Your message dated Fri, 30 May 2025 00:19:06 +0000
with message-id <[email protected]>
and subject line Bug#1106747: fixed in django-select2 7.10.0-2
has caused the Debian Bug report #1106747,
regarding django-select2: CVE-2025-48383
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1106747: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106747
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: django-select2
Version: 7.10.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for django-select2.

CVE-2025-48383[0]:
| Django-Select2 is a Django integration for Select2. Prior to version
| 8.4.1, instances of HeavySelect2Mixin subclasses like the
| ModelSelect2MultipleWidget and ModelSelect2Widget can leak secret
| access tokens across requests. This can allow users to access
| restricted query sets and restricted data. This issue has been
| patched in version 8.4.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48383
    https://www.cve.org/CVERecord?id=CVE-2025-48383
[1] https://github.com/codingjoe/django-select2/security/advisories/GHSA-wjrh-hj83-3wh7
[2] https://github.com/codingjoe/django-select2/commit/e5f41e6edba004d35f94915ff5e2559f44853412

Regards,
Salvatore

--- End Message ---
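The advisory quoted above describes the class of bug (a secret access token that is meant to be scoped to one request but survives on an object shared across requests, so one user can search another user's restricted query set). The following is an added, constructed illustration of that bug class written for this page; it is not django-select2's code, does not reproduce the project's actual vulnerable code path, and the names `LeakyWidget`, `FixedWidget`, `CACHE`, `autocomplete` and `simulate` are all assumptions made here. It mimics the shape of the problem with an in-memory cache and an autocomplete endpoint, and shows why a token generated once per widget object is wrong when the widget object outlives a request.

```python
import secrets

# Constructed stand-in for Django's cache backend: access token -> rows the
# token holder may search. Not django-select2's cache layout.
CACHE = {}


class LeakyWidget:
    """Token generated once, when the widget object is constructed.

    Django form widgets are typically created at class-definition time and
    therefore outlive any single request. If the per-request secret lives on
    such an object, every request that renders it is handed the same secret.
    """

    def __init__(self):
        self.token = secrets.token_hex(16)

    def render(self, queryset):
        # Register the rows this request is allowed to search under the token,
        # and hand the token to the browser (in real life: inside the HTML).
        CACHE[self.token] = queryset
        return self.token


class FixedWidget:
    """Fresh token on every render, so each request owns its own cache entry."""

    def render(self, queryset):
        token = secrets.token_hex(16)
        CACHE[token] = queryset
        return token


def autocomplete(token, term):
    """Constructed stand-in for the AJAX search endpoint.

    It trusts the token as the only authorisation: whatever rows were
    registered under it are searchable by whoever presents it.
    """
    rows = CACHE.get(token)
    if rows is None:
        return []
    return [row for row in rows if term.lower() in row.lower()]


def simulate(widget_factory):
    """Two requests against one long-lived widget object.

    Returns (rows the unprivileged user can see, whether both users
    received the same token).
    """
    CACHE.clear()
    widget = widget_factory()  # created once, shared by all requests

    # Constructed sample data: what each user is allowed to search.
    user_rows = ["Carol (staff)"]
    admin_rows = ["Alice (admin)", "Bob (admin)", "Carol (staff)"]

    # Request 1: an unprivileged user renders the form and receives a token.
    user_token = widget.render(user_rows)
    # Request 2: an admin renders the same form; with the leaky widget this
    # re-registers the admin's rows under the very token the user already holds.
    admin_token = widget.render(admin_rows)

    # The unprivileged user now searches with the token they were given.
    leaked = autocomplete(user_token, "admin")
    return leaked, user_token == admin_token


if __name__ == "__main__":
    print("leaky:", simulate(LeakyWidget))   # admin rows visible to the user
    print("fixed:", simulate(FixedWidget))   # nothing leaks
```

The check a practitioner can take from this is the ordering in `simulate`: the leak is not that the cache entry is readable, it is that a token handed out in an earlier request still indexes state written by a later request from a different principal. Any per-request secret must be minted inside the request (here, in `render`), never in the constructor of an object that is built once at import time.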
--- Begin Message ---
Source: django-select2
Source-Version: 7.10.0-2
Done: Colin Watson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
django-select2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated django-select2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 30 May 2025 00:53:51 +0100
Source: django-select2
Architecture: source
Version: 7.10.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1106747
Changes:
 django-select2 (7.10.0-2) unstable; urgency=medium
 .
   * Team upload.
   * CVE-2025-48383: Fix leak of secret access tokens across requests
     (closes: #1106747).
   * use-local-select2.patch: Update tests to match.
   * Fix running of tests during build.
   * Enable autopkgtest-pkg-pybuild.
Checksums-Sha1:
 d6aa56ec16a0c70dd87053f16f1e4a997d24214d 2437 django-select2_7.10.0-2.dsc
 5a0fe3a029e7fdc163085cdeb7e936398c0d1de2 4592 django-select2_7.10.0-2.debian.tar.xz
Checksums-Sha256:
 ad2a5de52c579003f397e0239eedf0f2d87a74e3e515f5f49385ff42b87eef82 2437 django-select2_7.10.0-2.dsc
 a2d69101c608a7f0417704c028efa3cdd6059cbf29b7639b2d16c0f76e89eab2 4592 django-select2_7.10.0-2.debian.tar.xz
Files:
 0b383d65385ea28f1a80defc32a3d13d 2437 python optional django-select2_7.10.0-2.dsc
 a1a6ee2e2149b79d18ddcef806466d3f 4592 python optional django-select2_7.10.0-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmg48+0ACgkQOTWH2X2G
UAvkGw/+Ma2B7BgxuwH7yFituc8hDja/5Y+Kw1mrNYdXs8ReOZJLTvcLRt/82AaD
U35y9uaxqn9TPeSqOy/GtT6Wkz23KcrzBtKB1Fkttnkd69bTcs2p2RduYV2q3I1C
FC6nRPwgNBPv0J93WwU3ibOfv8lR7IuJCE8JSiPw5SC90Jtnv8VNqzC9uhaKcfce
2mzYdJpp4EO7dISYj/EVvF+FwEESlYE9LJ23JakozIkqMyV/1geh1P1iMECf1vzi
DaoGa6dRtAnAG9lZJpGx2maWHIPaUXYU44XxbVMsqTj5FHvgPVmUGUSXTC0CW0lO
YSTWNJvk3POXSje2VDMG4KleSX5XjcQrMjteFV6eeSPJ0z4o+JSdY9GT2gnVJKdE
WTUvUXe9VqZZWbqIJqbUlW/cBsvCW1VFrU0Gna/Nbneb+wzGbxktmjGUpRZJTDXv
srchKzRtJOkVJKAdXj67ehkY4G5Rjmq5kF9OwHvdmwEzborkpo57vp2PybntRuC8
RATZm6My2fChPDUGIH7d61XuAfT+FlzIHHNRD/SBRhnAa9up5FXoepmBL7P+aa4G
62PdjGKLNY7LOwy8Cair4JRSgdqD12NKQpRf/7FDlakY7QbjKVZiTkZcb8lUDsCd
AbuGX13/jII1l8kyWmwGOSE+8x6uUY06Qih7tFkwKLAt1PCwBAk=
=eBuK
-----END PGP SIGNATURE-----



--- End Message ---
