Your message dated Sat, 8 Jun 2024 10:21:35 +0200
with message-id <[email protected]>
and subject line Re: Accepted social-auth-app-django 5.4.1-1 (source) into
unstable
has caused the Debian Bug report #1070374,
regarding social-auth-app-django: CVE-2024-32879
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1070374: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070374
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: social-auth-app-django
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for social-auth-app-django.
CVE-2024-32879[0]:
| Python Social Auth is a social authentication/registration
| mechanism. Prior to version 5.4.1, due to default case-insensitive
| collation in MySQL or MariaDB databases, third-party authentication
| user IDs are not case-sensitive and could cause different IDs to
| match. This issue has been addressed by a fix released in version
| 5.4.1. An immediate workaround would be to change collation of the
| affected field.
https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3
https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138
(5.4.1)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-32879
https://www.cve.org/CVERecord?id=CVE-2024-32879
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: social-auth-app-django
Source-Version: 5.4.1-1
On Sat, Jun 08, 2024 at 06:50:34AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Sat, 08 Jun 2024 08:21:57 +0200
> Source: social-auth-app-django
> Architecture: source
> Version: 5.4.1-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Python Team <[email protected]>
> Changed-By: Carsten Schoenert <[email protected]>
> Changes:
> social-auth-app-django (5.4.1-1) unstable; urgency=medium
> .
> * Team upload.
> * [bd55d80] New upstream version 5.4.1
> Fixes CVE-2024-32879
> * [d458518] d/control: Update Standards-Version to 4.7.0
> Checksums-Sha1:
> 85bc6711243581c83dfbb3603138f6267f09ef47 2378
> social-auth-app-django_5.4.1-1.dsc
> b2c7e152898899d409d9d080cfeb1cb10474feea 27823
> social-auth-app-django_5.4.1.orig.tar.gz
> 481a5b33b918eabc3b2d45b02e048ad1adebbc4f 4164
> social-auth-app-django_5.4.1-1.debian.tar.xz
> a41046bf0a15b92ead18445d6ef28f98c4619fdd 7483
> social-auth-app-django_5.4.1-1_amd64.buildinfo
> Checksums-Sha256:
> 81491676f16a1c4b00dcb48fe63fd6c21d61c4165e82f9c98bb3f15cced02ace 2378
> social-auth-app-django_5.4.1-1.dsc
> 7b7ea8daf0dccf068d83c05e73c9c34fbb736181332c4cf8bbd06256a63f6f95 27823
> social-auth-app-django_5.4.1.orig.tar.gz
> 31ca6d9a2714708c2738f18711bbfc291c3d3944664c6bc2fc02e8a5af4e7c66 4164
> social-auth-app-django_5.4.1-1.debian.tar.xz
> 55ad2d30f1cfec9bc099270691cbbe00c4c59ce0379133056bcb59344c4bde9c 7483
> social-auth-app-django_5.4.1-1_amd64.buildinfo
> Files:
> 5e4304d709c82ef3fdb01f20053ab185 2378 python optional
> social-auth-app-django_5.4.1-1.dsc
> cc35b45c85cced3a180f50c9907d2a34 27823 python optional
> social-auth-app-django_5.4.1.orig.tar.gz
> e38f30766e23d4868a971bfcce0cabbe 4164 python optional
> social-auth-app-django_5.4.1-1.debian.tar.xz
> 1532f24568399435c1aedccbc773f63c 7483 python optional
> social-auth-app-django_5.4.1-1_amd64.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iQJMBAEBCgA2FiEEtw38bxNP7PwBHmKqgwFgFCUdHbAFAmZj+c8YHGMuc2Nob2Vu
> ZXJ0QHQtb25saW5lLmRlAAoJEIMBYBQlHR2wbP8P/2ip4XG24L8JJgW8E0wd4TPr
> zlIKrlEN+WZJk+cVe1sNrY8mg5cE7dFFIEXK6NX6JaGPALbiYYcXXzu8VqVzDz1T
> vWlEwirHmbRh8hIvIJ8wp6hxONZnRP9/jCXwVIt9Pd2M/SVEpVSlHaH3B4m24GdG
> QtHBcYKFr45wTlieOv8nXVIpdHram/ZczphMyI1JOYcgUKcPQ7eZHuNV4rOWYBee
> RjleoGw2q+cu5Nkkf7vGGhGSzztFB9T+DLLW4u7LS5OFFQsFuVwKvAN5L7w9QdQO
> W77AVTLeIYnaLmyYvCH9dC4/FcjUkq0vpbpRN9MdtdU2wpMgqnpBr79dh0+7nbEs
> wj3RV/bs4dSCbvv9K62Pm9Lbb9nr32KxM/7Fo9Hebf4pKS7zxA1N+VibY3tZDn2z
> Djwz8fC7eXI5cl/i3lpNQwRpjYOxNXH8jpKFMp31kMaYTL+7A+N0R1eNuBTnY1wh
> tDv86WjNrMaTXrrE0ye1L+fC1JHkJ4DPgq/FExUmO46xOGSLl6OTtr/ELyOEhKIr
> D/vgg0lDplmcKfnqncvNvR9RunukR/7Kmvdj9wEkkfaM/FPwqsIOOxXpYpqgLDZh
> lHmoIqWWWEeF9kmdOC+bVheKbHr6ZBDSdT3MiT3YqzkqJ+jM/MwPcrd2LfL9G8n8
> 9lE/HL91aknt0yXk7GQs
> =jHLf
> -----END PGP SIGNATURE-----
--- End Message ---