security vulnerability in django admin

Bug #234631 reported by Jan Claeys on 2008-05-24
Affects                  Status   Importance   Assigned to        Milestone
python-django (Ubuntu)            Medium       Unassigned
  Feisty                          Undecided    Andrea Gasparini
  Gutsy                           Undecided    Andrea Gasparini
  Hardy                           Undecided    Andrea Gasparini
  Intrepid                        Medium       Unassigned

Bug Description

Binary package hint: python-django

The Django project has released a one-line fix for a possible cross-site scripting attack against the admin interface:

See: http://groups.google.com/group/django-announce/browse_thread/thread/903d7c2af239ec42
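The class of bug behind this report, as an added illustration (this is not the Django changeset, which the page does not reproduce, and not code posted by any commenter): the changelog entries later in this thread describe the fix as escaping the request path on the admin login page. The snippet below models that pattern with constructed paths. `render_login_form_unsafe` stands for the pre-fix behaviour and `render_login_form_fixed` for the escaped one; the stdlib `html.escape` stands in for `django.utils.html.escape` (assumed to escape the same characters). The function names, sample paths and the parser-based check are this example's own.

```python
import html
from html.parser import HTMLParser

# Constructed sample request paths for this example (not taken from the report).
BENIGN_PATH = "/admin/auth/user/"
# A path segment that closes the action attribute and the form tag, then
# injects markup. The admin login page re-emits the requested path so the
# browser returns there after login; unescaped, the payload becomes markup.
ATTACK_PATH = '/admin/"><script>alert(1)</script><a href="'


def render_login_form_unsafe(path):
    """Pre-fix pattern: the request path is interpolated into the form's
    action attribute verbatim."""
    return '<form action="%s" method="post"></form>' % path


def render_login_form_fixed(path):
    """Post-fix pattern: the path is HTML-escaped before interpolation.
    html.escape (quote=True by default) rewrites & < > " and '; this example
    assumes django.utils.html.escape covers the same set."""
    return '<form action="%s" method="post"></form>' % html.escape(path)


class _StartTagCollector(HTMLParser):
    """Records every start tag a browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(rendered):
    """Parse rendered HTML and return its start tags in document order.
    A lone login form should yield exactly ['form']; anything more means
    the request path broke out of the attribute context."""
    collector = _StartTagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


def is_escaped_safely(rendered):
    """True when the rendered markup contains no tags beyond the form itself."""
    return start_tags(rendered) == ["form"]


if __name__ == "__main__":
    for label, render in (("unsafe", render_login_form_unsafe),
                          ("fixed", render_login_form_fixed)):
        out = render(ATTACK_PATH)
        print("%s: %s" % (label, out))
        print("  start tags: %s" % start_tags(out))
```

Run it directly to see both renderings side by side. The parsed start-tag list is the check: with the unescaped path the single form tag turns into three tags (`form`, `script`, `a`), while the escaped path leaves exactly one, and a benign path renders identically under both functions.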

Ralph Janke (txwikinger) wrote :

I can confirm this announcement. See also here: http://www.djangoproject.com/weblog/2008/may/14/security/

Changed in python-django:
importance: Undecided → Medium
status: New → Triaged
Andrea Gasparini (gaspa) on 2008-05-29
Changed in python-django:
assignee: nobody → gaspa
Andrea Gasparini (gaspa) wrote :

Applied upstream fix in hardy package.
So, this is the debdiff that should fix this bug in hardy.

Andrea Gasparini (gaspa) wrote :

Also fixed, with the same patch, for gutsy.

William Grant (wgrant) wrote :

For Intrepid, we should sync or merge 0.96.2 from Debian.
Andrea: can you please do that, given that you merged it last?

Changed in python-django:
assignee: nobody → gaspa
status: New → In Progress
assignee: nobody → gaspa
status: New → In Progress
status: New → Triaged
William Grant (wgrant) wrote :

Also, please use the patch system in your debdiffs, and create one for Feisty.

Andrea Gasparini (gaspa) on 2008-05-31
Changed in python-django:
assignee: nobody → gaspa
Andrea Gasparini (gaspa) wrote :

Yes, I'd like to do it also for intrepid and feisty, just a few days, 'cause I'm really busy. :)
(and for intrepid a merge is fine...)

Andrea Gasparini (gaspa) wrote :

Fixed also for feisty. :)

Andrea Gasparini (gaspa) wrote :

Debdiff that closes the bug for intrepid:

Remaining Ubuntu changes:
      - debian/patches/04_workaround_net_tests.patch run testsuite
        during build process
      - debian/control: Maintainer set to Ubuntu Motu.

Changes dropped:
      - debian/patches/03_dynamicshebang.diff: manage.py created
        with the right python interpreter.

as discussed in: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460662
and because Debian already changes the hashbang in binary-post-install to a standard "/usr/bin/python".

Andrea Gasparini (gaspa) wrote :

Argh, wrong debdiff for intrepid... this is the right one.

Morten Kjeldgaard (mok0) wrote :

Uploaded, tfyw!

Changed in python-django:
assignee: gaspa → nobody
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 0.96.2-1ubuntu1

---------------
python-django (0.96.2-1ubuntu1) intrepid; urgency=low

  * Also closes LP: #234631: "security vulnerability in django admin"
  * Merge from Debian unstable. Remaining Ubuntu changes:
      - debian/patches/04_workaround_net_tests.patch
      - debian/rules: run testsuite during build process
      - debian/control: Maintainer set to Ubuntu Motu.

python-django (0.96.2-1) unstable; urgency=low

  * New upstream security release. Closes: #481164

 -- Andrea Gasparini <email address hidden> Tue, 20 May 2008 12:31:33 +0200

Changed in python-django:
status: Fix Committed → Fix Released
William Grant (wgrant) wrote :

Andrea, you've made a single-character error in your Feisty debdiff. You left the first 1 out of the version string.

Changed in python-django:
status: Triaged → In Progress
Andrea Gasparini (gaspa) wrote :

Yes, you're right! I checked that it's only a typo; the other version numbers and packages are correct.

Attaching a new debdiff.

Leonel Nunez (leonelnunez) wrote :

for intrepid there is a merge in progress for Django 1.0

https://bugs.edge.launchpad.net/ubuntu/+source/python-django/+bug/264191

Jamie Strandboge (jdstrand) wrote :

The feisty-hardy debdiffs all referenced the wrong bug number. I have adjusted that and am reviewing the rest of the patch.

Changed in python-django:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 0.96.1-2ubuntu2.1

---------------
python-django (0.96.1-2ubuntu2.1) hardy-security; urgency=low

  * SECURITY UPDATE: security vulnerability in django admin
  * debian/patches/05_CVE-2008-2302_fix.diff: added upstream fix
    escaping request path in login page of admin site.(LP: #234631)
  * References:
    CVE link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2302
    upstream announce: http://www.djangoproject.com/weblog/2008/may/14/security/
    upstream fix: http://code.djangoproject.com/changeset/7527

 -- Andrea Gasparini <email address hidden> Thu, 29 May 2008 17:00:38 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 0.96-1ubuntu0.2

---------------
python-django (0.96-1ubuntu0.2) gutsy-security; urgency=low

  * SECURITY UPDATE: security vulnerability in django admin
  * debian/patches/05_CVE-2008-2302_fix.diff: added upstream fix
    escaping request path in login page of admin site.(LP: #234631)
  * References:
    CVE link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2302
    upstream announce: http://www.djangoproject.com/weblog/2008/may/14/security/
    upstream fix: http://code.djangoproject.com/changeset/7527

 -- Andrea Gasparini <email address hidden> Thu, 29 May 2008 17:00:38 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 0.95.1-1ubuntu1.2

---------------
python-django (0.95.1-1ubuntu1.2) feisty-security; urgency=low

  * SECURITY UPDATE: security vulnerability in django admin
  * debian/patches/05_CVE-2008-2302_fix.diff: added upstream fix
    escaping request path in login page of admin site.(LP: #234631)
  * References:
    CVE link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2302
    upstream announce: http://www.djangoproject.com/weblog/2008/may/14/security/
    upstream fix: http://code.djangoproject.com/changeset/7527

 -- Andrea Gasparini <email address hidden> Thu, 03 Jun 2008 09:08:38 +0200

Changed in python-django:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released