Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 630064 (CVE-2017-12794)

Summary: <dev-python/django-1.11.5: security releases
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: python
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2017/09/05/4
Whiteboard: B4 [noglsa cve]
Package list:
=dev-python/django-1.8.19 =dev-python/django-tastypie-0.13.3-r1
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 649748    

Description Agostino Sarubbo gentoo-dev 2017-09-06 09:20:31 UTC
From ${URL} :

Today the Django team issued 1.11.5 and 1.10.8 as part of our security 
process. These releases address a security issue, and we encourage all 
users to upgrade as soon as possible:

https://www.djangoproject.com/weblog/2017/sep/05/security-releases/

As a reminder, we ask that potential security issues be reported via 
private email to security@...ngoproject.com and not via Django's Trac 
instance or the django-developers list. Please see 
https://www.djangoproject.com/security for further information.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2018-01-19 14:20:43 UTC
1.11.x and 1.10.x are both unstable in Gentoo.  They still need bumped though and vulnerable versions cleaned.
Comment 2 Larry the Git Cow gentoo-dev 2018-07-17 14:47:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=353ab3c934731b424d59e9efd92dce75ae3e7252

commit 353ab3c934731b424d59e9efd92dce75ae3e7252
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-07-17 14:46:31 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-07-17 14:46:31 +0000

    dev-python/django: bump to 1.11.14
    
    * Add myself as maintainer
    * Add missing test dependencies
    
    Bug: https://bugs.gentoo.org/630064
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-python/django/Manifest                                        | 2 +-
 dev-python/django/{django-1.11.2.ebuild => django-1.11.14.ebuild} | 6 ++++--
 dev-python/django/metadata.xml                                    | 4 ++++
 3 files changed, 9 insertions(+), 3 deletions(-)
Comment 3 Virgil Dupras (RETIRED) gentoo-dev 2018-07-17 15:10:36 UTC
I've just bumped django to 1.11.14. Even though 1.11.x and 1.10.x were unstable, 1.8.x is not supported anymore (support ended in april 2018 [1]) and is therefore insecure.

I would like to request a stabilization operation as part of this security fix under the ALLARCHES policy.

1.11.2 has been around for a good while, ebuild hasn't significantly changed in the latest bump and django minor releases tend to be pretty solid.

Please stabilize =dev-python/django-1.11.14

I will remove all older versions afterwards.

[1]:https://www.djangoproject.com/download/#supported-versions
Comment 4 Virgil Dupras (RETIRED) gentoo-dev 2018-07-17 15:15:47 UTC
Oops, sorry, forgot to CC the arches.
Comment 5 Agostino Sarubbo gentoo-dev 2018-07-19 10:08:05 UTC
amd64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-07-20 22:41:29 UTC
x86 stable
Comment 7 Larry the Git Cow gentoo-dev 2018-07-21 00:20:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b40fac4739d8bf1bc96de3be93e4903f5dff2801

commit b40fac4739d8bf1bc96de3be93e4903f5dff2801
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-07-21 00:17:34 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-07-21 00:18:32 +0000

    profiles: remove dev-python/django package mask
    
    Vulnerable versions have been removed from the tree.
    
    Bug: https://bugs.gentoo.org/630064

 profiles/package.mask | 13 -------------
 1 file changed, 13 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5bd127d40a0ae08853af6e2c2c7cff86c5cc608

commit b5bd127d40a0ae08853af6e2c2c7cff86c5cc608
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-07-21 00:15:27 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-07-21 00:15:27 +0000

    dev-python/django: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/630064
    Package-Manager: Portage-2.3.43, Repoman-2.3.10

 dev-python/django/Manifest                         |   7 --
 dev-python/django/django-1.10.7.ebuild             | 110 ---------------------
 dev-python/django/django-1.4.22.ebuild             | 103 -------------------
 dev-python/django/django-1.5.12.ebuild             |  77 ---------------
 dev-python/django/django-1.6.11.ebuild             | 105 --------------------
 dev-python/django/django-1.7.11.ebuild             | 104 -------------------
 dev-python/django/django-1.8.18.ebuild             | 106 --------------------
 dev-python/django/django-1.9.13.ebuild             | 110 ---------------------
 .../django/files/django-1.4.19-bashcomp.patch      |  37 -------
 dev-python/django/files/django-1.5-py3tests.patch  |  22 -----
 dev-python/django/files/django-1.5.4-objects.patch |  31 ------
 dev-python/django/files/django-1.6-objects.patch   |  18 ----
 .../django/files/django-1.6.10-bashcomp.patch      |  35 -------
 .../django/files/django-1.7.6-bashcomp.patch       |  34 -------
 14 files changed, 899 deletions(-)
Comment 8 Virgil Dupras (RETIRED) gentoo-dev 2018-07-21 00:22:12 UTC
Vulnerable versions have been removed.
Comment 9 Virgil Dupras (RETIRED) gentoo-dev 2018-07-21 01:19:04 UTC
It turns out that removing django 1.8.x, even if unsupported, is trickier than I thought. It has a couple of revdeps I hadn't noticed. It might take a while to remove them.

In the interest of closing this bug and because there's no CVE for django 1.8.19 yet, I'll bump the to 1.8.19 shortly and request stabilization.
Comment 10 Larry the Git Cow gentoo-dev 2018-07-21 11:11:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01060e7ce00061bfae821547ffaebe3cc149bae9

commit 01060e7ce00061bfae821547ffaebe3cc149bae9
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-07-21 11:11:37 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-07-21 11:11:37 +0000

    dev-python/django: security bump to 1.8.19
    
    * versionator -> eapi7-ver
    * Drop py36 (not supported upstream, added by mistake)
    
    Bug: https://bugs.gentoo.org/630064
    Package-Manager: Portage-2.3.43, Repoman-2.3.10

 dev-python/django/Manifest             |   1 +
 dev-python/django/django-1.8.19.ebuild | 106 +++++++++++++++++++++++++++++++++
 2 files changed, 107 insertions(+)
Comment 11 Virgil Dupras (RETIRED) gentoo-dev 2018-07-21 12:29:09 UTC
The 1.8.19 ebuild is pushed, but because I've dropped support for py36 impl (it was mistakenly added, upstream specifically doesn't support it), I have to adapt the couple of revdeps to it before requesting stabilization.
Comment 12 Virgil Dupras (RETIRED) gentoo-dev 2018-07-22 17:24:21 UTC
Revdeps for django 1.8.19 have been sorted out, one of them (dev-python/django-tastypie) needs stabilization.

amd64, x86, please stabilize:

=dev-python/django-1.8.19
=dev-python/django-tastypie-0.13.3-r1

Thanks.
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2018-07-22 18:38:08 UTC
x86 stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-07-23 00:14:42 UTC
amd64 stable
Comment 15 Larry the Git Cow gentoo-dev 2018-07-23 00:45:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed97cb6fbc33d594d2a7255f76f559b13f80d09c

commit ed97cb6fbc33d594d2a7255f76f559b13f80d09c
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-07-23 00:43:06 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-07-23 00:44:49 +0000

    dev-python/django: remove old and vulnerable version
    
    Bug: https://bugs.gentoo.org/630064
    Package-Manager: Portage-2.3.43, Repoman-2.3.10

 dev-python/django/Manifest             |   1 -
 dev-python/django/django-1.8.18.ebuild | 106 ---------------------------------
 2 files changed, 107 deletions(-)
Comment 16 Virgil Dupras (RETIRED) gentoo-dev 2018-07-23 00:47:45 UTC
Cleanup is done. If I fixed revdeps properly, I won't make the CI scream this time...