Changelog
python-django (1:1.10.7-2ubuntu1) artful; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/patches/pymysql-replacement.patch: Use pymysql as drop in
replacement for MySQLdb.
- debian/control: Drop python-mysqldb in favor of python-pymysql.
* All other changes dropped, as they were backports of upstream fixes.
python-django (1:1.10.7-2) unstable; urgency=medium
* Accept again migrations depending on initial migrations that
can be fake applied. Closes: #863267
* Add patch to fix DEP-8 test. Closes: #816435
python-django (1:1.10.7-1) unstable; urgency=medium
* New upstream security release:
- CVE-2017-7233: Open redirect and possible XSS attack via user-supplied
numeric redirect URLs.
Django relies on user input in some cases (e.g.
django.contrib.auth.views.login() and i18n) to redirect the user to an
"on success" URL. The security check for these redirects (namely
django.utils.http.is_safe_url()) considered some numeric URLs (e.g.
http:999999999) "safe" when they shouldn't be.
Also, if a developer relies on is_safe_url() to provide safe redirect
targets and puts such a URL into a link, they could suffer from an XSS
attack. (Closes: #859515)
- CVE-2017-7234: Open redirect vulnerability in django.views.static.serve().
A maliciously crafted URL to a Django site using the
django.views.static.serve() view could redirect to any other domain. The
view no longer does any redirects as they don't provide any known,
useful functionality.
Note, however, that this view has always carried a warning that it is
not hardened for production use and should be used only as a development
aid. Thanks Phithon Gong for reporting this issue. (Closes: #859516)
python-django (1:1.10.6-1) unstable; urgency=medium
* New upstream bugfix release:
- Fixed ClearableFileInput’s “Clear” checkbox on model form fields where
the model field has a default (#27805).
- Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing rather
than generating a bad request response (#27820).
- Fixed a crash on Oracle and PostgreSQL when subtracting DurationField or
IntegerField from DateField (#27828).
- Fixed query expression date subtraction accuracy on PostgreSQL for
differences larger than a month (#27856).
- Fixed a GDALException raised by GDALClose on GDAL ≥ 2.0 (#27479).
python-django (1:1.10.5-1) unstable; urgency=medium
* New upstream bugfix release.
<https://www.djangoproject.com/weblog/2017/jan/04/bugfix-release/>
- Drop 0003-Fix-test-suite-in-parallel-mode.patch; applied upstream.
python-django (1:1.10.3-2) unstable; urgency=medium
* Add patch to fix tests running in parallel. Closes: #844139
* Update copyright file (and drop new extra LICENSE.txt).
* Adjust lintian overrides.
python-django (1:1.10.3-1) unstable; urgency=medium
* New upstream release. (Closes: #844037)
python-django (1:1.10.1-1) unstable; urgency=medium
* New upstream bugfix release.
- Drop 07_fix-test-failures-due-to-translation-updates.diff; applied
upstream.
* Ensure that "django-admin startproject foo" using python3-django emits the
correct shebang (Closes: #833275)
python-django (1:1.10-2) unstable; urgency=medium
* Add patch from upstream to fix admin_utils test failures due to translation
updates.
python-django (1:1.10-1) unstable; urgency=medium
* New upstream release.
* Drop debian/source/lintian-overrides now that #799861 is fixed in Lintian.
python-django (1:1.9.8-1) unstable; urgency=high
* New upstream security release:
https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
- CVE-2016-6186: XSS in admin's add/change related popup
python-django (1:1.9.7-2) unstable; urgency=medium
* Re-upload 1.9.7 to unstable with epoch.
python-django (1.10~beta1-1) unstable; urgency=medium
[ Chris Lamb ]
* New upstream beta release.
* Drop fix-25761-add-traceback-attribute.patch; applied upstream.
[ Raphaël Hertzog ]
* Remove obsolete /etc/bash_completion.d/django_bash_completion on upgrade.
Closes: #801744
python-django (1.9.7-1) unstable; urgency=medium
[ Raphaël Hertzog ]
* New upstream bugfix release.
* Bump python-sphinx build dependency to >= 1.3. Closes: #824108
* Drop build dependency on locales. C.UTF-8 that we currently use is part of
libc-bin.
[ Chris Lamb ]
* Remove duplicated "of of" in python-django's README.Debian.
python-django (1.9.6-1) unstable; urgency=medium
* New upstream bugfix release.
python-django (1.9.5-2) unstable; urgency=medium
* Drop the dir_to_symlink transition that was only really needed
for upgrades between versions 1.9~rc2 and 1.9.4. Closes: #821789
python-django (1.9.5-1) unstable; urgency=medium
* New upstream bugfix release:
https://docs.djangoproject.com/en/1.9/releases/1.9.5/
* Fix the DEP-8 test suite (django-admin --with python3 failing
because ./manage.py does not have a good shebang).
* Update Standards-Version to 3.9.8.
* Add some lintian overrides.
* Tweak Vcs-Browser to use https.
* Drop obsolete parts of the copyright file.
python-django (1.9.4-1) unstable; urgency=high
[ Luke Faraone ]
* New upstream security release:
https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
- CVE-2016-2512: Malicious redirect and possible XSS via user-supplied
redirect URLs containing basic auth
- CVE-2016-2513: User enumeration through timing difference on password
hasher work factor upgrade
Closes: #816434
[ Raphaël Hertzog ]
* Fix rules file to no longer mess with *_templates directories. They no
longer contain invalid .py files but only *-tpl template files that are
instantiated at runtime.
python-django (1.9.2-1) unstable; urgency=medium
* New upstream security release fixing:
- CVE-2016-2048: User with "change" but not "add" permission can create
objects for ModelAdmin objects with save_as=True
Closes: #813448
python-django (1.9.1-1) unstable; urgency=medium
* New upstream release.
python-django (1.9-2) unstable; urgency=medium
[ Chris Lamb ]
* Use dpkg-maintscript-helper's dir_to_symlink to correctly replace the
app_template and project_template symlinks added in 1.9~rc2-2.
(Closes: #807683)
[ Raphaël Hertzog ]
* Add some DEP-8 tests testing "django-admin" and running the test suite
against the installed package. In both cases, we do it with python2 and
python3.
* Add python-tblib and python3-tblib to Build-Depends for the benefit of
the parallel testing feature of the test suite.
* Add "set -e" in the command line running the tests with all supported
versions so that it actually fails as soon as one version is failing
(and thus disallow later successes to shadow earlier failures).
python-django (1.9-1) unstable; urgency=medium
* Upload to unstable
* Adjust uversionmangle in debian/watch to mangle "1.9rc2" scheme
(previously only "1.9-rc-2" would have matched).
python-django (1.9~rc2-2) experimental; urgency=medium
* Move {app,project}_template to python-django-common to prevent
byte-compilation (via pycompile) on installation, causing failure. They are
not valid Python files until variables have been interpolated.
python-django (1.9~rc2-1) experimental; urgency=medium
* New upstream release candidate.
* Add myself to Uploaders.
python-django (1.8.7-2) unstable; urgency=high
* Rely on C.UTF-8 to run the tests instead of building our locale ourselves.
* Add debian/patches/fix-25761-add-traceback-attribute.patch:
new patch to ensure exceptions registered in __cause__ attributes
have a __traceback__ attribute. Closes: #802677
* Extend lintian overrides to cover more false positives of
source-is-missing.
* Cleanup debian/copyright for dropped/renamed files.
* Run tests for all supported Python versions.
-- Steve Langasek <email address hidden> Sat, 17 Jun 2017 21:55:34 -0700