diff -Nru python-django-1.6.11/debian/changelog python-django-1.6.11/debian/changelog
--- python-django-1.6.11/debian/changelog 2018-03-05 15:10:48.000000000 +0000
+++ python-django-1.6.11/debian/changelog 2019-01-08 19:00:38.000000000 +0000
@@ -1,3 +1,12 @@
+python-django (1.6.11-0ubuntu1.3) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: content spoofing in the default 404 page
+ - debian/patches/CVE-2019-3498.patch: properly quote string in
+ django/views/defaults.py.
+ - CVE-2019-3498
+
+ -- Marc Deslauriers Tue, 08 Jan 2019 14:00:29 -0500
+
 python-django (1.6.11-0ubuntu1.2) trusty-security; urgency=medium
 
 * SECURITY UPDATE: DoS in urlize and urlizetrunc template filters
diff -Nru python-django-1.6.11/debian/patches/CVE-2019-3498.patch python-django-1.6.11/debian/patches/CVE-2019-3498.patch
--- python-django-1.6.11/debian/patches/CVE-2019-3498.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-django-1.6.11/debian/patches/CVE-2019-3498.patch 2019-01-08 19:00:14.000000000 +0000
@@ -0,0 +1,53 @@
+Backport of:
+
+From 1cd00fcf52d089ef0fe03beabd05d59df8ea052a Mon Sep 17 00:00:00 2001
+From: Tom Hacohen
+Date: Fri, 4 Jan 2019 02:21:55 +0000
+Subject: [PATCH] [1.11.x] Fixed #30070, CVE-2019-3498 -- Fixed content
+ spoofing possiblity in the default 404 page.
+
+Co-Authored-By: Tim Graham
+Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master.
+---
+ django/views/defaults.py | 8 +++++---
+ docs/releases/1.11.18.txt | 18 ++++++++++++++++++
+ docs/releases/index.txt | 1 +
+ tests/handlers/tests.py | 12 ++++++++----
+ 4 files changed, 32 insertions(+), 7 deletions(-)
+ create mode 100644 docs/releases/1.11.18.txt
+
+Index: python-django-1.6.11/django/views/defaults.py
+===================================================================
+--- python-django-1.6.11.orig/django/views/defaults.py 2019-01-08 13:57:15.738954692 -0500
++++ python-django-1.6.11/django/views/defaults.py 2019-01-08 13:58:51.535297176 -0500
+@@ -4,7 +4,7 @@ from django import http
+ from django.template import (Context, RequestContext,
+ loader, Template, TemplateDoesNotExist)
+ from django.views.decorators.csrf import requires_csrf_token
+-
++from django.utils.http import urlquote
+
+ # This can be called when CsrfViewMiddleware.process_view has not run,
+ # therefore need @requires_csrf_token in case the template needs
+@@ -17,7 +17,8 @@ def page_not_found(request, template_nam
+ Templates: :template:`404.html`
+ Context:
+ request_path
+- The path of the requested URL (e.g., '/app/pages/bad_page/')
++ The path of the requested URL (e.g., '/app/pages/bad_page/'). It's
++ quoted to prevent a content injection attack.
+ """
+ try:
+ template = loader.get_template(template_name)
+@@ -25,9 +26,9 @@ def page_not_found(request, template_nam
+ except TemplateDoesNotExist:
+ template = Template(
+ '

Not Found

' +- '

The requested URL {{ request_path }} was not found on this server.

') ++ '

The requested resource was not found on this server.

')
+ content_type = 'text/html'
+- body = template.render(RequestContext(request, {'request_path': request.path}))
++ body = template.render(RequestContext(request, {'request_path': urlquote(request.path)}))
+ return http.HttpResponseNotFound(body, content_type=content_type)
+
+
diff -Nru python-django-1.6.11/debian/patches/series python-django-1.6.11/debian/patches/series
--- python-django-1.6.11/debian/patches/series 2018-03-05 14:36:53.000000000 +0000
+++ python-django-1.6.11/debian/patches/series 2019-01-08 18:57:02.000000000 +0000
@@ -17,3 +17,4 @@
 CVE-2017-7234.patch
 CVE-2018-7536.patch
 CVE-2018-7537.patch
+CVE-2019-3498.patch
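Review bot: The backport carries only the django/views/defaults.py hunk, although the embedded upstream diffstat lists tests/handlers/tests.py among the changed files, so nothing in this package exercises the fix; a regression test in the 1.6 tree asserting that the fallback 404 body no longer contains the requested path, and that a custom 404 template receives `request_path` percent-encoded, would catch a future revert of the `urlquote(request.path)` call. The new `from django.utils.http import urlquote` line replaces the blank line that separated the imports from the module comment, leaving a single blank line there; grouping it with the other django imports and keeping the blank line would match the surrounding layout. The page_not_found definition begins outside the hunk, and whether the 1.6 docs describe the changed `request_path` value for custom templates cannot be told from here.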