Your message dated Fri, 16 Oct 2020 16:03:58 +0000
with message-id <[email protected]>
and subject line Bug#971554: fixed in djangorestframework 3.12.1-1
has caused the Debian Bug report #971554,
regarding djangorestframework: CVE-2020-25626
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
971554: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971554
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: djangorestframework
Version: 3.11.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for djangorestframework.

CVE-2020-25626[0]:
| A flaw was found in Django REST Framework versions before 3.12.0 and
| before 3.11.2. When using the browseable API viewer, Django REST
| Framework fails to properly escape certain strings that can come from
| user input. This allows a user who can control those strings to inject
| malicious <script> tags, leading to a cross-site-scripting (XSS)
| vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-25626
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25626
[1] https://github.com/encode/django-rest-framework/commit/4121b01b912668c049b26194a9a107c27a332429

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
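The CVE text above describes the general failure mode: strings an API consumer controls are placed into the browsable API's HTML without escaping. The following is an added example, not code from Django REST Framework or from the upstream fix; it uses a deliberately minimal hand-rolled renderer (no Django templates) and constructed sample inputs to show the vulnerable pattern, the common half-fix that forgets attribute context, the hardened form, and a small audit helper a defender can run over rendered output.

```python
import html
import re
from typing import List

# Constructed sample inputs for this example: a field label and a validation
# error message that an API consumer, not the site operator, controls (for
# instance, values echoed back from a request body).
USER_CONTROLLED_LABEL = 'Name" onmouseover="alert(1)'
USER_CONTROLLED_ERROR = "<script>alert(document.cookie)</script>"
UNTRUSTED = [USER_CONTROLLED_LABEL, USER_CONTROLLED_ERROR]


def render_unsafe(label: str, error: str) -> str:
    """Vulnerable pattern: untrusted strings interpolated straight into HTML,
    both in an attribute value and in element content."""
    return (f'<label title="{label}">{label}</label>'
            f'<span class="error">{error}</span>')


def render_half_escaped(label: str, error: str) -> str:
    """Common half-fix: escapes only & < > (quote=False), which neutralises the
    <script> tag but still lets a quote break out of the title attribute."""
    safe_label = html.escape(label, quote=False)
    safe_error = html.escape(error, quote=False)
    return (f'<label title="{safe_label}">{safe_label}</label>'
            f'<span class="error">{safe_error}</span>')


def render_escaped(label: str, error: str) -> str:
    """Hardened form: escape & < > and both quote characters (quote=True, the
    default, stated explicitly) so the value is inert in attribute context too."""
    safe_label = html.escape(label, quote=True)
    safe_error = html.escape(error, quote=True)
    return (f'<label title="{safe_label}">{safe_label}</label>'
            f'<span class="error">{safe_error}</span>')


# Matches a real (unescaped) opening script tag; "&lt;script" does not match.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def audit_rendered_html(rendered: str, untrusted: List[str]) -> List[str]:
    """Defender-side check: report untrusted inputs containing HTML-significant
    characters that reached the output verbatim, plus any raw <script> tag."""
    findings = []
    for value in untrusted:
        if any(c in value for c in '<>"\'&') and value in rendered:
            findings.append(f"unescaped input reached output: {value!r}")
    if SCRIPT_TAG.search(rendered):
        findings.append("raw <script> tag present in output")
    return findings


if __name__ == "__main__":
    for name, renderer in [("unsafe", render_unsafe),
                           ("half-escaped", render_half_escaped),
                           ("escaped", render_escaped)]:
        out = renderer(USER_CONTROLLED_LABEL, USER_CONTROLLED_ERROR)
        print(f"{name}: {audit_rendered_html(out, UNTRUSTED) or 'clean'}")
```

The audit helper is intentionally simple: it checks whether dangerous input survived verbatim and whether a real script tag is present, which is enough to distinguish the three renderers but is a regression check, not a substitute for a templating engine with context-aware autoescaping.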
--- Begin Message ---
Source: djangorestframework
Source-Version: 3.12.1-1
Done: Michael Fladischer <[email protected]>

We believe that the bug you reported is fixed in the latest version of
djangorestframework, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Fladischer <[email protected]> (supplier of updated djangorestframework package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 16 Oct 2020 17:27:21 +0200
Source: djangorestframework
Architecture: source
Version: 3.12.1-1
Distribution: unstable
Urgency: low
Maintainer: Debian Python Team <[email protected]>
Changed-By: Michael Fladischer <[email protected]>
Closes: 970776 971554
Changes:
 djangorestframework (3.12.1-1) unstable; urgency=low
 .
   [ Ondřej Nový ]
   * d/control: Update Maintainer field with new Debian Python Team
     contact address.
   * d/control: Update Vcs-* fields with new Debian Python Team Salsa
     layout.
 .
   [ Michael Fladischer ]
   * New upstream release (CVE-2020-25626) (Closes: #971554).
   * Refresh patches.
   * Add d/upstream/metadata.
   * Remove 0001-Disable-Postgresql-tests.patch.
   * Depend on libjs-bootstrap (Closes: #970776).
Checksums-Sha1:
 0321dcc59316b9baf18b03889f2db1654f1a1f88 2188 djangorestframework_3.12.1-1.dsc
 87d879466cce759a15cbac0c31a66f092fe4efd4 8795995 djangorestframework_3.12.1.orig.tar.gz
 a27595b54fdac1013708022012468bf7df65de6a 332792 djangorestframework_3.12.1-1.debian.tar.xz
 74568e08cdac5013c0ad49188f4c209fd5c2b52b 9627 djangorestframework_3.12.1-1_amd64.buildinfo
Checksums-Sha256:
 49f05b2c66fd3921a3e153310f80774e28e3b845d38e95433655055b324bcba6 2188 djangorestframework_3.12.1-1.dsc
 df29708dd521382e3f27e04c229f1161142f168ac3e74e8de0b30d02d8bfc95c 8795995 djangorestframework_3.12.1.orig.tar.gz
 fabf31990d212f81c9b42ebf22f10ad844437876f21ed7f708d7207a8f892467 332792 djangorestframework_3.12.1-1.debian.tar.xz
 73f87cab214021303f91d7dfa65f50fec1d5ab2e4533619a2cb02cfc69b8ca2f 9627 djangorestframework_3.12.1-1_amd64.buildinfo
Files:
 548bfed41c51de91a37be1d375e7c498 2188 python optional djangorestframework_3.12.1-1.dsc
 ac0589af9cf3a0617916883cef529bac 8795995 python optional djangorestframework_3.12.1.orig.tar.gz
 d57d2784bc70cbdd3aa70e3b478af9e6 332792 python optional djangorestframework_3.12.1-1.debian.tar.xz
 6ee1cf41dd3ca68b44f8022d01a67d46 9627 python optional djangorestframework_3.12.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEqVSlRXW87UkkCnJc/9PIi5l90WoFAl+JvtQACgkQ/9PIi5l9
0WqCQQf8CnjU1kETDz8Kmek0bsqyXl/1WlKxbv6zz0ibCITc4wLOb1hlTSXZ4Z4C
nTft1cRDMqJhCLASG5YcbYb3ztRaS5ZyB8UKsqGxKBMnlMFDyf3UfNVzqcIc7XEo
yM9zPVUmiE9BlyCzfnatfsdIoL09Utpq7xz7LFsGDvbeIXiiJBfM2Atxdg2nDKFB
T0hI1WSV8KkNi2kYsrhe/krvN99L7J+bpe77tOOzlrLzsxhB5sPjzAKycvRJwg0F
ZoAcIn+Kideef2SOQDw0RenV8fNTn6Atg7W0W0r5WQL2IyrHZx4bS0vCXZxux/xD
qPbBikM9Cv91riTdVPPJklpL/ixkpQ==
=n/qK
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Python-modules-team mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
