Format: 1.8
Date: Fri, 03 Aug 2018 15:11:16 +0800
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1:1.10.7-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 874415 905216
Changes:
 python-django (1:1.10.7-2+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware. If
     the django.middleware.common.CommonMiddleware and the APPEND_SLASH
     setting were both enabled, and if the project has a URL pattern that
     accepted any path ending in a slash then a request to a maliciously
     crafted URL of that site could lead to a redirect to another site,
     enabling phishing and other attacks. (Closes: #905216)
   * CVE-2017-12794: Fix a cross-site scripting attack in the technical HTTP
     500 page. This vulnerability did not affect production sites as they
     typically do not run with "DEBUG = True". (Closes: #874415)