Debian Bug report logs - #723043
python-django: CVE-2013-1443: denial-of-service via large passwords

version graph

Package: python-django; Maintainer for python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Source for python-django is src:python-django.

Reported by: Henri Salo <henri@nerv.fi>

Date: Sun, 15 Sep 2013 18:57:02 UTC

Severity: important

Tags: fixed-upstream, security

Found in versions python-django/1.5.3-1, python-django/1.4.5-1, python-django/1.2.3-3+squeeze3

Fixed in versions python-django/1.5.4-1, python-django/1.4.5-1+deb7u4, python-django/1.2.3-3+squeeze8

Done: Luke Faraone <lfaraone@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#723043; Package python-django. (Sun, 15 Sep 2013 18:57:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Chris Lamb <lamby@debian.org>. (Sun, 15 Sep 2013 18:57:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: python-django: denial-of-service via large passwords
Date: Sun, 15 Sep 2013 21:52:05 +0300
[Message part 1 (text/plain, inline)]
Package: python-django
Version: 1.5.3-1
Severity: important
Tags: security, fixed-upstream

More information: https://www.djangoproject.com/weblog/2013/sep/15/security/

---
Henri Salo
[signature.asc (application/pgp-signature, inline)]

Changed Bug title to 'python-django: CVE-2013-1443: denial-of-service via large passwords' from 'python-django: denial-of-service via large passwords' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 15 Sep 2013 19:39:05 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from Luke Faraone <lfaraone@debian.org> to control@bugs.debian.org. (Sun, 15 Sep 2013 20:33:10 GMT) Full text and rfc822 format available.

Reply sent to Luke Faraone <lfaraone@debian.org>:
You have taken responsibility. (Sun, 15 Sep 2013 21:09:24 GMT) Full text and rfc822 format available.

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sun, 15 Sep 2013 21:09:25 GMT) Full text and rfc822 format available.

Message #14 received at 723043-close@bugs.debian.org (full text, mbox):

From: Luke Faraone <lfaraone@debian.org>
To: 723043-close@bugs.debian.org
Subject: Bug#723043: fixed in python-django 1.5.4-1
Date: Sun, 15 Sep 2013 21:05:23 +0000
Source: python-django
Source-Version: 1.5.4-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 723043@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luke Faraone <lfaraone@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 15 Sep 2013 15:50:10 -0400
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.5.4-1
