Debian Bug report logs - #701186
python-django: CVE-2013-0305 CVE-2013-0306

version graph

Package: python-django; Maintainer for python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Source for python-django is src:python-django.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 22 Feb 2013 14:27:01 UTC

Severity: grave

Tags: security

Found in version python-django/1.2.3-1

Fixed in versions python-django/1.4.4-1, python-django/1.2.3-3+squeeze5

Done: Raphaël Hertzog <hertzog@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Chris Lamb <lamby@debian.org>:
Bug#701186; Package python-django. (Fri, 22 Feb 2013 14:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Chris Lamb <lamby@debian.org>. (Fri, 22 Feb 2013 14:27:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-django: CVE-2013-0305 CVE-2013-0306
Date: Fri, 22 Feb 2013 15:20:55 +0100
Package: python-django
Severity: grave
Tags: security
Justification: user security hole

Please see
https://www.djangoproject.com/weblog/2013/feb/19/security/

Cheers,
        Moritz



Added tag(s) pending. Request was from hertzog@users.alioth.debian.org to control@bugs.debian.org. (Sat, 23 Feb 2013 09:21:09 GMT) Full text and rfc822 format available.

Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Sat, 23 Feb 2013 14:51:20 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 23 Feb 2013 14:51:20 GMT) Full text and rfc822 format available.

Message #12 received at 701186-close@bugs.debian.org (full text, mbox):

From: Raphaël Hertzog <hertzog@debian.org>
To: 701186-close@bugs.debian.org
Subject: Bug#701186: fixed in python-django 1.4.4-1
Date: Sat, 23 Feb 2013 14:47:56 +0000
Source: python-django
Source-Version: 1.4.4-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 701186@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 23 Feb 2013 09:33:13 +0100
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.4.4-1
Distribution: unstable
Urgency: low
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 700483 701186
Changes: 
 python-django (1.4.4-1) unstable; urgency=low
 .
   * New upstream security and maintenance release. Closes: #701186
     https://www.djangoproject.com/weblog/2013/feb/19/security/
     Fixes mulptiple security issues:
     - Further fixes for Host header poisoning. CVE-2012-4520
     - XML attacks via entity expansion. CVE-2013-1665
     - Data leakage via admin history log. CVE-2013-0305
     - Formset denial-of-service. CVE-2013-0306
   * Add gettext to Suggests since it's required for django-admin
     compilemessages / makemessages. Closes: #700483
Checksums-Sha1: 
 38fb931786fa14eb9b8fc4e2ea7aa1aa6b2f72f9 2227 python-django_1.4.4-1.dsc
 7f4da833006b58929cbfd4ba5d11e6448c5846fc 7740176 python-django_1.4.4.orig.tar.gz
 bcba0843b0e759edbf53838598c0546a615de43e 19856 python-django_1.4.4-1.debian.tar.gz
 f4baec47dc0ee3fc78722a96cff70941c1043e72 5367026 python-django_1.4.4-1_all.deb
 3a73fffad101a64299b68070dd2d24b1462b69f7 2431524 python-django-doc_1.4.4-1_all.deb
Checksums-Sha256: 
 965bb364e75a2c7539fb1756395eda84b5bf1899c0831c03cf01921c44af8e31 2227 python-django_1.4.4-1.dsc
 0dd9fa4f0dfc4f64eedecc82bde8dfe15a0a420ceeb11ca1ed050f1742b57077 7740176 python-django_1.4.4.orig.tar.gz
 3fe8425e9b489aeae12bc7ad4f6b25a2dd5551fc0c33692e42794096ef8809fa 19856 python-django_1.4.4-1.debian.tar.gz
 c9bc1cbb5d8234918e842e2000b0d84be0d63549df27460da6de980f4e27feaa 5367026 python-django_1.4.4-1_all.deb
 ceaa8cec41e224039d7eea4d5a1cf33e6de5ac03b8cb694cafe8067831eba01a 2431524 python-django-doc_1.4.4-1_all.deb
Files: 
 0142dbfd3d85bcf71d3494119aec1ced 2227 python optional python-django_1.4.4-1.dsc
 833f531479948201f0f0a3b5b5972565 7740176 python optional python-django_1.4.4.orig.tar.gz
 4be82335fca9d168cf8dfae83a86c8eb 19856 python optional python-django_1.4.4-1.debian.tar.gz
 c76fbe5c855aed2b1e91ac215656b8c9 5367026 python optional python-django_1.4.4-1_all.deb
 2dcdbf7a234192ffe1a4b6da5159d617 2431524 doc optional python-django-doc_1.4.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Signed by Raphael Hertzog

