Your message dated Wed, 08 Jan 2020 21:47:11 +0000
with message-id <e1ipjav-000g8e...@fasolo.debian.org>
and subject line Bug#946937: fixed in python-django 1:1.11.27-1~deb10u1
has caused the Debian Bug report #946937,
regarding python-django: CVE-2019-19844: Potential account hijack via password
reset form
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
946937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946937
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1:1.10.7-2+deb9u6
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-django.
CVE-2019-19844[0][1]: Potential account hijack via password
reset form
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-19844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844
[1] https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-
--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 1:1.11.27-1~deb10u1
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 946...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 06 Jan 2020 15:35:55 +0000
Source: python-django
Binary: python-django python-django-common python-django-doc python3-django
Architecture: source all
Version: 1:1.11.27-1~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Python Modules Team
<python-modules-t...@lists.alioth.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
python-django - High-level Python web development framework (Python 2 version)
python-django-common - High-level Python web development framework (common)
python-django-doc - High-level Python web development framework (documentation)
python3-django - High-level Python web development framework (Python 3 version)
Closes: 946937
Changes:
python-django (1:1.11.27-1~deb10u1) buster-security; urgency=high
.
* New upstream security release. (Closes: #946937)
<https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>
.
- CVE-2019-19844: Potential account hijack via password reset form.
.
By submitting a suitably crafted email address making use of Unicode
characters, that compared equal to an existing user email when
lower-cased for comparison, an attacker could be sent a password reset
token for the matched account.
.
In order to avoid this vulnerability, password reset requests now compare
the submitted email using the stricter, recommended algorithm for
case-insensitive comparison of two identifiers from Unicode Technical
Report 36, section 2.11.2(B)(2). Upon a match, the email containing the
reset token will be sent to the email address on record rather than the
submitted address.
Checksums-Sha1:
dbd523d34605a28fb3880e870aab6809b230cb68 3267
python-django_1.11.27-1~deb10u1.dsc
8f0ad184cbae6e69dbe2a1f4d7ec32d842657001 7976980
python-django_1.11.27.orig.tar.gz
c8fbb06f8c6368f596d80e332c7518a537e7697f 27276
python-django_1.11.27-1~deb10u1.debian.tar.xz
4e7b6cb564fcbc0cadf3d8de400d39c9282c3654 1538076
python-django-common_1.11.27-1~deb10u1_all.deb
a054fee1e86f82030397bd841dfa5c78e968dc6a 2689580
python-django-doc_1.11.27-1~deb10u1_all.deb
bc8a14f1b1b3569da28028f4ec01806e7352dd77 917320
python-django_1.11.27-1~deb10u1_all.deb
9ac9abed0738fed7e8d951c7fa98cd43ae4a2298 14208
python-django_1.11.27-1~deb10u1_amd64.buildinfo
565b60900064d136e3d1a2b0b436cdf5c017c453 917472
python3-django_1.11.27-1~deb10u1_all.deb
Checksums-Sha256:
d8db6a86b018830d089524a77c5dbe35e2e5ee86fd7f66bbf6061e28a0f740cb 3267
python-django_1.11.27-1~deb10u1.dsc
20111383869ad1b11400c94b0c19d4ab12975316cd058eabd17452e0546169b8 7976980
python-django_1.11.27.orig.tar.gz
4b24466c413d6f80fd8b8fe511b9401c650daca17a253cce6047eaffabf1e8eb 27276
python-django_1.11.27-1~deb10u1.debian.tar.xz
05d843f7f396663203161af92ddc98c3643bcf492169e5e07ff7eef5c32527a8 1538076
python-django-common_1.11.27-1~deb10u1_all.deb
14f2cee56e3a359ad438fe8c05acd6f3c8037778f18fc7f8a4d2e4dcc5bba911 2689580
python-django-doc_1.11.27-1~deb10u1_all.deb
67157d719ec22ee8df031edc93789dcc03b22df43080496ce400809021f5ace5 917320
python-django_1.11.27-1~deb10u1_all.deb
1a48a9763ce0c184440396ee4b82b8576a81cce26a1690e5533031e38a704e44 14208
python-django_1.11.27-1~deb10u1_amd64.buildinfo
5a201f2d3e2117ccad111b89afd941bac8dd4e174f61fdddc31057730d9f9773 917472
python3-django_1.11.27-1~deb10u1_all.deb
Files:
de97d0a2ce04ea9bb4e87ad3c3b17071 3267 python optional
python-django_1.11.27-1~deb10u1.dsc
e75626654c7d92ff8bafa2a36d137372 7976980 python optional
python-django_1.11.27.orig.tar.gz
d1fa1f59ff05d9cc2a70d2e6c1461f3a 27276 python optional
python-django_1.11.27-1~deb10u1.debian.tar.xz
602d59aa85f11c7830c714ae8e2a00f1 1538076 python optional
python-django-common_1.11.27-1~deb10u1_all.deb
4209972a157dd5b2c0b0d5edd12f4b83 2689580 doc optional
python-django-doc_1.11.27-1~deb10u1_all.deb
c0500947c8ab6f5f6fc544417fe4e33e 917320 python optional
python-django_1.11.27-1~deb10u1_all.deb
0f72d705e397a1d8ef744e88f727352e 14208 python optional
python-django_1.11.27-1~deb10u1_amd64.buildinfo
a10adf7165cc6f501e14f5bb734246b7 917472 python optional
python3-django_1.11.27-1~deb10u1_all.deb
-----BEGIN PGP SIGNATURE-----
=4EQD
-----END PGP SIGNATURE-----
--- End Message ---
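The changelog above describes the two halves of the fix: decide the match in Python with the Unicode Technical Report 36, section 2.11.2(B)(2) comparison (NFKC normalisation followed by case folding) rather than trusting whatever the database collation considers equal, and mail the token to the address on record rather than the submitted string. The following is an added illustration of that logic, not Django's own code or anything shipped in the Debian package; the USERS table, the function names and the fullwidth sample address are constructed for the example.

```python
import unicodedata

# Constructed stand-in for the user table (not Django's ORM).
USERS = [
    {"email": "alice@example.com", "is_active": True},
    {"email": "bob@example.com", "is_active": False},
]


def weak_lower_compare(s1, s2):
    """The kind of comparison the changelog warns about: plain lower-casing,
    with no normalisation, so visually/semantically equivalent forms can be
    treated inconsistently depending on what produced the string."""
    return s1.lower() == s2.lower()


def unicode_ci_compare(s1, s2):
    """Case-insensitive identifier comparison after UTR 36, section
    2.11.2(B)(2): NFKC-normalise both sides, then compare the casefolded
    forms. Compatibility variants (fullwidth letters, ligatures, sharp s)
    all collapse to one canonical spelling before comparison."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def reset_recipients(submitted_email, users=USERS):
    """Return the on-record addresses a reset token would be mailed to.

    Mitigations modelled here, both from the changelog:
      1. the match is made in Python with unicode_ci_compare(), independent
         of database collation behaviour;
      2. the recipient is the stored address, never the submitted string,
         so a lookalike submission can only ever route mail to the real
         account owner.
    """
    return [
        u["email"]
        for u in users
        if u["is_active"] and unicode_ci_compare(submitted_email, u["email"])
    ]


if __name__ == "__main__":
    # Fullwidth Latin letters (constructed sample) are not equal to ASCII
    # under plain lower(), but NFKC folds them to ASCII first.
    fullwidth = "\uff41\uff4c\uff49\uff43\uff45@example.com"
    print(weak_lower_compare(fullwidth, "alice@example.com"))   # False
    print(unicode_ci_compare(fullwidth, "alice@example.com"))   # True
    # Whatever form was submitted, the token goes to the stored address.
    print(reset_recipients(fullwidth))                          # ['alice@example.com']
```

The behaviour worth checking in a deployment is the second point: after a reset request that matches, the outgoing mail's To: header must be the stored address, and a request for an inactive or unknown account must produce no mail at all.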
_______________________________________________
Python-modules-team mailing list
Python-modules-team@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team