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Luke Faraone <lfaraone@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 723043
Changes: 
 python-django (1.5.4-1) unstable; urgency=high
 .
   * New upstream security release. Fixes CVE-2013-1443. Closes: #723043.
     https://www.djangoproject.com/weblog/2013/sep/15/security/
     - Denial-of-service via large passwords. CVE-2013-1443
Checksums-Sha1: 
 de38e88c73c39ce226d3c8a8986065b2ecdbc9c5 2230 python-django_1.5.4-1.dsc
 18fcab95cebb8588ba827469837e7a81ad976cb9 8050758 python-django_1.5.4.orig.tar.gz
 be5b4934da585278f1c68b8e951c9acfa7c6f077 20412 python-django_1.5.4-1.debian.tar.gz
 7fe969569dc7459571ff23248ac549adf4f45845 2691202 python-django_1.5.4-1_all.deb
 dcc3a40cc49c6c1a078af0a5a5097298b5877b0c 1812292 python-django-doc_1.5.4-1_all.deb
Checksums-Sha256: 
 493fc1b840ea0c0367e26673366be96941f486ce33762308c971c03c887d53e6 2230 python-django_1.5.4-1.dsc
 428defe3fd515dfc8613039bb0a80622a13fb4b988c5be48db07ec098ea1704e 8050758 python-django_1.5.4.orig.tar.gz
 9882eca69767023be36f84c201b7be6fdb2edc51760306d09fd7218c492a0c82 20412 python-django_1.5.4-1.debian.tar.gz
 5949550488e0e459d0c9f0470c76ecb733ce216777dedf0a6688bcfed2d90f12 2691202 python-django_1.5.4-1_all.deb
 ec40df854ffd0ceb9cd5c0566a56fc0864f449baa41ce98adf2f584eced0746f 1812292 python-django-doc_1.5.4-1_all.deb
Files: 
 1d48f6db6ee34bafa02b6ca6ab488ac9 2230 python optional python-django_1.5.4-1.dsc
 b2685469bb4d1fbb091316e21f4108de 8050758 python optional python-django_1.5.4.orig.tar.gz
 b5838c7de7bcc9f4fd2761186784a84c 20412 python optional python-django_1.5.4-1.debian.tar.gz
 a31aa1f3538e30e1e650d415030a7207 2691202 python optional python-django_1.5.4-1_all.deb
 7347c5ce5be925deb921dd2752805e9e 1812292 doc optional python-django-doc_1.5.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJSNhUcAAoJEJcyXdj5/dUGszEP/1saV1X24wgH/YL0BD3x+yRn
vBmQlCl2ebKoxd8shJ8avZzSKvYgfAQNStz1nRrvrN4j19VmRf2UiplbcNzPJ53S
cSzPFYlXE3CSFE+Vji4CONF94btYo9nK5AiJJmZFPOIzjFvtkQ09cAFnP2VYrOpG
LN2jnjjksu1PeheJwHopY+TjTmHiz4C1rsT7aAxqRGCD10m7M0XFVkgOK/XIYBam
FDw8invqXs3KTTIXqnqDS6LHtQ1fuY35EivoUYZi6sG2EreoRRhudGpv5Om3pV6N
IKyy7fARb+fcPUZMdoXLYxJQq70PgpXLcFTuzosfz/WvEeMFtxjxSwUujUPKZoBg
V8wvayxdQB399A8AKuV8yoI+sGp0GrpvhsDQzixiKrEemjw3FZakLH2VdiN63pf2
zpdDeSfBn3XEy/uSlOrDq861ywTUbFRJZ3EBUPYNvQb6tCCpBHLZxykFARHttHj/
C+dLHtewEgjsEDEabEoi8xch9VAfQM1iuYc3dK5agIlB3ISdhWnbU4mWzD0jGLTK
Grc1UXZcNzKHJ2Fz2GEEJpTesjsHhfeVPgqCBWL9UJWPSEULB9Soeinhc4l+cPKO
cBKAFhefHAth8CqaLzxBWK8vvTVK8B9TpLX3jveeJs2mZCWpE+9Vrug/5MRAlaTa
jMs6Z2GDYWzdCRCOscHd
=wZT0
-----END PGP SIGNATURE-----




