social-auth-app-django - Debian Package Tracker

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

stop mangling: rule="s/.+\/(\d\S*)\.tar\.gz/social-auth-app-django-$1.tar.gz/ uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\.?\d*)$/$1~$2/"
   rule doesn't match "(s|tr|y)/.*/.*/[a-z]*" (or similar).

Created: 2025-08-20 Last update: 2025-10-17 20:02

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2025-61783: Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.

Created: 2025-10-10 Last update: 2025-10-11 22:31

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2025-61783: Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.

Created: 2025-10-10 Last update: 2025-10-11 22:31

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2025-61783: Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.

Created: 2025-10-10 Last update: 2025-10-11 22:31

2 security issues in bullseye high

There are 2 open security issues in bullseye.

1 important issue:

CVE-2025-61783: Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.

1 issue postponed or untriaged:

CVE-2024-32879: (needs triaging) Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change collation of the affected field.

Created: 2025-10-10 Last update: 2025-10-11 22:31

2 security issues in bookworm high

There are 2 open security issues in bookworm.

1 important issue:

CVE-2025-61783: Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.

1 issue left for the package maintainer to handle:

CVE-2024-32879: (needs triaging) Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change collation of the affected field.

You can find information about how to handle this issue in the security team's documentation.

Created: 2024-04-25 Last update: 2025-10-11 22:31

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-02-27 13:25