Hi Chris, Thanks for working on the update.
[disclaimer: not a full review, but something jumped out while I was reading the debdiff] On Sat, Jan 05, 2019 at 09:39:38PM +0100, Chris Lamb wrote: > Hi Moritz, > > > > This also affects stable from my reading of the code. Shall I > > > prepare an upload to stretch-security? > [..] > > Please do. > > debdiff attached, awaiting t...@security.debian.org ACK to upload. > > > Best wishes, > > -- > ,''`. > : :' : Chris Lamb > `. `'` la...@debian.org / chris-lamb.co.uk > `- > diff --git a/debian/changelog b/debian/changelog > index b1c56f7c5..d6472a04e 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,10 @@ > +python-django (1:1.10.7-2+deb9u4) stretch-security; urgency=high > + > + * CVE-2019-3498: Fix a content spoofing vulnerability in the default > + 404 page. (Closes: #918230) > + > + -- Chris Lamb <la...@debian.org> Sat, 05 Jan 2019 21:36:27 +0100 > + > python-django (1:1.10.7-2+deb9u3) stretch; urgency=medium > > * Default to supporting Spatialite >= 4.2. (Closes: #910240) > diff --git a/debian/patches/0017-CVE-2019-3498.patch > b/debian/patches/0017-CVE-2019-3498.patch > new file mode 100644 > index 000000000..ea647e964 > --- /dev/null > +++ b/debian/patches/0017-CVE-2019-3498.patch
> @@ -0,0 +1,401 @@ > +From: Tom Hacohen <t...@users.noreply.github.com> > +Date: Fri, 4 Jan 2019 02:21:55 +0000 > +Subject: Fixed #30070, > + CVE-2019-3498 -- Fixed content spoofing possiblity in the default 404 page. > + > +Co-Authored-By: Tim Graham <timogra...@gmail.com> > +Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master. > +--- > + ...0006-Default-to-supporting-Spatialite-4.2.patch | 4 +-- > + debian/patches/0013-CVE-2018-7536.patch | 6 ++-- > + debian/patches/0015-CVE-2018-14574.patch | 2 +- > + .../patches/02_disable-sources-in-sphinxdoc.diff | 5 ++-- > + .../06_use_debian_geoip_database_as_default.diff | 3 +- > + debian/patches/fix-migration-fake-initial-1.patch | 20 ++++++++++---- > + debian/patches/fix-migration-fake-initial-2.patch | 32 > ++++++++++++++++------ > + .../fix-test-middleware-classes-headers.patch | 7 ++--- > + debian/patches/series | 1 + > + django/views/defaults.py | 8 ++++-- > + tests/handlers/tests.py | 12 +++++--- > + 11 files changed, 65 insertions(+), 35 deletions(-) With the 0017-CVE-2019-3498.patch patch there is something strange. While it correctly touches the files django/views/defaults.py and the tests, it also touches and modifies files in debian/*, other patches and the series file. Can you recheck what went wrong here? Were you able to test the resulting packages under stretch on production systems, or were any other tests performed? Regards, Salvatore
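Review bot: the diffstat embedded in the header of the new debian/patches/0017-CVE-2019-3498.patch shows that the quilt patch was generated against the wrong base, and it should be regenerated before upload. A backport of a single upstream commit (1ecc0a395be721e987e8e9fdfadde952b6dee1c7, per the "Backport of" line) should only carry the django/views/defaults.py (8 ++++--) and tests/handlers/tests.py (12 +++++---) changes, roughly 20 changed lines, yet the hunk header announces a 401-line file and the stat lists nine entries under debian/patches/ (0006-Default-to-supporting-Spatialite-4.2.patch, 0013-CVE-2018-7536.patch, 0015-CVE-2018-14574.patch, 02_disable-sources-in-sphinxdoc.diff, 06_use_debian_geoip_database_as_default.diff, the two fix-migration-fake-initial patches, fix-test-middleware-classes-headers.patch and series), summing to "11 files changed, 65 insertions(+), 35 deletions(-)". A patch applied by quilt from the series file that rewrites sibling patches and the series file itself will at best be a no-op for those entries and at worst fail to apply or corrupt the other patches; the fix is to export the patch so that it contains only the two upstream file hunks, then confirm with quilt that the whole series still applies cleanly and that the new test in tests/handlers/tests.py passes on the built package. The changelog hunk itself looks fine (CVE id, bug number and stretch-security target are consistent with the patch header).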