Your message dated Tue, 03 Feb 2015 21:32:18 +0000
with message-id <e1yil50-0008pl...@franck.debian.org>
and subject line Bug#775375: fixed in python-django 1.4.5-1+deb7u9
has caused the Debian Bug report #775375,
regarding python-django: CVE-2015-0219 CVE-2015-0220 CVE-2015-0221 CVE-2015-0222
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
775375: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775375
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-django
Version: 1.7.1-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for python-django.

CVE-2015-0219[0]:
WSGI header spoofing via underscore/dash conflation

CVE-2015-0220[1]:
Mitigated possible XSS attack via user-supplied redirect URLs

CVE-2015-0221[2]:
Denial-of-service attack against django.views.static.serve

CVE-2015-0222[3]:
Database denial-of-service with ModelMultipleChoiceField

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0219
[1] https://security-tracker.debian.org/tracker/CVE-2015-0220
[2] https://security-tracker.debian.org/tracker/CVE-2015-0221
[3] https://security-tracker.debian.org/tracker/CVE-2015-0222
[4] https://www.djangoproject.com/weblog/2015/jan/13/security/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 1.4.5-1+deb7u9

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hert...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 28 Jan 2015 10:24:59 +0100
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.4.5-1+deb7u9
Distribution: wheezy-security
Urgency: high
Maintainer: Chris Lamb <la...@debian.org>
Changed-By: Raphaël Hertzog <hert...@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 775375
Changes: 
 python-django (1.4.5-1+deb7u9) wheezy-security; urgency=high
 .
   * New upstream security release:
     https://www.djangoproject.com/weblog/2015/jan/13/security/
     - WSGI header spoofing via underscore/dash conflation (CVE-2015-0219)
     - Possible XSS attack via user-supplied redirect URLs (CVE-2015-0220)
     - Denial-of-service attack against django.views.static.serve
       (CVE-2015-0221)
     Closes: #775375
   * Also include a fix for a regression introduced by the patch for
     CVE-2015-0221: https://code.djangoproject.com/ticket/24158

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Signed by Raphael Hertzog

-----END PGP SIGNATURE-----

--- End Message ---
