Your message dated Thu, 29 Jan 2015 11:33:49 +0000
with message-id <[email protected]>
and subject line Bug#775375: fixed in python-django 1.2.3-3+squeeze12
has caused the Debian Bug report #775375,
regarding python-django: CVE-2015-0219 CVE-2015-0220 CVE-2015-0221 CVE-2015-0222
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
775375: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775375
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-django
Version: 1.7.1-1
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for python-django.
CVE-2015-0219[0]:
WSGI header spoofing via underscore/dash conflation
CVE-2015-0220[1]:
Mitigated possible XSS attack via user-supplied redirect URLs
CVE-2015-0221[2]:
Denial-of-service attack against django.views.static.serve
CVE-2015-0222[3]:
Database denial-of-service with ModelMultipleChoiceField
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-0219
[1] https://security-tracker.debian.org/tracker/CVE-2015-0220
[2] https://security-tracker.debian.org/tracker/CVE-2015-0221
[3] https://security-tracker.debian.org/tracker/CVE-2015-0222
[4] https://www.djangoproject.com/weblog/2015/jan/13/security/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 1.2.3-3+squeeze12
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Raphaël Hertzog <[email protected]> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 28 Jan 2015 18:39:56 +0100
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.2.3-3+squeeze12
Distribution: squeeze-lts
Urgency: medium
Maintainer: Chris Lamb <[email protected]>
Changed-By: Raphaël Hertzog <[email protected]>
Description:
python-django - High-level Python web development framework
python-django-doc - High-level Python web development framework (documentation)
Closes: 775375
Changes:
python-django (1.2.3-3+squeeze12) squeeze-lts; urgency=medium
.
* Backport multiple security fixes released in 1.4 branch:
https://www.djangoproject.com/weblog/2015/jan/13/security/
- WSGI header spoofing via underscore/dash conflation (CVE-2015-0219)
- Possible XSS attack via user-supplied redirect URLs (CVE-2015-0220)
- Denial-of-service attack against django.views.static.serve (CVE-2015-0221)
* Also include a fix for a regression introduced by the patch for
CVE-2015-0221: https://code.djangoproject.com/ticket/24158
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Signed by Raphael Hertzog
-----END PGP SIGNATURE-----
--- End Message ---