Your message dated Tue, 18 Jan 2011 20:16:03 +0100
with message-id <[email protected]>
and subject line Re: Bug#610447: python-django: reenable test for 09_fix_dos_password_reset.diff
has caused the Debian Bug report #610447,
regarding python-django: reenable test for 09_fix_dos_password_reset.diff
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
610447: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610447
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 1.2.3-3
Severity: normal
Tags: patch
Usertags: origin-ubuntu ubuntu-patch

1.2.3-3 added a fix for a denial of service attack in the password-reset
mechanism. The upstream fixes for the 1.2 branch included a test case,
but it did not apply against 1.2.3. The test case for this issue in the
1.1[1] branch does apply though, and the attached patch adds this test
case back to 09_fix_dos_password_reset.diff.

[1]http://code.djangoproject.com/changeset/15036

-- System Information:
Debian Release: squeeze/sid
  APT prefers natty-updates
  APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-12-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru python-django-1.2.3/debian/changelog python-django-1.2.3/debian/changelog
--- python-django-1.2.3/debian/changelog	2011-01-01 14:51:19.000000000 -0600
+++ python-django-1.2.3/debian/changelog	2011-01-18 09:00:56.000000000 -0600
@@ -1,3 +1,10 @@
+python-django (1.2.3-4) testing; urgency=low
+
+  * update 09_fix_dos_password_reset.diff to include the dropped test by using
+    the test from 1.1 series (http://code.djangoproject.com/changeset/15036)
+
+ -- Jamie Strandboge <[email protected]>  Tue, 18 Jan 2011 08:58:19 -0600
+
 python-django (1.2.3-3) testing; urgency=high
 
   * Squeeze upload with security fixes only:
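Review bot: the new 1.2.3-4 changelog entry never references this report, so the upload would not close #610447 automatically; append `(Closes: #610447)` to the bullet that describes the re-added test. The bullet could also say which CVE/advisory the test belongs to, since the patch header it updates already cites http://www.djangoproject.com/weblog/2010/dec/22/security/.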
diff -Nru python-django-1.2.3/debian/patches/09_fix_dos_password_reset.diff python-django-1.2.3/debian/patches/09_fix_dos_password_reset.diff
--- python-django-1.2.3/debian/patches/09_fix_dos_password_reset.diff	2011-01-01 14:48:07.000000000 -0600
+++ python-django-1.2.3/debian/patches/09_fix_dos_password_reset.diff	2011-01-18 08:57:47.000000000 -0600
@@ -2,15 +2,17 @@
  http://www.djangoproject.com/weblog/2010/dec/22/security/
 Origin: upstream, http://code.djangoproject.com/changeset/15034
 
---- a/django/contrib/auth/urls.py
-+++ b/django/contrib/auth/urls.py
+Index: python-django-1.2.3/django/contrib/auth/urls.py
+===================================================================
+--- python-django-1.2.3.orig/django/contrib/auth/urls.py	2011-01-18 08:57:06.000000000 -0600
++++ python-django-1.2.3/django/contrib/auth/urls.py	2011-01-18 08:57:09.000000000 -0600
 @@ -1,4 +1,4 @@
 -# These URLs are normally mapped to /admin/urls.py. This URLs file is 
 +# These URLs are normally mapped to /admin/urls.py. This URLs file is
  # provided as a convenience to those who want to deploy these URLs elsewhere.
  # This file is also used to provide a reliable view deployment for test purposes.
  
-@@ -11,7 +11,7 @@ urlpatterns = patterns('',
+@@ -11,7 +11,7 @@
      (r'^password_change/done/$', 'django.contrib.auth.views.password_change_done'),
      (r'^password_reset/$', 'django.contrib.auth.views.password_reset'),
      (r'^password_reset/done/$', 'django.contrib.auth.views.password_reset_done'),
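Review bot: the unchanged `Origin: upstream, http://code.djangoproject.com/changeset/15034` header at the top of the patch is now incomplete, because this diff (per its own changelog bullet) also imports the test from http://code.djangoproject.com/changeset/15036; add that second changeset to the Origin line so the patch's provenance stays accurate. Replacing the `a/`/`b/` file headers with absolute `Index:` paths plus timestamps, and dropping the `urlpatterns = patterns('',` hint from the hunk header, is functionally harmless but makes the next refresh against upstream noisier than it needs to be.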
@@ -19,9 +21,11 @@
      (r'^reset/done/$', 'django.contrib.auth.views.password_reset_complete'),
  )
  
---- a/django/utils/http.py
-+++ b/django/utils/http.py
-@@ -73,8 +73,13 @@ def http_date(epoch_seconds=None):
+Index: python-django-1.2.3/django/utils/http.py
+===================================================================
+--- python-django-1.2.3.orig/django/utils/http.py	2011-01-18 08:57:06.000000000 -0600
++++ python-django-1.2.3/django/utils/http.py	2011-01-18 08:57:09.000000000 -0600
+@@ -73,8 +73,13 @@
  
  def base36_to_int(s):
      """
@@ -36,3 +40,17 @@
      return int(s, 36)
  
  def int_to_base36(i):
+Index: python-django-1.2.3/django/contrib/auth/tests/tokens.py
+===================================================================
+--- python-django-1.2.3.orig/django/contrib/auth/tests/tokens.py	2011-01-18 08:57:34.000000000 -0600
++++ python-django-1.2.3/django/contrib/auth/tests/tokens.py	2011-01-18 08:57:40.000000000 -0600
+@@ -34,4 +34,9 @@
+ >>> p2.check_token(u, tk1)
+ False
+ 
++This will put a 14-digit base36 timestamp into the token, which is too large.
++>>> tk1 = p0._make_token_with_timestamp(u, 175455491841851871349)
++>>> p0.check_token(u, tk1)
++False
++
+ """
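Review bot: the added doctest only asserts that `p0.check_token(u, tk1)` is `False`, which is the same result an expired, truncated or tampered token produces, so it does not by itself show that the 14-digit base36 timestamp was refused by the change this patch makes to `base36_to_int` rather than by some other path in `check_token`; a second doctest line asserting that `base36_to_int` raises `ValueError` on a 14-character input would pin the behaviour the comment describes. Note also that the test reaches into the private `_make_token_with_timestamp` helper, which is acceptable for an in-tree doctest but will need revisiting if upstream renames it.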

--- End Message ---
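The behaviour the thread's patch and doctest are about, as an added illustration (this is not the Debian patch or Django's own code): a base36 decoder bounded to 13 characters, which is an assumed limit here, checked against the 14-digit timestamp value quoted in the doctest above.

```python
# Added example (not the Debian patch or Django's own code): a base36 decoder
# with a length bound of the kind 09_fix_dos_password_reset.diff applies to
# django.utils.http.base36_to_int, plus a stand-in for the check_token path
# the doctest exercises. The 13-character limit is an assumption here; it is
# what makes the 14-digit value in the doctest "too large".

BASE36_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"
MAX_BASE36_LEN = 13  # assumed bound: 36**13 is far beyond any real timestamp


def int_to_base36(i):
    """Encode a non-negative integer as lowercase base36 (what the token embeds)."""
    if i < 0:
        raise ValueError("Negative base36 conversion input.")
    if i == 0:
        return "0"
    out = []
    while i:
        i, rem = divmod(i, 36)
        out.append(BASE36_DIGITS[rem])
    return "".join(reversed(out))


def base36_to_int(s):
    """Decode base36, refusing over-long input before int() ever parses it.

    Parsing an attacker-chosen multi-megabyte string with int(s, 36) is where
    the CPU time goes in an unbounded decoder; a length comparison is O(1).
    """
    if len(s) > MAX_BASE36_LEN:
        raise ValueError("Base36 input too large")
    return int(s, 36)


def timestamp_round_trips(ts):
    """Stand-in for the doctest's check_token: a token whose timestamp part
    fails to decode is simply rejected (False), never a crash or a hang."""
    try:
        return base36_to_int(int_to_base36(ts)) == ts
    except ValueError:
        return False


if __name__ == "__main__":
    huge = 175455491841851871349  # the value used in the doctest in the patch
    print(len(int_to_base36(huge)), timestamp_round_trips(huge))  # 14 False
    print(timestamp_round_trips(3650))  # True
```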
--- Begin Message ---
Version: 1.2.4-1

On Tue, 18 Jan 2011, Jamie Strandboge wrote:
> Package: python-django
> Version: 1.2.3-3
> Severity: normal
> Tags: patch
> Usertags: origin-ubuntu ubuntu-patch
> 
> 1.2.3-3 added a fix for a denial of service attack in the password-reset
> mechanism. The upstream fixes for the 1.2 branch included a test case,
> but it did not apply against 1.2.3. The test case for this issue in the
> 1.1[1] branch does apply though, and the attached patch adds this test
> case back to 09_fix_dos_password_reset.diff.

I noticed this while diffing with the Ubuntu security update. But I don't
see the point of updating the package in testing just to add this
non-regression test. It would not pass the criteria of the release team.

And unstable has 1.2.4 anyway.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Follow my Debian News ▶ http://RaphaelHertzog.com (English)
                      ▶ http://RaphaelHertzog.fr (Français)


--- End Message ---
