Executive Summary

Summary
Titlepython-django security update
Informations
NameDSA-4598First vendor Publication2020-01-07
VendorDebianLast vendor Modification2020-01-07
Severity (Vendor) N/ARevision1

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base ScoreN/AAttack RangeN/A
Cvss Impact ScoreN/AAttack ComplexityN/A
Cvss Expoit ScoreN/AAuthenticationN/A
Calculate full CVSS 2.0 Vectors scores

Detail

Simon Charette reported that the password reset functionality in Django, a high-level Python web development framework, uses a Unicode case-insensitive query to retrieve accounts matching the email address requesting the password reset. An attacker can take advantage of this flaw to potentially retrieve password reset tokens and hijack accounts.

For details please refer to https://www.djangoproject.com/weblog/2019/dec/18/security-releases/

For the oldstable distribution (stretch), this problem has been fixed in version 1:1.10.7-2+deb9u7.

For the stable distribution (buster), this problem has been fixed in version 1:1.11.27-1~deb10u1.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python-django

Original Source

Url : http://www.debian.org/security/2020/dsa-4598

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2020-01-08 00:18:49
  • First insertion