[Python-modules-team] Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware

[Chris Lamb]

Hi Salvatore,

> > I've attached the following diff for a proposed 1:1.10.7-2+deb9u2
> > update for Django:
[…]
> The debdiff looks good so far, were you able to test the resulting
> package

I believe that is covered in-depth by the additional tests I also
backported (which passes here). The package installs fine for me too I
did not alter any of my in-*production* sites to *specifically* test
pre/post application of the APPEND_SLASH handling.

> There is as well a no-dsa tagged entry (CVE-2017-12794), which is only
> relevant when "DEBUG = true". But as we do an update now via a DSA, we
> can include this fix as well.

That makes sense. Shall I go ahead and add this CVE-2017-12794 and send
another debdiff?


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org / chris-lamb.co.uk
       `-