Your message dated Tue, 06 Apr 2021 10:48:45 +0000
with message-id <e1ltjgh-000e2q...@fasolo.debian.org>
and subject line Bug#986447: fixed in python-django 2:3.2-1
has caused the Debian Bug report #986447,
regarding python-django: CVE-2021-28658
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
986447: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986447
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1.7.11-1+deb8u11
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2021-28658[0][1]:

  MultiPartParser allowed directory-traversal via uploaded files with
  suitably crafted file names.

  Built-in upload handlers were not affected by this vulnerability.

This affects all versions in Debian, including 1.7.11-1+deb8u11 in
jessie ELTS.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-28658
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28658
[1] https://www.djangoproject.com/weblog/2021/apr/06/security-releases/


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 2:3.2-1
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 986...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 06 Apr 2021 11:38:48 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 986447
Changes:
 python-django (2:3.2-1) experimental; urgency=medium
 .
   * New upstream major release:
 .
     - Full release notes: <https://docs.djangoproject.com/en/3.2/releases/3.2/>
     - CVE-2021-28658: The MultiPartParser class allowed directory-traversal
       via uploaded files via maliciously crafted filenames. (Closes: #986447)

--- End Message ---
