
Bug 706204 (CVE-2019-19844)

Summary: dev-python/django: crafted email address allows account takeover (CVE-2019-19844)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: mgorny, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
Whiteboard: B4 [glsa+ cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2020-01-23 21:47:25 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2020-01-23 21:48:28 UTC
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

External References:

https://www.djangoproject.com/weblog/2019/dec/18/security-releases/

References: 

https://seclists.org/oss-sec/2019/q4/163
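As an added illustration of the matching flaw described in Comment 1 (example code written for this page, not Django's own implementation): a password-reset form that looks users up with a case-insensitive database query and then mails the token to whatever string was submitted. The user table, the lenient `iexact`-style lookup, the mailer and the attacker inputs are constructed stand-ins; the strict app-side comparison is modelled on the NFKC-plus-casefold check the upstream fix introduced, which is my understanding of that fix rather than something this bug states.

```python
"""Toy password-reset flow showing the CVE-2019-19844 matching flaw.

Added example for this bug page; not Django's code. The user table, the
lookup and the "mailer" are constructed stand-ins for a real ORM and SMTP.
"""
import unicodedata

# Constructed sample user table.
USERS = [
    {"id": 1, "email": "mike@example.org"},
    {"id": 2, "email": "sarah@example.org"},
]


def db_ci_key(s):
    """Stand-in for how a lenient database collation folds an address for
    an `email__iexact` query: lowercase, then drop combining accents.
    KELVIN SIGN (U+212A) lowercases to ASCII 'k'; LATIN SMALL LETTER I WITH
    DIAERESIS decomposes to 'i' plus a combining mark that is discarded."""
    lowered = unicodedata.normalize("NFD", s.lower())
    return "".join(c for c in lowered if unicodedata.category(c) != "Mn")


def iexact_lookup(submitted):
    """Users whose stored address the (lenient) engine considers equal."""
    key = db_ci_key(submitted)
    return [u for u in USERS if db_ci_key(u["email"]) == key]


def vulnerable_reset(submitted):
    """Pre-fix behaviour: every loosely matched user gets a reset token, and
    the message is addressed to the *submitted* string, which the attacker
    controls. Returns (user id, recipient) pairs."""
    return [(u["id"], submitted) for u in iexact_lookup(submitted)]


def unicode_ci_compare(a, b):
    """App-side strict check: NFKC-normalise and casefold both sides.
    Modelled on the check the upstream fix added (assumption, see lead-in)."""
    def norm(s):
        return unicodedata.normalize("NFKC", s).casefold()
    return norm(a) == norm(b)


def fixed_reset(submitted):
    """Post-fix behaviour: drop matches the strict compare rejects, and
    always address the token to the registered email, never the input."""
    return [
        (u["id"], u["email"])
        for u in iexact_lookup(submitted)
        if unicode_ci_compare(u["email"], submitted)
    ]


if __name__ == "__main__":
    # Constructed attacker inputs that the engine folds onto mike's address.
    kelvin = "mi\u212ae@example.org"     # 'mi' + KELVIN SIGN + 'e'
    diaeresis = "m\u00efke@example.org"  # 'm' + 'ï' + 'ke'
    for addr in (kelvin, diaeresis):
        print(repr(addr),
              "vulnerable ->", vulnerable_reset(addr),
              "fixed ->", fixed_reset(addr))
```

Running it shows the two halves of the fix doing different jobs: the Kelvin-sign address still passes the strict compare (NFKC maps U+212A to 'K'), so what stops that token from reaching the attacker is mailing the registered address; the accent-stripped address is caught by the strict compare, which rejects matches an engine's collation accepts but the application's own notion of equality does not.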
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-01-25 20:28:14 UTC
All Gentoo versions of django are severely outdated (and vulnerable).  I'm not sure if anyone from Python team wants to maintain it.  Maybe it'd be better to drop it to maintainer-needed, and/or mask it with long removal time.
Comment 3 Larry the Git Cow gentoo-dev 2020-03-06 14:38:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d0858ec7469d1327e9fad71108a9a637469851e

commit 6d0858ec7469d1327e9fad71108a9a637469851e
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-03-06 14:13:35 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-03-06 14:38:30 +0000

    dev-python/django: Remove vulnerable (drop to ~arch)
    
    Bug: https://bugs.gentoo.org/692384
    Bug: https://bugs.gentoo.org/701744
    Bug: https://bugs.gentoo.org/706204
    Bug: https://bugs.gentoo.org/707998
    Bug: https://bugs.gentoo.org/711522
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest            |  4 --
 dev-python/django/django-2.1.8.ebuild | 88 ---------------------------------
 dev-python/django/django-2.1.9.ebuild | 88 ---------------------------------
 dev-python/django/django-2.2.1.ebuild | 91 -----------------------------------
 dev-python/django/django-2.2.2.ebuild | 91 -----------------------------------
 5 files changed, 362 deletions(-)
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2020-04-08 04:45:42 UTC
Added to an existing GLSA Request.
Arches and Maintainer(s), Thank you for your work.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-04-30 23:32:33 UTC
This issue was resolved and addressed in
 GLSA 202004-17 at https://security.gentoo.org/glsa/202004-17
by GLSA coordinator Thomas Deutschmann (whissi).