Your message dated Fri, 23 Jan 2015 11:33:51 +0000
with message-id <[email protected]>
and subject line Bug#775375: fixed in python-django 1.7.3-1~exp1
has caused the Debian Bug report #775375,
regarding python-django: CVE-2015-0219 CVE-2015-0220 CVE-2015-0221 CVE-2015-0222
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
775375: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775375
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-django
Version: 1.7.1-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for python-django.

CVE-2015-0219[0]:
WSGI header spoofing via underscore/dash conflation

CVE-2015-0220[1]:
Mitigated possible XSS attack via user-supplied redirect URLs

CVE-2015-0221[2]:
Denial-of-service attack against django.views.static.serve

CVE-2015-0222[3]:
Database denial-of-service with ModelMultipleChoiceField

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0219
[1] https://security-tracker.debian.org/tracker/CVE-2015-0220
[2] https://security-tracker.debian.org/tracker/CVE-2015-0221
[3] https://security-tracker.debian.org/tracker/CVE-2015-0222
[4] https://www.djangoproject.com/weblog/2015/jan/13/security/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 1.7.3-1~exp1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <[email protected]> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 21 Jan 2015 09:56:19 +0100
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1.7.3-1~exp1
Distribution: experimental
Urgency: high
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Raphaël Hertzog <[email protected]>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 775375
Changes:
 python-django (1.7.3-1~exp1) experimental; urgency=high
 .
   [ Luke Faraone ]
   * New upstream security release.
     - WSGI header spoofing via underscore/dash conflation (CVE-2015-0219)
     - Possible XSS attack via user-supplied redirect URLs (CVE-2015-0220)
     - DoS attack against django.views.static.serve (CVE-2015-0221)
     - Database DoS with ModelMultipleChoiceField (CVE-2015-0222)
     Closes: #775375
 .
   [ Raphaël Hertzog ]
   * Add patch fix-24193-python34-test-failure.diff to fix a test failure with
     Python3.4.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Signed by Raphael Hertzog

-----END PGP SIGNATURE-----

--- End Message ---
