Bug#407521: Security fix for Django auth

2007-01-19 Thread Marc Fargas

Thanks for the explanation, maybe in 500~1000 more I'll know how to
tag them properly!! hehehe.

By the way, thanks a lot for packaging django for debian

On 1/19/07, Raphael Hertzog [EMAIL PROTECTED] wrote:

On Fri, 19 Jan 2007, Marc Fargas wrote:
 Hi Raphael,

Hi Marc,

 I just read at http://www.us.debian.org/Bugs/Developer.en.html#severities
 and took the one that made more sense to me; there, the only severity
 that talks about security is critical, so I took that. I'm not a
 bug voodoo, I was just trying to give a hand marking bugs.

Thanks for trying! However there's always some judgment to be made. The
initial bug submitter didn't speak of security risk even though it's clear
that it is a security risk in principle.

So before being definitive on the issue, one always needs to know how often
we're exposed to the security risk. And while this information was not
available, you shouldn't have increased the severity.

Anyway, I've prepared updates that I'll upload to unstable and we'll see
with further discussion if the package needs to go to etch or not.

 Anyway, it's always good to learn a bit more on every matter, so
 thanks for the lesson and accept my apologies for messing up your bug
 reports.

Accepted of course. :)

Cheers,
--
Raphaël Hertzog

First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/



Bug#407521: Security fix for Django auth

2007-01-19 Thread Raphael Hertzog
On Fri, 19 Jan 2007, Marc Fargas wrote:
 Hi Raphael,

Hi Marc,

 I just read at http://www.us.debian.org/Bugs/Developer.en.html#severities
 and took the one that made more sense to me; there, the only severity
 that talks about security is critical, so I took that. I'm not a
 bug voodoo, I was just trying to give a hand marking bugs.

Thanks for trying! However there's always some judgment to be made. The
initial bug submitter didn't speak of security risk even though it's clear
that it is a security risk in principle.

So before being definitive on the issue, one always needs to know how often
we're exposed to the security risk. And while this information was not
available, you shouldn't have increased the severity.

Anyway, I've prepared updates that I'll upload to unstable and we'll see
with further discussion if the package needs to go to etch or not.

 Anyway, it's always good to learn a bit more on every matter, so
 thanks for the lesson and accept my apologies for messing up your bug
 reports.

Accepted of course. :)

Cheers,
-- 
Raphaël Hertzog

First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/



Bug#407521: Security fix for Django auth

2007-01-19 Thread Marc Fargas

Hi Raphael,
I just read at http://www.us.debian.org/Bugs/Developer.en.html#severities
and took the one that made more sense to me; there, the only severity
that talks about security is critical, so I took that. I'm not a
bug voodoo, I was just trying to give a hand marking bugs.

Anyway, it's always good to learn a bit more on every matter, so
thanks for the lesson and accept my apologies for messing up your bug
reports.

Sincerely,
Marc.

On 1/19/07, Raphael Hertzog [EMAIL PROTECTED] wrote:

severity 407521 important
thanks

On Fri, 19 Jan 2007, Marc Fargas wrote:
 severity critical
 tags +patch
 thanks

 The current Django version in Debian has a security hole, so this bug
 should be critical, and the patch recommended by the submitter should be
 applied and brought to etch, I think.

Same story as before. Nobody has explained under which circumstances
this bug constitutes a security risk. And you're inflating the severity
without proper justification.

The upstream ticket http://code.djangoproject.com/ticket/2702 doesn't
mention the possible security risk. James has mentioned the problem to be
that one could be granted rights that have been granted to a previous HTTP
request.

If such a behaviour was happening all the time, I bet it would be a very
important bug... but since I see no mention of that in the upstream
ticket, I believe it probably happens seldom. Has there been discussion of
this problem somewhere else?

Can you tell us under which circumstances this can happen?

In the meantime, I'm downgrading. Depending on the answer to the question
above, I may agree to change it back to serious. Opinions are welcome of
course.

Regards,
--
Raphaël Hertzog

First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/



Bug#407521: Security fix for Django auth

2007-01-19 Thread Raphael Hertzog
severity 407521 important
thanks

On Fri, 19 Jan 2007, Marc Fargas wrote:
 severity critical
 tags +patch
 thanks
 
 The current Django version in Debian has a security hole, so this bug
 should be critical, and the patch recommended by the submitter should be
 applied and brought to etch, I think.

Same story as before. Nobody has explained under which circumstances
this bug constitutes a security risk. And you're inflating the severity
without proper justification.

The upstream ticket http://code.djangoproject.com/ticket/2702 doesn't
mention the possible security risk. James has mentioned the problem to be
that one could be granted rights that have been granted to a previous HTTP
request.

If such a behaviour was happening all the time, I bet it would be a very
important bug... but since I see no mention of that in the upstream
ticket, I believe it probably happens seldom. Has there been discussion of
this problem somewhere else?

Can you tell us under which circumstances this can happen?

In the meantime, I'm downgrading. Depending on the answer to the question
above, I may agree to change it back to serious. Opinions are welcome of
course.

Regards,
-- 
Raphaël Hertzog

First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/



Bug#407521: Security fix for Django auth

2007-01-19 Thread Marc Fargas

severity critical
tags +patch
thanks

The current Django version in Debian has a security hole, so this bug should
be critical, and the patch recommended by the submitter should be applied
and brought to etch, I think.

Cheers,
Marc.


Bug#407521: Security fix for Django auth system

2007-01-19 Thread James Bennett

Package: python-django
Version: 0.95-2

A bug in Django's AuthenticationMiddleware was discovered and patched 
after the 0.95 release; this bug can cause apparent caching of the 
value of request.user between requests, possibly resulting in 
inappropriate access when a user is perceived to be logged in as 
someone else.


This was fixed in revision 3754 of Django trunk[1], and that changeset 
applies cleanly to stock Django 0.95.


[1] http://code.djangoproject.com/changeset/3754

--
James Bennett
[EMAIL PROTECTED]
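The report above describes request.user appearing to be cached between requests. The following is an added illustration, not Django's code and not part of this thread, of how a lazily-resolved attribute can leak across requests in a long-lived worker process when its cache lives on a descriptor shared by every request instead of on the request itself, beside the per-request variant that does not leak. The Request class, get_user and both descriptor classes are hypothetical stand-ins.

```python
# Added illustration of the bug class described in the report: a lazy "user"
# attribute whose cache lives on the shared descriptor rather than on the
# per-request object. All classes here are constructed stand-ins, not Django's.
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal constructed stand-in for an HTTP request carrying a session."""
    session: dict = field(default_factory=dict)


def get_user(request):
    """Resolve the user from the session (constructed; no real auth backend)."""
    return request.session.get("user_id", "AnonymousUser")


class LeakyLazyUser:
    """Caches on the descriptor itself. Middleware attaches one instance to the
    request class, so the cache is shared by every request served by this
    process: whichever user is resolved first 'sticks' for later requests."""
    def __init__(self):
        self._user = None

    def __get__(self, request, obj_type=None):
        if self._user is None:
            self._user = get_user(request)
        return self._user


class FixedLazyUser:
    """Caches on the request instance, so each request resolves its own user."""
    def __get__(self, request, obj_type=None):
        if not hasattr(request, "_cached_user"):
            request._cached_user = get_user(request)
        return request._cached_user


def serve_two_requests(descriptor_cls):
    """Simulate a long-lived worker: attach the descriptor to the request class
    once, then serve two requests from different sessions. Returns the user
    each request observes."""
    class Req(Request):
        pass
    Req.user = descriptor_cls()  # class-level attach, done once per process
    alice = Req(session={"user_id": "alice"})
    anonymous = Req(session={})
    return alice.user, anonymous.user


if __name__ == "__main__":
    print("leaky:", serve_two_requests(LeakyLazyUser))  # ('alice', 'alice')
    print("fixed:", serve_two_requests(FixedLazyUser))  # ('alice', 'AnonymousUser')
```

The leaky variant only misbehaves in a process that serves more than one request, which is why such a bug can stay invisible under a development server that is restarted often.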

