==========================================================================
Ubuntu Security Notice USN-4224-1
December 19, 2019
python-django vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 19.10
– Ubuntu 19.04
– Ubuntu 18.04 LTS
– Ubuntu 16.04 LTS
Summary:
Django accounts could be hijacked through password reset requests.
Software Description:
– python-django: High-level Python web development framework
Details:
Simon Charette discovered that the password reset functionality in
Django used a Unicode case insensitive query to retrieve accounts
associated with an email address. An attacker could possibly use this
to obtain password reset tokens and hijack accounts.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 19.10:
python-django 1:1.11.22-1ubuntu1.1
python3-django 1:1.11.22-1ubuntu1.1
Ubuntu 19.04:
python-django 1:1.11.20-1ubuntu0.3
python3-django 1:1.11.20-1ubuntu0.3
Ubuntu 18.04 LTS:
python-django 1:1.11.11-1ubuntu1.6
python3-django 1:1.11.11-1ubuntu1.6
Ubuntu 16.04 LTS:
python-django 1.8.7-1ubuntu5.11
python3-django 1.8.7-1ubuntu5.11
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4224-1
CVE-2019-19844
Package Information:
https://launchpad.net/ubuntu/+source/python-django/1:1.11.22-1ubuntu1.1
https://launchpad.net/ubuntu/+source/python-django/1:1.11.20-1ubuntu0.3
https://launchpad.net/ubuntu/+source/python-django/1:1.11.11-1ubuntu1.6
https://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu5.11
—–BEGIN PGP SIGNATURE—–
iQIzBAABCgAdFiEEpgY7tWAjCaQ8jrvULwmejQBegfQFAl36068ACgkQLwmejQBe
gfSCOg/+NGKrWPqvljJ9y5/hKPJXKE5K17dxpiekhsU1gbfuDgH0aDhjRVZQIdJS
nM6LiHp4HZtvsiOBcJmS8JkPm6X2yJJQ/Mn64svZ48+NvID8WFVTi7X6L5NKTyUX
fc0pl86halbszOpECMwViProUK8exp2JpP9PPFS2ayV/7Pmjs4pjapLhhPzyrvu2
DqOj8BqEuLNY95NYuCcYkBpJIrMU5Yv0WPEl3g8bJNS96lx3k8nkCU6tbsMLuzEV
Bn93M701UTTFabBJaSpf+f4PpKnziKFPLipZrk9cdeHn8fReJTJMgt+CjfT34v1h
sX1NC8f6jFWWujrxEI3jJ4ItA1hBWe7f/1UHikMlStQ46KsnotMEX7PjxcaHVO3u
9pqvLab2Cgy60sO8fLQ+Cu46LYz0wc08g3dKxStsGi+WU77Q7J0ZWpCGC3Junk2A
QwB9t7vmU638NOkTsQYak5CfpnC6NWSvfqFGUTsIiy15NTQHPpYcuSPBMoQ5IMA6
++P29dkIEtVaxHqewr4vDDpvH6zSK5C+M8SBq17tVEevaZZsHWHkjSXF2xQJK93T
WwMCDuC9z3AY9ns6KvmpgC0w1HYFZYSLwusP6fAoaefO3RqPqrOc+KDNd/fK5vGH
PkhkumG1qtaTZVnDpCVJzaAwPZ4HtSVtV8MKFn9CyhidvEinynQ=
=yybN
—–END PGP SIGNATURE—–
—