Your message dated Mon, 01 Jul 2019 20:34:05 +0000
with message-id <e1hi301-000ifd...@fasolo.debian.org>
and subject line Bug#931316: fixed in python-django 1:1.11.22-1
has caused the Debian Bug report #931316,
regarding python-django: CVE-2019-12781: Incorrect HTTP detection with
reverse-proxy connecting via HTTPS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
931316: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931316
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-django
Version: 1:1.11.21-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2:2.2.1-1
Control: found -1 1:1.10.7-2+deb9u4
Control: found -1 1:1.10.7-1

Hi,

The following vulnerability was published for python-django.

CVE-2019-12308[0]:
| An issue was discovered in Django 1.11 before 1.11.21, 2.1 before
| 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed
| by the AdminURLFieldWidget displays the provided value without
| validating it as a safe URL. Thus, an unvalidated value stored in the
| database, or a value provided as a URL query parameter payload, could
| result in a clickable JavaScript link.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12308
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308
[1] https://www.djangoproject.com/weblog/2019/jul/01/security-releases/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 1:1.11.22-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 931...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 01 Jul 2019 17:09:52 -0300
Source: python-django
Binary: python-django python-django-common python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 1:1.11.22-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 931316
Changes:
 python-django (1:1.11.22-1) unstable; urgency=medium
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2019/jul/01/security-releases/>
     (Closes: #931316)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---