Your message dated Tue, 04 Jan 2022 12:34:02 +0000
with message-id <e1n4j0s-0000z0...@fasolo.debian.org>
and subject line Bug#1003113: fixed in python-django 2:4.0.1-1
has caused the Debian Bug report #1003113,
regarding python-django: CVE-2021-45115, CVE-2021-45116 & CVE-2021-45452
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1003113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1:1.10.7-2+deb9u14
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django:

* CVE-2021-45115: Denial-of-service possibility in
  UserAttributeSimilarityValidator [0]

  UserAttributeSimilarityValidator incurred significant overhead
  evaluating submitted passwords that were artificially large
  relative to the comparison values. On the assumption that access
  to user registration was unrestricted, this provided a potential
  vector for a denial-of-service attack.

  In order to mitigate this issue, relatively long values are now
  ignored by UserAttributeSimilarityValidator.

* CVE-2021-45116: Potential information disclosure in dictsort
  template filter [1]

  Due to leveraging the Django Template Language's variable resolution
  logic, the dictsort template filter was potentially vulnerable to
  information disclosure or unintended method calls, if passed a
  suitably crafted key.

  In order to avoid this possibility, dictsort now works with a
  restricted resolution logic that will not call methods, nor allow
  indexing on dictionaries.

* CVE-2021-45452: Potential directory-traversal via Storage.save() [2]

  Storage.save() allowed directory-traversal if directly passed
  suitably crafted file names.

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) IDs in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-45115
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45115
[1] https://security-tracker.debian.org/tracker/CVE-2021-45116
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45116
[2] https://security-tracker.debian.org/tracker/CVE-2021-45452
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45452


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

--- End Message ---
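Added example, not code from the bug report above and not Django's own implementation. It models the hazard behind CVE-2021-45116 as the report describes it: a sort-key filter that resolves a user-supplied dotted key with full template-language variable-resolution rules (try a dict key, then an attribute, then call the result if it is callable) lets a crafted key reach private data or trigger method calls. The restricted resolver beside it only performs dict-key or public-attribute lookups and never invokes anything. The class names, function names and sample data are constructed for this example and are assumptions, not Django internals.

```python
"""Permissive vs. restricted dotted-key resolution for a dictsort-style filter.

Added example: models the CVE-2021-45116 hazard, not Django's code.
"""


class UnsafeKey(ValueError):
    """Raised by the restricted resolver when a key segment is not allowed."""


def permissive_resolve(obj, dotted_key):
    """Model of template-language variable resolution (assumed, simplified):
    for each segment try dict lookup, then attribute lookup, then list index,
    and call the result if it is callable. The call is the dangerous step."""
    for part in dotted_key.split("."):
        try:
            obj = obj[part]
        except (TypeError, KeyError, IndexError):
            try:
                obj = getattr(obj, part)
            except AttributeError:
                obj = obj[int(part)]
        if callable(obj):
            obj = obj()  # a crafted key can reach arbitrary public methods
    return obj


def restricted_resolve(obj, dotted_key):
    """Hardened lookup: every segment must be a public name, only plain
    dict-key or attribute access is performed, and callables are refused
    rather than invoked."""
    for part in dotted_key.split("."):
        if not part or part.startswith("_"):
            raise UnsafeKey(f"forbidden key segment {part!r}")
        obj = obj[part] if isinstance(obj, dict) else getattr(obj, part)
        if callable(obj):
            raise UnsafeKey(f"refusing to call {part!r}")
    return obj


def safe_dictsort(items, dotted_key):
    """Sort dicts or objects by a dotted key using the restricted resolver."""
    return sorted(items, key=lambda item: restricted_resolve(item, dotted_key))


class Account:
    """Constructed sample object: a public field, a private field and a
    method with a side effect."""

    def __init__(self, name, api_key):
        self.name = name
        self._api_key = api_key
        self.rotations = 0

    def rotate_key(self):
        self.rotations += 1
        self._api_key = f"rotated-{self.rotations}"
        return self._api_key


def demo():
    """Return what each resolver does with crafted keys against sample data."""
    acct = Account("alice", "sk-secret")
    # Permissive resolution: one crafted key discloses the private field...
    leaked = permissive_resolve(acct, "_api_key")
    # ...and another invokes a method with a side effect.
    permissive_resolve(acct, "rotate_key")
    results = {"leaked": leaked, "rotations_after_permissive": acct.rotations}
    # Restricted resolution refuses both keys and leaves the object untouched.
    for key in ("_api_key", "rotate_key"):
        try:
            restricted_resolve(acct, key)
            results[key] = "allowed"
        except UnsafeKey:
            results[key] = "refused"
    results["rotations_after_restricted"] = acct.rotations
    return results


if __name__ == "__main__":
    print(demo())
    rows = [{"name": "bob", "age": 41}, {"name": "alice", "age": 29}]
    print(safe_dictsort(rows, "age"))
```

The restricted resolver still supports the legitimate use of the filter (sorting a list of dicts or objects by a plain or dotted public key); what it removes is the ability of whoever controls the key string to walk into underscore-prefixed names or to make the template engine execute a method.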
--- Begin Message ---
Source: python-django
Source-Version: 2:4.0.1-1
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1003...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 Jan 2022 12:03:13 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:4.0.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 1003113
Changes:
 python-django (2:4.0.1-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-45115: Denial-of-service possibility in
       UserAttributeSimilarityValidator
 .
       UserAttributeSimilarityValidator incurred significant overhead evaluating
       submitted passwords that were artificially large relative to the
       comparison values. On the assumption that access to user registration was
       unrestricted, this provided a potential vector for a denial-of-service
       attack.
 .
       In order to mitigate this issue, relatively long values are now ignored
       by UserAttributeSimilarityValidator.
 .
     - CVE-2021-45116: Potential information disclosure in dictsort template
       filter
 .
       Due to leveraging the Django Template Language's variable resolution
       logic, the dictsort template filter was potentially vulnerable to
       information disclosure or unintended method calls, if passed a
       suitably crafted key.
 .
       In order to avoid this possibility, dictsort now works with a
       restricted resolution logic that will not call methods, nor allow
       indexing on dictionaries.
 .
     - CVE-2021-45452: Potential directory-traversal via Storage.save()
 .
       Storage.save() allowed directory-traversal if directly passed suitably
       crafted file names.
 .
     See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>
     for more information. (Closes: #1003113)
Checksums-Sha1:
 334bd0b96016d136e5bc06320821020a4f815256 2779 python-django_4.0.1-1.dsc
 ab735671359bdcbf65caaf3bdb961496567ce28f 9995484 python-django_4.0.1.orig.tar.gz
 5767ddee131607a56ea08a89fa869c43d6effc12 27684 python-django_4.0.1-1.debian.tar.xz
 93e3e17c02a32b94ba62a76ee50a9d5db0cdede0 7805 python-django_4.0.1-1_amd64.buildinfo
Checksums-Sha256:
 1358b6fd15630370c9ae35cee1bf79d68139f1256e5b85f18231cd42a51219d4 2779 python-django_4.0.1-1.dsc
 2485eea3cc4c3bae13080dee866ebf90ba9f98d1afe8fda89bfb0eb2e218ef86 9995484 python-django_4.0.1.orig.tar.gz
 26b583bff2255b3f21d91ab6cff92f95e14a3d148e62ca2243e8590236d45e26 27684 python-django_4.0.1-1.debian.tar.xz
 b883033dcda5cf69aa967e4bfa5cddb8ff00a3761cc6e50bfd3d826ecadd5a7b 7805 python-django_4.0.1-1_amd64.buildinfo
Files:
 a710a9b6dae09b45f4ff9a5f961cc459 2779 python optional python-django_4.0.1-1.dsc
 6d0fba754d678f69b573dd9fbf5e6fa6 9995484 python optional python-django_4.0.1.orig.tar.gz
 93b3143810f1b5e994e863736f258220 27684 python optional python-django_4.0.1-1.debian.tar.xz
 1c9551d076b824ca0963a03e8dadd6f7 7805 python optional python-django_4.0.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmHUPf8ACgkQHpU+J9Qx
HlhcLBAAnVMrwDWYLjx46NYwI54kRJ+CxHKYH8ZMw0mxog/S0VI16T3mSS11az/M
qKf2B4K0AxRklhiaQIGT/qz+jSe+fB90uWtZ1Kcw/iekOcA/SwVHdIsYoe3qNXrc
GMJlbO5y4/zcO7kuHAUQyypI//MSXhPQZ10nxcac4x5xzJ/k5NxZVms2mS+D9moW
nXyOIjkWeKc4CrxjFFkEqv0A5HduWhAOCSErEF6Wx2CRYfbUfOyle1euAFHsZowh
XMXE23rwbasLFKeBATeTsOChMVV9yKOkSLQX7+4q/blTWucDLwjoObcnjNhngAi5
RRiIP9oadjgO2fggdgz/s0TI5yFQRMpCmuxCSqOZg6vrRvZrAOofgr0yRU3hqd0x
ux/JQMRMU7dnoY8V79nvEnTknq5aYAwUhPcy2v8vcJQ3v7eJoZscVwC40O2bqcFg
yq7DzlCAHfNcugEGXqA4ZJ6F6qU7nR/PNQCddMkQWy90vSORp1p12rzFTms8QcrS
bA7d2W/Eygs0PucT/wNthQmhYjmPknOv5e66RUyV5CMjAZubDR+VHdFncEtGWhtz
0CANPxjPV7UqST8mLLVrniHXRUtzKnDoJhJuhkHpLFlD5L1/aUWVHLXdXR1yI6of
3WgJOKt9b68ihsuwWIsQ33TUmPq+l8S6G7Q3JuVL5a2xIp3qw3o=
=owU4
-----END PGP SIGNATURE-----

--- End Message ---
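Added example, not code from the changelog above and not Django's own Storage implementation. The changelog describes CVE-2021-45452 as directory traversal when Storage.save() is handed a crafted file name directly; this shows the two checks a storage wrapper wants before joining an untrusted name onto its root: a syntactic check that rejects absolute names and ".." components, and a containment check on the resolved target so that a symlink or an unexpected normalisation cannot carry the write outside the root. The function names, the root directory and the sample names are constructed for this example.

```python
"""Guarding a storage root against crafted file names.

Added example: illustrates the CVE-2021-45452 class of bug, not Django's code.
"""
import os
from pathlib import Path


class SuspiciousFileOperation(Exception):
    """Raised when a file name would escape the storage root."""


def validate_file_name(name):
    """Syntactic check: reject empty or absolute names and any '..' component.
    Backslashes are treated as separators too, so a Windows-style payload is
    caught on a POSIX host rather than silently becoming a single file name."""
    normalized = name.replace("\\", "/")
    if not normalized or normalized.startswith("/"):
        raise SuspiciousFileOperation(f"absolute or empty name: {name!r}")
    if ".." in normalized.split("/"):
        raise SuspiciousFileOperation(f"path traversal in name: {name!r}")
    return name


def safe_target(root, name):
    """Containment check: join, resolve (follows symlinks), then confirm the
    target is strictly inside the root. Independent of validate_file_name,
    so either check alone still blocks a plain '../' payload."""
    root = Path(root).resolve()
    target = (root / validate_file_name(name)).resolve()
    if target == root or os.path.commonpath([root, target]) != str(root):
        raise SuspiciousFileOperation(f"{name!r} resolves outside {root}")
    return target


def classify(root, names):
    """Return {name: 'ok' | 'rejected'} for a batch of candidate file names."""
    verdicts = {}
    for name in names:
        try:
            safe_target(root, name)
            verdicts[name] = "ok"
        except SuspiciousFileOperation:
            verdicts[name] = "rejected"
    return verdicts


# Constructed sample names: two legitimate uploads and four traversal attempts.
SAMPLE_NAMES = [
    "report.pdf",
    "2022/01/report.pdf",
    "../../etc/passwd",
    "/etc/passwd",
    "..\\..\\windows\\win.ini",
    "docs/../../secret.txt",
]

if __name__ == "__main__":
    # The root is assumed; it does not need to exist for the checks to run.
    for name, verdict in classify("/srv/media", SAMPLE_NAMES).items():
        print(f"{verdict:8} {name}")
```

Nested names such as "2022/01/report.pdf" stay allowed because a storage backend legitimately writes into subdirectories; the point is that the caller, not the file name, decides where the root is, and nothing in the name may move the write above it.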
