Debian Bug report logs - #696535
python-django: possible Host header poisoning and Redirect poisoning


Package: python-django; Maintainer for python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Source for python-django is src:python-django.

Reported by: Jonas Smedegaard <dr@jones.dk>

Date: Sat, 22 Dec 2012 14:39:01 UTC

Severity: grave

Tags: security

Found in version python-django/1.4.2-2

Fixed in version python-django/1.4.3-1

Done: Raphaël Hertzog <hertzog@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Chris Lamb <lamby@debian.org>:
Bug#696535; Package python-django. (Sat, 22 Dec 2012 14:39:04 GMT)

Acknowledgement sent to Jonas Smedegaard <dr@jones.dk>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Chris Lamb <lamby@debian.org>. (Sat, 22 Dec 2012 14:39:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-django: possible Host header poisoning and Redirect poisoning
Date: Sat, 22 Dec 2012 15:37:52 +0100
Package: python-django
Version: 1.4.2-2
Severity: grave
Tags: security
Justification: user security hole

The Django project has recently issued [security updates] for improved
tightening against Host header poisoning and Redirect poisoning.


 - Jonas

[security updates]: https://www.djangoproject.com/weblog/2012/dec/10/security/
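The report names the two issue classes but neither message describes them. As an added illustration (standalone example code written for this page, not Django's own implementation), the following Python shows the two checks that this kind of hardening amounts to: validating the incoming Host header against an explicit allow-list instead of trusting it, and refusing redirect targets that escape the site. The ALLOWED_HOSTS values, the function names and the sample URLs are assumptions.

```python
"""Host header and redirect-target validation, in the style of the checks
the report refers to. Example code for this page; not Django's code."""
import re
from urllib.parse import urlparse

# Assumed allow-list, written like an ALLOWED_HOSTS setting: a leading dot
# matches the domain itself and every subdomain.
ALLOWED_HOSTS = ["example.com", ".example.org"]

# Host header grammar: hostname labels (or a bracketed IPv6 literal) plus an
# optional port. Anything else (spaces, '<', '@', extra colons) is rejected
# before the allow-list is consulted, so a poisoned header never reaches
# URL-building code such as password-reset links.
_HOST_RE = re.compile(r"^([a-z0-9.\-]+|\[[a-f0-9:.]+\])(:\d{1,5})?$", re.IGNORECASE)


def is_allowed_host(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header is well-formed and on the allow-list."""
    if not host_header or not _HOST_RE.match(host_header):
        return False
    host = host_header.lower()
    # Drop the port. IPv6 literals are bracketed, so keep up to the ']' and
    # ignore the ':port' that may follow it.
    if host.startswith("["):
        host = host[: host.index("]") + 1]
    else:
        host = host.split(":", 1)[0]
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def is_safe_redirect(url, host):
    """True only when `url` is a local path or an absolute URL on `host`.

    Rejects the usual redirect-poisoning shapes: protocol-relative
    '//evil.com', scheme-only 'http:///evil.com' (parsers disagree on where
    the host is), userinfo tricks like 'http://example.com@evil.com/', and
    non-HTTP schemes such as 'javascript:'.
    """
    if not url:
        return False
    url = url.strip()
    # Control characters and backslashes make different parsers see
    # different hosts; refuse them outright rather than trying to normalise.
    if any(ord(c) < 0x20 for c in url) or "\\" in url:
        return False
    parsed = urlparse(url)
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return False
    if parsed.netloc:
        return parsed.netloc.lower() == host.lower()
    # A scheme with an empty netloc ('http:///evil.com') is not a local path.
    if parsed.scheme:
        return False
    return url.startswith("/") and not url.startswith("//")


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    for h in ["example.com", "www.example.org", "evil.com", "example.com<script>"]:
        print("host", repr(h), "->", is_allowed_host(h))
    for u in ["/accounts/", "//evil.com/", "http:///evil.com", "https://example.com/next"]:
        print("redirect", repr(u), "->", is_safe_redirect(u, "example.com"))
```

The important design choice is that both checks are allow-lists: the Host header is compared against names the deployment actually serves, and a redirect target is accepted only when the parser places it on the current host or it is a plain absolute path. A deny-list of known bad prefixes would miss the next parser quirk.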



Added tag(s) pending. Request was from hertzog@users.alioth.debian.org to control@bugs.debian.org. (Wed, 26 Dec 2012 15:03:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#696535; Package python-django. (Wed, 26 Dec 2012 15:51:03 GMT)

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Wed, 26 Dec 2012 15:51:03 GMT)

Message #12 received at 696535@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Jonas Smedegaard <dr@jones.dk>, 696535@bugs.debian.org
Subject: Re: Bug#696535: python-django: possible Host header poisoning and Redirect poisoning
Date: Wed, 26 Dec 2012 16:48:50 +0100
On Sat, 22 Dec 2012, Jonas Smedegaard wrote:
> The Django project has recently issued [security updates] for improved
> tightening against Host header poisoning and Redirect poisoning.

Thanks for the notice, I uploaded packages of version 1.4.3 to unstable.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Wed, 26 Dec 2012 16:06:03 GMT)

Notification sent to Jonas Smedegaard <dr@jones.dk>:
Bug acknowledged by developer. (Wed, 26 Dec 2012 16:06:03 GMT)

Message #17 received at 696535-close@bugs.debian.org:

From: Raphaël Hertzog <hertzog@debian.org>
To: 696535-close@bugs.debian.org
Subject: Bug#696535: fixed in python-django 1.4.3-1
Date: Wed, 26 Dec 2012 16:02:46 +0000
Source: python-django
Source-Version: 1.4.3-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696535@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 26 Dec 2012 15:49:32 +0100
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.4.3-1
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 696535
Changes: 
 python-django (1.4.3-1) unstable; urgency=high
 .
   * New upstream security and maintenance release. Closes: #696535
     https://www.djangoproject.com/weblog/2012/dec/10/security/
   * Drop debian/patches/01_fix-self-tests.diff, merged upstream.
Checksums-Sha1: 
 f395ea2918baf19b91664331dfd231fe7b2da318 2227 python-django_1.4.3-1.dsc
 96b1a44afef3b765b55ba10ad81ca8fc29eca5a2 7729808 python-django_1.4.3.orig.tar.gz
 11a395fedfad1af479f4353cdd81aa034a3294aa 19656 python-django_1.4.3-1.debian.tar.gz
 7f5416108b7d42f3b200022b640fc844c542a973 5363382 python-django_1.4.3-1_all.deb
 6f956bb5f9fb0182cafaad883f7b75c3330b2893 2428586 python-django-doc_1.4.3-1_all.deb
Checksums-Sha256: 
 7f5bac0274254fcdfdc8613f6134ca2ace6fc97e285d96eec3be32c0d11caaed 2227 python-django_1.4.3-1.dsc
 dcadb4b612e5d14f62078869617a26a79b3da719573801d351c4a0a7f4181c4e 7729808 python-django_1.4.3.orig.tar.gz
 7435c551de258595e7ddbb259c0c3835865b405f748944b999ac788b7b50b536 19656 python-django_1.4.3-1.debian.tar.gz
 2796e4a7003afe0d3de31d58541dc121bcc3e2e3bf1acbcb1f194ed0f53b0949 5363382 python-django_1.4.3-1_all.deb
 65d1c17f32666fb2d3af912992cd5505f1464b32439ee6ed37b7472f1169c5fe 2428586 python-django-doc_1.4.3-1_all.deb
Files: 
 53d88c7c521b25b986030740c1ed1f43 2227 python optional python-django_1.4.3-1.dsc
 0b134c44b6dc8eb36822677ef506c9ab 7729808 python optional python-django_1.4.3.orig.tar.gz
 96c567a7448c96fbc825dd4b729184d0 19656 python optional python-django_1.4.3-1.debian.tar.gz
 ceab007daeeb107a588d8d523d0e0cbb 5363382 python optional python-django_1.4.3-1_all.deb
 234e0f1cf96904113adc022c5f7bd6c9 2428586 doc optional python-django-doc_1.4.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Signed by Raphael Hertzog
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 24 Jan 2013 07:26:34 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 13:01:26 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.