Your message dated Tue, 25 Feb 2020 19:47:34 +0000
with message-id <e1j6gb4-000f9q...@fasolo.debian.org>
and subject line Bug#950581: fixed in python-django 1:1.11.28-1~deb10u1
has caused the Debian Bug report #950581,
regarding python-django: CVE-2020-7471: Potential SQL injection via 
StringAgg(delimiter)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
950581: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950581
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-django
Version: 2:2.2.9-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1:1.11.27-1~deb10u1

Hi,

The following vulnerability was published for python-django.

CVE-2020-7471[0]:
| Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3
| allows SQL Injection if untrusted data is used as a StringAgg
| delimiter (e.g., in Django applications that offer downloads of data
| as a series of rows with a user-specified column delimiter). By
| passing a suitably crafted delimiter to a
| contrib.postgres.aggregates.StringAgg instance, it was possible to
| break escaping and inject malicious SQL.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7471
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471
[1] https://www.djangoproject.com/weblog/2020/feb/03/security-releases/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
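The report above describes the bug in one sentence ("break escaping and inject malicious SQL"). The following is an added illustration, not Django's code and not part of this bug report: it models the two ways a request-supplied STRING_AGG() delimiter can reach PostgreSQL. In the pre-fix pattern the delimiter is formatted into the SQL text between single quotes, so a value that itself contains a quote closes the literal and the rest of it is parsed as SQL. In the fixed pattern the SQL text carries only a placeholder and the delimiter travels to the driver as a bound parameter, which is the route upstream took in 1.11.28 / 2.2.10 / 3.0.3 (the delimiter becomes a query parameter instead of template text). Table and column names, the payload and the allowlist are constructed for the example; no database is needed because the builders return the (sql, params) pair a DB-API driver would receive.

```python
"""Model of the CVE-2020-7471 pattern: a STRING_AGG() delimiter reaching SQL.

Added example, not Django's code. Two builders produce the (sql, params)
pair a DB-API driver would receive: one splices the delimiter into the SQL
text inside quotes (the pre-fix pattern), the other binds it as a query
parameter (the post-fix pattern). A small tokenizer then checks whether the
delimiter was able to change the SQL *code*, i.e. anything outside string
literals. Table and column names are constructed for the example.
"""
import re
from typing import Callable, List, Tuple

TABLE = "report_row"  # hypothetical table
COLUMN = "name"       # hypothetical column; comes from the app's own allowlist, never the request

Builder = Callable[[str], Tuple[str, List[str]]]


def build_interpolated(delimiter: str) -> Tuple[str, List[str]]:
    """Pre-fix style: delimiter spliced into the SQL text between quotes."""
    sql = "SELECT STRING_AGG(%(expr)s, '%(delimiter)s') FROM %(table)s" % {
        "expr": COLUMN,
        "delimiter": delimiter,
        "table": TABLE,
    }
    return sql, []


def build_parameterized(delimiter: str) -> Tuple[str, List[str]]:
    """Post-fix style: a %s placeholder in the SQL, delimiter sent as a parameter."""
    sql = "SELECT STRING_AGG(%s, %%s) FROM %s" % (COLUMN, TABLE)
    return sql, [delimiter]


# A single-quoted SQL literal; a doubled quote ('') inside it is the escape.
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")


def sql_code_part(sql: str) -> str:
    """Replace every complete string literal with '?', leaving only SQL code."""
    return _STRING_LITERAL.sub("?", sql)


def sql_code_changed_by(delimiter: str, build: Builder) -> bool:
    """True if this delimiter alters the SQL code relative to a harmless ','.

    A correctly parameterized query has constant code no matter what the
    delimiter contains; any difference means user data became SQL.
    """
    baseline = sql_code_part(build(",")[0])
    return sql_code_part(build(delimiter)[0]) != baseline


# Defence in depth for a user-selectable column separator (the exposure the
# CVE text describes): accept a fixed set, independently of the SQL fix.
ALLOWED_DELIMITERS = {",", ";", "|", "\t"}


def is_allowed_delimiter(value: str) -> bool:
    return value in ALLOWED_DELIMITERS


def validate_delimiter(value: str) -> str:
    if not is_allowed_delimiter(value):
        raise ValueError("unsupported delimiter")
    return value


# Constructed payload: closes the quoted literal, ends the statement, starts
# a second one, and comments out the template's trailing quote and FROM clause.
PAYLOAD = "') FROM report_row; SELECT usename FROM pg_user --"


def demo() -> dict:
    """Run both builders against the payload and report what the driver would see."""
    bad_sql, _ = build_interpolated(PAYLOAD)
    good_sql, good_params = build_parameterized(PAYLOAD)
    return {
        "interpolated_sql": bad_sql,
        "interpolated_code_changed": sql_code_changed_by(PAYLOAD, build_interpolated),
        "parameterized_sql": good_sql,
        "parameterized_params": good_params,
        "parameterized_code_changed": sql_code_changed_by(PAYLOAD, build_parameterized),
        "payload_passes_allowlist": is_allowed_delimiter(PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the module shows the interpolated query turning into two statements with the original FROM clause commented out, while the parameterized query text is byte-for-byte the same as for a plain comma and the payload sits harmlessly in the parameter list. The allowlist is the application-side mitigation that would also have protected an unpatched deployment offering a "choose your separator" download.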
--- Begin Message ---
Source: python-django
Source-Version: 1:1.11.28-1~deb10u1
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 950...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 14 Feb 2020 10:00:33 +0000
Source: python-django
Binary: python-django python-django-common python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 1:1.11.28-1~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 950581
Changes:
 python-django (1:1.11.28-1~deb10u1) buster-security; urgency=high
 .
   * New upstream security release. (Closes: #950581)
     <https://www.djangoproject.com/weblog/2020/feb/03/security-releases/>
 .
     - CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)
 .
       Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3
       allows SQL Injection if untrusted data is used as a StringAgg delimiter
       (e.g., in Django applications that offer downloads of data as a series of
       rows with a user-specified column delimiter). By passing a suitably
       crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it
       was possible to break escaping and inject malicious SQL.
Checksums-Sha1:
 68aff58b16ac698d772f1d208ff3b7e4d8ccebfd 3267 python-django_1.11.28-1~deb10u1.dsc
 1537a67692f9f724d005631cc035d9a58648934a 7852525 python-django_1.11.28.orig.tar.gz
 0aaf74684fec34304800795dfce4c38c4c2fa9e2 27456 python-django_1.11.28-1~deb10u1.debian.tar.xz
 76770ff673fe837ec2bb661baf1190d8ef5685aa 1538384 python-django-common_1.11.28-1~deb10u1_all.deb
 4d2baa4d8c66f3a35628c60344789c4d47894199 2645532 python-django-doc_1.11.28-1~deb10u1_all.deb
 bc275075c3758ed659057adae9f1bb83ddc3dffe 917656 python-django_1.11.28-1~deb10u1_all.deb
 c9307b5a4d69d3f31c860c2cea6a11a0a8b36860 8678 python-django_1.11.28-1~deb10u1_amd64.buildinfo
 8d9554ac05abc114dcd6a60b6f667ed0ee42d609 917484 python3-django_1.11.28-1~deb10u1_all.deb
Checksums-Sha256:
 df53495eff61862bd3dba2a95b6c7eb169cdc413acb525b531d53c3739d816c3 3267 python-django_1.11.28-1~deb10u1.dsc
 b33ce35f47f745fea6b5aa3cf3f4241069803a3712d423ac748bd673a39741eb 7852525 python-django_1.11.28.orig.tar.gz
 7f6ca2dceae94f9393b8bae039a4a4979a8d23b26aff818d528d116287ddc9fb 27456 python-django_1.11.28-1~deb10u1.debian.tar.xz
 2ca93d4d6a12ae6953a5c41856a571b36e3152fdff07a6f45c1168b7cfc8be9e 1538384 python-django-common_1.11.28-1~deb10u1_all.deb
 48c91a5ccc05f6621a90cf5b66c35c3886b6e93107d19fe4b2f79a4fd3ab22db 2645532 python-django-doc_1.11.28-1~deb10u1_all.deb
 65b9375cff1c68e2216d780d23d4fdc12601175606a8360caafc2ffface1adc2 917656 python-django_1.11.28-1~deb10u1_all.deb
 5f359d846ff740e9d0578782eff958894ef078c709a20391d7f11a457417ee45 8678 python-django_1.11.28-1~deb10u1_amd64.buildinfo
 702b9447162c29715b6e014a939adda36dfec3f373d860e0cacbd9f5483f8be8 917484 python3-django_1.11.28-1~deb10u1_all.deb
Files:
 4bab6ea2e61b6b067bb829c1368bc8f7 3267 python optional python-django_1.11.28-1~deb10u1.dsc
 8a21a5148aece7f6110d6ff3a9f57652 7852525 python optional python-django_1.11.28.orig.tar.gz
 a7c38bbc02b1eaf89d10a8bb852e51fa 27456 python optional python-django_1.11.28-1~deb10u1.debian.tar.xz
 df07c5aef8148a3a88f5e6ad6e61a5ad 1538384 python optional python-django-common_1.11.28-1~deb10u1_all.deb
 ec5d842323a6ae29dda74e34b4b80df2 2645532 doc optional python-django-doc_1.11.28-1~deb10u1_all.deb
 9994ae8ef25687386a5fcc9e85daaf32 917656 python optional python-django_1.11.28-1~deb10u1_all.deb
 c1dd520478b5ac657c62e285c52b84f0 8678 python optional python-django_1.11.28-1~deb10u1_amd64.buildinfo
 56d81f601c692c2d10c179a8e46e159b 917484 python optional python3-django_1.11.28-1~deb10u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl5HufcACgkQHpU+J9Qx
HlhPSg/+MKd8OxXFA7vQ6dzMUOD3dItGDZKx88gJANS/jlQQ2gnkWZ57j/7LbR46
bY1DWQU1AabDxMQLnlDWY0t0dQlwyxb7xm9HrSDBdHDtxEKOq0horC7yljLUNjuv
sAR4Xx7N1rU+tDsE7/L3GWAZTC7P5jKrx3rqavCh4Xl/KmGPqxSjNJrurixfAnjo
HdtbxiwAvuCpiFNFFusdB4sk7TBkahegin6VOZgWaNGfpoZsIsMBhAMeyCkVE1vc
t1K35ZNX5ijAr5tnPkLkhIMcJUpny1IbANAOWDeKxo4+dqeX4voVGU56BNOs3a9l
jwKjYe81OaiQKh5paq7eX95EgwPlZB7OmCO/biYwqtsv5D1xQqJr/sjBeIzHlxwD
RUp26ENyEnPH+wSV91vpV7E529bQiPC4jHH2yNiv/j0A8bOXZ1FZgXavdizG731f
uw2jehTlmxDm7ZLvuaNReEu+gAVJki055Q0Vcfm39KTxi6SCIgbuxIlblI7RKWtm
y1opGV9orSrN/LwUeR6vuiQYd+GzBJLPYoO5tyoX57M2PMq01B79VOVtqRlZYl1/
xKA6HFLp5G/ewtd+7pTGe/osKpn+Fkd0Y9YKOfIOfv3ODvx/q8YfSCds2QirdJDk
/d6Rm+dUXuuOuvm0ge3FyfInWfA+XDogmR0WrIZtAmev+rzNjhA=
=t4TZ
-----END PGP SIGNATURE-----

--- End Message ---
