[Python-modules-team] Bug#918230: python-django: CVE-2019-3498: Content spoofing possibility in the default 404 page

Salvatore Bonaccorso carnil at debian.org
Sat Jan 5 21:57:20 GMT 2019


Hi Chris,

Thanks for working on the update.

[disclaimer: not a full review, but something jumped out while I was
reading the debdiff]

On Sat, Jan 05, 2019 at 09:39:38PM +0100, Chris Lamb wrote:
> Hi Moritz,
> 
> > > This also affects stable from my reading of the code. Shall I
> > > prepare an upload to stretch-security?
> [..]
> > Please do.
> 
> debdiff attached, awaiting team at security.debian.org ACK to upload.
> 
> 
> Best wishes,
> 
> -- 
>       ,''`.
>      : :'  :     Chris Lamb
>      `. `'`      lamby at debian.org / chris-lamb.co.uk
>        `-

> diff --git a/debian/changelog b/debian/changelog
> index b1c56f7c5..d6472a04e 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +python-django (1:1.10.7-2+deb9u4) stretch-security; urgency=high
> +
> +  * CVE-2019-3498: Fix a content spoofing vulnerability in the default
> +    404 page. (Closes: #918230)
> +
> + -- Chris Lamb <lamby at debian.org>  Sat, 05 Jan 2019 21:36:27 +0100
> +
>  python-django (1:1.10.7-2+deb9u3) stretch; urgency=medium
>  
>    * Default to supporting Spatialite >= 4.2. (Closes: #910240)
> diff --git a/debian/patches/0017-CVE-2019-3498.patch b/debian/patches/0017-CVE-2019-3498.patch
> new file mode 100644
> index 000000000..ea647e964
> --- /dev/null
> +++ b/debian/patches/0017-CVE-2019-3498.patch
> @@ -0,0 +1,401 @@
> +From: Tom Hacohen <tasn at users.noreply.github.com>
> +Date: Fri, 4 Jan 2019 02:21:55 +0000
> +Subject: Fixed #30070,
> + CVE-2019-3498 -- Fixed content spoofing possiblity in the default 404 page.
> +
> +Co-Authored-By: Tim Graham <timograham at gmail.com>
> +Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master.
> +---
> + ...0006-Default-to-supporting-Spatialite-4.2.patch |  4 +--
> + debian/patches/0013-CVE-2018-7536.patch            |  6 ++--
> + debian/patches/0015-CVE-2018-14574.patch           |  2 +-
> + .../patches/02_disable-sources-in-sphinxdoc.diff   |  5 ++--
> + .../06_use_debian_geoip_database_as_default.diff   |  3 +-
> + debian/patches/fix-migration-fake-initial-1.patch  | 20 ++++++++++----
> + debian/patches/fix-migration-fake-initial-2.patch  | 32 ++++++++++++++++------
> + .../fix-test-middleware-classes-headers.patch      |  7 ++---
> + debian/patches/series                              |  1 +
> + django/views/defaults.py                           |  8 ++++--
> + tests/handlers/tests.py                            | 12 +++++---
> + 11 files changed, 65 insertions(+), 35 deletions(-)
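Review bot: the diffstat embedded in this new quilt patch shows it was generated from a tree that also carried Debian packaging changes, not from the upstream commit alone: besides `django/views/defaults.py | 8 ++++--` and `tests/handlers/tests.py | 12 +++++---`, it lists `debian/patches/series | 1 +`, `debian/patches/0013-CVE-2018-7536.patch | 6 ++--` and several other debian/patches files, and the hunk header `@@ -0,0 +1,401 @@` is far longer than the 20 changed lines the two upstream files account for. Applied through the series file, such a patch would rewrite other quilt patches and the series file itself instead of only the upstream fix. Suggest regenerating 0017-CVE-2019-3498.patch from the upstream commit named in its header (1ecc0a395be721e987e8e9fdfadde952b6dee1c7) so that it contains only the django/views/defaults.py and tests/handlers/tests.py hunks, and confirming the diffstat matches before upload.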

There is something strange with the 0017-CVE-2019-3498.patch patch.
While it correctly touches the files django/views/defaults.py and the
tests, it also touches and modifies files under debian/*, namely other
patches and the series file.

Can you recheck what went wrong here?

Were you able to test the resulting packages under stretch on production
systems, or were any other tests performed?

Regards,
Salvatore
