Ubuntu

Change logs for “python-django” source package in Precise

  • python-django (1.3.1-4ubuntu1.8) precise-security; urgency=low
    
      * SECURITY UPDATE: denial of service via long passwords (LP: #1225784)
        - debian/patches/CVE-2013-1443.patch: enforce a maximum password length
          in django/contrib/auth/forms.py, django/contrib/auth/models.py,
          django/contrib/auth/tests/basic.py.
        - CVE-2013-1443
      * SECURITY UPDATE: directory traversal with ssi template tag
        - debian/patches/CVE-2013-4315.patch: properly check absolute path in
          django/template/defaulttags.py,
          tests/regressiontests/templates/tests.py.
        - CVE-2013-4315
      * SECURITY UPDATE: possible XSS via is_safe_url
        - debian/patches/security-is_safe_url.patch: properly reject URLs which
          specify a scheme other then HTTP or HTTPS.
        - https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
        - No CVE number
     -- Marc Deslauriers <email address hidden>   Fri, 20 Sep 2013 09:20:38 -0400
  • python-django (1.3.1-4ubuntu1.7) precise-proposed; urgency=low
    
      [ Julian Edwards ]
      * debian/patches:
        - prefetch_related.diff: Backport prefetch_related from 1.4 (LP: #1081388)
        - bug15496-base64-multipart-fix.diff: Include fix for upstream bug #15496
          which makes 'Content-Transfer-Encoding: base64: work for multipart
          messages. (LP: #1081392)
     -- Andres Rodriguez <email address hidden>   Thu, 07 Mar 2013 17:27:06 -0500
  • python-django (1.3.1-4ubuntu1.6) precise-security; urgency=low
    
      * SECURITY UPDATE: host header poisoning (LP: #1089337)
        - debian/patches/fix_get_host.patch: tighten host header validation in
          django/http/__init__.py, add tests to
          tests/regressiontests/requests/tests.py.
        - https://www.djangoproject.com/weblog/2012/dec/10/security/
        - No CVE number
      * SECURITY UPDATE: redirect poisoning (LP: #1089337)
        - debian/patches/fix_redirect_poisoning.patch: tighten validation in
          django/contrib/auth/views.py,
          django/contrib/comments/views/comments.py,
          django/contrib/comments/views/moderation.py,
          django/contrib/comments/views/utils.py, django/utils/http.py,
          django/views/i18n.py, add tests to
          tests/regressiontests/comment_tests/tests/comment_view_tests.py,
          tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
          tests/regressiontests/views/tests/i18n.py.
        - https://www.djangoproject.com/weblog/2012/dec/10/security/
        - No CVE number
      * SECURITY UPDATE: host header poisoning (LP: #1130445)
        - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
          to django/conf/global_settings.py,
          django/conf/project_template/settings.py,
          django/http/__init__.py, django/test/utils.py, add docs to
          docs/ref/settings.txt, add tests to
          tests/regressiontests/requests/tests.py.
        - https://www.djangoproject.com/weblog/2013/feb/19/security/
        - No CVE number
      * SECURITY UPDATE: XML attacks (LP: #1130445)
        - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
          and external entities/DTDs in
          django/core/serializers/xml_serializer.py, add tests to
          tests/regressiontests/serializers_regress/tests.py.
        - https://www.djangoproject.com/weblog/2013/feb/19/security/
        - CVE-2013-1664
        - CVE-2013-1665
      * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
        - debian/patches/CVE-2013-0305.patch: add permission checks to history
          view in django/contrib/admin/options.py, add tests to
          tests/regressiontests/admin_views/tests.py.
        - https://www.djangoproject.com/weblog/2013/feb/19/security/
        - CVE-2013-0305
      * SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
        - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
          django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
          docs/topics/forms/modelforms.txt, add tests to
          tests/regressiontests/forms/tests/formsets.py.
        - https://www.djangoproject.com/weblog/2013/feb/19/security/
        - CVE-2013-0306
     -- Marc Deslauriers <email address hidden>   Mon, 04 Mar 2013 10:13:59 -0500
  • python-django (1.3.1-4ubuntu1.5) precise-proposed; urgency=low
    
      [ Julian Edwards ]
      * debian/patches:
        - genericipaddressfield.diff: Backport GenericIPAddressField
          from 1.4 (LP: #1081391)
        - prefetch_related.diff: Backport prefetch_related from 1.4 (LP: #1081388)
        - bug15496-base64-multipart-fix.diff: Include fix for upstream bug #15496
          which makes 'Content-Transfer-Encoding: base64: work for multipart
          messages. (LP: #1081392)
     -- Andres Rodriguez <email address hidden>   Tue, 20 Nov 2012 16:00:41 -0500
  • python-django (1.3.1-4ubuntu1.4) precise-security; urgency=low
    
