Your message dated Tue, 06 Apr 2021 11:04:11 +0000
with message-id <e1ltjvd-000gl3...@fasolo.debian.org>
and subject line Bug#986447: fixed in python-django 2:2.2.20-1
has caused the Debian Bug report #986447,
regarding python-django: CVE-2021-28658
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
986447: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986447
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1.7.11-1+deb8u11
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2021-28658[0][1]:

  MultiPartParser allowed directory-traversal via uploaded files with
  suitably crafted file names.

  Built-in upload handlers were not affected by this vulnerability.

This affects all versions in Debian, including 1.7.11-1+deb8u11 in
jessie ELTS.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-28658
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28658
[1] https://www.djangoproject.com/weblog/2021/apr/06/security-releases/


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 2:2.2.20-1
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 986...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 06 Apr 2021 11:44:51 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.20-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 986447
Changes:
 python-django (2:2.2.20-1) unstable; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-28658: The MultiPartParser class allowed directory-traversal
       via uploaded files via maliciously crafted filenames. (Closes: #986447)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
