Hi Chris,

Thanks for working on the update.
[disclaimer: not a full review, but something jumped out at me while I was reading the debdiff]

On Sat, Jan 05, 2019 at 09:39:38PM +0100, Chris Lamb wrote:
> Hi Moritz,
>
> > > This also affects stable from my reading of the code. Shall I
> > > prepare an upload to stretch-security?
> [..]
> > Please do.
>
> debdiff attached, awaiting [email protected] ACK to upload.
>
>
> Best wishes,
>
> --
>       ,''`.
>      : :' :     Chris Lamb
>      `. `'`      [email protected] / chris-lamb.co.uk
>        `-
> diff --git a/debian/changelog b/debian/changelog > index b1c56f7c5..d6472a04e 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,10 @@ > +python-django (1:1.10.7-2+deb9u4) stretch-security; urgency=high > + > + * CVE-2019-3498: Fix a content spoofing vulnerability in the default > + 404 page. (Closes: #918230) > + > + -- Chris Lamb <[email protected]> Sat, 05 Jan 2019 21:36:27 +0100 > + > python-django (1:1.10.7-2+deb9u3) stretch; urgency=medium > > * Default to supporting Spatialite >= 4.2. (Closes: #910240) > diff --git a/debian/patches/0017-CVE-2019-3498.patch > b/debian/patches/0017-CVE-2019-3498.patch > new file mode 100644 > index 000000000..ea647e964 > --- /dev/null > +++ b/debian/patches/0017-CVE-2019-3498.patch 
> @@ -0,0 +1,401 @@ > +From: Tom Hacohen <[email protected]> > +Date: Fri, 4 Jan 2019 02:21:55 +0000 > +Subject: Fixed #30070, > + CVE-2019-3498 -- Fixed content spoofing possiblity in the default 404 page. > + > +Co-Authored-By: Tim Graham <[email protected]> > +Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master. > +--- > + ...0006-Default-to-supporting-Spatialite-4.2.patch | 4 +-- > + debian/patches/0013-CVE-2018-7536.patch | 6 ++-- > + debian/patches/0015-CVE-2018-14574.patch | 2 +- > + .../patches/02_disable-sources-in-sphinxdoc.diff | 5 ++-- > + .../06_use_debian_geoip_database_as_default.diff | 3 +- > + debian/patches/fix-migration-fake-initial-1.patch | 20 ++++++++++---- > + debian/patches/fix-migration-fake-initial-2.patch | 32 > ++++++++++++++++------ > + .../fix-test-middleware-classes-headers.patch | 7 ++--- > + debian/patches/series | 1 + > + django/views/defaults.py | 8 ++++-- > + tests/handlers/tests.py | 12 +++++--- > + 11 files changed, 65 insertions(+), 35 deletions(-)

With 0017-CVE-2019-3498.patch there is something strange. While it correctly touches the files django/views/defaults.py and the tests, it also touches and modifies files in debian/*, other patches and the series file. Can you recheck what went wrong here?

Were you able to test the resulting packages under stretch on production systems, or were any other tests performed?

Regards,
Salvatore
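Review bot: the diffstat embedded in the new 0017-CVE-2019-3498.patch lists nine entries under debian/ (0006-Default-to-supporting-Spatialite-4.2.patch, 0013-CVE-2018-7536.patch, 0015-CVE-2018-14574.patch, 02_disable-sources-in-sphinxdoc.diff, 06_use_debian_geoip_database_as_default.diff, both fix-migration-fake-initial patches, fix-test-middleware-classes-headers.patch and debian/patches/series) next to the only two files the backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 should change, django/views/defaults.py (8 lines) and tests/handlers/tests.py (12 lines), and the hunk header shows the patch body is 401 lines long for what is a 20-line upstream change. A quilt patch that rewrites its sibling patches and the very series file that lists it is self-referential and is not something the 3.0 (quilt) source format is meant to carry; the diffstat has the shape of a patch exported from a packaging-branch commit that also contained debian/ changes rather than from the upstream commit alone. Suggest regenerating the patch so it contains only the django/views/defaults.py and tests/handlers/tests.py hunks (for example by restricting the export of the upstream commit to those two paths), then confirming on a clean stretch source tree that quilt push -a applies the full series and that the test added in tests/handlers/tests.py passes before the upload.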
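The check Salvatore asks for, that a patch under debian/patches/ only modifies the upstream tree, can be automated. The following POSIX sh helper is an added example and is not code from this thread or from the python-django packaging: it lists the files a unified diff modifies and fails when any of them lives under debian/. The sample patch it builds is constructed for the demonstration and is not the real 0017-CVE-2019-3498.patch.

```shell
#!/bin/sh
# Added example (not from the thread): flag a quilt patch that modifies
# files under debian/, which is what the diffstat quoted above shows for
# 0017-CVE-2019-3498.patch. Packaging changes belong directly in debian/,
# a patch in the series must only touch the upstream source tree.

# Print the paths a unified diff modifies. Only a "+++ " header that
# directly follows a "--- " header counts, so "+" content lines of a
# hunk are never mistaken for a file header. Git's a/ and b/ prefixes
# are dropped (quilt applies with -p1) and deleted files (+++ /dev/null)
# are skipped.
patch_files() {
    awk '
        /^--- / { prev_is_old = 1; next }
        prev_is_old && /^\+\+\+ / {
            path = $2                    # field after "+++ "; trailing timestamps are dropped too
            sub(/^[ab]\//, "", path)     # strip the git-style prefix
            if (path != "/dev/null") print path
        }
        { prev_is_old = 0 }
    ' "$1"
}

# Return 0 when the patch stays inside the upstream tree, 1 otherwise.
# The offending paths are reported on stderr.
patch_touches_debian() {
    bad=$(patch_files "$1" | grep '^debian/') || true
    if [ -n "$bad" ]; then
        printf '%s: modifies packaging files, not only the upstream tree:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample patch (hypothetical content, not the real CVE patch):
# one legitimate upstream hunk plus two hunks that rewrite debian/patches/.
write_sample_patch() {
    cat > "$1" <<'EOF'
From: example
Subject: constructed sample, not the real CVE-2019-3498 patch
---
--- a/django/views/defaults.py
+++ b/django/views/defaults.py
@@ -1 +1 @@
-old
+new
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-foo.patch
+0017-CVE-2019-3498.patch
--- /dev/null
+++ b/debian/patches/0018-unrelated.patch
@@ -0,0 +1 @@
+stray
EOF
}

# Run the check against the constructed sample; exits non-zero, as the
# sample deliberately touches debian/patches/.
demo() {
    f=$(mktemp) || return 1
    write_sample_patch "$f"
    if patch_touches_debian "$f"; then rc=0; else rc=1; fi
    rm -f "$f"
    return "$rc"
}
```

Source the file and run `patch_touches_debian debian/patches/0017-CVE-2019-3498.patch` from the unpacked source tree; a clean backport prints nothing and returns 0, while a patch like the one in the debdiff lists debian/patches/series and the sibling patches it rewrites.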

