Your message dated Sat, 15 Mar 2025 09:44:44 +0000
with message-id <e1tto4s-005kil...@coccia.debian.org>
and subject line Close 1096201
has caused the Debian Bug report #1096201,
regarding bookworm-pu: package djoser/2.1.0-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1096201: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1096201
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: djo...@packages.debian.org
Control: affects -1 + src:djoser
[ Reason ]
I'm currently onboarding for doing LTS updates and picked
djoser as my first target from the "dla-needed.txt" list
as it seemed low impact and a good first candidate.
(I also have team commit access to the python-team/packages
salsa group, where djoser is maintained.)
It feels natural to me that we fix the problem in stable before we
fix it in oldstable... thus I'm filing this to get approval for
stable.
Please note that djoser has the same version/revision in both stable
and oldstable, thus the fix will be the same (but debian/changelog
suite will differ, and debian/gbp.conf branch name will differ).
[ Impact ]
djoser has a very low popcon, so impact should thus be low.
[ Tests ]
Not covered by the test suite.
[ Risks ]
The patch cherry-picked from upstream is a revert to a previous state of
the code (before introducing the breakage, which wasn't known to have
security implications).
The risks should thus be very low, since it's not "new" code.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
(except debian/gbp.conf branch name, which I think is changelog
clutter)
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
(via a new upstream release)
[ Changes ]
Revert validation code to previous working code with proper
auth validation.
[ Other info ]
n/a
diff --git a/debian/changelog b/debian/changelog
index 288cf0c..9986a08 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+djoser (2.1.0-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * Cherry-pick upstream commit fixing CVE-2024-21543
+ (Closes: #1089915)
+
+ -- Andreas Henriksson <andr...@fatal.se> Fri, 14 Feb 2025 22:07:53 +0100
+
djoser (2.1.0-1) unstable; urgency=low
* New upstream release.
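Review bot: the new changelog entry documents the cherry-pick and the CVE/bug references but not the debian/gbp.conf branch switch in the same upload; the cover text says this was left out deliberately as clutter, but since the debdiff is what the stable update archives, a one-line `* Point debian/gbp.conf debian-branch at debian/bookworm.` would make the diff self-describing without adding noise.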
diff --git a/debian/gbp.conf b/debian/gbp.conf
index b19af52..bc516cd 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,3 +1,3 @@
[DEFAULT]
-debian-branch=debian/master
+debian-branch=debian/bookworm
pristine-tar=True
diff --git a/debian/patches/0001-rollback-8f65bfff16577c7fb0f52bbabf5fb69f6809ba62-ad.patch b/debian/patches/0001-rollback-8f65bfff16577c7fb0f52bbabf5fb69f6809ba62-ad.patch
new file mode 100644
index 0000000..1f55363
--- /dev/null
+++ b/debian/patches/0001-rollback-8f65bfff16577c7fb0f52bbabf5fb69f6809ba62-ad.patch
@@ -0,0 +1,36 @@
+From: Tom Wojcik <m...@tomwojcik.com>
+Date: Fri, 3 May 2024 22:32:45 +0200
+Subject: rollback 8f65bfff16577c7fb0f52bbabf5fb69f6809ba62,
+ add support for ModelBackend.user_can_authenticate
+
+(cherry picked from commit d33c3993c0c735f23cbedc60fa59fce69354f19d)
+(excluded testproject/* parts of commit, since not in our source)
+---
+ djoser/serializers.py | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/djoser/serializers.py b/djoser/serializers.py
+index 9385bed..6178bbd 100644
+--- a/djoser/serializers.py
++++ b/djoser/serializers.py
+@@ -113,17 +113,13 @@ class TokenCreateSerializer(serializers.Serializer):
+
+ def validate(self, attrs):
+ password = attrs.get("password")
+- params = {settings.LOGIN_FIELD: attrs.get(settings.LOGIN_FIELD)}
++ params = {"username": attrs.get(settings.LOGIN_FIELD)}
+ self.user = authenticate(
+ request=self.context.get("request"), **params, password=password
+ )
+ if not self.user:
+- self.user = User.objects.filter(**params).first()
+- if self.user and not self.user.check_password(password):
+- self.fail("invalid_credentials")
+- if self.user and self.user.is_active:
+- return attrs
+- self.fail("invalid_credentials")
++ self.fail("invalid_credentials")
++ return attrs
+
+
+ class UserFunctionsMixin:
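Review bot: the security-relevant part of this hunk is the removed fallback under `if not self.user:`, which looked the user up directly with `User.objects.filter(**params).first()`, checked the password itself and returned `attrs` for any active user, so the authentication backend's refusal was overridden whenever `authenticate()` returned None; with the `+` lines, `authenticate()` is the only path to a token, and the "support for ModelBackend.user_can_authenticate" in the patch subject follows from that rather than from any new call in the hunk. One point the packaging notes could spell out: the new `params = {"username": attrs.get(settings.LOGIN_FIELD)}` hardcodes the `"username"` keyword where the old code used `settings.LOGIN_FIELD` itself as the key, so the LOGIN_FIELD value is now handed to the backend as `username`, and installations with a non-default LOGIN_FIELD should confirm their backend resolves it. The hunk counts (`-113,17 +113,13`: seven removals, three additions) are consistent with the `diffstat` line above.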
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..2b52878
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-rollback-8f65bfff16577c7fb0f52bbabf5fb69f6809ba62-ad.patch
--- End Message ---
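As an added illustration (not code from djoser, the bug report or the debdiff), the following Django-free model replays both sides of the `validate()` hunk so the difference in behaviour is visible without a Django install. `authenticate()`, the `User` class, the user table and the `backend_allows` flag (standing in for what a backend's `user_can_authenticate()` would answer) are all constructed assumptions; the two `validate_*` functions mirror the `-` and `+` lines of the patch.

```python
# Added illustration, not code from djoser or the bug report: a Django-free
# model of the two TokenCreateSerializer.validate() paths in the debdiff,
# showing why the removed fallback bypassed the authentication backend.
from dataclasses import dataclass


class InvalidCredentials(Exception):
    """Stand-in for the serializer's self.fail("invalid_credentials")."""


@dataclass
class User:
    username: str
    password: str               # plaintext only in this toy model
    is_active: bool = True
    backend_allows: bool = True  # what the backend's user_can_authenticate() would say

    def check_password(self, raw):
        return raw == self.password


# Constructed sample user table (hypothetical accounts, not real data).
USERS = {
    "alice": User("alice", "correct-horse"),
    "bob": User("bob", "hunter2", backend_allows=False),  # active, but the backend refuses him
    "carol": User("carol", "s3cret", is_active=False),
}


def authenticate(username, password):
    """Stand-in for django.contrib.auth.authenticate() with a ModelBackend-like
    backend: password check, then user_can_authenticate(), which covers
    is_active plus any extra policy a backend subclass adds."""
    user = USERS.get(username)
    if user is None or not user.check_password(password):
        return None
    if not user.is_active or not user.backend_allows:
        return None
    return user


def validate_before_fix(attrs):
    """The '-' side of the hunk: when authenticate() returns None, fall back to a
    direct table lookup plus check_password()/is_active, skipping the backend."""
    password = attrs.get("password")
    user = authenticate(attrs.get("username"), password)
    if not user:
        user = USERS.get(attrs.get("username"))  # direct lookup, no backend involved
        if user and not user.check_password(password):
            raise InvalidCredentials
        if user and user.is_active:
            return attrs  # backend said no, fallback says yes
        raise InvalidCredentials
    return attrs


def validate_after_fix(attrs):
    """The '+' side of the hunk: authenticate() is the single decision point."""
    password = attrs.get("password")
    user = authenticate(attrs.get("username"), password)
    if not user:
        raise InvalidCredentials
    return attrs


def login_allowed(validate, username, password):
    """True if the given validate() path would go on to issue a token."""
    try:
        validate({"username": username, "password": password})
        return True
    except InvalidCredentials:
        return False


if __name__ == "__main__":
    for name, pw in [("alice", "correct-horse"), ("bob", "hunter2"),
                     ("carol", "s3cret"), ("alice", "wrong")]:
        print(f"{name:6} before={login_allowed(validate_before_fix, name, pw)!s:5} "
              f"after={login_allowed(validate_after_fix, name, pw)}")
```

The only row where the two paths disagree is the account the backend refuses despite a correct password and `is_active=True`: the pre-fix fallback admits it, the post-fix path does not. Wrong passwords and inactive accounts are rejected by both, which matches the report's point that the revert restores the original behaviour rather than adding new checks.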
--- Begin Message ---
Version: 12.10
This update has been released as part of 12.10. Thank you for your contribution.
--- End Message ---