Your message dated Sun, 11 Oct 2009 19:57:55 +0000
with message-id <e1mx4yf-0002kp...@ries.debian.org>
and subject line Bug#550457: fixed in python-django 1.0.2-1+lenny2
has caused the Debian Bug report #550457,
regarding Remote denial of service via pathological performance of regular expressions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
550457: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1.0.2-1+lenny1
Severity: serious
Tags: security
> Django's forms library included field types which perform
> regular-expression based validation of email addresses and URLs. Certain
> addresses/URLs could trigger a pathological performance case in this
> regular expression, resulting in the server process/thread becoming
> unresponsive, and consuming excessive CPU over an extended period of time.
> If deliberately triggered, this could result in an effective
> denial-of-service attack.
[..]
> This issue was disclosed publicly by a third party on a high-traffic
> mailing list, and attempts have been made to exploit it against live Django
> installations.
<http://www.djangoproject.com/weblog/2009/oct/09/security/>
Does not affect unstable (once 1.1.1-1 lands).
Regards,
--
Chris Lamb
la...@debian.org
--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 1.0.2-1+lenny2
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:
python-django_1.0.2-1+lenny2.diff.gz
to pool/main/p/python-django/python-django_1.0.2-1+lenny2.diff.gz
python-django_1.0.2-1+lenny2.dsc
to pool/main/p/python-django/python-django_1.0.2-1+lenny2.dsc
python-django_1.0.2-1+lenny2_all.deb
to pool/main/p/python-django/python-django_1.0.2-1+lenny2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 550...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Sat, 10 Oct 2009 10:33:24 +0100
Source: python-django
Binary: python-django
Architecture: source all
Version: 1.0.2-1+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Brett Parker <idu...@sommitrealweird.co.uk>
Changed-By: Chris Lamb <la...@debian.org>
Description:
python-django - A high-level Python Web framework
Closes: 550457
Changes:
python-django (1.0.2-1+lenny2) stable-security; urgency=high
.
* Add patch to fix remote denial of service by exploiting pathological
performance of regular expressions (Closes: #550457)
.
Upstream writes:
.
SECURITY ALERT: Corrected regular expressions for URL and email fields.
.
Certain email addresses/URLs could trigger a catastrophic backtracking
situation, causing 100% CPU and server overload. If deliberately
triggered, this could be the basis of a denial-of-service attack.
.
<http://www.djangoproject.com/weblog/2009/oct/09/security/>
--- End Message ---
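The catastrophic-backtracking failure mode described in the quoted Django advisory in the bug report and repeated in the changelog entry, as an added illustration that is not Django's code: the page does not show Django's own patterns, so the two email patterns here are constructed, one with a nested quantifier beside a rewrite that has only one way to match, plus an input length cap as an independent mitigation. The `MAX_EMAIL_LEN` bound and the sample addresses are assumptions.

```python
"""Catastrophic backtracking in a regex validator and two defensive fixes.
Both patterns are constructed for illustration; neither is Django's own
email or URL regex."""
import re
import time

# Constructed vulnerable pattern: the nested quantifier (\w+\.?)+ lets the
# engine split a run of word characters in exponentially many ways before
# it gives up, so a non-matching input of n letters costs about 2**n steps.
BACKTRACKING_EMAIL = re.compile(r"^(\w+\.?)+@\w+\.\w+$")

# Rewritten so a run of word characters can only be consumed by one \w+
# (each further label must start with a literal dot): there is a single way
# to match, so the work grows linearly with the input length.
LINEAR_EMAIL = re.compile(r"^\w+(?:\.\w+)*@\w+\.\w+$")

# Independent second mitigation: cap the input size before any regex runs.
MAX_EMAIL_LEN = 254  # assumed bound (RFC 5321 path limit); any fixed cap works


def is_valid_email_backtracking(value: str) -> bool:
    """Toy vulnerable validator, kept only for the timing comparison."""
    return BACKTRACKING_EMAIL.match(value) is not None


def is_valid_email(value: str) -> bool:
    """Hardened validator: length cap first, then the linear-time pattern."""
    if len(value) > MAX_EMAIL_LEN:
        return False
    return LINEAR_EMAIL.match(value) is not None


def pathological_input(n: int) -> str:
    """Constructed non-matching input: n letters then a character that can
    never match, which forces the engine to exhaust every possible split."""
    return "a" * n + "!"


def time_validator(fn, value: str) -> float:
    """Wall-clock seconds for a single validation call."""
    start = time.perf_counter()
    fn(value)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Kept small on purpose: the vulnerable cost roughly doubles per letter.
    for n in (10, 14, 18):
        sample = pathological_input(n)
        slow = time_validator(is_valid_email_backtracking, sample)
        fast = time_validator(is_valid_email, sample)
        print(f"n={n:2d}  backtracking={slow:.4f}s  linear={fast:.6f}s")
```

The same rewrite applies to any validator pattern whose quantified group can itself match a quantified run (the `(x+)+` shape); the length cap protects even the patterns you have not audited yet.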