-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0064
                       python-django security update
                              8 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-django
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
                   Debian GNU/Linux 9
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-19844  

Reference:         ESB-2019.4720
                   ESB-2019.4719
                   ESB-2019.4718

Original Bulletin: 
   http://www.debian.org/security/2020/dsa-4598

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4598-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 07, 2020                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : python-django
CVE ID         : CVE-2019-19844
Debian Bug     : 946937

Simon Charette reported that the password reset functionality in Django,
a high-level Python web development framework, uses a Unicode
case-insensitive query to retrieve accounts matching the email address
requesting the password reset. An attacker can take advantage of this
flaw to potentially retrieve password reset tokens and hijack accounts.

For details please refer to
https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
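The failure pattern the advisory describes, as an added illustration that is not part of the Debian or AusCERT bulletin and is not Django's own code. It models a password-reset lookup in plain Python: `ACCOUNTS` stands in for the user table, `ci_match()` stands in for the database's Unicode-aware case-insensitive comparison (Python's `str.casefold()` is used as a substitute for that collation), and `lookup_vulnerable()` / `lookup_hardened()` are hypothetical helpers that return where the reset link would be mailed so the two behaviours can be compared. The vulnerable form addresses the mail to whatever the requester typed; the hardened form always addresses it to the address stored on the account and also reports when the match relied on non-ASCII folding, which is a useful signal to log.

```python
# Added example (not the bulletin's or Django's code): why a Unicode
# case-insensitive account lookup must never decide where reset mail goes.

# Constructed user table standing in for the application's user model.
ACCOUNTS = [
    {"username": "kate", "email": "kate@example.com", "is_active": True},
]


def ci_match(stored: str, submitted: str) -> bool:
    """Stand-in for a Unicode case-insensitive database comparison.

    str.casefold() maps more than the 26 ASCII letters: several non-ASCII
    code points fold to plain ASCII letters, so two strings that are not
    byte-for-byte equal (and would not be the same mailbox) compare equal.
    """
    return stored.casefold() == submitted.casefold()


def _ascii_fold(s: str) -> str:
    """Case-fold ASCII letters only; non-ASCII code points are left as-is.

    Used to detect a match that only succeeded because of Unicode folding.
    """
    return "".join(c.lower() if c.isascii() else c for c in s)


def lookup_vulnerable(submitted: str):
    """The pattern the advisory warns about.

    The account is selected with the case-insensitive query, but the reset
    link is addressed to the string the requester submitted rather than to
    the address on file, so a folded-equivalent input receives the token.
    """
    for account in ACCOUNTS:
        if account["is_active"] and ci_match(account["email"], submitted):
            return {"account": account["username"], "recipient": submitted}
    return None


def lookup_hardened(submitted: str):
    """Defensive pattern.

    The recipient is always the address stored on the matched account, so
    the token can only reach the mailbox that was registered.  The
    'folded_match' flag records that the database match relied on
    non-ASCII case folding; a defender can log or alert on it.
    """
    for account in ACCOUNTS:
        if not account["is_active"]:
            continue
        if not ci_match(account["email"], submitted):
            continue
        folded_match = _ascii_fold(account["email"]) != _ascii_fold(submitted)
        return {
            "account": account["username"],
            "recipient": account["email"],   # stored address, never the input
            "folded_match": folded_match,
        }
    return None


if __name__ == "__main__":
    # Constructed input: U+212A (KELVIN SIGN) folds to 'k' under casefold().
    lookalike = "\u212Aate@example.com"
    print("vulnerable ->", lookup_vulnerable(lookalike))
    print("hardened   ->", lookup_hardened(lookalike))
```

Run it to see the vulnerable lookup hand the token to the submitted string while the hardened lookup addresses it to the registered `kate@example.com` and sets `folded_match` to `True`; an ordinary `KATE@example.com` request is matched by both and flagged by neither.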

For the oldstable distribution (stretch), this problem has been fixed
in version 1:1.10.7-2+deb9u7.

For the stable distribution (buster), this problem has been fixed in
version 1:1.11.27-1~deb10u1.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----