Your message dated Thu, 06 May 2021 15:03:38 +0000
with message-id <e1lefxo-000fej...@fasolo.debian.org>
and subject line Bug#988136: fixed in python-django 2:2.2.22-1
has caused the Debian Bug report #988136,
regarding python-django: CVE-2021-32052
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
988136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988136
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1:1.10.7-2+deb9u13
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-django.
CVE-2021-32052: Header injection possibility since URLValidator
accepted newlines in input on Python 3.9.5+
On Python 3.9.5+, URLValidator didn't prohibit newlines and tabs. If
you used values with newlines in HTTP response, you could suffer from
header injection attacks. Django itself wasn't vulnerable because
HttpResponse prohibits newlines in HTTP headers.
Moreover, the URLField form field which uses URLValidator silently
removes newlines and tabs on Python 3.9.5+, so the possibility of
newlines entering your data only existed if you were using this
validator outside of the form fields.
This issue was introduced by the bpo-43882 fix.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
https://www.djangoproject.com/weblog/2021/may/06/security-releases/
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-
--- End Message ---
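The advisory above describes a validator that stopped seeing tabs and newlines once the interpreter's URL parser began stripping them (bpo-43882). The following added example, which is not Django's code and not part of the bug report, contrasts a validator that only inspects the components `urllib.parse.urlsplit()` returns with one that refuses tab, CR and LF on the raw input first, and adds the response-layer check that a header value must never contain CR or LF. The function names, the host regex and the sample URLs are constructed for this example.

```python
# Added example (not Django's own code): why a URL validator must reject
# control whitespace on the raw string instead of trusting urlsplit() output.
import re
from urllib.parse import urlsplit

# The characters urlsplit() silently strips on interpreters carrying the
# bpo-43882 change (Python 3.9.5+ and the security backports).
UNSAFE_CHARS = frozenset("\t\r\n")

# Empirical probe rather than a version check: does this interpreter's
# urlsplit() drop a newline that sits inside the host part?
URLSPLIT_STRIPS_CONTROL_CHARS = "\n" not in urlsplit("http://a\nb.example/").netloc


class ValidationError(ValueError):
    """Raised when a URL is rejected (stands in for a framework's error class)."""


# Hypothetical, deliberately simple host check used by both validators below.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$")


def component_only_validate(value: str) -> bool:
    """The fragile pattern: validate only what urlsplit() hands back.

    Returns True when accepted. On interpreters that strip tab/CR/LF before
    parsing, a value carrying a newline in its host is accepted even though
    the raw string, which is what ends up in your data, still contains it.
    """
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(_HOST_RE.match(parts.netloc))


def strict_validate(value: str) -> str:
    """Hardened form: refuse tab/CR/LF on the raw input before any parsing,
    then apply the same structural checks. Returns the value when acceptable.
    """
    if not isinstance(value, str):
        raise ValidationError("URL must be a string")
    if UNSAFE_CHARS.intersection(value):
        raise ValidationError("URL contains tab or newline characters")
    if not component_only_validate(value):
        raise ValidationError("not an absolute http(s) URL")
    return value


def strict_accepts(value: str) -> bool:
    """Boolean wrapper around strict_validate() for easy comparison."""
    try:
        strict_validate(value)
    except ValidationError:
        return False
    return True


def safe_for_header(value: str) -> bool:
    """Response-layer check: a header value may never contain CR or LF.
    This is the kind of guard the advisory credits HttpResponse with having,
    and it is the reason the framework itself was not exploitable.
    """
    return "\r" not in value and "\n" not in value


# Constructed sample inputs.
CLEAN_URL = "https://example.com/next"
SPLIT_HOST_URL = "https://example.com\r\nx-constructed.example/"

if __name__ == "__main__":
    print("urlsplit strips control chars here:", URLSPLIT_STRIPS_CONTROL_CHARS)
    print("component-only check accepts CRLF URL:", component_only_validate(SPLIT_HOST_URL))
    print("strict check accepts CRLF URL:", strict_accepts(SPLIT_HOST_URL))
    print("CRLF URL safe for a header:", safe_for_header(SPLIT_HOST_URL))
```

Run it under a pre-3.9.5 interpreter and a current one: `component_only_validate(SPLIT_HOST_URL)` flips from False to True across that boundary while the raw string is unchanged, which is exactly the silent behaviour change the advisory describes. The strict variant gives the same answer everywhere because it inspects the bytes it was given, not the parser's cleaned-up view of them.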
--- Begin Message ---
Source: python-django
Source-Version: 2:2.2.22-1
Done: Chris Lamb <la...@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 988...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 06 May 2021 15:52:24 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.22-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 988136
Changes:
python-django (2:2.2.22-1) unstable; urgency=medium
.
* New upstream security release:
- CVE-2021-32052: Header injection possibility since URLValidator accepted
newlines in input on Python 3.9.5+. (Closes: #988136)
- Full release notes:
<https://www.djangoproject.com/weblog/2021/may/06/security-releases/>
Checksums-Sha1:
3363329bcb295bd6dc28bb73e9b059e31546e6cb 2779 python-django_2.2.22-1.dsc
5bdc7480887a21a335f4dda5d406e0303138825f 9182392 python-django_2.2.22.orig.tar.gz
78c0b707df3b33184461767f8435db53a7e4ce0b 26844 python-django_2.2.22-1.debian.tar.xz
f57bdc87ae2793a572236c9483807d1fa34aa7a7 7732 python-django_2.2.22-1_amd64.buildinfo
Checksums-Sha256:
75defb32b9ffaa29c380dfb39542456b2b46a4e173a628f2165e36c6f1b467c6 2779 python-django_2.2.22-1.dsc
db2214db1c99017cbd971e58824e6f424375154fe358afc30e976f5b99fc6060 9182392 python-django_2.2.22.orig.tar.gz
c34aca4e670f5f01539626936fac8320e7fadb7871ef5df83e6779375b6a7c9e 26844 python-django_2.2.22-1.debian.tar.xz
8607193af2d7b5c111bafc6231d730cd42b51b3ace56b86e9230b04248064e08 7732 python-django_2.2.22-1_amd64.buildinfo
Files:
b7166fbe2690098651bd3664efb4dc90 2779 python optional python-django_2.2.22-1.dsc
dca447b605dcabd924ac7ba17680cf73 9182392 python optional python-django_2.2.22.orig.tar.gz
b401eeb6680d80e8b06db74f24314738 26844 python optional python-django_2.2.22-1.debian.tar.xz
91ae0eb04e0be8e7fd4a9eacb09d0eeb 7732 python optional python-django_2.2.22-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---