Update python-django to 1.2.3 version to fix an XSS vulnerability

Bug #636482 reported by Krzysztof Klimonda on 2010-09-12
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
python-django (Debian) | Fix Released | Unknown | |
python-django (Ubuntu) | | High | Jamie Strandboge |

Bug Description

A new vulnerability has been discovered in the 1.2 branch and two new Django
releases were made: 1.2.2, which fixes an XSS vulnerability [1], and
1.2.3, which fixes two regressions caused by the previous release [2]. All
users are advised to update, so I'm preparing an update and asking for an
FFe.

[1] http://www.djangoproject.com/weblog/2010/sep/08/security-release/
[2] http://www.djangoproject.com/weblog/2010/sep/10/123/

 affects ubuntu/python-django
 severity high
 subscribe ubuntu-release

Krzysztof Klimonda (kklimonda) wrote :

Package doesn't build currently - there are failing tests that I have to investigate. Still, an ACK would be great.

Changed in python-django (Ubuntu):
status: New → Incomplete
status: Incomplete → Confirmed
importance: Undecided → High
status: Confirmed → New
Scott Kitterman (kitterman) wrote :

We want this in if there is a working / tested package.

Krzysztof Klimonda (kklimonda) wrote :

Attached is an updated branch with 1.2.3 release. I've had to do some changes to packaging and backport two patches from 1.2.x branch to make tests pass.

Scott Kitterman (kitterman) wrote :

Bug fix only, so no FFe needed.

Artur Rona (ari-tczew) wrote :

Is it not easier to upload a strict patch to fix this security issue? We can sync the new upstream release in the next development cycle from Debian.

On Wed, 2010-09-15 at 14:11 +0000, Artur Rona wrote:
> Is it not easier to upload a strict patch to fix this security issue? We
> can sync the new upstream release in the next development cycle from Debian.
>

Easier for whom? The hard part has been figuring out how to re-enable
the test suite (and make it pass without disabling tests), and it still had
to be done - it had been disabled by the Debian maintainer because of
failures, and running the test suite at build time has been one of
the requirements made during the MIR process.

I don't think we have to check a full delta between 1.2.1 and 1.2.3
releases as both are bug fix only. Django developers do a lot of work to
ensure that the concurrent releases are compatible and that's what the
tests are for anyway.

--
Sent from Ubuntu

Kai Kasurinen (kai-kasurinen) wrote :

test_correct_url_value_passes will fail if there's no Internet connection

Krzysztof Klimonda (kklimonda) wrote :

@Kai: Thanks, I have disabled this test in our package (and will send it back to Debian).

Jamie Strandboge (jdstrand) wrote :

What is the status of this? 1.2.3-1 is now in Debian. Can we perform a sync to get this fixed before release?

Changed in python-django (Ubuntu):
status: New → Incomplete
Krzysztof Klimonda (kklimonda) wrote :

Not until the release of 1.2.3-2, with a patch removing the test mentioned by Kai Kasurinen applied. Unless DDs decide not to apply the patch and wait for the next point release. I've opened a new bug about it on the Debian BTS but, given the time frame, we may be better off updating it ourselves. The 1.2.3-1 release is basically what I've sent to the Debian maintainers and is the base for their update. The diff between 1.2.3-0ubuntu1 and 1.2.3-1 is a cosmetic one. Attached below.

Changed in python-django (Ubuntu):
status: Incomplete → New
Krzysztof Klimonda (kklimonda) wrote :

A result of running diff -uNr debian/debian/ lp.636482/debian/ > filtered.diff

Jamie Strandboge (jdstrand) wrote :

@ubuntu-release: can someone review and ACK/NAK 1.2.3-0ubuntu1 for maverick?

Scott Kitterman (kitterman) wrote :

What testing has been done to check that the new release works?

Krzysztof Klimonda (kklimonda) wrote :

On Mon, 2010-10-04 at 19:47 +0000, Scott Kitterman wrote:
> What testing has been done to check that the new release works?
>

All enabled tests have passed, this is a bug-fix only release dealing
almost entirely with the XSS vulnerability introduced in the 1.2.x
branch.

The resulting package installs and is upgradeable from 1.2.1-1, you can
create a new project and run it with use of the bundled http server.

--
Sent from Ubuntu

Jamie Strandboge (jdstrand) wrote :

What is the verdict on this sync? It would be nice to not release with an open CVE.

Scott Kitterman (kitterman) wrote :

Per comment #10, we can't sync it yet. If it's syncable before it would cause us to have a respin for Ubuntu Server, then I'm OK with this.

Scott Kitterman (kitterman) wrote :

That or if someone sponsors Krzysztof's package.

Steve Langasek (vorlon) wrote :

[Updating] python-django (1.2.1-1 [Ubuntu] < 1.2.3-1 [Debian])
 * Trying to add python-django...
2010-10-08 05:37:13 INFO - <python-django_1.2.3-1.dsc: downloading from http://ftp.debian.org/debian/>
2010-10-08 05:37:13 INFO - <python-django_1.2.3.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
2010-10-08 05:37:13 INFO - <python-django_1.2.3-1.debian.tar.gz: downloading from http://ftp.debian.org/debian/>
I: python-django [main] -> python-django_1.2.1-1 [main].
I: python-django [main] -> python-django-doc_1.2.1-1 [main].

Changed in python-django (Ubuntu):
status: New → Fix Released
status: Fix Released → New
Steve Langasek (vorlon) wrote :

whoops - not actually synced, per comment #10 and ScottK's reminder thereof.

Changed in python-django (Ubuntu):
status: New → Triaged
milestone: none → maverick-updates
Changed in python-django (Debian):
status: Unknown → Fix Released
Changed in python-django (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Uploaded 1.2.3-1ubuntu0.1 to security PPA.

Changed in python-django (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.2.3-1ubuntu0.1

---------------
python-django (1.2.3-1ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: XSS in CSRF protections. New upstream release
    - CVE-2010-3082
  * debian/patches/01_disable_url_verify_regression_tests.diff:
    - updated to disable another test that fails without internet connection
    - patch based on work by Kai Kasurinen and Krzysztof Klimonda
  * debian/control: don't Build-Depends on locales-all, which doesn't exist
    in maverick

python-django (1.2.3-1) unstable; urgency=low

  [ Krzysztof Klimonda ]
  * New upstream release. Closes: #596893 LP: #636482
  * Fixes both a XSS vulnerability introduced in 1.2 series and
    the regressions caused by 1.2.2 release. Closes: #596205
  * debian/control:
    - depend on language packs for en_US.utf8 locales required for unit tests.
  * debian/rules:
    - re-enable build time tests.
    - set LC_ALL to en_US.utf8 for test suite.
  * debian/patches/series:
    - two new patches: 05_fix_regression_tests.diff and
      06_fix_regression_tests.diff backported from 1.2.x branch to fix
      test suite failures.

  [ Raphaël Hertzog ]
  * Update Standards-Version to 3.9.1.
  * Drop "--with quilt" and quilt build-dependency since the package is
    already using source format "3.0 (quilt)".
 -- Jamie Strandboge <email address hidden> Tue, 12 Oct 2010 11:34:35 -0500

Changed in python-django (Ubuntu):
status: Fix Committed → Fix Released