Your message dated Tue, 04 Apr 2017 16:19:06 +0000
with message-id <[email protected]>
and subject line Bug#859515: fixed in python-django 1:1.10.7-1
has caused the Debian Bug report #859515,
regarding python-django: CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
859515: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859515
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-django
Version: 1.7.7-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for python-django.

CVE-2017-7233[0]:
|Open redirect and possible XSS attack via user-supplied numeric
|redirect URLs

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7233
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7233

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 1:1.10.7-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Tue, 04 Apr 2017 17:53:30 +0200
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Built-For-Profiles: nocheck
Architecture: source
Version: 1:1.10.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 859515 859516
Changes:
 python-django (1:1.10.7-1) unstable; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2017-7233: Open redirect and possible XSS attack via user-supplied
       numeric redirect URLs.
 .
       Django relies on user input in some cases (e.g.
       django.contrib.auth.views.login() and i18n) to redirect the user to an
       "on success" URL. The security check for these redirects (namely
       django.utils.http.is_safe_url()) considered some numeric URLs (e.g.
       http:999999999) "safe" when they shouldn't be.
 .
       Also, if a developer relies on is_safe_url() to provide safe redirect
       targets and puts such a URL into a link, they could suffer from an XSS
       attack. (Closes: #859515)
 .
     - CVE-2017-7234: Open redirect vulnerability in django.views.static.serve().
 .
       A maliciously crafted URL to a Django site using the
       django.views.static.serve() view could redirect to any other domain. The
       view no longer does any redirects as they don't provide any known,
       useful functionality.
 .
       Note, however, that this view has always carried a warning that it is
       not hardened for production use and should be used only as a development
       aid. Thanks Phithon Gong for reporting this issue. (Closes: #859516)


--- End Message ---
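The is_safe_url() weakness described in the changelog above, shown as an added example that is not Django's own code: a redirect-target check that splits off the scheme with the RFC 3986 grammar itself, so a string like http:999999999 is seen as scheme "http" with no authority and rejected regardless of how the local urlsplit() happens to parse it. The function names split_scheme and is_safe_redirect and the host name app.example are assumptions for the example, not from the page.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":".
_SCHEME_RE = re.compile(r'^([A-Za-z][A-Za-z0-9+.-]*):')


def split_scheme(url):
    """Split ``url`` into (scheme, remainder) using only the RFC 3986 grammar.

    Some urlsplit() releases report no scheme for 'http:999999999' because the
    remainder looks like a port number; browsers instead open http://999999999/
    (an IPv4 address written in decimal). Splitting here removes that mismatch.
    """
    match = _SCHEME_RE.match(url)
    if not match:
        return '', url
    return match.group(1).lower(), url[match.end():]


def is_safe_redirect(url, allowed_hosts):
    """True only for a relative path or an http(s) URL whose netloc is in
    ``allowed_hosts`` (lower-case host names). Anything ambiguous is rejected."""
    if not url or not url.strip():
        return False
    # Chrome treats three or more leading slashes as absolute; urlsplit does not.
    if url.startswith('///'):
        return False
    # Some browsers skip leading control characters, which can expose a scheme.
    if unicodedata.category(url[0])[0] == 'C':
        return False
    scheme, rest = split_scheme(url)
    # A scheme with no '//' authority ('http:999999999', 'javascript:...') or a
    # non-http(s) scheme is never an acceptable redirect target.
    if scheme and (scheme not in ('http', 'https') or not rest.startswith('//')):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # 'http:///evil.example' parses with a scheme but an empty netloc; refuse it.
    if scheme and not parts.netloc:
        return False
    # Relative path (no netloc), or absolute/protocol-relative URL on our host.
    return not parts.netloc or parts.netloc.lower() in allowed_hosts
```

The check is deliberately conservative: a relative path containing a colon in its first segment (such as reports:2017) is also refused, which is the safer failure mode for a "next" parameter.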
_______________________________________________
Python-modules-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team