[SRU] dajaxice crashes with django patched for the flaw in CSRF handling

Bug #723585 reported by Jorge Bastida
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
dajaxice (Debian) | Fix Released | Unknown | |
dajaxice (Ubuntu) | Fix Released | High | Unassigned |
Lucid | Fix Released | High | Unassigned |
Maverick | Fix Released | High | Unassigned |

Bug Description

TEST CASE:

Versions: 0.1.0 (Lucid) and 0.1.5 (Maverick)

Install python-django-dajaxice

Error:
python-django-dajaxice 0.1.0 (Lucid) and 0.1.5 (Maverick) crash with django patched for the flaw in CSRF handling.

Regression:
I think there are no options for regression; the patches are imported from 0.1.8.1 by the upstream developer.

Related to the security bug in python-django (LP: #719031)

You can find attached the diff that fixes the bug for both versions.

I'm the django-dajaxice lead developer.

Jorge Bastida (me-jorgebastida) wrote :
Angel Abad (angelabad)
Changed in dajaxice (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Angel Abad (angelabad) wrote :

Fixed in 0.1.8.1-1 package upload.

Changed in dajaxice (Ubuntu Lucid):
importance: Undecided → High
Changed in dajaxice (Ubuntu Maverick):
importance: Undecided → High
Changed in dajaxice (Ubuntu):
status: Confirmed → Fix Released
Changed in dajaxice (Ubuntu Lucid):
assignee: nobody → Angel Abad (angelabad)
status: New → In Progress
Changed in dajaxice (Ubuntu Maverick):
assignee: nobody → Angel Abad (angelabad)
status: New → In Progress
Angel Abad (angelabad)
summary: - dajaxice crashes with django patched for the flaw in CSRF handling
+ [SRU] dajaxice crashes with django patched for the flaw in CSRF handling
Angel Abad (angelabad)
description: updated
Angel Abad (angelabad) wrote :

Packages uploaded to lucid-proposed and maverick-proposed (waiting for approval)

Changed in dajaxice (Ubuntu Lucid):
assignee: Angel Abad (angelabad) → nobody
status: In Progress → Confirmed
Changed in dajaxice (Ubuntu Maverick):
assignee: Angel Abad (angelabad) → nobody
status: In Progress → Confirmed
Martin Pitt (pitti) wrote : Please test proposed package

Accepted dajaxice into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in dajaxice (Ubuntu Maverick):
status: Confirmed → Fix Committed
tags: added: verification-needed
Martin Pitt (pitti) wrote :

Accepted dajaxice into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in dajaxice (Ubuntu Lucid):
status: Confirmed → Fix Committed
Angel Abad (angelabad) wrote :

Thanks Martin!

Both lucid and maverick proposed packages install well and solve the CSRF problem with django patched.

Regards,

Martin Pitt (pitti)
tags: added: verification-done
removed: verification-needed
Changed in dajaxice (Debian):
status: Unknown → Confirmed
Changed in dajaxice (Debian):
status: Confirmed → Fix Committed
Changed in dajaxice (Debian):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dajaxice - 0.1.0-1ubuntu1

---------------
dajaxice (0.1.0-1ubuntu1) lucid-proposed; urgency=high

  * debian/patches/fix_csrf_verification: (LP: #723585)
    - Fix bug related to CSRF verification on Django
 -- Angel Abad <email address hidden> Wed, 23 Feb 2011 13:24:32 +0000

Changed in dajaxice (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dajaxice - 0.1.5-1ubuntu1

---------------
dajaxice (0.1.5-1ubuntu1) maverick-proposed; urgency=high

  * debian/patches/fix_csrf_verification: (LP: #723585)
    - Fix bug related to CSRF verification on Django
 -- Angel Abad <email address hidden> Wed, 23 Feb 2011 13:09:22 +0000

Changed in dajaxice (Ubuntu Maverick):
status: Fix Committed → Fix Released
tags: added: testcase