iQIcBAEBCAAGBQJRKMeeAAoJEOYZBF3yrHKadeEQANA3jY2r1XgPQo+VfBI8h7eV
sZs0rSPvmvqgTV3PBrMwst0qyB/I2O8f+Swz0XwcX5P/0MS96uCeqwYDRn2wcC0I
a9BToRXOQKTKKMhJyu/pPWxAp930RnwObfotc1X8x7Pq2FD0Qkprqe+D85pI6xDJ
cUj9xyint4FZJEOjcFT7wP8UgckPaTb7+7gnlTfSkVD4JjKjhhkX8JsuD1lRjJwi
HzulXKeTLHmEe6uYKZj8a0Yt9x9bgpdgkN1rknO4NVyGbFRSuoawxxrDz5ylmTbe
eIqMrwqrovsH1vVgCIA+Icn5iwhZp/JsMpphpBIYsgNrLo9KydmqXthc+x9KkBCW
a9jYDae00Im0PYjgoSK7wU7zLq8dmPtqvCY5xhlVkk2RgALzPMjl7V/yzRKEQEDe
Qct9QRKrsqrhgC1C0Axu/p0/OCiLRCQz53CwJneXzEQfS5zJ+lt3VhSIF4ZlWMlr
0beD/vxLr0W0BVMeGTmBukjqeM6Oc2e86HUqV4FvqC9LEP8zX7UKHJ1JMZhlePcQ
S+c+BGbW9gebV/3YcFHYAZQszUL0VnMschE9MT3+SMpyH4J53ejkP6hocfZFpHV3
Y7VM01lRmJqu+jYtrb4RD6vqf9YAJaUaBsR5NnLVPw0Er6mceMKUjQ1m+hx7Eu+A
hHqXsFYUWejwWF12zkJ4
=XsQO
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#701186; Package python-django. (Sun, 24 Feb 2013 18:06:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Sun, 24 Feb 2013 18:06:03 GMT) Full text and rfc822 format available.

Message #17 received at 701186@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 701186@bugs.debian.org
Cc: team@security.debian.org, thijs@debian.org
Subject: Re: Bug#701186: python-django: CVE-2013-0305 CVE-2013-0306
Date: Sun, 24 Feb 2013 19:03:53 +0100
Hi,

On Fri, 22 Feb 2013, Moritz Muehlenhoff wrote:
> Please see
> https://www.djangoproject.com/weblog/2013/feb/19/security/

I have uploaded 1.4.5-1 to unstable and I have prepared 1.2.3-3+squeeze5
for stable, you can get it here:
http://people.debian.org/~hertzog/packages/python-django_1.2.3-3+squeeze5_amd64.changes

Thijs, can you do some testing before releasing it as DSA? I had to
backport the patches and most of them required some changes to apply
and/or pass the test suite.

I have also included the fixes for the last security update that didn't
get any DSA.

The above .changes is signed so you can dput it yourself if it's
good. Otherwise tell me and I'll upload it myself.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#701186; Package python-django. (Mon, 25 Feb 2013 08:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Mon, 25 Feb 2013 08:36:03 GMT) Full text and rfc822 format available.

