
Accepted python-django 1.7.11-1+deb8u8 (source all) into oldoldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 18 Dec 2019 16:30:55 +0000
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Built-For-Profiles: nocheck
Architecture: source all
Version: 1.7.11-1+deb8u8
Distribution: jessie-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 946937
Changes:
 python-django (1.7.11-1+deb8u8) jessie-security; urgency=high
 .
   * CVE-2019-19844: Prevent a potential account hijack via the password reset
     form. (Closes: #946937)
 .
     Django's password-reset form uses a case-insensitive query to retrieve
     accounts matching the email address requesting the password reset. Because
     this typically involves explicit or implicit case transformations, an
     attacker who knows the email address associated with a user account can
     craft an email address which is distinct from the address associated with
     that account, but which -- due to the behavior of Unicode case
     transformations -- ceases to be distinct after case transformation, or
     which will otherwise compare equal given database case-transformation or
     collation behavior. In such a situation, the attacker can receive a valid
     password-reset token for the user account. To resolve this, two changes
     were made in Django:
 .
     - After retrieving a list of potentially-matching accounts from the
       database, Django's password reset functionality now also checks the email
       address for equivalence in Python, using the recommended
       identifier-comparison process from Unicode Technical Report 36, section
       2.11.2(B)(2).
 .
     - When generating password-reset emails, Django now sends to the email
       address retrieved from the database, rather than the email address
       submitted in the password-reset request form.
 .
     For more information, please see:
     <https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>.
Checksums-Sha1:
 82f125b932442a26548b2b667f443712cbc56f63 2721 python-django_1.7.11-1+deb8u8.dsc
 f9abaf7eacec73bc1c5e6080e2778a7174ebf9d4 7586798 python-django_1.7.11.orig.tar.gz
 c356e85eb901e97f7b40adc470ce3b4c5cb87c3d 40900 python-django_1.7.11-1+deb8u8.debian.tar.xz
 598724b90fbee2ee28994c198baec33de322c362 993178 python-django_1.7.11-1+deb8u8_all.deb
 ac59828a6cc8eeb07a343a78c04c7d6df8feaa8d 976382 python3-django_1.7.11-1+deb8u8_all.deb
 fdbf1b5f199624e70ac94b3fa60a60317818905a 1499024 python-django-common_1.7.11-1+deb8u8_all.deb
 65fad5db3f438e8a21cde9f6b6aae92a3c2613cf 2487288 python-django-doc_1.7.11-1+deb8u8_all.deb
Checksums-Sha256:
 517deb1dd3e99504813f30ffbed97a51e1d618e84307e5fa8130eb7f96af88f5 2721 python-django_1.7.11-1+deb8u8.dsc
 2039144fce8f1b603d03fa5a5643578df1ad007c4ed41a617f02a3943f7059a1 7586798 python-django_1.7.11.orig.tar.gz
 ac06cbc6f112df95e98e2f726d55a0e6eca3e025674ff51b9c754fff8bb26237 40900 python-django_1.7.11-1+deb8u8.debian.tar.xz
 f4aa15fd919d8a30ad35321ca6a8bc0fadd47749907a983ccc54b2b20733116a 993178 python-django_1.7.11-1+deb8u8_all.deb
 ce66dc1d467b48c14eac2872f0b74154c6e00ddc39d889005a0a58d8bada7d55 976382 python3-django_1.7.11-1+deb8u8_all.deb
 73a20fa75e10b5af5ec65504be64d9468b0b78d398ef7000285bf509b96d66b9 1499024 python-django-common_1.7.11-1+deb8u8_all.deb
 1066b186381be8e7a0ab363af9f40e4c08277a1185669f7990b6d167fdb4bcbc 2487288 python-django-doc_1.7.11-1+deb8u8_all.deb
Files:
 753994403360d35225485b11a3837cb9 2721 python optional python-django_1.7.11-1+deb8u8.dsc
 030b2f9c99a6e4e0418eadf7dba9e235 7586798 python optional python-django_1.7.11.orig.tar.gz
 0e9bacffbbd8229e9af7711f8401eeb3 40900 python optional python-django_1.7.11-1+deb8u8.debian.tar.xz
 a9111fc3dac5514acdbc522d8c0086ac 993178 python optional python-django_1.7.11-1+deb8u8_all.deb
 3c6d66b88067e5c9cd27e7beb50ec3f0 976382 python optional python3-django_1.7.11-1+deb8u8_all.deb
 dadad054841d82b85677de01c6f89d74 1499024 python optional python-django-common_1.7.11-1+deb8u8_all.deb
 bef6e000abac989eeebdb3936be8c7da 2487288 doc optional python-django-doc_1.7.11-1+deb8u8_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl36V28ACgkQHpU+J9Qx
HljBKg//fnJs8KyFeqG3OadKM+sqXznTpFmzRpZXbv/Wq74zZ9tmoPfMQ7If/eGz
chEU7huExmsLxOgrtlUt0Yow54Ve4RjNXPeXDNRVCn5onvel/T+awEbydo706rmh
yHziycLlPlG9HUZv2hU7Pdm6OERCrWhvxA+CDvBkQfTCO7qtivHzmiOXfKJk2bN1
yU2LIsj5/OaYJqPlKxEI9jEhATVNLUJYs5hyuFxGYHbkUvmJkr1ZOAhnm72WfEWo
5HIL8ovqBXoGdT00FeuqDmN+hsh6biaIUraUDTGEs2D3zDIwGFKjw1kSYrS6Lh2k
em+s8dmyMSyKSpx7UoYQCz6EQqc0J54wtwkkCIOAOeX5/BIlv2dGXRKj0cnP6etG
IT51ffweKrzxEDsPfT8zpF62RFUKHUc4KTPu2ENPfquH3E4J4wexDCFk4ZiLKzpc
28J9rbVqlTEOS/0Eur8d3vKNdpCEjC8zFLSTnoPaZ6geVn9SPhV9DPgjHZAn5CxI
Lmlm/hCk3kwYQpdbuKWlR6JTl7FFvSki2pCcN8NqtYRG4ofGdC0pddyTST7/f4PL
WGhisaV8NYE64qKRO6I47qQmGEjpmPUPxlX0ab2Fh7Gk8LMzaxIRJMbe/nW5OLsW
Wp01I++C9WDywpXt2IWBdQaKzu6B8JVJ7a/rBij/SsJEHj6wXtg=
=K5Ut
-----END PGP SIGNATURE-----
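The two changes listed in the changelog above, worked through in plain Python as an added example (this is not Django's own code and not part of the upload). It assumes a constructed in-memory user table in place of the ORM query, and a constructed `collation_key()` that approximates a case- and accent-insensitive database collation, which is what makes the `__iexact` lookup match more addresses than a strict Unicode identifier comparison would. `unicode_ci_compare()` applies the Unicode TR36 section 2.11.2(B)(2) process (NFKC normalisation followed by case folding), and `get_reset_recipients()` returns the address stored in the database rather than the one that was submitted:

```python
import unicodedata

# Constructed stand-in for the user table that the password-reset form queries.
USERS = [
    {"username": "mike", "email": "mike@example.com", "active": True},
    {"username": "renee", "email": "renee@example.com", "active": True},
    {"username": "old", "email": "old@example.com", "active": False},
]


def collation_key(s):
    """Constructed approximation of a case- and accent-insensitive collation:
    decompose, drop combining marks, lower-case. It stands in for whatever the
    database backend does for a case-insensitive (__iexact) lookup."""
    decomposed = unicodedata.normalize("NFKD", s)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.lower()


def db_iexact_lookup(submitted_email):
    """Simulated database query: active users whose stored email matches the
    submitted one under the (loose) collation above."""
    key = collation_key(submitted_email)
    return [u for u in USERS if u["active"] and collation_key(u["email"]) == key]


def unicode_ci_compare(s1, s2):
    """Identifier comparison recommended by Unicode TR36, section 2.11.2(B)(2):
    NFKC-normalise both strings, then compare their case-folded forms."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def get_reset_recipients_vulnerable(submitted_email):
    """Pre-fix behaviour: every database match is trusted, and the reset mail
    is addressed to the submitted string, not the stored address."""
    return [submitted_email for _ in db_iexact_lookup(submitted_email)]


def get_reset_recipients(submitted_email):
    """Both mitigations: (1) re-check each database match with the Unicode
    comparison in Python, (2) address the mail to the stored email value."""
    return [u["email"] for u in db_iexact_lookup(submitted_email)
            if unicode_ci_compare(submitted_email, u["email"])]


if __name__ == "__main__":
    # Constructed inputs: a plain address, an upper-cased one, an accented
    # variant the loose collation folds onto "renee", and a variant containing
    # the Kelvin sign (U+212A), which case transformation folds onto "k".
    for submitted in ("mike@example.com", "MIKE@example.com",
                      "ren\u00e9e@example.com", "mi\u212ae@example.com"):
        print(repr(submitted),
              "before:", get_reset_recipients_vulnerable(submitted),
              "after:", get_reset_recipients(submitted))
```

The accented input shows the first change at work: the database lookup returns the `renee` account, but the Python re-check rejects it, so no token is issued at all. The Kelvin-sign input passes the Unicode comparison (NFKC maps U+212A to a plain K), which is why the second change matters: the token is sent to the stored `mike@example.com`, never to the submitted string.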

