Your message dated Mon, 01 Jul 2019 20:34:30 +0000
with message-id <e1hi30q-000ijx...@fasolo.debian.org>
and subject line Bug#931316: fixed in python-django 2:2.2.3-1
has caused the Debian Bug report #931316,
regarding python-django: CVE-2019-12781: Incorrect HTTP detection with 
reverse-proxy connecting via HTTPS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
931316: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931316
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-django
Version: 1:1.11.21-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2:2.2.1-1
Control: found -1 1:1.10.7-2+deb9u4
Control: found -1 1:1.10.7-1

Hi,

The following vulnerability was published for python-django.

CVE-2019-12308[0]:
| An issue was discovered in Django 1.11 before 1.11.21, 2.1 before
| 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed
| by the AdminURLFieldWidget displays the provided value without
| validating it as a safe URL. Thus, an unvalidated value stored in the
| database, or a value provided as a URL query parameter payload, could
| result in a clickable JavaScript link.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12308
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308
[1] https://www.djangoproject.com/weblog/2019/jul/01/security-releases/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
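
An added example, not part of the bug report and not Django's own code: it reproduces the flaw the quoted CVE-2019-12308 text describes (a stored value rendered as a clickable link without being validated as a safe URL) next to one way to check it. The function names and the scheme allow-list are assumptions made for this illustration, and the sample values are constructed.

```python
import html
from urllib.parse import urlsplit

# Assumption for this example: only these schemes may become a clickable link.
SAFE_SCHEMES = {"http", "https", "ftp", "ftps"}


def render_current_url_unsafe(value):
    """Behaviour described in the CVE text: the value becomes an href unchecked.

    HTML escaping stops attribute breakout but leaves the URL scheme untouched.
    """
    escaped = html.escape(value, quote=True)
    return f'Currently: <a href="{escaped}">{escaped}</a>'


def is_safe_url(value):
    """True only for absolute URLs with an allow-listed scheme and a host."""
    # Browsers ignore tabs, newlines and leading whitespace when reading the
    # scheme, so such values are rejected outright instead of normalised.
    if value != value.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. an unterminated IPv6 literal
        return False
    return parts.scheme.lower() in SAFE_SCHEMES and bool(parts.netloc)


def render_current_url(value):
    """Hardened form: link only validated URLs, show everything else as text."""
    escaped = html.escape(value, quote=True)
    if is_safe_url(value):
        return f'Currently: <a href="{escaped}">{escaped}</a>'
    return f"Currently: {escaped}"


if __name__ == "__main__":
    # Constructed sample values, as they might arrive from the database
    # or from a URL query parameter.
    for sample in ("https://example.org/a?b=1&c=2", "javascript:alert(1)",
                   "JaVaScRiPt:alert(1)", "data:text/html,x", "//example.org/x"):
        print(f"{sample!r:40} -> {render_current_url(sample)}")
```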
--- Begin Message ---
Source: python-django
Source-Version: 2:2.2.3-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 931...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 01 Jul 2019 16:56:16 -0300
Source: python-django
Binary: python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 2:2.2.3-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 931316
Changes:
 python-django (2:2.2.3-1) experimental; urgency=medium
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2019/jul/01/security-releases/>
     (Closes: #931316)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
