Your message dated Thu, 06 May 2021 15:03:46 +0000
with message-id <e1lefxw-000ffz...@fasolo.debian.org>
and subject line Bug#988136: fixed in python-django 2:3.2.2-1
has caused the Debian Bug report #988136,
regarding python-django: CVE-2021-32052
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
988136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988136
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1:1.10.7-2+deb9u13
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

  CVE-2021-32052: Header injection possibility since URLValidator
  accepted newlines in input on Python 3.9.5+

  On Python 3.9.5+, URLValidator didn't prohibit newlines and tabs. If
  you used values with newlines in HTTP response, you could suffer from
  header injection attacks. Django itself wasn't vulnerable because
  HttpResponse prohibits newlines in HTTP headers.

  Moreover, the URLField form field which uses URLValidator silently
  removes newlines and tabs on Python 3.9.5+, so the possibility of
  newlines entering your data only existed if you are using this
  validator outside of the form fields.

  This issue was introduced by the bpo-43882 fix.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

  https://www.djangoproject.com/weblog/2021/may/06/security-releases/


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

--- End Message ---
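The control flow the advisory above describes, as an added illustration that is not Django's code and not part of the original report: a cut-down model of URLValidator's regex-then-urlsplit fallback (the regex, the function names and the sample URL are simplified assumptions), showing how urlsplit() on Python 3.9.5+ lets the fallback accept a value that still carries CRLF, beside the up-front control-character guard of the kind the 3.2.2 fix adds.

```python
# Added illustration, not Django's code: a cut-down model of the validator
# flow CVE-2021-32052 affected, beside the guard the fix introduced.
import re
from urllib.parse import urlsplit, urlunsplit

# Simplified stand-in for Django's URL regex (assumption). Like the real one,
# the path/query part admits no whitespace (\S) and the match is anchored.
URL_RE = re.compile(r"^(?:https?)://[^\s/?#]+(?:[/?#]\S*)?\Z", re.IGNORECASE)


def validate_url_vulnerable(value: str) -> bool:
    """Pre-fix flow: if the regex fails, retry on a urlsplit/urlunsplit
    round-trip (the IDN fallback). On Python 3.9.5+ urlsplit() silently
    drops \\t \\r \\n (bpo-43882), so the rebuilt URL passes the regex while
    the original value, which is what gets stored, keeps its newlines."""
    if URL_RE.match(value):
        return True
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. "Invalid IPv6 URL"
        return False
    rebuilt = urlunsplit(parts)
    return bool(URL_RE.match(rebuilt))


UNSAFE_CHARS = frozenset("\t\r\n")


def validate_url_fixed(value: str) -> bool:
    """Same flow with the guard applied first: reject tab/CR/LF before any
    parser gets a chance to strip them."""
    if UNSAFE_CHARS.intersection(value):
        return False
    return validate_url_vulnerable(value)


def stdlib_strips_newlines() -> bool:
    """True when this interpreter carries the bpo-43882 behaviour."""
    return "\n" not in urlsplit("http://example.com/a\nb").path


# Constructed sample: a URL with an embedded CRLF followed by text shaped
# like a header line, the pattern the advisory warns about.
SAMPLE_WITH_CRLF = "http://example.com/\r\nX-Injected:1"

if __name__ == "__main__":
    print("stdlib strips newlines:", stdlib_strips_newlines())
    print("vulnerable flow accepts:", validate_url_vulnerable(SAMPLE_WITH_CRLF))
    print("fixed flow accepts:", validate_url_fixed(SAMPLE_WITH_CRLF))
```

On an interpreter without the bpo-43882 change the vulnerable flow rejects the sample as well, which is why the advisory scopes the issue to Python 3.9.5+.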
--- Begin Message ---
Source: python-django
Source-Version: 2:3.2.2-1
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 06 May 2021 13:04:03 +0100
Source: python-django
Architecture: source
Version: 2:3.2.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 988136
Changes:
 python-django (2:3.2.2-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-32052: Header injection possibility since URLValidator accepted
       newlines in input on Python 3.9.5+. (Closes: #988136)
     - Full release notes:
       <https://www.djangoproject.com/weblog/2021/may/06/security-releases/>

--- End Message ---