Your message dated Fri, 28 Feb 2025 22:32:09 +0000
with message-id <e1to8tt-001ffe...@fasolo.debian.org>
and subject line Bug#1089915: fixed in djoser 2.1.0-1+deb12u1
has caused the Debian Bug report #1089915,
regarding djoser: CVE-2024-21543
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1089915: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089915
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: djoser
Version: 2.1.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/sunscrapers/djoser/issues/795
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for djoser.
Making it RC to be on the safe side.
CVE-2024-21543[0]:
| Versions of the package djoser before 2.3.0 are vulnerable to
| Authentication Bypass when the authenticate() function fails. This
| is because the system falls back to querying the database directly,
| granting access to users with valid credentials, and eventually
| bypassing custom authentication checks such as two-factor
| authentication, LDAP validations, or requirements from configured
| AUTHENTICATION_BACKENDS.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-21543
https://www.cve.org/CVERecord?id=CVE-2024-21543
[1] https://github.com/sunscrapers/djoser/issues/795
[2] https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d
Regards,
Salvatore
--- End Message ---
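The bug class the CVE text above describes, modelled as an added example (not djoser's code and not the upstream fix): a custom backend from AUTHENTICATION_BACKENDS enforces an extra policy, and a login path that falls back to a direct user lookup when `authenticate()` returns None silently discards that policy. The user table, the `mfa_enrolled` policy flag and the toy hash are constructed stand-ins for the Django ORM and password hasher.

```python
# Constructed model of the pattern described in CVE-2024-21543 (added example,
# not djoser's code). The custom backend below stands in for one configured in
# AUTHENTICATION_BACKENDS; the vulnerable login path falls back to a direct user
# lookup when the backend rejects, so the backend's policy is bypassed for any
# account whose password is correct.
import hashlib
from dataclasses import dataclass


@dataclass
class User:
    username: str
    password_hash: str
    mfa_enrolled: bool  # constructed policy flag the custom backend enforces


def _hash(pw: str) -> str:
    # Toy hash for the example only; a real deployment uses Django's PBKDF2 hasher.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed user table standing in for the Django ORM.
USERS = {
    "alice": User("alice", _hash("correct horse"), mfa_enrolled=True),
    "bob": User("bob", _hash("hunter2"), mfa_enrolled=False),
}


def backend_authenticate(username: str, password: str):
    """Stands in for django.contrib.auth.authenticate() running a custom backend:
    valid password AND enrolled in MFA, otherwise None (the backend's rejection)."""
    user = USERS.get(username)
    if user is None or user.password_hash != _hash(password):
        return None
    if not user.mfa_enrolled:
        return None  # policy rejection, indistinguishable from a bad password
    return user


def vulnerable_login(username: str, password: str):
    """Pre-2.3.0 pattern from the CVE text: when authenticate() fails, query the
    user directly and accept on password alone, discarding the backend's policy."""
    user = backend_authenticate(username, password)
    if user is None:
        candidate = USERS.get(username)  # direct "database" lookup
        if candidate and candidate.password_hash == _hash(password):
            user = candidate  # bypasses the configured backend
    return user


def fixed_login(username: str, password: str):
    """Hardened form: the configured backends are the only authority; no fallback."""
    return backend_authenticate(username, password)
```

With the fallback in place, a user the backend rejects for policy reasons (here `bob`, not MFA-enrolled) still logs in with a correct password; the hardened form returns None for the same input.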
--- Begin Message ---
Source: djoser
Source-Version: 2.1.0-1+deb12u1
Done: Andreas Henriksson <andr...@fatal.se>
We believe that the bug you reported is fixed in the latest version of
djoser, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1089...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Henriksson <andr...@fatal.se> (supplier of updated djoser package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 14 Feb 2025 22:07:53 +0100
Source: djoser
Architecture: source
Version: 2.1.0-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Andreas Henriksson <andr...@fatal.se>
Closes: 1089915
Changes:
djoser (2.1.0-1+deb12u1) bookworm; urgency=medium
.
* Team upload.
* Cherry-pick upstream commit fixing CVE-2024-21543
(Closes: #1089915)
--- End Message ---