Message #22 received at 701186@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Raphael Hertzog" <hertzog@debian.org>
Cc: 701186@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#701186: python-django: CVE-2013-0305 CVE-2013-0306
Date: Mon, 25 Feb 2013 09:32:59 +0100
On Sun, February 24, 2013 19:03, Raphael Hertzog wrote:
> I have uploaded 1.4.5-1 to unstable and I have prepared 1.2.3-3+squeeze5
> for stable, you can get it here:
> http://people.debian.org/~hertzog/packages/python-django_1.2.3-3+squeeze5_amd64.changes
>
> Thijs, can you do some testing before releasing it as DSA? I had to
> backport the patches and most of them required some changes to apply
> and/or pass the test suite.

Yes, will let you know.


Thijs



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#701186; Package python-django. (Mon, 25 Feb 2013 10:21:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Mon, 25 Feb 2013 10:21:14 GMT) Full text and rfc822 format available.

Message #27 received at 701186@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Raphael Hertzog" <hertzog@debian.org>
Cc: 701186@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#701186: python-django: CVE-2013-0305 CVE-2013-0306
Date: Mon, 25 Feb 2013 11:11:51 +0100
On Mon, February 25, 2013 09:32, Thijs Kinkhorst wrote:
> On Sun, February 24, 2013 19:03, Raphael Hertzog wrote:
>> I have uploaded 1.4.5-1 to unstable and I have prepared 1.2.3-3+squeeze5
>> for stable, you can get it here:
>> http://people.debian.org/~hertzog/packages/python-django_1.2.3-3+squeeze5_amd64.changes
>>
>> Thijs, can you do some testing before releasing it as DSA? I had to
>> backport the patches and most of them required some changes to apply
>> and/or pass the test suite.
>
> Yes, will let you know.

No problems spotted in our environment.


Thijs



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#701186; Package python-django. (Mon, 25 Feb 2013 10:48:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Mon, 25 Feb 2013 10:48:08 GMT) Full text and rfc822 format available.

Message #32 received at 701186@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 701186@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#701186: python-django: CVE-2013-0305 CVE-2013-0306
Date: Mon, 25 Feb 2013 11:45:52 +0100
On Mon, 25 Feb 2013, Thijs Kinkhorst wrote:
> No problems spotted in our environment.

Thanks, uploaded to security-master.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Sat, 02 Mar 2013 19:06:18 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 02 Mar 2013 19:06:18 GMT) Full text and rfc822 format available.

Message #37 received at 701186-close@bugs.debian.org (full text, mbox):

From: Raphaël Hertzog <hertzog@debian.org>
To: 701186-close@bugs.debian.org
Subject: Bug#701186: fixed in python-django 1.2.3-3+squeeze5
Date: Sat, 02 Mar 2013 19:02:07 +0000
Source: python-django
Source-Version: 1.2.3-3+squeeze5

