Package: python-django
Version: 1.2.3-3
Severity: normal
Tags: patch
Usertags: origin-ubuntu ubuntu-patch

1.2.3-3 added a fix for a denial of service attack in the password-reset mechanism. The upstream fixes for the 1.2 branch included a test case, but it did not apply against 1.2.3. The test case for this issue in the 1.1[1] branch does apply though, and the attached patch adds this test case back to 09_fix_dos_password_reset.diff.

[1] http://code.djangoproject.com/changeset/15036

-- System Information:
Debian Release: squeeze/sid
  APT prefers natty-updates
  APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-12-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru python-django-1.2.3/debian/changelog python-django-1.2.3/debian/changelog --- python-django-1.2.3/debian/changelog 2011-01-01 14:51:19.000000000 -0600 +++ python-django-1.2.3/debian/changelog 2011-01-18 09:00:56.000000000 -0600 @@ -1,3 +1,10 @@ +python-django (1.2.3-4) testing; urgency=low + + * update 09_fix_dos_password_reset.diff to include the dropped test by using + the test from 1.1 series (http://code.djangoproject.com/changeset/15036) + + -- Jamie Strandboge <[email protected]> Tue, 18 Jan 2011 08:58:19 -0600 + python-django (1.2.3-3) testing; urgency=high * Squeeze upload with security fixes only: diff -Nru python-django-1.2.3/debian/patches/09_fix_dos_password_reset.diff python-django-1.2.3/debian/patches/09_fix_dos_password_reset.diff --- python-django-1.2.3/debian/patches/09_fix_dos_password_reset.diff 2011-01-01 14:48:07.000000000 -0600 +++ python-django-1.2.3/debian/patches/09_fix_dos_password_reset.diff 2011-01-18 08:57:47.000000000 -0600 @@ -2,15 +2,17 @@ http://www.djangoproject.com/weblog/2010/dec/22/security/ Origin: upstream, http://code.djangoproject.com/changeset/15034 ---- a/django/contrib/auth/urls.py -+++ b/django/contrib/auth/urls.py +Index: python-django-1.2.3/django/contrib/auth/urls.py +=================================================================== +--- python-django-1.2.3.orig/django/contrib/auth/urls.py 2011-01-18 08:57:06.000000000 -0600 ++++ python-django-1.2.3/django/contrib/auth/urls.py 2011-01-18 08:57:09.000000000 -0600 
@@ -1,4 +1,4 @@ -# These URLs are normally mapped to /admin/urls.py. This URLs file is +# These URLs are normally mapped to /admin/urls.py. This URLs file is # provided as a convenience to those who want to deploy these URLs elsewhere. # This file is also used to provide a reliable view deployment for test purposes. -@@ -11,7 +11,7 @@ urlpatterns = patterns('', +@@ -11,7 +11,7 @@ (r'^password_change/done/$', 'django.contrib.auth.views.password_change_done'), (r'^password_reset/$', 'django.contrib.auth.views.password_reset'), (r'^password_reset/done/$', 'django.contrib.auth.views.password_reset_done'), @@ -19,9 +21,11 @@ (r'^reset/done/$', 'django.contrib.auth.views.password_reset_complete'), ) ---- a/django/utils/http.py -+++ b/django/utils/http.py -@@ -73,8 +73,13 @@ def http_date(epoch_seconds=None): +Index: python-django-1.2.3/django/utils/http.py +=================================================================== +--- python-django-1.2.3.orig/django/utils/http.py 2011-01-18 08:57:06.000000000 -0600 ++++ python-django-1.2.3/django/utils/http.py 2011-01-18 08:57:09.000000000 -0600 +@@ -73,8 +73,13 @@ def base36_to_int(s): """ @@ -36,3 +40,17 @@ return int(s, 36) def int_to_base36(i): +Index: python-django-1.2.3/django/contrib/auth/tests/tokens.py +=================================================================== +--- python-django-1.2.3.orig/django/contrib/auth/tests/tokens.py 2011-01-18 08:57:34.000000000 -0600 ++++ python-django-1.2.3/django/contrib/auth/tests/tokens.py 2011-01-18 08:57:40.000000000 -0600 +@@ -34,4 +34,9 @@ + >>> p2.check_token(u, tk1) + False + ++This will put a 14-digit base36 timestamp into the token, which is too large. ++>>> tk1 = p0._make_token_with_timestamp(u, 175455491841851871349) ++>>> p0.check_token(u, tk1) ++False ++ + """
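Review bot: in the first hunk of debian/patches/09_fix_dos_password_reset.diff (@@ -2,15 +2,17 @@) the DEP-3 header is left reading only "Origin: upstream, http://code.djangoproject.com/changeset/15034", yet the tokens.py test appended at the end of the patch is taken from changeset 15036, as the new changelog entry itself says. Add 15036 to the Origin line (or a Comment: line naming it as the source of the test) so anyone refreshing the patch against upstream can see that it combines two changesets.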
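Review bot: the hunks at @@ -2,15 +2,17 @@ and @@ -19,9 +21,11 @@ rewrite the existing "--- a/django/..." / "+++ b/django/..." headers into "Index:" blocks with absolute python-django-1.2.3 paths and local timestamps, which is churn unrelated to the stated purpose of restoring the dropped test; it roughly doubles the size of this meta-diff and makes the patch harder to compare line by line with upstream changeset 15034. Keep the original a/ b/ headers for urls.py and http.py and only append the new django/contrib/auth/tests/tokens.py section, in the same a/ b/ style.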
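Review bot: the doctest added in the last hunk (@@ -36,3 +40,17 @@, django/contrib/auth/tests/tokens.py) only checks the fix indirectly, by asserting that p0.check_token(u, tk1) is False for a token carrying a 14-digit base36 timestamp; the guard that actually changed lives in base36_to_int in django/utils/http.py, whose hunk is not shown here. Consider also adding a direct assertion that base36_to_int raises ValueError for a 14-character input, so a regression in the length check is caught even if check_token's error handling changes. The comment line ">>> ... which is too large." also belongs better with the "This will put a 14-digit base36 timestamp" sentence on one line, matching the style of the surrounding doctest prose.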

