django. (Tue, 14 Aug 2012 11:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Matthias Klose <doko@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Tue, 14 Aug 2012 11:36:03 GMT) Full text and rfc822 format available.

Message #73 received at 683364@bugs.debian.org (full text, mbox):

From: Matthias Klose <doko@debian.org>
To: Raphael Hertzog <hertzog@debian.org>
Cc: Henri Salo <henri@nerv.fi>, 683364@bugs.debian.org
Subject: Re: Bug#683364: CVE-2012-3442/CVE-2012-3443/CVE-2012-3444: Django 1.3.1 and 1.4.0 security issues
Date: Tue, 14 Aug 2012 13:30:55 +0200
On 02.08.2012 14:08, Raphael Hertzog wrote:
> On Thu, 02 Aug 2012, Raphael Hertzog wrote:
>> On Thu, 02 Aug 2012, Raphael Hertzog wrote:
>>> If the problem is indeed not in Django, then we can temporarily disable
>>> the test suite and upload the package.
>>
>> I just tried to build the current python-django 1.4-1 in Debian Sid and it
>> also failed. So this tends to confirm that something else broke Django's
>> test suite (since the test suite worked when I uploaded 1.4-1 to sid).
>>
>> Now we need to find the culprit (and fix it or work-around it).
> 
> Apparently the build works fine in wheezy so I have built it in wheezy and
> uploaded it in sid.
> 
> sid and wheezy differ in their python2.7 version: 2.7.3-2 vs 2.7.3~rc2-2.1
> 
> So the regression might be between those two versions.
> 
> Doko, python-django test suite fails in sid but not in wheezy. The failure
> looks like a HTMLParser regression. Do you know of any possible regression
> in python 2.7.3 about this?
> 
> I see in the upstream changelog a “- Issue #14538: HTMLParser can now
> parse correctly start tags that contain a bare '/'.” maybe this could be
> related?
> 
> I also found https://code.djangoproject.com/ticket/18239 which might imply
> that Django is relying on some internals of HTMLParser so it would
> actually be a bug in Django in that case...

I see a fix for this in the django upstream issue. Is this still an issue with
the current package in unstable?




Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#683364; Package python-django. (Tue, 14 Aug 2012 12:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Tue, 14 Aug 2012 12:33:03 GMT) Full text and rfc822 format available.

Message #78 received at 683364@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Matthias Klose <doko@debian.org>
Cc: Henri Salo <henri@nerv.fi>, 683364@bugs.debian.org
Subject: Re: Bug#683364: CVE-2012-3442/CVE-2012-3443/CVE-2012-3444: Django 1.3.1 and 1.4.0 security issues
Date: Tue, 14 Aug 2012 14:29:17 +0200
On Tue, 14 Aug 2012, Matthias Klose wrote:
> > I also found https://code.djangoproject.com/ticket/18239 which might imply
> > that Django is relying on some internals of HTMLParser so it would
> > actually be a bug in Django in that case...
> 
> I see a fix for this in the django upstream issue. Is this still an issue with
> the current package in unstable?

No, thanks. It effectively turned out to be a django issue.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Fri, 17 Aug 2012 20:42:07 GMT) Full text and rfc822 format available.

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Fri, 17 Aug 2012 20:42:07 GMT) Full text and rfc822 format available.

Message #83 received at 683364-close@bugs.debian.org (full text, mbox):

From: Raphaël Hertzog <hertzog@debian.org>
To: 683364-close@bugs.debian.org
Subject: Bug#683364: fixed in python-django 1.2.3-3+squeeze3
Date: Fri, 17 Aug 2012 20:40:01 +0000
Source: python-django
Source-Version: 1.2.3-3+squeeze3

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683364@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 02 Aug 2012 11:05:53 +0200
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.2.3-3+squeeze3
Distribution: stable-security
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 683364
Changes: 
 python-django (1.2.3-3+squeeze3) stable-security; urgency=high
 .
   * Stable security upload:
     https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
     Fixes: CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
   * Apply/backport the 3 security patches:
     - debian/patches/16_fix_cross_site_scripting_in_authentication.diff
     - debian/patches/17_fix_dos_in_image_validation.diff
     - debian/patches/18_fix_dos_via_get_image_dimensions.diff
     Closes: #683364





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:30:28 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 02:58:42 2014; Machine Name: beach.debian.org
