Univention Bugzilla – Bug 50693
python-django: Multiple issues (4.4)
Last modified: 2020-01-15 17:00:07 CET
New Debian python-django 1:1.10.7-2+deb9u7 fixes:

This update addresses the following issue:

* Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) (CVE-2019-19844)
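The mechanism in the advisory above, as an added Python example that is not code from this page, from Django or from the Debian package: a simulated password-reset lookup before and after the fix. The user table and the `db_iexact` emulation of a database-side case-insensitive comparison are constructed assumptions (real behaviour depends on the database and collation); `_unicode_ci_compare` is modelled on the NFKC + casefold helper the upstream fix introduced, and `vulnerable_get_recipients` / `fixed_get_recipients` are hypothetical names for the two flows.

```python
import unicodedata

# Constructed sample user table for the demonstration (assumption; not real data).
USERS = [
    {"username": "mike", "email": "mike@example.com"},
    {"username": "alice", "email": "alice@example.com"},
]


def db_iexact(stored, submitted):
    """Emulate a database-side case-insensitive equality (Django's email__iexact).

    Assumption: databases implement this with UPPER()/LOWER() or a
    case-insensitive collation, and the direction of the transformation
    varies between backends, so this emulation accepts either direction.
    Python's str.upper() maps U+0131 (dotless i) to 'I' and str.lower()
    maps U+212A (Kelvin sign) to 'k': the kind of collision the advisory
    describes as "equal after case transformation of Unicode characters".
    """
    return (stored.upper() == submitted.upper()
            or stored.lower() == submitted.lower())


def vulnerable_get_recipients(submitted_email, users=USERS):
    """Pre-fix flow (simplified): match users case-insensitively and mail the
    reset token to the address the requester typed in."""
    matches = [u for u in users if db_iexact(u["email"], submitted_email)]
    return [(u["username"], submitted_email) for u in matches]


def _unicode_ci_compare(s1, s2):
    """Unicode-aware comparison modelled on the helper the upstream fix added:
    NFKC-normalize both sides, then casefold, so the result does not depend
    on how the database transformed case."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def fixed_get_recipients(submitted_email, users=USERS):
    """Post-fix flow: keep only database matches that also pass the Python-side
    comparison, and mail the token to the stored address of that user, never
    to the submitted one."""
    matches = [
        u for u in users
        if db_iexact(u["email"], submitted_email)
        and _unicode_ci_compare(u["email"], submitted_email)
    ]
    return [(u["username"], u["email"]) for u in matches]


if __name__ == "__main__":
    # Constructed inputs: two crafted addresses and one ordinary case variant.
    crafted = [
        "m\u0131ke@example.com",  # dotless i: collides under UPPER()
        "mi\u212ae@example.com",  # Kelvin sign: collides under LOWER()
        "MIKE@example.com",       # plain case difference, legitimate
    ]
    for addr in crafted:
        print(repr(addr),
              "before:", vulnerable_get_recipients(addr),
              "after:", fixed_get_recipients(addr))
```

The two layers matter independently: the dotless-i address is rejected by the NFKC/casefold check, but the Kelvin-sign address survives it (U+212A normalizes to K), and only the change of recipient keeps that token away from the attacker.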
--- mirror/ftp/4.4/unmaintained/4.4-2/source/python-django_1.10.7-2+deb9u6.dsc +++ apt/ucs_4.4-0-errata4.4-3/source/python-django_1.10.7-2+deb9u7.dsc @@ -1,3 +1,8 @@ +1:1.10.7-2+deb9u7 [Mon, 06 Jan 2020 17:52:10 +0000] Chris Lamb <lamby@debian.org>: + + * CVE-2019-19844: Prevent a potential account hijack via the password reset + form. (Closes: #946937) + 1:1.10.7-2+deb9u6 [Thu, 08 Aug 2019 10:42:49 +0100] Chris Lamb <lamby@debian.org>: * Backport four security patches from upstream. (Closes: #934026) <http://10.200.17.11/4.4-3/#6557579374636872887>
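Review bot: the new changelog entry ("* CVE-2019-19844: Prevent a potential account hijack via the password reset form. (Closes: #946937)") names the CVE and the Debian bug but does not record which upstream mitigations were backported to the 1.10 branch; the advisory quoted above singles out sending reset tokens only to the registered address as one of them, so a reader of this errata cannot tell whether the 1.10.7 backport includes that recipient change, the stricter Unicode-aware comparison of the matched user's address, or both. Suggest stating it in the entry, for example: "* CVE-2019-19844: Prevent a potential account hijack via the password reset form: compare addresses Unicode-aware and send the token only to the user's registered address. (Closes: #946937)".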
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-3] 1cd5a8b725 Bug #50693: python-django 1:1.10.7-2+deb9u7
 doc/errata/staging/python-django.yaml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

[4.4-3] 172b6c6064 Bug #50693: python-django 1:1.10.7-2+deb9u7
 doc/errata/staging/python-django.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
<http://errata.software-univention.de/ucs/4.4/418.html>