Change logs for python-django source package in Maverick

  • python-django (1.2.3-1ubuntu0.2.10.10.3) maverick-security; urgency=low
    
      * SECURITY UPDATE: session manipulation when using django.contrib.sessions
        with memory-based sessions and caching
        - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
          for session instead of root namespace
        - CVE-2011-4136
      * SECURITY UPDATE: potential denial of service and information disclosure in
        URLField
        - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
          default and use a timeout if available.
        - CVE-2011-4137, CVE-2011-4138
      * SECURITY UPDATE: potential cache-poisoning via crafted Host header
        - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
          default when constructing full URLs
        - CVE-2011-4139
      * debian/patches/01_disable_url_verify_regression_tests.diff: remove the
        test_correct_url_but_nonexisting_gives_404() test from the
        modeltests/validation/tests.py too. Not sure how it passed before, but
        this makes the CVE-2011-4137+4138.patch consistent with our other releases
        since the upstream fix for CVE-2011-4137+4138.patch removed this test too.
      * More information on these issues can be found at:
        https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
     -- Jamie Strandboge <email address hidden>   Wed, 07 Dec 2011 15:52:55 -0600
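The CVE-2011-4139 entry above describes the fix in one line: stop trusting X-Forwarded-Host when building absolute URLs unless the deployment opts in. The following is an added illustration of that behaviour, not Django's code or the Debian patch; `get_host()` and `build_absolute_uri()` are simplified models written for this example, the opt-in flag mirrors the purpose of Django's USE_X_FORWARDED_HOST setting, and the request dictionaries are constructed.

```python
"""Model of the CVE-2011-4139 hardening: derive the host from HTTP_HOST (or
the server variables) and honour X-Forwarded-Host only when explicitly enabled.

Added illustration, not Django's code. The sample WSGI environ dicts are constructed.
"""


def get_host(meta, use_x_forwarded_host=False):
    """Return host[:port] for absolute URLs from a WSGI-style environ dict.

    The forwarded header is used only when use_x_forwarded_host is True,
    i.e. when a trusted reverse proxy is known to set it. By default a
    client-supplied X-Forwarded-Host is ignored, so it can no longer steer
    the URLs that end up in cached pages or e-mails.
    """
    if use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in meta:
        return meta["HTTP_X_FORWARDED_HOST"]
    if "HTTP_HOST" in meta:
        return meta["HTTP_HOST"]
    # No Host header: reconstruct from the server variables.
    host = meta["SERVER_NAME"]
    port = str(meta["SERVER_PORT"])
    default_port = "443" if meta.get("wsgi.url_scheme") == "https" else "80"
    if port != default_port:
        host = "%s:%s" % (host, port)
    return host


def build_absolute_uri(meta, path, use_x_forwarded_host=False):
    """Absolute URL of the kind a view embeds in a cached response."""
    scheme = meta.get("wsgi.url_scheme", "http")
    return "%s://%s%s" % (scheme, get_host(meta, use_x_forwarded_host), path)


# Constructed request: a legitimate Host header alongside an untrusted
# X-Forwarded-Host that no proxy in front of the application set.
SAMPLE_META = {
    "wsgi.url_scheme": "https",
    "HTTP_HOST": "shop.example.org",
    "HTTP_X_FORWARDED_HOST": "untrusted.example.net",
    "SERVER_NAME": "shop.example.org",
    "SERVER_PORT": "443",
}

if __name__ == "__main__":
    # Default: the untrusted header has no effect on the generated URL.
    print(build_absolute_uri(SAMPLE_META, "/password-reset/"))
    # Opt-in, for deployments whose proxy rewrites Host and sets the header.
    print(build_absolute_uri(SAMPLE_META, "/password-reset/", use_x_forwarded_host=True))
```

Whether to enable the opt-in is a deployment question: it is only safe when every request reaches the application through a proxy that overwrites X-Forwarded-Host rather than passing the client's value through.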
  • python-django (1.2.3-1ubuntu0.2.10.10.2) maverick-security; urgency=low
    
      * SECURITY UPDATE: flaw in CSRF handling (LP: #719031)
        - debian/patches/09_CVE-2011-0696.diff: apply full CSRF validation to all
          requests, regardless of apparent AJAX origin. This is technically
          backwards-incompatible, but the security risks have been judged to
          outweigh the compatibility concerns in this case. See the Django project
          notes for more information:
          http://www.djangoproject.com/weblog/2011/feb/08/security/
        - CVE-2011-0696
      * SECURITY UPDATE: potential XSS in file field rendering
        - debian/patches/10_admin_widgets-to-unittest.diff: prepare testsuite for
          security fix tests
        - debian/patches/11_CVE-2011-0697.diff: properly escape URL in
          django/contrib/admin/widgets.py
        - CVE-2011-0697
     -- Jamie Strandboge <email address hidden>   Tue, 15 Feb 2011 17:04:19 -0600
  • python-django (1.2.3-1ubuntu0.2.10.10.1) maverick-security; urgency=low
    
      * SECURITY UPDATE: information leak in admin interface
        - debian/patches/07_security_admin_infoleak.diff: validate that querystring
          lookup arguments either specify only fields on the model being viewed,
          or cross relations which have been explicitly whitelisted.
        - CVE-2010-4534
      * SECURITY UPDATE:
        - debian/patches/08_security_pasword_reset_dos.diff: adjust the
          base36_to_int() function in django.utils.http so that it validates the
          length of its input; on input longer than 13 digits (sufficient to
          base36-encode any 64-bit integer), it will now raise ValueError.
          Additionally, the default URL patterns for django.contrib.auth will now
          enforce a maximum length on the relevant parameters.
        - CVE-2010-4535
     -- Jamie Strandboge <email address hidden>   Mon, 03 Jan 2011 11:28:10 -0600
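The CVE-2010-4535 entry above states the two halves of the fix precisely: a 13-digit bound in base36_to_int() and a length bound in the URL patterns. The block below is an added example that implements both bounds; it is not the Debian patch or Django's own code. The regex, the 40-character token bound and the helper names (`is_valid_base36`, `parse_reset_path`, `RESET_URL_RE`) are this example's own choices.

```python
"""Bounded base-36 decoding in the spirit of the CVE-2010-4535 fix.

Added illustration, not Django's code or the Debian patch. The URL pattern,
the token length and the helper names are constructed for this example.
"""
import re

# 36**12 < 2**64 <= 36**13, so 13 base-36 digits encode any 64-bit integer.
# Longer input is refused before int() is asked to convert an arbitrarily
# long string.
MAX_BASE36_LENGTH = 13

# Only the characters a base-36 token should contain. int(s, 36) by itself also
# accepts surrounding whitespace, a leading sign and (on newer Pythons)
# underscores, none of which belong in a URL parameter.
_BASE36_RE = re.compile(r"^[0-9a-zA-Z]{1,%d}$" % MAX_BASE36_LENGTH)

# Password-reset style URL with the length bound applied in the pattern itself,
# so oversized values never reach the view (pattern constructed for this example).
RESET_URL_RE = re.compile(
    r"^reset/(?P<uidb36>[0-9A-Za-z]{1,13})-(?P<token>[0-9A-Za-z-]{1,40})/$"
)


def base36_to_int(s):
    """Decode a base-36 string, rejecting anything longer than 13 digits."""
    if len(s) > MAX_BASE36_LENGTH:
        raise ValueError("Base36 input too large")
    if not _BASE36_RE.match(s):
        raise ValueError("Base36 input contains invalid characters")
    return int(s, 36)


def int_to_base36(i):
    """Inverse of base36_to_int for non-negative integers (used for round trips)."""
    if i < 0:
        raise ValueError("Negative base36 conversion input.")
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    if i == 0:
        return "0"
    out = []
    while i:
        i, r = divmod(i, 36)
        out.append(digits[r])
    return "".join(reversed(out))


def is_valid_base36(s):
    """True if base36_to_int() accepts s, False if it raises ValueError."""
    try:
        base36_to_int(s)
    except ValueError:
        return False
    return True


def parse_reset_path(path):
    """Return (uid, token) for a well-formed reset path, or None if rejected."""
    m = RESET_URL_RE.match(path)
    if not m:
        return None
    try:
        uid = base36_to_int(m.group("uidb36"))
    except ValueError:
        return None
    return uid, m.group("token")


if __name__ == "__main__":
    print(base36_to_int("zz"))                       # 1295
    print(int_to_base36(2 ** 64 - 1))                # 13 digits
    print(is_valid_base36("z" * 14))                 # False: too long
    print(parse_reset_path("reset/1z-abc123-def456/"))
```

Both checks are cheap, and doing the length check before calling int() is the point: the cost of the conversion is bounded by the application rather than by whatever the client chooses to send.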
  • python-django (1.2.3-1ubuntu0.1) maverick-security; urgency=low
    
      * SECURITY UPDATE: XSS in CSRF protections. New upstream release
        - CVE-2010-3082
      * debian/patches/01_disable_url_verify_regression_tests.diff:
        - updated to disable another test that fails without internet connection
        - patch based on work by Kai Kasurinen and Krzysztof Klimonda
      * debian/control: don't Build-Depends on locales-all, which doesn't exist
        in maverick
    
    python-django (1.2.3-1) unstable; urgency=low
    
      [ Krzysztof Klimonda ]
      * New upstream release. Closes: #596893 LP: #636482
      * Fixes both an XSS vulnerability introduced in the 1.2 series and
        the regressions caused by the 1.2.2 release. Closes: #596205
      * debian/control:
        - depend on language packs for en_US.utf8 locales required for unit tests.
      * debian/rules:
        - re-enable build time tests.
        - set LC_ALL to en_US.utf8 for test suite.
      * debian/patches/series:
        - two new patches: 05_fix_regression_tests.diff and
          06_fix_regression_tests.diff backported from 1.2.x branch to fix
          test suite failures.
    
      [ Raphaël Hertzog ]
      * Update Standards-Version to 3.9.1.
      * Drop "--with quilt" and quilt build-dependency since the package is
        already using source format "3.0 (quilt)".
     -- Jamie Strandboge <email address hidden>   Tue, 12 Oct 2010 11:34:35 -0500
  • python-django (1.2.1-1) unstable; urgency=low
    
      * New upstream bugfix release.
     -- Thomas Bechtold <email address hidden>   Tue,  08 Jun 2010 23:35:34 +0100
  • python-django (1.2-1) unstable; urgency=low
    
      * New upstream stable release.
    
    python-django (1.2~rc1-1) experimental; urgency=low
    
      * New upstream release candidate.
      * Remove "02-embedded_code_copies.diff" - not needed anymore.
      * Refresh "01_disable_url_verify_regression_tests.diff".
      * Refresh "04_hyphen-manpage.diff".
      * Temporarily disable test runner due to failing date-related tests.
    
    python-django (1.2~beta1-1) experimental; urgency=low
    
      * New upstream development release.
      * Switch to dpkg-source 3.0 (quilt) format
      * Bump Standards-Version to 3.8.4.
      * Remove "0.96 -> 1.x" NEWS entry.
      * jQuery added to admin system upstream:
        - Add libjs-jquery to python-django's Recommends
        - Use symlinks so we use the version from libjs-jquery over an embedded code
          copy.
    
    python-django (1.2~alpha1-1) experimental; urgency=low
    
      * New upstream development release:
    
         This is the first in a series of preview/development releases leading up
         to the eventual release of Django 1.2, currently scheduled to take place
         in March 2010.
    
         <http://docs.djangoproject.com/en/dev//releases/1.2-alpha-1/>
    
      * Update "01_disable_url_verify_regression_tests.diff" - tests now use the
        unittest module instead of doctests.
      * Update "02-embedded_code_copies.diff".
      * Remove "05_ftbfs_in_november.diff" - applied upstream.
      * Remove "06_python_2.6.3_regression.diff" - applied upstream.
      * Update dh_auto_test - database engine is set differently in 1.2.
      * Remove useless ._DS_Store files.
     -- Christoph Egger <email address hidden>   Fri, 21 May 2010 07:52:55 +0100
  • python-django (1.1.1-2ubuntu1) lucid; urgency=low
    
      * Fix django test client cookie handling (LP: #513719)
     -- Elliot Murphy <email address hidden>   Fri, 29 Jan 2010 13:01:27 -0500