security update micro-release

Bug #408825 reported by Alistair Marshall
Affects                   Status        Importance   Assigned to   Milestone
python-django (Ubuntu)    Fix Released  Undecided    Unassigned
  Dapper                  Invalid       Undecided    Unassigned
  Hardy                   Won't Fix     Undecided    Unassigned
  Intrepid                Invalid       Undecided    Unassigned
  Jaunty                  Fix Released  Undecided    Unassigned
  Karmic                  Fix Released  Undecided    Unassigned

Bug Description

Binary package hint: python-django

Django recently released a stable micro update that fixed 2 security vulnerabilities.

Security announcement:
http://www.djangoproject.com/weblog/2009/jul/28/security

Direct download of upstream stable release:
http://www.djangoproject.com/download/1.0.3/tarball/

I have attached my attempt at packaging based on the version in Jaunty, though this is my first attempt at packaging anything.

Tags: patch

CVE References

CVE-2009-2659

Revision history for this message
Alistair Marshall (thatscottishengineer) wrote :
security vulnerability: no → yes
Revision history for this message
Kees Cook (kees) wrote :

Hi! Thanks very much for the patch. When we prepare security updates we try to produce only a minimal patch that fixes the specific vulnerability. More details here:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Preparing%20an%20update

Changed in python-django (Ubuntu Jaunty):
status: New → Incomplete
Changed in python-django (Ubuntu):
status: New → Confirmed
Revision history for this message
Alistair Marshall (thatscottishengineer) wrote :

I'll have a go at just applying the 2 security patches to 1.0.2 and upload again tomorrow.

Is there a different procedure to get 1.0.3 with all the non-security bugs accepted?

Thanks
Alistair

Revision history for this message
Alistair Marshall (thatscottishengineer) wrote :

Here is my attempt to apply only the security patch (after looking closer, there was only one security issue fixed; the other issue was considered a feature which will be deprecated in future versions of Django).

Alistair

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff.

Could you please follow the security update guidelines available here: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Specifically:
- security update versioning
- changelog format
- patch tagging

When you submit a debdiff fixing these issues, please mark this bug as "In Progress" so the automated scripts will notify us.

Thanks!

Revision history for this message
Alistair Marshall (thatscottishengineer) wrote :

Another attempt - hopefully fixing the previous issues.

Alistair

Changed in python-django (Ubuntu Jaunty):
status: Incomplete → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Alistair:

The debdiff looks good. I went ahead and added the following to the change log, since we want to auto-close this bug and reference the CVE number:
    - LP: #408825
    - CVE-2009-2659

What testing was performed? I am going to upload this to the security PPA, but won't push to the archive until I hear back on the testing. Thanks for your hard work on this!

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Karmic is not affected (has 1.1-1).

Changed in python-django (Ubuntu Jaunty):
status: In Progress → Fix Committed
Changed in python-django (Ubuntu Dapper):
status: New → Invalid
Changed in python-django (Ubuntu Karmic):
status: Confirmed → Fix Released
Changed in python-django (Ubuntu Hardy):
status: New → Confirmed
Changed in python-django (Ubuntu Intrepid):
status: New → Confirmed
Revision history for this message
Alistair Marshall (thatscottishengineer) wrote :

Thanks and sorry for the delay.

Testing - unfortunately I was unable to do a full test (Django includes a test suite in 1.0.3 and all future versions, but as this patch has been backported to 1.0.2, I didn't test everything).

I did test:
- The package builds/installs correctly.
- The security vulnerability has been fixed in the new version.
- That two of my Django-based websites still work without any changes, as far as I can tell.

I would recommend that, due to Django using minor releases for bug fixes only and the inclusion of the test suite in all future versions, Django be treated in the same way as Firefox minor updates.

Alistair

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.0.2-1ubuntu0.1

---------------
python-django (1.0.2-1ubuntu0.1) jaunty-security; urgency=low

  * SECURITY UPDATE: crafted URL can cause the development server to serve
    any file to which it has read access
    http://www.djangoproject.com/weblog/2009/jul/28/security/
    - Apply upstream security patch changeset 11353
    - LP: #408825
    - CVE-2009-2659

 -- Alistair Marshall <email address hidden> Fri, 07 Aug 2009 14:06:30 +0100

Changed in python-django (Ubuntu Jaunty):
status: Fix Committed → Fix Released
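The vulnerability class named in the changelog above (a crafted URL that makes a static-file view hand back any file the server process can read), shown as an added example. This is not Django's code and not upstream changeset 11353; the function names naive_resolve, safe_resolve, serve and demo, the temporary directory layout and the two crafted requests are all constructed for the demonstration.

```python
# Added example (not Django's code and not the upstream changeset applied in
# this update): a naive static-file view of the kind that lets a crafted URL
# read any file the server process can open, beside a hardened resolver that
# keeps every request inside the document root. File names and the requests
# below are constructed for the demonstration.
import os
import posixpath
import shutil
import tempfile
from urllib.parse import unquote


def naive_resolve(document_root, url_path):
    """Vulnerable: percent-decode once and join onto the root.
    A decoded '../' walks out of the root, and an absolute path makes
    os.path.join discard the root entirely."""
    return os.path.join(document_root, unquote(url_path))


def safe_resolve(document_root, url_path):
    """Hardened: decode, normalise as a POSIX path, drop empty, '.' and '..'
    components and any drive prefix, then require the resolved real path to
    stay inside the real document root. Returns None when it does not
    (for example a symlink under the root that points outside it)."""
    parts = []
    for part in posixpath.normpath(unquote(url_path)).split("/"):
        _drive, part = os.path.splitdrive(part)
        _head, part = os.path.split(part)
        if part in ("", os.curdir, os.pardir):
            continue
        parts.append(part)
    root = os.path.realpath(document_root)
    candidate = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve(document_root, url_path, resolver):
    """Minimal stand-in for a static view: resolve, then read the file.
    Returns (status, body)."""
    full = resolver(document_root, url_path)
    if full is None:
        return 403, b""
    if not os.path.isfile(full):
        return 404, b""
    with open(full, "rb") as f:
        return 200, f.read()


def demo():
    """Build a constructed tree: a document root holding index.html, and a
    secret file next to (outside) the root. Exercise both resolvers and
    return the observations as a dict of (status, body) tuples."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "site")
        os.makedirs(os.path.join(root, "css"))
        with open(os.path.join(root, "index.html"), "wb") as f:
            f.write(b"<html>hello</html>")
        secret = os.path.join(base, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"not for the web")

        traversal = "..%2Fsecret.txt"   # encoded slash survives one decode
        absolute = secret               # absolute filesystem path in the URL
        return {
            "naive_traversal": serve(root, traversal, naive_resolve),
            "naive_absolute": serve(root, absolute, naive_resolve),
            "safe_traversal": serve(root, traversal, safe_resolve),
            "safe_absolute": serve(root, absolute, safe_resolve),
            "safe_index": serve(root, "css/../index.html", safe_resolve),
            "safe_missing": serve(root, "css/nope.css", safe_resolve),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:16} {status} {body!r}")
```

Running the block shows the naive resolver returning the secret file with status 200 for both crafted requests, while the hardened resolver strips the traversal components and rebases the absolute path under the root, so both requests end as a 404 inside the document root; the 403 branch only fires when the real path (after symlink resolution) leaves the root.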
Artur Rona (ari-tczew)
tags: added: patch
Revision history for this message
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report. The bug has been fixed in newer releases of Ubuntu.

Changed in python-django (Ubuntu Intrepid):
status: Confirmed → Invalid
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in python-django (Ubuntu Hardy):
status: Confirmed → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
