DebianDEBIAN:DLA-2042-1:1ECD8[SECURITY] [DLA 2042-1] python-django security update
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.198 Low
EPSS
Percentile
96.3%
Package : python-django
Version : 1.7.11-1+deb8u8
CVE ID : CVE-2019-19844
Debian Bug : #946937
It was discovered that there was a potential account hijack
vulnerabilility in Django, the Python-based web development
framework.
Django's password-reset form used a case-insensitive query to
retrieve accounts matching the email address requesting the password
reset. Because this typically involves explicit or implicit case
transformations, an attacker who knew the email address associated
with a user account could craft an email address which is distinct
from the address associated with that account, but which – due to
the behavior of Unicode case transformations – ceases to be distinct
after case transformation, or which will otherwise compare equal
given database case-transformation or collation behavior. In such a
situation, the attacker can receive a valid password-reset token for
the user account.
To resolve this, two changes were made in Django:
-
After retrieving a list of potentially-matching accounts from the
database, Django's password reset functionality now also checks
the email address for equivalence in Python, using the
recommended identifier-comparison process from Unicode Technical
Report 36, section 2.11.2(B)(2). -
When generating password-reset emails, Django now sends to the
email address retrieved from the database, rather than the email
address submitted in the password-reset request form.
For more information, please see:
https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
For Debian 8 "Jessie", this issue has been fixed in python-django version
1.7.11-1+deb8u8.
We recommend that you upgrade your python-django packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Regards,
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 8 | all | python-django | < 1.7.11-1+deb8u8 | python-django_1.7.11-1+deb8u8_all.deb |
| Debian | 8 | all | python3-django | < 1.7.11-1+deb8u8 | python3-django_1.7.11-1+deb8u8_all.deb |
| Debian | 9 | all | python3-django | < 1:1.10.7-2+deb9u7 | python3-django_1:1.10.7-2+deb9u7_all.deb |
| Debian | 10 | all | python-django-common | < 1:1.11.27-1~deb10u1 | python-django-common_1:1.11.27-1~deb10u1_all.deb |
| Debian | 9 | all | python-django-doc | < 1:1.10.7-2+deb9u7 | python-django-doc_1:1.10.7-2+deb9u7_all.deb |
| Debian | 8 | all | python-django-common | < 1.7.11-1+deb8u8 | python-django-common_1.7.11-1+deb8u8_all.deb |
| Debian | 9 | all | python-django | < 1:1.10.7-2+deb9u7 | python-django_1:1.10.7-2+deb9u7_all.deb |
| Debian | 9 | all | python-django-common | < 1:1.10.7-2+deb9u7 | python-django-common_1:1.10.7-2+deb9u7_all.deb |
| Debian | 10 | all | python3-django | < 1:1.11.27-1~deb10u1 | python3-django_1:1.11.27-1~deb10u1_all.deb |
| Debian | 10 | all | python-django-doc | < 1:1.11.27-1~deb10u1 | python-django-doc_1:1.11.27-1~deb10u1_all.deb |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.198 Low
EPSS
Percentile
96.3%