A python-django security update has been released for Debian GNU/Linux 8 LTS
Package : python-django
Version : 1.7.11-1+deb8u8
CVE ID : CVE-2019-19844
Debian Bug : #946937
It was discovered that there was a potential account hijack
vulnerabilility in Django, the Python-based web development
framework.
Django's password-reset form used a case-insensitive query to
retrieve accounts matching the email address requesting the password
reset. Because this typically involves explicit or implicit case
transformations, an attacker who knew the email address associated
with a user account could craft an email address which is distinct
from the address associated with that account, but which -- due to
the behavior of Unicode case transformations -- ceases to be distinct
after case transformation, or which will otherwise compare equal
given database case-transformation or collation behavior. In such a
situation, the attacker can receive a valid password-reset token for
the user account.
To resolve this, two changes were made in Django:
* After retrieving a list of potentially-matching accounts from the
database, Django's password reset functionality now also checks
the email address for equivalence in Python, using the
recommended identifier-comparison process from Unicode Technical
Report 36, section 2.11.2(B)(2).
* When generating password-reset emails, Django now sends to the
email address retrieved from the database, rather than the email
address submitted in the password-reset request form.
For more information, please see:
https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
For Debian 8 "Jessie", this issue has been fixed in python-django version
1.7.11-1+deb8u8.
We recommend that you upgrade your python-django packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS