Please backport Django 1.3.4/1.4.2 security updates

Bug #1068486 reported by Marti
This bug affects 3 people
Affects                 Status        Importance  Assigned to       Milestone
python-django (Ubuntu)  Fix Released  Undecided   Unassigned
  Lucid                 Fix Released  Undecided   Jamie Strandboge
  Oneiric               Fix Released  Undecided   Jamie Strandboge
  Precise               Fix Released  Undecided   Unassigned
  Quantal               Fix Released  Undecided   Unassigned
  Raring                Fix Released  Undecided   Unassigned

Bug Description

Django released new versions 1.3.4 and 1.4.2 yesterday, containing a security update:
https://www.djangoproject.com/weblog/2012/oct/17/security/

Please backport this fix to Ubuntu releases.

Tags: security
Marti (intgr)
information type: Private Security → Public Security
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-django (Ubuntu):
status: New → Confirmed
Changed in python-django (Ubuntu):
assignee: nobody → Mackenzie Morgan (maco.m)
tags: added: security
Revision history for this message
Mackenzie Morgan (maco.m) wrote :
Revision history for this message
Mackenzie Morgan (maco.m) wrote :
Changed in python-django (Ubuntu):
assignee: Mackenzie Morgan (maco.m) → nobody
Revision history for this message
Mackenzie Morgan (maco.m) wrote :

The patches being added in the debdiff are from the upstream commit to fix the security bug.

I did a test build of each in pbuilder, and I installed (upgraded to) the resulting deb on my precise server with no adverse effects to the Django app currently running on it.

A specific proof of concept was not posted by the Django project, so I do not know how to test that the problem is actually fixed.

Revision history for this message
Rodrigo Campos (rodrigocc) wrote :

Hi,

It's been almost two weeks since the official security release. Any news on when an Ubuntu package will be available with the fix?

Thanks,
Rodrigo

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Raring has 1.4.2-1.

Changed in python-django (Ubuntu Raring):
status: Confirmed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiffs! Updates need to also be prepared for Ubuntu 10.04 LTS and 11.10 and I'll publish the updates for 12.04 LTS and 12.10 when those are ready.

Changed in python-django (Ubuntu Lucid):
status: New → In Progress
Changed in python-django (Ubuntu Oneiric):
status: New → In Progress
Changed in python-django (Ubuntu Precise):
status: New → In Progress
Changed in python-django (Ubuntu Quantal):
status: New → In Progress
Changed in python-django (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in python-django (Ubuntu Lucid):
assignee: nobody → Jamie Strandboge (jdstrand)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Mackenzie, thanks again for your patch. For future reference, the quantal debdiff had a few issues:
 * the version should be 1.4.1-2ubuntu0.1
 * the changelog format does not comply with https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
 * the patch does not contain DEP-3 comments

The precise debdiff was better, but still lacked DEP-3 comments.

I've fixed this for the update. Thanks again.

Changed in python-django (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in python-django (Ubuntu Oneiric):
status: In Progress → Fix Committed
Changed in python-django (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in python-django (Ubuntu Quantal):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3.1-4ubuntu1.3

---------------
python-django (1.3.1-4ubuntu1.3) precise-security; urgency=low

  * SECURITY UPDATE: fix Host header poisoning
    - debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
      raise django.core.exceptions.SuspiciousOperation if Host headers contain
      potentially dangerous content. Patch thanks to Mackenzie Morgan.
    - CVE-2012-4520
    - LP: #1068486
 -- Jamie Strandboge <email address hidden> Fri, 09 Nov 2012 15:56:15 -0600

Changed in python-django (Ubuntu Precise):
status: Fix Committed → Fix Released
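The changelog above describes the fix only in one line: get_host() now raises SuspiciousOperation when the Host header carries unexpected content. The following is an added illustration of that shape of check, written for this page; it is not the Debian patch or Django's own code, and the allow-list pattern, the SuspiciousOperation stand-in, the parameter names and the sample header values are all assumptions.

```python
import re

class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation (assumption)."""

# Assumed allow-list: a hostname of letters, digits, dots and hyphens, or a
# bracketed IPv6 literal, each optionally followed by a numeric port. Slashes,
# '@', whitespace and CR/LF never match, so they are rejected outright.
HOST_VALIDATION_RE = re.compile(r"([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?")

def host_is_valid(host: str) -> bool:
    """True only if the entire value matches the allow-list.

    fullmatch() is deliberate: a '$'-anchored match() still accepts a value
    with a trailing newline, exactly the kind of content being filtered."""
    return HOST_VALIDATION_RE.fullmatch(host.lower()) is not None

def get_host(meta: dict, server_name: str = "localhost", server_port: int = 80,
             is_secure: bool = False, use_x_forwarded_host: bool = False) -> str:
    """Return host[:port] for one request, following the shape of the fix in
    the changelog: use X-Forwarded-Host only when explicitly enabled, else the
    Host header, else the configured server name; raise SuspiciousOperation
    when the chosen value fails validation. `meta` is a WSGI-style environ."""
    if use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in meta:
        host = meta["HTTP_X_FORWARDED_HOST"]
    elif "HTTP_HOST" in meta:
        host = meta["HTTP_HOST"]
    else:
        # No Host header (e.g. an HTTP/1.0 client): build it from server config.
        host = server_name
        if server_port != (443 if is_secure else 80):
            host = f"{host}:{server_port}"
    if not host_is_valid(host):
        raise SuspiciousOperation(f"Invalid HTTP_HOST header: {host!r}")
    return host

if __name__ == "__main__":
    # Constructed sample values (not real traffic) showing accept vs. reject.
    for value in ["example.com", "app.example:8443", "[::1]:8000",
                  "example.com/reset", "example.com\r\nX-Injected: 1"]:
        try:
            print(f"{value!r:34} -> accepted as {get_host({'HTTP_HOST': value})!r}")
        except SuspiciousOperation as exc:
            print(f"{value!r:34} -> rejected ({exc})")
```

Because the rejection happens inside get_host(), every caller that builds absolute URLs from the request (password-reset mails, redirects) is covered at once, which is why the upstream fix lived there rather than in individual views.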
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.4.1-2ubuntu0.1

---------------
python-django (1.4.1-2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: fix Host header poisoning
    - debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
      raise django.core.exceptions.SuspiciousOperation if Host headers contain
      potentially dangerous content. Patch thanks to Mackenzie Morgan.
    - CVE-2012-4520
    - LP: #1068486
  * debian/patches/docs-update-httponly-cookie.diff: update documentation of
    HttpOnly cookie option to correctly describe changes to 1.4
 -- Jamie Strandboge <email address hidden> Fri, 09 Nov 2012 15:53:27 -0600

Changed in python-django (Ubuntu Quantal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3-2ubuntu1.4

---------------
python-django (1.3-2ubuntu1.4) oneiric-security; urgency=low

  * SECURITY UPDATE: fix Host header poisoning
    - debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
      raise django.core.exceptions.SuspiciousOperation if Host headers contain
      potentially dangerous content.
    - CVE-2012-4520
    - LP: #1068486
 -- Jamie Strandboge <email address hidden> Fri, 09 Nov 2012 16:06:17 -0600

Changed in python-django (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.1.1-2ubuntu1.6

---------------
python-django (1.1.1-2ubuntu1.6) lucid-security; urgency=low

  * SECURITY UPDATE: fix Host header poisoning
    - debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
      raise django.core.exceptions.SuspiciousOperation if Host headers contain
      potentially dangerous content.
    - CVE-2012-4520
    - LP: #1068486
 -- Jamie Strandboge <email address hidden> Fri, 09 Nov 2012 16:16:26 -0600

Changed in python-django (Ubuntu Lucid):
status: Fix Committed → Fix Released