Ubuntu
python-django package

Please backport Django 1.3.4/1.4.2 security updates

Bug #1068486 reported by Marti on 2012-10-19

266

This bug affects 3 people

	Status	Importance	Assigned to
python-django (Ubuntu)	Fix Released	Undecided	Unassigned
Lucid	Fix Released	Undecided	Jamie Strandboge
Oneiric	Fix Released	Undecided	Jamie Strandboge
Precise	Fix Released	Undecided	Unassigned
Quantal	Fix Released	Undecided	Unassigned
Raring	Fix Released	Undecided	Unassigned

Bug Description

Django released new versions 1.3.4 and 1.4.2 yesterday, containing a security update:
https://www.djangoproject.com/weblog/2012/oct/17/security/

Please backport this fix to Ubuntu releases.

Tags:

Related branches

lp:ubuntu/lucid-security/python-django

lp:ubuntu/oneiric-security/python-django

lp:ubuntu/precise-security/python-django

lp:ubuntu/quantal-security/python-django

lp:ubuntu/lucid-updates/python-django

CVE References

2012-4520

Marti (intgr) on 2012-10-19

information type:

Private Security → Public Security

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-10-19:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-django (Ubuntu):
status:	New → Confirmed

Mackenzie Morgan (maco.m) on 2012-10-23

Changed in python-django (Ubuntu):
assignee:	nobody → Mackenzie Morgan (maco.m)
tags:	added: security

Revision history for this message

Mackenzie Morgan (maco.m) wrote on 2012-10-23:

Precise debdiff Edit (5.6 KiB, text/plain)

Revision history for this message

Mackenzie Morgan (maco.m) wrote on 2012-10-23:

Quantal debdiff Edit (5.7 KiB, text/plain)

Changed in python-django (Ubuntu):
assignee:	Mackenzie Morgan (maco.m) → nobody

Revision history for this message

Mackenzie Morgan (maco.m) wrote on 2012-10-23:

The patches being added in the debdiff are from the upstream commit to fix the security bug.

I did a test build of each in pbuilder, and I installed (upgraded to) the resulting deb on my precise server with no adverse effects to the Django app currently running on it.

A specific proof of concept was not posted by the Django project, so I do not know how to test that the problem is actually fixed.

Revision history for this message

Rodrigo Campos (rodrigocc) wrote on 2012-10-29:

Hi,

It's been almost two weeks since the official security release. Any news when an ubuntu package will be available with the fix ?

Thanks,
Rodrigo

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2012-11-09:

Raring has 1.4.2-1.

Changed in python-django (Ubuntu Raring):
status:	Confirmed → Fix Released

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2012-11-09:

Thanks for the debdiffs! Updates need to also be prepared for Ubuntu 10.04 LTS and 11.10 and I'll publish the updates for 12.04 LTS and 12.10 when those are ready.

Changed in python-django (Ubuntu Lucid):
status:	New → In Progress
Changed in python-django (Ubuntu Oneiric):
status:	New → In Progress
Changed in python-django (Ubuntu Precise):
status:	New → In Progress
Changed in python-django (Ubuntu Quantal):
status:	New → In Progress
Changed in python-django (Ubuntu Oneiric):
assignee:	nobody → Jamie Strandboge (jdstrand)
Changed in python-django (Ubuntu Lucid):
assignee:	nobody → Jamie Strandboge (jdstrand)

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2012-11-09:

Mackenzie, thanks again for your patch. For future reference, the quantal debdiff had a few issues:
* the version should be 1.4.1-2ubuntu0.1
* the changelog format does not comply with https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
* the patch does not contain DEP-3 comments

The precise debdiff was better, but still lacked DEP-3 comments.

I've fixed this for the update. Thanks again.

Jamie Strandboge (jdstrand) on 2012-11-09

Changed in python-django (Ubuntu Lucid):
status:	In Progress → Fix Committed
Changed in python-django (Ubuntu Oneiric):
status:	In Progress → Fix Committed
Changed in python-django (Ubuntu Precise):
status:	In Progress → Fix Committed
Changed in python-django (Ubuntu Quantal):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-11-15:

This bug was fixed in the package python-django - 1.3.1-4ubuntu1.3

---------------
python-django (1.3.1-4ubuntu1.3) precise-security; urgency=low

  * SECURITY UPDATE: fix Host header poisoning
    - debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
      raise django.core.exceptions.SuspiciousOperation if Host headers contain
      potentially dangerous content. Patch thanks to Mackenzie Morgan.
    - CVE-2012-4520
    - LP: #1068486
-- Jamie Strandboge <email address hidden> Fri, 09 Nov 2012 15:56:15 -0600

Changed in python-django (Ubuntu Precise):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-11-15:

#10

This bug was fixed in the package python-django - 1.4.1-2ubuntu0.1

---------------
python-django (1.4.1-2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: fix Host header poisoning
    - debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
      raise django.core.exceptions.SuspiciousOperation if Host headers contain
      potentially dangerous content. Patch thanks to Mackenzie Morgan.
    - CVE-2012-4520
    - LP: #1068486
  * debian/patches/docs-update-httponly-cookie.diff: update documentation of
    HttpOnly cookie option to correctly describe changes to 1.4
-- Jamie Strandboge <email address hidden> Fri, 09 Nov 2012 15:53:27 -0600

Changed in python-django (Ubuntu Quantal):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-11-15:

#11

This bug was fixed in the package python-django - 1.3-2ubuntu1.4

---------------
python-django (1.3-2ubuntu1.4) oneiric-security; urgency=low

  * SECURITY UPDATE: fix Host header poisoning
    - debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
      raise django.core.exceptions.SuspiciousOperation if Host headers contain
      potentially dangerous content.
    - CVE-2012-4520
    - LP: #1068486
-- Jamie Strandboge <email address hidden> Fri, 09 Nov 2012 16:06:17 -0600

Changed in python-django (Ubuntu Oneiric):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-11-15:

#12

This bug was fixed in the package python-django - 1.1.1-2ubuntu1.6

---------------
python-django (1.1.1-2ubuntu1.6) lucid-security; urgency=low

  * SECURITY UPDATE: fix Host header poisoning
    - debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
      raise django.core.exceptions.SuspiciousOperation if Host headers contain
      potentially dangerous content.
    - CVE-2012-4520
    - LP: #1068486
-- Jamie Strandboge <email address hidden> Fri, 09 Nov 2012 16:16:26 -0600

Changed in python-django (Ubuntu Lucid):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntupython-django package

Please backport Django 1.3.4/1.4.2 security updates

Bug Description

Related branches

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
python-django package