Marked as found in versions python-django/1.2.3-3+squeeze3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Sep 2013 17:15:11 GMT) Full text and rfc822 format available.

Marked as found in versions python-django/1.4.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Sep 2013 17:15:12 GMT) Full text and rfc822 format available.

Reply sent to Luke Faraone <lfaraone@debian.org>:
You have taken responsibility. (Wed, 18 Sep 2013 09:51:12 GMT) Full text and rfc822 format available.

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Wed, 18 Sep 2013 09:51:12 GMT) Full text and rfc822 format available.

Message #23 received at 723043-close@bugs.debian.org (full text, mbox):

From: Luke Faraone <lfaraone@debian.org>
To: 723043-close@bugs.debian.org
Subject: Bug#723043: fixed in python-django 1.4.5-1+deb7u4
Date: Wed, 18 Sep 2013 09:47:05 +0000
Source: python-django
Source-Version: 1.4.5-1+deb7u4

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 723043@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luke Faraone <lfaraone@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 15 Sep 2013 16:42:19 -0400
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.4.5-1+deb7u4
Distribution: stable-security
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Luke Faraone <lfaraone@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 723043
Changes: 
 python-django (1.4.5-1+deb7u4) stable-security; urgency=high
 .
   * Stable security update. Fixes CVE-2013-1443. Closes: #723043.
     https://www.djangoproject.com/weblog/2013/sep/15/security/
     - Denial-of-service via large passwords.
Checksums-Sha1: 
 c534266f4cc030927b13968bfb4de983097a44bb 2256 python-django_1.4.5-1+deb7u4.dsc
 1bfaa4643c6775fbf394137f1533659be45441e7 7735582 python-django_1.4.5.orig.tar.gz
 3179adaa1819059b20074051ce4465e1955f7f21 26173 python-django_1.4.5-1+deb7u4.debian.tar.gz
 7fd3232ef5a9f0a6af550a72dfc266ff3ac76030 5389406 python-django_1.4.5-1+deb7u4_all.deb
 f6e9dd0512585ff7d7c6178a1e5239b3a9b5aede 2440286 python-django-doc_1.4.5-1+deb7u4_all.deb
Checksums-Sha256: 
 ba30eb0383ecd714e207232bd3a77df34da488cae9d8d6c59ed049861f195aad 2256 python-django_1.4.5-1+deb7u4.dsc
 0e1e8c4217299672bbf9404994717fca2d8d4b7a4f7b8b3b74d413e1fda81428 7735582 python-django_1.4.5.orig.tar.gz
 fb3bd32982af24df8b1e57f03061d46c9dbb922a52b53de3aa2fa2bad39fa284 26173 python-django_1.4.5-1+deb7u4.debian.tar.gz
 e7852262b8451c3328e6169840ac565b321b2809eea8320ff62b916851b55dea 5389406 python-django_1.4.5-1+deb7u4_all.deb
 3f95c9a9968dd9bd63532b216897d2e128c9e2b11b299f93c120c53f1a09d24d 2440286 python-django-doc_1.4.5-1+deb7u4_all.deb
Files: 
 beb07a52d4ad1ac24772048166085073 2256 python optional python-django_1.4.5-1+deb7u4.dsc
 851d00905eb70e4aa6384b3b8b111fb7 7735582 python optional python-django_1.4.5.orig.tar.gz
 426c3be3e3ee82af934c46fff1c64b08 26173 python optional python-django_1.4.5-1+deb7u4.debian.tar.gz
 a70adec048fe9431adfef61e0d00b6fa 5389406 python optional python-django_1.4.5-1+deb7u4_all.deb
 2c35b371d38eb14a7f1a875a0406214d 2440286 doc optional python-django-doc_1.4.5-1+deb7u4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJSNzYyAAoJEJcyXdj5/dUGILUP/1zBUjFswyMddYQ2W3+Q3YQa
ZVI8PsWQUsQHYIeGKcEtHrzRiH2tlJ93mB9aHZYLcU6JKj9dmUrwmK5kzu280Tzt
OKkWxIIsYCYj5woLVaE/tFTzq7iNUD7ZqgyWcHefbaOOqQ8XPsqqysR9Smazlvkk
86TGbwUuW3Y0RMH0aQLppySV8GvPQi+GMs5G3/P6hYXEDe/m5ZOHEZE+ysvrHW+w
WwIZrv31Ii0w1geb5Xb+vA3+Th6nLbSg/JCjmT0FFfY9/qKH5In6/gp55/e2PogO
boIhYZMiWl34l/EvTdOe82AOH4A+Xg/mLVACW2uiDfP4vDeaU+aPnww9E51jw6sF
fMxbqToKJTFqQFAGfXgH83UaqBf7KOn2y2I+VU8jdDnOJ/mjWvczyOx9UGsbnxzH
5amScCyFzVwrUeH072z5RGIwrmrff1ytGSrQtvXMMBK4qyec+187ii6jbotMoZx9
YEtwJ0vTPsJ/tlcR81eniJydTQIARgGVPt2Uk5z+6bSbANIlMTOfqaErSJCxWNtP
QmNQtO8DqIHC+DY6VLxpuEbgkrkeiQghEHe9UX6BouTZTN6h5PJCJrm+OQoLkwHS
xbwF4HZdHWHS67qXy7f+J5qlCxxHsZHP+PNgzHfMd79gh9evCkEeJ4IXOtZWKZGJ
CvgjoIwf2RDD+QOowh8o
=XChc
-----END PGP SIGNATURE-----




Reply sent to Luke Faraone <lfaraone@debian.org>:
You have taken responsibility. (Wed, 18 Sep 2013 09:51:16 GMT) Full text and rfc822 format available.

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Wed, 18 Sep 2013 09:51:16 GMT) Full text and rfc822 format available.

Message #28 received at 723043-close@bugs.debian.org (full text, mbox):

From: Luke Faraone <lfaraone@debian.org>
To: 723043-close@bugs.debian.org
Subject: Bug#723043: fixed in python-django 1.2.3-3+squeeze8
Date: Wed, 18 Sep 2013 09:47:38 +0000
Source: python-django
Source-Version: 1.2.3-3+squeeze8

