Bug 706204 (CVE-2019-19844) - dev-python/django: crafted email address allows account takeover (CVE-2019-19844)
Status: RESOLVED FIXED
Alias: CVE-2019-19844
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B4 [glsa+ cve]
Reported: 2020-01-23 21:47 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-30 23:32 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2020-01-23 21:47:25 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-01-23 21:48:28 UTC
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

External References:

https://www.djangoproject.com/weblog/2019/dec/18/security-releases/

References:

https://seclists.org/oss-sec/2019/q4/163
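The matching problem described in the advisory, as an added Python example that is not Django's own code: a database-side case-insensitive lookup such as Django's `email__iexact` compares addresses after case transformation, so a constructed address containing a dotless i (U+0131) collides with a stored ASCII address, and a reset token is then mailed to whatever the requester typed. The hardened path below re-checks the match in Python with NFKC normalisation plus casefold (an assumption for this example, not necessarily Django's exact check) and mails the token only to the stored account address, which is the mitigation the advisory names. The in-memory user list is constructed for the example.

```python
import unicodedata

# Constructed stand-in for the user table of a Django application.
USERS = [
    {"email": "mike@example.org", "is_active": True},
]


def iexact_lookup(submitted):
    """Mimic a database-side case-insensitive lookup: both sides are
    upper-cased before comparison, as e.g. PostgreSQL does for
    UPPER(email) = UPPER(%s). Unicode case mapping folds U+0131 to 'I',
    so 'm\u0131ke@example.org' matches 'mike@example.org' here."""
    return [u for u in USERS
            if u["is_active"] and u["email"].upper() == submitted.upper()]


def unicode_ci_compare(s1, s2):
    """Strict case-insensitive identifier comparison (assumed hardening):
    NFKC-normalise, then casefold. U+0131 casefolds to itself, so the
    confusable address no longer equals the ASCII one."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def reset_recipients_vulnerable(submitted):
    """Pre-fix behaviour: every account matched by the loose lookup gets a
    token, and it is mailed to the address the requester typed."""
    return [submitted for _ in iexact_lookup(submitted)]


def reset_recipients_fixed(submitted):
    """Post-fix behaviour: confirm the match with the strict comparison and
    mail the token only to the address stored on the account."""
    return [u["email"] for u in iexact_lookup(submitted)
            if unicode_ci_compare(submitted, u["email"])]


if __name__ == "__main__":
    for addr in ("Mike@Example.org", "m\u0131ke@example.org"):
        print(repr(addr),
              "vulnerable ->", reset_recipients_vulnerable(addr),
              "fixed ->", reset_recipients_fixed(addr))
```

A legitimate request with different ASCII casing still works in the fixed path, but the token goes to the stored address rather than the typed one.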
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-01-25 20:28:14 UTC
All Gentoo versions of django are severely outdated (and vulnerable). I'm not sure if anyone from Python team wants to maintain it. Maybe it'd be better to drop it to maintainer-needed, and/or mask it with long removal time.
Comment 3 Larry the Git Cow gentoo-dev 2020-03-06 14:38:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d0858ec7469d1327e9fad71108a9a637469851e

commit 6d0858ec7469d1327e9fad71108a9a637469851e
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-03-06 14:13:35 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-03-06 14:38:30 +0000

    dev-python/django: Remove vulnerable (drop to ~arch)
    
    Bug: https://bugs.gentoo.org/692384
    Bug: https://bugs.gentoo.org/701744
    Bug: https://bugs.gentoo.org/706204
    Bug: https://bugs.gentoo.org/707998
    Bug: https://bugs.gentoo.org/711522
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest            |  4 --
 dev-python/django/django-2.1.8.ebuild | 88 ---------------------------------
 dev-python/django/django-2.1.9.ebuild | 88 ---------------------------------
 dev-python/django/django-2.2.1.ebuild | 91 -----------------------------------
 dev-python/django/django-2.2.2.ebuild | 91 -----------------------------------
 5 files changed, 362 deletions(-)
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2020-04-08 04:45:42 UTC
Added to an existing GLSA Request.
Arches and Maintainer(s), Thank you for your work.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-04-30 23:32:33 UTC
This issue was resolved and addressed in GLSA 202004-17 at https://security.gentoo.org/glsa/202004-17 by GLSA coordinator Thomas Deutschmann (whissi).