-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 18 Dec 2019 16:30:55 +0000
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Built-For-Profiles: nocheck
Architecture: source all
Version: 1.7.11-1+deb8u8
Distribution: jessie-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 946937
Changes:
 python-django (1.7.11-1+deb8u8) jessie-security; urgency=high
 .
   * CVE-2019-19844: Prevent a potential account hijack via the password
     reset form. (Closes: #946937)
 .
     Django's password-reset form uses a case-insensitive query to retrieve
     accounts matching the email address requesting the password reset.
     Because this typically involves explicit or implicit case
     transformations, an attacker who knows the email address associated
     with a user account can craft an email address which is distinct from
     the address associated with that account, but which -- due to the
     behavior of Unicode case transformations -- ceases to be distinct after
     case transformation, or which will otherwise compare equal given
     database case-transformation or collation behavior. In such a
     situation, the attacker can receive a valid password-reset token for
     the user account. To resolve this, two changes were made in Django:
 .
     - After retrieving a list of potentially-matching accounts from the
       database, Django's password reset functionality now also checks the
       email address for equivalence in Python, using the recommended
       identifier-comparison process from Unicode Technical Report 36,
       section 2.11.2(B)(2).
 .
     - When generating password-reset emails, Django now sends to the email
       address retrieved from the database, rather than the email address
       submitted in the password-reset request form.
 .
     For more information, please see:
     <https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>.
Checksums-Sha1:
 82f125b932442a26548b2b667f443712cbc56f63 2721 python-django_1.7.11-1+deb8u8.dsc
 f9abaf7eacec73bc1c5e6080e2778a7174ebf9d4 7586798 python-django_1.7.11.orig.tar.gz
 c356e85eb901e97f7b40adc470ce3b4c5cb87c3d 40900 python-django_1.7.11-1+deb8u8.debian.tar.xz
 598724b90fbee2ee28994c198baec33de322c362 993178 python-django_1.7.11-1+deb8u8_all.deb
 ac59828a6cc8eeb07a343a78c04c7d6df8feaa8d 976382 python3-django_1.7.11-1+deb8u8_all.deb
 fdbf1b5f199624e70ac94b3fa60a60317818905a 1499024 python-django-common_1.7.11-1+deb8u8_all.deb
 65fad5db3f438e8a21cde9f6b6aae92a3c2613cf 2487288 python-django-doc_1.7.11-1+deb8u8_all.deb
Checksums-Sha256:
 517deb1dd3e99504813f30ffbed97a51e1d618e84307e5fa8130eb7f96af88f5 2721 python-django_1.7.11-1+deb8u8.dsc
 2039144fce8f1b603d03fa5a5643578df1ad007c4ed41a617f02a3943f7059a1 7586798 python-django_1.7.11.orig.tar.gz
 ac06cbc6f112df95e98e2f726d55a0e6eca3e025674ff51b9c754fff8bb26237 40900 python-django_1.7.11-1+deb8u8.debian.tar.xz
 f4aa15fd919d8a30ad35321ca6a8bc0fadd47749907a983ccc54b2b20733116a 993178 python-django_1.7.11-1+deb8u8_all.deb
 ce66dc1d467b48c14eac2872f0b74154c6e00ddc39d889005a0a58d8bada7d55 976382 python3-django_1.7.11-1+deb8u8_all.deb
 73a20fa75e10b5af5ec65504be64d9468b0b78d398ef7000285bf509b96d66b9 1499024 python-django-common_1.7.11-1+deb8u8_all.deb
 1066b186381be8e7a0ab363af9f40e4c08277a1185669f7990b6d167fdb4bcbc 2487288 python-django-doc_1.7.11-1+deb8u8_all.deb
Files:
 753994403360d35225485b11a3837cb9 2721 python optional python-django_1.7.11-1+deb8u8.dsc
 030b2f9c99a6e4e0418eadf7dba9e235 7586798 python optional python-django_1.7.11.orig.tar.gz
 0e9bacffbbd8229e9af7711f8401eeb3 40900 python optional python-django_1.7.11-1+deb8u8.debian.tar.xz
 a9111fc3dac5514acdbc522d8c0086ac 993178 python optional python-django_1.7.11-1+deb8u8_all.deb
 3c6d66b88067e5c9cd27e7beb50ec3f0 976382 python optional python3-django_1.7.11-1+deb8u8_all.deb
 dadad054841d82b85677de01c6f89d74 1499024 python optional python-django-common_1.7.11-1+deb8u8_all.deb
 bef6e000abac989eeebdb3936be8c7da 2487288 doc optional python-django-doc_1.7.11-1+deb8u8_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl36V28ACgkQHpU+J9Qx
HljBKg//fnJs8KyFeqG3OadKM+sqXznTpFmzRpZXbv/Wq74zZ9tmoPfMQ7If/eGz
chEU7huExmsLxOgrtlUt0Yow54Ve4RjNXPeXDNRVCn5onvel/T+awEbydo706rmh
yHziycLlPlG9HUZv2hU7Pdm6OERCrWhvxA+CDvBkQfTCO7qtivHzmiOXfKJk2bN1
yU2LIsj5/OaYJqPlKxEI9jEhATVNLUJYs5hyuFxGYHbkUvmJkr1ZOAhnm72WfEWo
5HIL8ovqBXoGdT00FeuqDmN+hsh6biaIUraUDTGEs2D3zDIwGFKjw1kSYrS6Lh2k
em+s8dmyMSyKSpx7UoYQCz6EQqc0J54wtwkkCIOAOeX5/BIlv2dGXRKj0cnP6etG
IT51ffweKrzxEDsPfT8zpF62RFUKHUc4KTPu2ENPfquH3E4J4wexDCFk4ZiLKzpc
28J9rbVqlTEOS/0Eur8d3vKNdpCEjC8zFLSTnoPaZ6geVn9SPhV9DPgjHZAn5CxI
Lmlm/hCk3kwYQpdbuKWlR6JTl7FFvSki2pCcN8NqtYRG4ofGdC0pddyTST7/f4PL
WGhisaV8NYE64qKRO6I47qQmGEjpmPUPxlX0ab2Fh7Gk8LMzaxIRJMbe/nW5OLsW
Wp01I++C9WDywpXt2IWBdQaKzu6B8JVJ7a/rBij/SsJEHj6wXtg=
=K5Ut
-----END PGP SIGNATURE-----
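The two changes described in the Changes field above, shown as an added example that is not part of this upload and not Django's own code. The in-memory user table, the crafted addresses and the helper names are constructed for illustration. The "database" lookup imitates a case-insensitive query by comparing str.upper() results, which is how an iexact lookup is rendered on PostgreSQL (UPPER(col) = UPPER(%s)); other databases and collations collapse different character pairs, so the exact colliding characters vary by backend. The example uses U+0131 (dotless i) to show a variant the UTR 36 check rejects, and U+017F (long s) to show a variant that survives the check but is still neutralised because the token is mailed to the stored address:

```python
import secrets
import unicodedata

# Constructed in-memory stand-in for the user table (not a real dataset).
USERS = [
    {"pk": 1, "email": "mike@sites.example", "is_active": True, "usable_password": True},
    {"pk": 2, "email": "dana@sites.example", "is_active": False, "usable_password": True},
]


def db_iexact(email, users=USERS):
    """Imitate a case-insensitive ORM lookup (email__iexact). On PostgreSQL that
    becomes UPPER("email") = UPPER(%s); str.upper() stands in for the database's
    case transformation, which is where the unexpected collisions come from."""
    return [u for u in users if u["email"].upper() == email.upper()]


def unicode_ci_compare(s1, s2):
    """Identifier comparison per Unicode Technical Report 36, section 2.11.2(B)(2):
    NFKC-normalize both strings, then compare their case-folded forms."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def _eligible(user):
    return user["is_active"] and user["usable_password"]


def reset_recipients_before(submitted_email):
    """Pre-fix behaviour: trust whatever the database matched and mail the
    token to the address the requester typed in."""
    users = [u for u in db_iexact(submitted_email) if _eligible(u)]
    return [submitted_email for _ in users]


def reset_recipients_after(submitted_email):
    """Post-fix behaviour: (1) re-check equivalence in Python with the UTR 36
    comparison, (2) mail the address stored in the database, never the
    submitted string."""
    users = [u for u in db_iexact(submitted_email)
             if _eligible(u) and unicode_ci_compare(submitted_email, u["email"])]
    return [u["email"] for u in users]


def issue_reset(submitted_email, fixed=True):
    """Return (recipient, token) pairs; the token here is just a random
    placeholder for Django's signed reset token."""
    recipients = reset_recipients_after(submitted_email) if fixed \
        else reset_recipients_before(submitted_email)
    return [(addr, secrets.token_urlsafe(16)) for addr in recipients]


if __name__ == "__main__":
    # Crafted by the attacker: dotless i in the domain; the attacker is assumed
    # to be able to read mail delivered to this crafted address.
    dotless = "mike@s\u0131tes.example"
    # Crafted: long s in the domain; NFKC maps it to plain 's', so it still
    # compares equal under UTR 36.
    long_s = "mike@\u017fites.example"
    for addr in (dotless, long_s, "MIKE@SITES.EXAMPLE"):
        print(repr(addr))
        print("  db match:", [u["pk"] for u in db_iexact(addr)])
        print("  before:  ", reset_recipients_before(addr))
        print("  after:   ", reset_recipients_after(addr))
```

Before the fix, the dotless-i request reaches the attacker's crafted address with a valid token; after the fix it matches nobody. The long-s request still passes the UTR 36 check, which is why the second change matters: the token goes to mike@sites.example regardless of what was submitted, so the worst an attacker gets is an unsolicited reset mail landing in the victim's own inbox.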