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 723043@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luke Faraone <lfaraone@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 15 Sep 2013 15:57:34 -0400
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.2.3-3+squeeze8
Distribution: oldstable-security
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Luke Faraone <lfaraone@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 723043
Changes: 
 python-django (1.2.3-3+squeeze8) oldstable-security; urgency=high
 .
   * Stable security upload:
     https://www.djangoproject.com/weblog/2013/sep/15/security/
     - Denial-of-service via large passwords. CVE-2013-1443
     Closes: #723043
Checksums-Sha1: 
 44b1865ef2b98551d68a754399c7bd0de3e4d317 2215 python-django_1.2.3-3+squeeze8.dsc
 f65146218ab61bf5efe715db3fc3a177a24fba0d 6306760 python-django_1.2.3.orig.tar.gz
 f5d93f58aca1b8b2744ecdab049c3b50b1d96b05 45881 python-django_1.2.3-3+squeeze8.debian.tar.gz
 8d14159b254b5095f833492f62821a0cef5f4327 4201164 python-django_1.2.3-3+squeeze8_all.deb
 c6b442a6e25305ff573af4e34dadbcd8458e2f1e 1909898 python-django-doc_1.2.3-3+squeeze8_all.deb
Checksums-Sha256: 
 dc90e962c6a950877747220e976f29e9455d328e20d0f797bf377f4e95e7f8c8 2215 python-django_1.2.3-3+squeeze8.dsc
 cb830f6038b78037647150d977f6cd5cf2bfd731f1788ecf8758a03c213a0f84 6306760 python-django_1.2.3.orig.tar.gz
 0303f14503c4ecf7ce9c0247c7d09c17409cae4709025048dfd46438bb49f72c 45881 python-django_1.2.3-3+squeeze8.debian.tar.gz
 7da7e48dc37ab9ac59f6833fd50950cb7d82d42a408f996acc97c5dc8ae17778 4201164 python-django_1.2.3-3+squeeze8_all.deb
 d8c40a9c987cd1539f647117578caf727cf0a5f433bee67bf2174440d5c7062d 1909898 python-django-doc_1.2.3-3+squeeze8_all.deb
Files: 
 2e1e4cee6d8b8f4ed2de6fadbde2e9f7 2215 python optional python-django_1.2.3-3+squeeze8.dsc
 10bfb5831bcb4d3b1e6298d0e41d6603 6306760 python optional python-django_1.2.3.orig.tar.gz
 6357a8b1ec826d8703c811565b10a772 45881 python optional python-django_1.2.3-3+squeeze8.debian.tar.gz
 2c3f6e27a3a5b731fee6b73458a27e4a 4201164 python optional python-django_1.2.3-3+squeeze8_all.deb
 8f31bbe44cefcaf04fc7c57f3988f3ae 1909898 doc optional python-django-doc_1.2.3-3+squeeze8_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJSNzQpAAoJEJcyXdj5/dUGFxsQAJFniwnQTDRjsaAPyvBbEcjB
ObAnf05tW03YvdxbVmEL8JlzQQVbkhVugjIOohoAWkk0kqXnvrwvb5+N9jYs1YrL
YJpo8icyEIFLtwyiuZZPOEzFHjALN9lCjSNuPYDHRw1mIDnMbvkrniesYfDWy9sw
xgTryCI+jziy1nV4tK02vOWbJxX09y5uFJpSckK4VP0cxV6pr+gMOvv9/Mry/oZZ
kIFyDMPLDfZUboHbXCyEI5QXBmlIg9wzyFCwIrFqvp/0kgoBLjMoxI8AmxmJwkTH
N8ZmDlQwFNnqBxQRH4dN280xkKnFk1mC8H0tfWvvOnBA0B7KeaUsvYci3uIyzZuo
rbBqy00TL+TBu5/BrogmFE+vLORca7FOYfJE0O1kUX/gNgLLfJPygor3o2fu1W3b
JyRVZ4+1O/lO/uH0pJCrRfXc+d1U/pdnNfJ2Cjp/+uKtArekSjmbZt899DvC/UUk
jmcr+1KCZHnKPPNJguCiew2dJCSB55Uu+R0Wc7kauhM14e2BHSk5PrKjhbA6/+ok
4GfhUvDZz6v/tNg6MQFxxFSqJiFJ43ZcGKyjHOsgToDas1h/N29bkaAiS24ty/W+
VWsm/4WE5H88KKwAUYoexdZrX4y5Ol8f4rA5P3r0zuk3drZ92LxwP2mf3qCIF3Jz
+KJ/jt4XSZ07R415+nsH
=tlOY
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 17 Oct 2013 07:32:04 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 13:08:31 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.