[SECURITY] [DLA 2042-1] python-django security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2042-1] python-django security update
From: "Chris Lamb" <lamby@debian.org>
Date: Wed, 18 Dec 2019 16:50:48 +0000
Message-id: <[🔎] f8c7234d-c20d-4533-a8b7-36d998df9aa7@sloti26t01>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : python-django
Version        : 1.7.11-1+deb8u8
CVE ID         : CVE-2019-19844
Debian Bug     : #946937

It was discovered that there was a potential account hijack
vulnerabilility in Django, the Python-based web development
framework.

Django's password-reset form used a case-insensitive query to
retrieve accounts matching the email address requesting the password
reset. Because this typically involves explicit or implicit case
transformations, an attacker who knew the email address associated
with a user account could craft an email address which is distinct
from the address associated with that account, but which -- due to
the behavior of Unicode case transformations -- ceases to be distinct
after case transformation, or which will otherwise compare equal
given database case-transformation or collation behavior. In such a
situation, the attacker can receive a valid password-reset token for
the user account.

To resolve this, two changes were made in Django:

  * After retrieving a list of potentially-matching accounts from the
    database, Django's password reset functionality now also checks
    the email address for equivalence in Python, using the
    recommended identifier-comparison process from Unicode Technical
    Report 36, section 2.11.2(B)(2).

  * When generating password-reset emails, Django now sends to the
    email address retrieved from the database, rather than the email
    address submitted in the password-reset request form.

For more information, please see:

  https://www.djangoproject.com/weblog/2019/dec/18/security-releases/

For Debian 8 "Jessie", this issue has been fixed in python-django version
1.7.11-1+deb8u8.

We recommend that you upgrade your python-django packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl36WI4ACgkQHpU+J9Qx
HliYihAAwRIuu+3C6Aw9Ymjfv/V97vPazNYvesMwNW434ze29ttd0TNcUAdMEUOM
44m9IVDOubO8Z7HxyO6xkWK1OdoICY64EGWNHZXQv21RZDl1CEorJ/8xK5MXcwV7
q092DMCUCNI4k7AN/Oaggnhm4XGdVQXtdRFrGmV4zwM1DO8pR8ZDjc7n0FxqZky4
6vjIIjlc5o2ad+e138MH3azDMjsVoRnLirDMiFa0FQttTvEYMLcbu++6hCGCf4vk
ZE5nhCSiAE9PxbNSoDIIvLzZtlR1C0H70ow2Ei9gdDUFaCijG3KtO50Ga6wzTomm
yb+noHpFSNvGeM8yWP3FOY1/Ea70iba9NoPPGfl5Y81Vb9zAe32CenBAwaYrU6HI
8rxjq8lNTveioiPjihYwtWdsUlfeTfOnUrq9ItaDVnWReeY8YamV0lsBp1dgAng0
audRQY0br02hWXQJEGMA5egzodaxhx5pMKdMeVLdbmjMrbMwtHcnv6H7eRrUl3/A
qRNsh2BHDsc0m+kKFJ+NQaLJk1TO+ixqzPFip3wtL/5P45rbx00SCh1Xe8wMzwyh
j3xw7FXmid3rX0AZgAFHdzf5KA+Q7+GI0qavFcQxzJznJ8F9D0QE35umHTns4mxu
WK1k+rbq+xrDk0CD5plYL+5ch/1i826XxBV2HetGMvso85oTw2k=
=ud32
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2041-1] debian-edu-config security update
Next by Date: [SECURITY] [DLA 2043-1] gdk-pixbuf security update
Previous by thread: [SECURITY] [DLA 2041-1] debian-edu-config security update
Next by thread: [SECURITY] [DLA 2043-1] gdk-pixbuf security update
Index(es):
- Date
- Thread