Your message dated Mon, 30 Dec 2024 00:49:30 +0000
with message-id <[email protected]>
and subject line Bug#1089915: fixed in djoser 2.3.1-1
has caused the Debian Bug report #1089915,
regarding djoser: CVE-2024-21543
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1089915: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089915
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: djoser
Version: 2.1.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/sunscrapers/djoser/issues/795
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for djoser.
Making it RC to be on the safe side.
CVE-2024-21543[0]:
| Versions of the package djoser before 2.3.0 are vulnerable to
| Authentication Bypass when the authenticate() function fails. This
| is because the system falls back to querying the database directly,
| granting access to users with valid credentials, and eventually
| bypassing custom authentication checks such as two-factor
| authentication, LDAP validations, or requirements from configured
| AUTHENTICATION_BACKENDS.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-21543
https://www.cve.org/CVERecord?id=CVE-2024-21543
[1] https://github.com/sunscrapers/djoser/issues/795
[2] https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: djoser
Source-Version: 2.3.1-1
Done: Colin Watson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
djoser, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated djoser package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 29 Dec 2024 23:58:20 +0000
Source: djoser
Architecture: source
Version: 2.3.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1089915
Changes:
djoser (2.3.1-1) unstable; urgency=medium
.
* Team upload.
* New upstream release:
- CVE-2024-21543: Fix vulnerability where users were given tokens if the
given password was correct, but they haven't passed Django internal
AUTHENTICATION_BACKENDS (closes: #1089915).
* Fix typo in package description.
Checksums-Sha1:
7ad8fca858a2218f8aaae306d8b933c97577dcd3 2188 djoser_2.3.1-1.dsc
713c685f1cc53682007787f8f504256548f2a095 33806 djoser_2.3.1.orig.tar.gz
824fcec3cbec4aed9bf7c88e11feade157d2695f 3428 djoser_2.3.1-1.debian.tar.xz
Checksums-Sha256:
a10b936a37bb44aa5ea6f683fde509d28bb03e9d28c21977d75ba66bce2ba218 2188 djoser_2.3.1-1.dsc
4e7e2716b5b961f1289b5e49b2216ba5c18eb2a3b4b597dd6430638716ff5107 33806 djoser_2.3.1.orig.tar.gz
65db46d59f5c2566fc409f1c487699f270babcb4d223ee4e236eb42d506d2bf5 3428 djoser_2.3.1-1.debian.tar.xz
Files:
d80a3ad502e4d69a241e7ef5765efbe9 2188 python optional djoser_2.3.1-1.dsc
81ffbf91ea74c14c90a79c3ceac6e941 33806 python optional djoser_2.3.1.orig.tar.gz
b8e34c9a146a1cd4c659d0912f0813b4 3428 python optional djoser_2.3.1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=aEXH
-----END PGP SIGNATURE-----
pgpNuWLCh3OiU.pgp
Description: PGP signature
--- End Message ---
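The pattern both messages above describe (the CVE text in the bug report and the changelog entry in the close message) is a login path that calls `authenticate()`, and, when that returns nothing, falls back to a direct user lookup plus a password check, so any backend policy configured in AUTHENTICATION_BACKENDS (two-factor, LDAP, and so on) is silently skipped. The following is an added illustration and is not djoser's or Django's code: the in-memory user store, the `TwoFactorBackend`, the fixed TOTP code and the `authenticate()` stand-in are all constructed here to model the Django machinery offline. It shows the vulnerable fallback next to the hardened form, where `authenticate()` is the only route to a session or token.

```python
"""Model of the CVE-2024-21543 fallback pattern (added illustration).

Everything here is a constructed stand-in: USERS replaces the Django ORM,
the backend classes replace entries in AUTHENTICATION_BACKENDS, and
authenticate() replaces django.contrib.auth.authenticate().
"""
from dataclasses import dataclass
import hashlib
import hmac


@dataclass
class User:
    username: str
    password_hash: str
    totp_enrolled: bool = False  # constructed: user requires a second factor
    is_active: bool = True

    def check_password(self, raw: str) -> bool:
        digest = hashlib.sha256(raw.encode()).hexdigest()
        return hmac.compare_digest(digest, self.password_hash)


def make_user(username: str, password: str, totp_enrolled: bool = False) -> User:
    return User(username, hashlib.sha256(password.encode()).hexdigest(), totp_enrolled)


# Constructed in-memory "database" standing in for User.objects.
USERS = {
    "alice": make_user("alice", "correct horse", totp_enrolled=True),
    "bob": make_user("bob", "hunter2"),
}

VALID_TOTP = "123456"  # constructed: a real backend would verify a time-based code


class TwoFactorBackend:
    """Policy backend: correct password is not enough for enrolled users."""

    def authenticate(self, username=None, password=None, totp_code=None, **extra):
        user = USERS.get(username)
        if user is None or not user.check_password(password or ""):
            return None
        if user.totp_enrolled and totp_code != VALID_TOTP:
            return None  # refuse: second factor missing or wrong
        return user


# The deployment's configured policy, i.e. what AUTHENTICATION_BACKENDS holds.
AUTHENTICATION_BACKENDS = [TwoFactorBackend()]


def authenticate(**credentials):
    """Stand-in for django.contrib.auth.authenticate(): first backend that
    accepts the credentials wins; None means every backend refused."""
    for backend in AUTHENTICATION_BACKENDS:
        user = backend.authenticate(**credentials)
        if user is not None:
            return user
    return None


def login_vulnerable(username, password, **extra):
    """The pattern the advisory describes: when authenticate() fails, fall
    back to a direct lookup and a bare password check.  A refusal by a
    backend (e.g. missing TOTP) is indistinguishable from a bad password,
    so the fallback hands out access the backends just denied."""
    user = authenticate(username=username, password=password, **extra)
    if user is None:
        user = USERS.get(username)
        if user is not None and user.is_active and user.check_password(password):
            return user  # backend policy bypassed
        return None
    return user


def login_fixed(username, password, **extra):
    """Hardened form: authenticate() is the only path to a logged-in user.
    If every configured backend refuses, the login fails, full stop."""
    user = authenticate(username=username, password=password, **extra)
    if user is None or not user.is_active:
        return None
    return user


if __name__ == "__main__":
    # alice knows her password but supplies no TOTP code.
    print("vulnerable:", login_vulnerable("alice", "correct horse") is not None)
    print("fixed:     ", login_fixed("alice", "correct horse") is not None)
```

The check a practitioner wants when auditing a login view is simple: after `authenticate()` returns `None`, there must be no second code path that consults the user table and `check_password()` on its own. Any such fallback turns every backend in AUTHENTICATION_BACKENDS into advisory-only logic.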