Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: djo...@packages.debian.org
Control: affects -1 + src:djoser
[ Reason ]
I'm currently onboarding for doing LTS updates and picked djoser as my first target from the "dla-needed.txt" list as it seemed low impact and a good first candidate. (I also have team commit access to the python-team/packages salsa group, where djoser is maintained.)

It feels natural to me that we fix the problem in stable before we fix it in oldstable... thus I'm filing this to get approval for stable.

Please note that djoser has the same version/revision in both stable and oldstable, thus the fix will be the same (but debian/changelog suite will differ, and debian/gbp.conf branch name will differ).

[ Impact ]
djoser has a very low popcon, so impact should be low.

[ Tests ]
not covered by testsuite.

[ Risks ]
The patch cherry-picked from upstream is a revert to a previous state of the code (before introducing the breakage which wasn't known to have security implications). The risks should thus be very low, since it's not "new" code.

[ Checklist ]
[x] *all* changes are documented in the d/changelog (except debian/gbp.conf branch name, which I think is changelog clutter)
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable (via a new upstream release)

[ Changes ]
Revert validation code to previous working code with proper auth validation.

[ Other info ]
n/a
diff --git a/debian/changelog b/debian/changelog index 288cf0c..9986a08 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +djoser (2.1.0-1+deb12u1) bookworm; urgency=medium + + * Team upload. + * Cherry-pick upstream commit fixing CVE-2024-21543 + (Closes: #1089915) + + -- Andreas Henriksson <andr...@fatal.se> Fri, 14 Feb 2025 22:07:53 +0100 + djoser (2.1.0-1) unstable; urgency=low * New upstream release. diff --git a/debian/gbp.conf b/debian/gbp.conf index b19af52..bc516cd 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,3 +1,3 @@ [DEFAULT] -debian-branch=debian/master +debian-branch=debian/bookworm pristine-tar=True diff --git a/debian/patches/0001-rollback-8f65bfff16577c7fb0f52bbabf5fb69f6809ba62-ad.patch b/debian/patches/0001-rollback-8f65bfff16577c7fb0f52bbabf5fb69f6809ba62-ad.patch new file mode 100644 index 0000000..1f55363 --- /dev/null +++ b/debian/patches/0001-rollback-8f65bfff16577c7fb0f52bbabf5fb69f6809ba62-ad.patch 
@@ -0,0 +1,36 @@ +From: Tom Wojcik <m...@tomwojcik.com> +Date: Fri, 3 May 2024 22:32:45 +0200 +Subject: rollback 8f65bfff16577c7fb0f52bbabf5fb69f6809ba62, + add support for ModelBackend.user_can_authenticate + +(cherry picked from commit d33c3993c0c735f23cbedc60fa59fce69354f19d) +(excluded testproject/* parts of commit, since not in our source) +--- + djoser/serializers.py | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/djoser/serializers.py b/djoser/serializers.py +index 9385bed..6178bbd 100644 +--- a/djoser/serializers.py ++++ b/djoser/serializers.py +@@ -113,17 +113,13 @@ class TokenCreateSerializer(serializers.Serializer): + + def validate(self, attrs): + password = attrs.get("password") +- params = {settings.LOGIN_FIELD: attrs.get(settings.LOGIN_FIELD)} ++ params = {"username": attrs.get(settings.LOGIN_FIELD)} + self.user = authenticate( + request=self.context.get("request"), **params, password=password + ) + if not self.user: +- self.user = User.objects.filter(**params).first() +- if self.user and not self.user.check_password(password): +- self.fail("invalid_credentials") +- if self.user and self.user.is_active: +- return attrs +- self.fail("invalid_credentials") ++ self.fail("invalid_credentials") ++ return attrs + + + class UserFunctionsMixin: diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..2b52878 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +0001-rollback-8f65bfff16577c7fb0f52bbabf5fb69f6809ba62-ad.patch
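Review bot: in the debian/changelog hunk, the new entry names CVE-2024-21543 and closes #1089915 but does not identify which upstream commit is being cherry-picked; appending the short id from the patch header (d33c3993) to the `* Cherry-pick upstream commit fixing CVE-2024-21543` line lets a reader verify provenance from the changelog alone. The version 2.1.0-1+deb12u1 and the bookworm suite line follow the stable-update convention.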
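Review bot: the debian/gbp.conf hunk switches debian-branch from debian/master to debian/bookworm, which matches the suite in the changelog entry; leaving it out of d/changelog is stated as deliberate in the [ Checklist ] above. Since the same fix is to be uploaded to oldstable with a different branch name, that debdiff will need its own value here rather than a copy of this hunk.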
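Review bot: in the nested djoser/serializers.py hunk, the removed fallback (`self.user = User.objects.filter(**params).first()` followed by a `check_password` comparison and an `is_active` test) accepted a login whenever the stored password matched and the account was active, even after `authenticate()` had already returned None; that skips every other check the configured authentication backends apply (the commit subject names `ModelBackend.user_can_authenticate`), which is the weakness the changelog entry ties to CVE-2024-21543. Making `authenticate()` the single decision point, with `self.fail("invalid_credentials")` on None, is the right shape for the fix. Two things to flag: the lookup key changes from `settings.LOGIN_FIELD` to the literal `"username"`, so a deployment whose backend keys on a differently named kwarg, or whose LOGIN_FIELD is not the user model's username field, should get a manual login check before upload since [ Tests ] states this path is not covered by the testsuite; and the patch header records its origin only as a `(cherry picked from commit d33c3993c0c735f23cbedc60fa59fce69354f19d)` line, so a DEP-3 `Origin:` line carrying that commit id and a `Bug-Debian:` line for #1089915 would make the provenance machine-readable.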