security vulnerability in django admin

Bug #234631 reported by Jan Claeys
Affects                  Status        Importance  Assigned to        Milestone
python-django (Ubuntu)   Fix Released  Medium      Unassigned
  Feisty                 Fix Released  Undecided   Andrea Gasparini
  Gutsy                  Fix Released  Undecided   Andrea Gasparini
  Hardy                  Fix Released  Undecided   Andrea Gasparini
  Intrepid               Fix Released  Medium      Unassigned

Bug Description

Binary package hint: python-django

The Django project has released a one-line fix for a possible cross-site scripting attack against the admin interface:

See: http://groups.google.com/group/django-announce/browse_thread/thread/903d7c2af239ec42

Ralph Janke (txwikinger) wrote :

I can confirm this announcement. See also here: http://www.djangoproject.com/weblog/2008/may/14/security/

Changed in python-django:
importance: Undecided → Medium
status: New → Triaged
Andrea Gasparini (gaspa)
Changed in python-django:
assignee: nobody → gaspa
Andrea Gasparini (gaspa) wrote :

Applied upstream fix in hardy package.
So, this is the debdiff that should fix this bug in hardy.

Andrea Gasparini (gaspa) wrote :

Also fixed, with the same patch, for gutsy.

William Grant (wgrant) wrote :

For Intrepid, we should sync or merge 0.96.2 from Debian.
Andrea: can you please do that, given that you merged it last?

Changed in python-django:
assignee: nobody → gaspa
status: New → In Progress
assignee: nobody → gaspa
status: New → In Progress
status: New → Triaged
William Grant (wgrant) wrote :

Also, please use the patch system in your debdiffs, and create one for Feisty.

Andrea Gasparini (gaspa)
Changed in python-django:
assignee: nobody → gaspa
Andrea Gasparini (gaspa) wrote :

Yes, I'd like to do it also for intrepid and feisty, in just a few days, 'cause I'm really busy. :)
(and for intrepid a merge is fine...)

Andrea Gasparini (gaspa) wrote :

Fixed also for feisty. :)

Andrea Gasparini (gaspa) wrote :

Debdiff that closes the bug for intrepid:

Remaining Ubuntu changes:
      - debian/patches/04_workaround_net_tests.patch run testsuite
        during build process
      - debian/control: Maintainer set to Ubuntu Motu.

Changes dropped:
      - debian/patches/03_dynamicshebang.diff: manage.py created.
        with the right python interpreter.

as discussed in: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460662
and because Debian already changes the hashbang in binary-post-install to a standard "/usr/bin/python".

Andrea Gasparini (gaspa) wrote :

Argh, wrong debdiff for intrepid... this is the right one.

Morten Kjeldgaard (mok0) wrote :

Uploaded, tfyw!

Changed in python-django:
assignee: gaspa → nobody
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 0.96.2-1ubuntu1

---------------
python-django (0.96.2-1ubuntu1) intrepid; urgency=low

  * Also closes LP: #234631: "security vulnerability in django admin"
  * Merge from Debian unstable. Remaining Ubuntu changes:
      - debian/patches/04_workaround_net_tests.patch
      - debian/rules: run testsuite during build process
      - debian/control: Maintainer set to Ubuntu Motu.

python-django (0.96.2-1) unstable; urgency=low

  * New upstream security release. Closes: #481164

 -- Andrea Gasparini <email address hidden> Tue, 20 May 2008 12:31:33 +0200

Changed in python-django:
status: Fix Committed → Fix Released
William Grant (wgrant) wrote :

Andrea, you've made a single-character error in your Feisty debdiff. You left the first 1 out of the version string.

Changed in python-django:
status: Triaged → In Progress
Andrea Gasparini (gaspa) wrote :

Yes, you're right! I checked that it's only a typo; other version numbers and packages are correct.

Attaching a new debdiff.

Leonel Nunez (leonelnunez) wrote :

for intrepid there is a merge in progress for Django 1.0

https://bugs.edge.launchpad.net/ubuntu/+source/python-django/+bug/264191

Jamie Strandboge (jdstrand) wrote :

The feisty-hardy debdiffs all referenced the wrong bug number. I have adjusted that and am reviewing the rest of the patch.

Changed in python-django:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 0.96.1-2ubuntu2.1

---------------
python-django (0.96.1-2ubuntu2.1) hardy-security; urgency=low

  * SECURITY UPDATE: security vulnerability in django admin
  * debian/patches/05_CVE-2008-2302_fix.diff: added upstream fix
    escaping request path in login page of admin site. (LP: #234631)
  * References:
    CVE link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2302
    upstream announce: http://www.djangoproject.com/weblog/2008/may/14/security/
    upstream fix: http://code.djangoproject.com/changeset/7527

 -- Andrea Gasparini <email address hidden> Thu, 29 May 2008 17:00:38 +0200

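The changelog above describes the fix as escaping the request path before the admin login page renders it. What follows is an added example written for this page; it is not Django's code and not the debdiff attached to this bug. It renders a minimal login form the way a vulnerable template would (raw path interpolated into the action attribute) and the way the fix describes (path HTML-escaped first), then runs both through Python's own HTML parser to show what a browser would see. The names login_form_unescaped, login_form_escaped, inspect and the sample path are constructed for the illustration.

```python
import html
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Constructed sample path (not taken from the bug report). It carries a
# double quote and angle brackets, the characters that matter when a value
# lands inside an HTML attribute.
SAMPLE_PATH = '/admin/"><i>injected</i>'

# Minimal stand-in for the login template: the request path becomes the
# form's action so the user returns to the page they asked for.
FORM_TEMPLATE = '<form action="{action}" method="post"><!-- fields --></form>'


def login_form_unescaped(request_path: str) -> str:
    """Hypothetical pre-fix behaviour: the request path is interpolated raw.

    A double quote in the path closes the action attribute early, and the
    rest of the path is parsed as markup.
    """
    return FORM_TEMPLATE.format(action=request_path)


def login_form_escaped(request_path: str) -> str:
    """Post-fix behaviour as the changelog describes it: the path is
    HTML-escaped before interpolation, so &, <, >, " and ' become entities
    and can no longer terminate the attribute."""
    return FORM_TEMPLATE.format(action=html.escape(request_path, quote=True))


class _Inspector(HTMLParser):
    """Records every start tag and the action attribute of the first <form>,
    which is roughly what a browser's parser would build from the page."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.form_action: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form" and self.form_action is None:
            # HTMLParser decodes entity references in attribute values, so
            # an escaped path comes back as the original string.
            self.form_action = dict(attrs).get("action")


def inspect(markup: str) -> Tuple[List[str], Optional[str]]:
    """Return (start tags seen, action attribute of the first form)."""
    parser = _Inspector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.form_action


if __name__ == "__main__":
    for label, render in (("unescaped", login_form_unescaped),
                          ("escaped", login_form_escaped)):
        tags, action = inspect(render(SAMPLE_PATH))
        print(f"{label:>9}: tags={tags} action={action!r}")
```

The unescaped rendering yields two elements (form and the smuggled i) and a truncated action of "/admin/"; the escaped rendering yields only the form, with the action attribute carrying the complete original path. That is the whole point of context-appropriate escaping: the data survives intact as data, and none of it is promoted to markup. The same principle applies to any request-derived value that is written into HTML, not only the path.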
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 0.96-1ubuntu0.2

---------------
python-django (0.96-1ubuntu0.2) gutsy-security; urgency=low

  * SECURITY UPDATE: security vulnerability in django admin
  * debian/patches/05_CVE-2008-2302_fix.diff: added upstream fix
    escaping request path in login page of admin site. (LP: #234631)
  * References:
    CVE link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2302
    upstream announce: http://www.djangoproject.com/weblog/2008/may/14/security/
    upstream fix: http://code.djangoproject.com/changeset/7527

 -- Andrea Gasparini <email address hidden> Thu, 29 May 2008 17:00:38 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 0.95.1-1ubuntu1.2

---------------
python-django (0.95.1-1ubuntu1.2) feisty-security; urgency=low

  * SECURITY UPDATE: security vulnerability in django admin
  * debian/patches/05_CVE-2008-2302_fix.diff: added upstream fix
    escaping request path in login page of admin site. (LP: #234631)
  * References:
    CVE link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2302
    upstream announce: http://www.djangoproject.com/weblog/2008/may/14/security/
    upstream fix: http://code.djangoproject.com/changeset/7527

 -- Andrea Gasparini <email address hidden> Thu, 03 Jun 2008 09:08:38 +0200

Changed in python-django:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
