USN-2915-1 introduced a regression in is_safe_url()

Bug #1553251 reported by Marc Deslauriers
This bug affects 1 person
Affects                  Status        Importance  Assigned to       Milestone
Django                   Unknown       Unknown
python-django (Ubuntu)   Fix Released  Undecided   Marc Deslauriers
  Trusty                 Fix Released  Undecided   Marc Deslauriers
  Wily                   Fix Released  Undecided   Marc Deslauriers
  Xenial                 Fix Released  Undecided   Marc Deslauriers

CVE References

Marc Deslauriers (mdeslaur) wrote :
Changed in python-django (Ubuntu Precise):
status: New → Confirmed
Changed in python-django (Ubuntu Trusty):
status: New → Confirmed
Changed in python-django (Ubuntu Wily):
status: New → Confirmed
Changed in python-django (Ubuntu Xenial):
status: New → Confirmed
Changed in python-django (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-django (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-django (Ubuntu Wily):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-django (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.8.7-1ubuntu3

---------------
python-django (1.8.7-1ubuntu3) xenial; urgency=medium

  * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
    - debian/patches/CVE-2016-2512-regression.patch: force url to unicode
      in django/utils/http.py, added test to
      tests/utils_tests/test_http.py.
    - CVE-2016-2512

 -- Marc Deslauriers <email address hidden> Fri, 04 Mar 2016 11:03:43 -0500

Changed in python-django (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.6.1-2ubuntu0.13

---------------
python-django (1.6.1-2ubuntu0.13) trusty-security; urgency=medium

  * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
    - debian/patches/CVE-2016-2512-regression.patch: force url to unicode
      in django/utils/http.py, added test to
      tests/utils_tests/test_http.py.
    - CVE-2016-2512

 -- Marc Deslauriers <email address hidden> Fri, 04 Mar 2016 11:07:40 -0500

Changed in python-django (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.7.9-1ubuntu5.3

---------------
python-django (1.7.9-1ubuntu5.3) wily-security; urgency=medium

  * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
    - debian/patches/CVE-2016-2512-regression.patch: force url to unicode
      in django/utils/http.py, added test to
      tests/utils_tests/test_http.py.
    - CVE-2016-2512

 -- Marc Deslauriers <email address hidden> Fri, 04 Mar 2016 11:06:58 -0500

Changed in python-django (Ubuntu Wily):
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Ubuntu 12.04 LTS isn't affected by the regression.

Changed in python-django (Ubuntu Precise):
status: Confirmed → Invalid
Marc Deslauriers (mdeslaur) wrote :
Mathew Hodson (mhodson)
no longer affects: python-django (Ubuntu Precise)
This report contains Public Security information  
Everyone can see this security related information.