Your message dated Tue, 25 Feb 2020 19:49:33 +0000
with message-id <e1j6gcz-000fou...@fasolo.debian.org>
and subject line Bug#950581: fixed in python-django 1:1.10.7-2+deb9u8
has caused the Debian Bug report #950581,
regarding python-django: CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
950581: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950581
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-django
Version: 2:2.2.9-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1:1.11.27-1~deb10u1
Hi,
The following vulnerability was published for python-django.
CVE-2020-7471[0]:
| Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3
| allows SQL Injection if untrusted data is used as a StringAgg
| delimiter (e.g., in Django applications that offer downloads of data
| as a series of rows with a user-specified column delimiter). By
| passing a suitably crafted delimiter to a
| contrib.postgres.aggregates.StringAgg instance, it was possible to
| break escaping and inject malicious SQL.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-7471
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471
[1] https://www.djangoproject.com/weblog/2020/feb/03/security-releases/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
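The advisory above describes the defect class in one sentence: a delimiter string was spliced into the SQL text of the aggregate instead of being passed as a bound parameter, so a quote character in user-supplied data could end the literal and be parsed as SQL. The following is an added illustration, not code from Django or from this bug report. It uses SQLite's `group_concat(X, Y)` as an offline stand-in for PostgreSQL's `string_agg`, and the two functions mirror the two patterns the advisory contrasts: `aggregate_interpolated` splices the delimiter into the statement (the vulnerable shape), `aggregate_parameterized` binds it as a query parameter (the shape of the fix). The table, rows and the `delimiter_is_safe` allowlist are constructed here for the example; the allowlist is a hypothetical stop-gap for code that cannot upgrade yet, not a substitute for the upstream fix.

```python
import sqlite3

# Constructed sample rows; the aggregate will join these into one string.
SAMPLE_NAMES = ["alice", "bob", "carol"]


def _connect():
    """Open an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO person (name) VALUES (?)", [(n,) for n in SAMPLE_NAMES]
    )
    return conn


def aggregate_interpolated(delimiter):
    """Vulnerable pattern: the delimiter is spliced into the SQL text.

    A quote in the delimiter terminates the literal early, so the rest of the
    delimiter is parsed as SQL rather than treated as data. Raises
    sqlite3.OperationalError when the result is not even valid SQL.
    """
    sql = "SELECT group_concat(name, '%s') FROM person" % delimiter
    conn = _connect()
    try:
        return conn.execute(sql).fetchone()[0]
    finally:
        conn.close()


def aggregate_parameterized(delimiter):
    """Fixed pattern: the delimiter travels as a bound parameter.

    The driver never merges it into the statement text, so quotes, operators
    and comment markers in the delimiter stay inert data.
    """
    sql = "SELECT group_concat(name, ?) FROM person"
    conn = _connect()
    try:
        return conn.execute(sql, (delimiter,)).fetchone()[0]
    finally:
        conn.close()


def compare(delimiter):
    """Return (interpolated_result, parameterized_result) for one delimiter.

    interpolated_result is None when the spliced statement failed to parse.
    Any difference between the two values means the delimiter changed the
    meaning of the interpolated query.
    """
    try:
        interpolated = aggregate_interpolated(delimiter)
    except sqlite3.OperationalError:
        interpolated = None
    return interpolated, aggregate_parameterized(delimiter)


def delimiter_is_safe(delimiter):
    """Hypothetical defensive allowlist for user-chosen delimiters.

    Accepts only non-empty strings made of alphanumerics and a few plain
    separator characters; anything that could affect SQL structure is rejected.
    """
    allowed_punctuation = " ,;|\t-_"
    return bool(delimiter) and all(
        c.isalnum() or c in allowed_punctuation for c in delimiter
    )


if __name__ == "__main__":
    for d in [", ", "'", "'||'X'||'"]:
        print(repr(d), compare(d), "allowlisted:", delimiter_is_safe(d))
```

Running the script shows that a harmless delimiter such as `", "` gives the same result either way, while a delimiter containing a quote either breaks the interpolated statement outright or, when it carries a valid SQL expression, is evaluated as SQL and changes the output; the parameterized variant returns the delimiter verbatim in both cases. In a Django application the equivalent check is that no request-controlled string reaches `StringAgg` through a version older than the fixed releases named in the advisory.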
--- Begin Message ---
Source: python-django
Source-Version: 1:1.10.7-2+deb9u8
Done: Chris Lamb <la...@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 950...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 15 Feb 2020 10:25:11 +0000
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Built-For-Profiles: nocheck
Architecture: source all
Version: 1:1.10.7-2+deb9u8
Distribution: stretch-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
python-django - High-level Python web development framework (Python 2 version)
python-django-common - High-level Python web development framework (common)
python-django-doc - High-level Python web development framework (documentation)
python3-django - High-level Python web development framework (Python 3 version)
Closes: 950581
Changes:
python-django (1:1.10.7-2+deb9u8) stretch-security; urgency=high
.
* CVE-2020-7471: Prevent a Potential SQL injection via StringAgg(delimiter).
(Closes: #950581)
.
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows
SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in
Django applications that offer downloads of data as a series of rows with a
user-specified column delimiter). By passing a suitably crafted delimiter
to a contrib.postgres.aggregates.StringAgg instance, it was possible to
break escaping and inject malicious SQL.
Checksums-Sha1:
00bec81e5c3ecfbfbe2f3a73ec54a18cdacf6b29 2804 python-django_1.10.7-2+deb9u8.dsc
5edd13a642460c33cdaf8e8166eccf6b2a2555df 7737654 python-django_1.10.7.orig.tar.gz
863b6c87e2d2232eb1352a4e5ce73ee0bd5d7f7e 44688 python-django_1.10.7-2+deb9u8.debian.tar.xz
f5310b0f95fc877f7bf092f5eeb4fa89dc42c228 1515062 python-django-common_1.10.7-2+deb9u8_all.deb
dc07d0e62143cc54c4cd4f03cdf4e259cc65b0b3 2536942 python-django-doc_1.10.7-2+deb9u8_all.deb
145a80c1d0452c8986532eac529db0e20ad75ea0 905372 python-django_1.10.7-2+deb9u8_all.deb
4387ce6c4adb3850bf7ebc3a92aadbcb0215c8cc 9409 python-django_1.10.7-2+deb9u8_amd64.buildinfo
24ddd2907c9b4d4911aecdf105336c96302bf51e 886958 python3-django_1.10.7-2+deb9u8_all.deb
Checksums-Sha256:
818d23d52146c8ca4584a8f9c7d5082278c0843c0c681195a3165e7a3cef41d1 2804 python-django_1.10.7-2+deb9u8.dsc
593d779dbc2350a245c4f76d26bdcad58a39895e87304fe6d725bbdf84b5b0b8 7737654 python-django_1.10.7.orig.tar.gz
4a5ea2e8f221f9ed98d47151f800a6714af622b03096e6526608eea035f97608 44688 python-django_1.10.7-2+deb9u8.debian.tar.xz
751dbac799d1c05c0fac19a20a9057da180a55578773f42a9e6bfe26803f712e 1515062 python-django-common_1.10.7-2+deb9u8_all.deb
a4979fed7ac26e307f2ee77b100084dbd849ec7ee42bd2c82bb649c753363795 2536942 python-django-doc_1.10.7-2+deb9u8_all.deb
5d75d78179bc89268260f7920863e3085467b23d39a1426c35a37e278e5c9e7b 905372 python-django_1.10.7-2+deb9u8_all.deb
de3b20debc5c5a27a640f603c0d5c3357ff14ab7625db16b5fd57a6f8cc291e9 9409 python-django_1.10.7-2+deb9u8_amd64.buildinfo
b85dd604b7185e02f9cc054533655848bc61f8ccd173ac774fee6327bd702bad 886958 python3-django_1.10.7-2+deb9u8_all.deb
Files:
7efdfb40740d516b00f9593a18b3e184 2804 python optional python-django_1.10.7-2+deb9u8.dsc
693dfeabad62c561cb205900d32c2a98 7737654 python optional python-django_1.10.7.orig.tar.gz
a3c7f33071839a50c74a84a539cdb7bd 44688 python optional python-django_1.10.7-2+deb9u8.debian.tar.xz
9f9add011e8ecbeb1ba0936f21792a29 1515062 python optional python-django-common_1.10.7-2+deb9u8_all.deb
3096965d0d03c3bc0d57044df892c7d8 2536942 doc optional python-django-doc_1.10.7-2+deb9u8_all.deb
69dee9b642ee0eeb3f667adfd1a23edd 905372 python optional python-django_1.10.7-2+deb9u8_all.deb
a4ed0fd5a6a5567e5c5794f6db7e3e58 9409 python optional python-django_1.10.7-2+deb9u8_amd64.buildinfo
38840459f9a0b623216986c3e6bdc259 886958 python optional python3-django_1.10.7-2+deb9u8_all.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---