Debian LTS Advisory ([SECURITY] [DLA 2042-1] python-django security update)

The remote host is missing an update for the 'python-django' package(s) announced via the DSA-2042-1 advisory.

It was discovered that there was a potential account hijack vulnerability in Django, the Python-based web development framework. Django's password-reset form used a case-insensitive query to retrieve accounts matching the email address requesting the password reset. Because this typically involves explicit or implicit case transformations, an attacker who knew the email address associated with a user account could craft an email address which is distinct from the address associated with that account, but which -- due to the behavior of Unicode case transformations -- ceases to be distinct after case transformation, or which will otherwise compare equal given database case-transformation or collation behavior. In such a situation, the attacker can receive a valid password-reset token for the user account. To resolve this, two changes were made in Django: * After retrieving a list of potentially-matching accounts from the database, Django's password reset functionality now also checks the email address for equivalence in Python, using the recommended identifier-comparison process from Unicode Technical Report 36, section 2.11.2(B)(2). * When generating password-reset emails, Django now sends to the email address retrieved from the database, rather than the email address submitted in the password-reset request form. For more information, please see:

'python-django' package(s) on Debian Linux.

Checks if a vulnerable package version is present on the target host.

For Debian 8 'Jessie', this issue has been fixed in python-django version 1.7.11-1+deb8u8. We recommend that you upgrade your python-django packages.