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 701186@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 24 Feb 2013 16:08:14 +0100
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.2.3-3+squeeze5
Distribution: stable-security
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 696535 701186
Changes: 
 python-django (1.2.3-3+squeeze5) stable-security; urgency=high
 .
   * Stable security upload:
     https://www.djangoproject.com/weblog/2013/feb/19/security/
     https://www.djangoproject.com/weblog/2012/dec/10/security/
     Fixes mulptiple security issues:
     - Further fixes for Host header poisoning. CVE-2012-4520
     - XML attacks via entity expansion. CVE-2013-1665
     - Data leakage via admin history log. CVE-2013-0305
     - Formset denial-of-service. CVE-2013-0306
     - Redirect poisoning.
   * Backport all the upstream security patches:
     - debian/patches/20_fix_get_host.diff
     - debian/patches/21_fix_redirect_poisoning.diff
     - debian/patches/22_add_allowed_hosts.diff
     - debian/patches/23_restrict_xml_deserializer.diff
     - debian/patches/24_check_perms_admin_history_view.diff
     - debian/patches/25_limit_number_of_forms_in_formset.diff
     Closes: #701186, #696535
Checksums-Sha1: 
 a4f42ef815b135dbf1042f716176ca5a57616db6 2214 python-django_1.2.3-3+squeeze5.dsc
 640f68aede24ba2a551b8df250b95c433529c59c 42360 python-django_1.2.3-3+squeeze5.debian.tar.gz
 563c0bc0f7db517eacce9eea950224d86ae46fa0 4221694 python-django_1.2.3-3+squeeze5_all.deb
 27280ed48bfbecabcf11cfae907a82f2e402dbc0 1894256 python-django-doc_1.2.3-3+squeeze5_all.deb
Checksums-Sha256: 
 687331ff1b155d173c9a6c2b007de511e82d33037f10d42bb0c1e07a5f073f45 2214 python-django_1.2.3-3+squeeze5.dsc
 48141b4a6dd8658a70c38cc121150c6820a4e94f300780811345c9ea122f9745 42360 python-django_1.2.3-3+squeeze5.debian.tar.gz
 051594c912a37a83b6ade6cf7d2220b384e43948f9ee1c9da9d91d00fbf31d64 4221694 python-django_1.2.3-3+squeeze5_all.deb
 9a53b14aa03ad16ac22e942c2ae7dd8f47d59d210bdf3855342efbcee9adeaf9 1894256 python-django-doc_1.2.3-3+squeeze5_all.deb
Files: 
 b05ebf26e797b17186d01f1ec5949a69 2214 python optional python-django_1.2.3-3+squeeze5.dsc
 9abd6f6c22823b72b7dcc19895191d14 42360 python optional python-django_1.2.3-3+squeeze5.debian.tar.gz
 266ee387a3f40ec3c5fa9c4e48d62974 4221694 python optional python-django_1.2.3-3+squeeze5_all.deb
 17781f4fff60bf76d08397c7375fa75b 1894256 doc optional python-django-doc_1.2.3-3+squeeze5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Signed by Raphael Hertzog

iQIcBAEBCAAGBQJRK4EXAAoJEOYZBF3yrHKa1mkQAKbdZUNP+Ih0RObcytq16vHO
m0MnHrEs9d99tx/iwWoBayiOshy01G75bNNsKQkStarz3OrHssJs313hhn7mxVua
CfCpLCVRzwEDNmUMqITvogkKBsdH8/l6smrKdc1yo4iC36wELi0h6P+8KTy4rKXF
e1mBzkrHPySODUngve1nMGr5nlcB48/lVUKLpWzfzI58OkqEvVurm7Pc7sQJtTTl
TkRgiw7yUpSADGHM/fRa+jklOPo2/jBM4HRHvvL0mHJcwIOeXu0WaLpsJoTjZ89o
L/nZukdaFLrrzPROaOCekS1w2X5thNEbCx9pJ6890o5COuu3AsGhIjQSyKuSMVmN
930xjI+vWOP6MCb1bfIYiOklwvggMULQ73a0hwUEcSIFCSf7Ruh0j/AhQSLjQTqp
RH+sMVSulGrkwf5xaDBkdvNvTEs0eLDLI+g+BB21QH1lNv7MU2TAbV8xhVAYgx2m
DDTVP7Dmqc1PYKFVYkvvxGIpFd+pBh/jeEn9vP31428zxpm5IzHOFbvuXM5xg7dX
lvEq7lfyaIgsJ0RHIiVOZVzLmOxj3SN3axBnuwuGEguItgqhD72D651c6K3cwJpT
KZllCGqb5PWOLZD61sAjtdJFE08poXxtCp+yTmyK4cnWv8x6Kha32cOjIJ4jFUbE
hOL0gWmUOAcaIesB0aAr
=+KTN
-----END PGP SIGNATURE-----




Marked as found in versions python-django/1.2.3-3. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 03 Mar 2013 03:09:05 GMT) Full text and rfc822 format available.

No longer marked as found in versions python-django/1.2.3-3. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 03 Mar 2013 03:15:04 GMT) Full text and rfc822 format available.

Marked as found in versions python-django/1.2.3-1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 03 Mar 2013 03:15:05 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:24:48 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 02:34:45 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.