Change logs for python-django source package in Eoan

  • python-django (2:2.2.4-1) unstable; urgency=medium
    
      * New upstream security release. (Closes: #934026)
        <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
    
     -- Chris Lamb <email address hidden>  Tue, 06 Aug 2019 10:08:25 +0100
  • python-django (2:2.2.3-5) unstable; urgency=medium
    
      [ Chris Lamb ]
      * Drop Pre-Depends on version of dpkg that is now satisfied in oldoldstable.
    
      [ Ondřej Nový ]
      * Bump Standards-Version to 4.4.0
    
     -- Chris Lamb <email address hidden>  Wed, 24 Jul 2019 11:36:15 -0300
  • python-django (2:2.2.3-4) unstable; urgency=medium
    
      * Fixup debian/python-django-doc.doc-base to refer to the new location(s) of
        the documentation. (Closes: #931652)
    
     -- Chris Lamb <email address hidden>  Mon, 08 Jul 2019 21:49:47 -0300
  • python-django (1:1.11.22-1ubuntu1.3) eoan-security; urgency=medium
    
      * SECURITY UPDATE: SQL injection in Oracle GIS functions and aggregates
        - debian/patches/CVE-2020-9402.patch: properly escaped tolerance
          parameter in GIS functions and aggregates on Oracle in
          django/contrib/gis/db/models/aggregates.py,
          django/contrib/gis/db/models/functions.py,
          tests/gis_tests/distapp/tests.py, tests/gis_tests/geoapp/tests.py.
        - CVE-2020-9402
    
     -- Marc Deslauriers <email address hidden>  Fri, 28 Feb 2020 13:05:32 -0500
  • python-django (1:1.11.22-1ubuntu1.2) eoan-security; urgency=medium
    
      * SECURITY UPDATE: Possible SQL injection in the postgres aggregates
        StringAgg function
        - debian/patches/CVE-2020-7471.patch: Update
          django/contrib/postgres/aggregates/general.py to escape delimited
          parameter to the StringAgg function. Upstream patch.
        - CVE-2020-7471
    
     -- Alex Murray <email address hidden>  Fri, 31 Jan 2020 14:05:54 +1030
  • python-django (1:1.11.22-1ubuntu1.1) eoan-security; urgency=medium
    
      * SECURITY UPDATE: Potential account hijack via password reset form
        - debian/patches/CVE-2019-19844.patch: Use verified user email for
          password reset requests.
        - CVE-2019-19844
    
     -- Steve Beattie <email address hidden>  Wed, 18 Dec 2019 08:40:29 -0800
  • python-django (1:1.11.22-1ubuntu1) eoan; urgency=medium
    
      * SECURITY UPDATE: Denial-of-service possibility in
        django.utils.text.Truncator
        - debian/patches/CVE-2019-14232.patch: adjusted regex to avoid
          backtracking issues when truncating HTML in django/utils/text.py,
          tests/template_tests/filter_tests/test_truncatewords_html.py,
          tests/utils_tests/test_text.py.
        - CVE-2019-14232
      * SECURITY UPDATE: Denial-of-service possibility in strip_tags()
        - debian/patches/CVE-2019-14233.patch: prevented excessive HTMLParser
          recursion in strip_tags() when handling incomplete HTML entities in
          django/utils/html.py, tests/utils_tests/test_html.py.
        - CVE-2019-14233
      * SECURITY UPDATE: SQL injection possibility in key and index lookups for
        JSONField/HStoreField
        - debian/patches/CVE-2019-14234.patch: protected JSONField/HStoreField
          key and index lookups against SQL injection in
          django/contrib/postgres/fields/hstore.py,
          django/contrib/postgres/fields/jsonb.py,
          tests/postgres_tests/test_hstore.py,
          tests/postgres_tests/test_json.py.
        - CVE-2019-14234
      * SECURITY UPDATE: Potential memory exhaustion in
        django.utils.encoding.uri_to_iri()
        - debian/patches/CVE-2019-14235.patch: fixed potential memory
          exhaustion in django.utils.encoding.uri_to_iri() in
          django/utils/encoding.py, tests/utils_tests/test_encoding.py.
        - CVE-2019-14235
    
     -- Marc Deslauriers <email address hidden>  Thu, 19 Sep 2019 16:21:15 +0200
  • python-django (1:1.11.22-1) unstable; urgency=medium
    
      * New upstream security release.
        <https://www.djangoproject.com/weblog/2019/jul/01/security-releases/>
        (Closes: #931316)
    
     -- Chris Lamb <email address hidden>  Mon, 01 Jul 2019 17:09:52 -0300
  • python-django (1:1.11.21-1) unstable; urgency=medium
    
      * New upstream security release.
        - CVE-2019-12308: XSS in Django admin via AdminURLFieldWidget
          (Closes: #929927)
    
     -- Luke W Faraone <email address hidden>  Wed, 05 Jun 2019 00:07:07 +0000
  • python-django (1:1.11.20-1) unstable; urgency=medium
    
      * New upstream security release.
        - CVE-2019-6975: Fix memory exhaustion in utils.numberformat.format().
          (Closes: #922027)
    
     -- Chris Lamb <email address hidden>  Mon, 11 Feb 2019 19:08:53 +0100