      * Add additional tests for CVE-2012-4520
        - debian/patches/CVE-2012-4520-additional-tests.diff: add various poisoned
          host header test material
      * Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py
        - debian/patches/lp1080204.diff: Isolate poisoned_http_host tests from 500
        - https://code.djangoproject.com/ticket/19172
        - LP: #1080204
     -- Jamie Strandboge <email address hidden>   Mon, 19 Nov 2012 15:12:35 -0600
  • python-django (1.3.1-4ubuntu1.3) precise-security; urgency=low
    
      * SECURITY UPDATE: fix Host header poisoning
        - debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
          raise django.core.exceptions.SuspiciousOperation if Host headers contain
          potentially dangerous content. Patch thanks to Mackenzie Morgan.
        - CVE-2012-4520
        - LP: #1068486
     -- Jamie Strandboge <email address hidden>   Fri, 09 Nov 2012 15:56:15 -0600
  • python-django (1.3.1-4ubuntu1.2) precise-security; urgency=high
    
      [ Scott Kitterman ]
      * SECURITY UPDATE: multiple issues (LP: #1031733)
      * References CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
        https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
      * New upstream release to address three security issues:
        - Cross-site scripting in authentication views
        - Denial-of-service in image validation
        - Denial-of-service via get_image_dimensions()
      * Added debian/patches/security_http_redirects,
        security_image_uploading_two, and security_image_uploading cherry picked
        from upstream git
    
      [ Marc Deslauriers ]
      * debian/patches/security_http_redirects: remove unrelated changes, add
        python 2.4 regression fix.
     -- Marc Deslauriers <email address hidden>   Thu, 06 Sep 2012 08:36:28 -0400
  • python-django (1.3.1-4ubuntu1) precise; urgency=low
    
      * Merge with Debian.  Remaining changes:
        - 09_test_view_decorator_sleep.diff increases the sleep time to
          reduce race condition effects on build machines.
          https://code.djangoproject.com/ticket/16686  (LP: #829487)
      * debian/patches/{psycopg2_creation.diff,compat-psycopg2-plus2.4.2.diff}:
        - New patches, resolve compatibility with psycopg2 > 2.4.1, patches
          based on upstream submissions, rebasing courtesy of Dave Pifke.
        - LP: #905837
    
    python-django (1.3.1-4) unstable; urgency=medium
    
      * Add 08_fix_test_week_view_allow_future.diff to fix a regression test that
        only worked in 2011. Closes: #655666
    
    python-django (1.3.1-3) unstable; urgency=low
    
      * Add 06_use_debian_geoip_database_as_default.diff to use the default
        location of the GeoIP database used by the Debian package
        geoip-database-contrib. Closes: #645094
        Add this package to suggests. Thanks to Tapio Rantala
        <email address hidden> for the patch.
      * Bump build-dep on python-sphinx to 1.0.8 to ensure we have a version
        where #641710 is fixed. Closes: #647134
      * Add 07_fix_for_sphinx1.1.2.diff to fix build with Sphinx 1.1.2. Thanks to
        Jakub Wilk for the advance warning. Closes: #649624
    
    python-django (1.3.1-2) unstable; urgency=low
    
      * Update Build-Depends on locales to included a version requirement
        so that locales-all cannot satisfy it with its Provides: locales.
        Thanks to Jakub Wilk for the suggestion.
      * Enable 02_disable-sources-in-sphinxdoc.diff since #641710 has been
        fixed.
      * Add 05_fix_djangodocs_sphinx_ext.diff to support Sphinx 1.0.8.
        Closes: #643758
     -- Dave Walker (Daviey) <email address hidden>   Fri, 17 Feb 2012 14:59:51 +0000
  • python-django (1.3.1-1ubuntu1) precise; urgency=low
    
      * Merge with Debian.  Remaining changes:
        - 09_test_view_decorator_sleep.diff increases the sleep time to
          reduce race condition effects on build machines.
          https://code.djangoproject.com/ticket/16686  (LP: #829487)
     -- Barry Warsaw <email address hidden>   Wed, 19 Oct 2011 10:13:01 -0400
  • python-django (1.3.1-1) unstable; urgency=low
    
    
      * New upstream release. It includes security updates described here:
        https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
        Closes: #641405
      * Update 01_disable_url_verify_regression_tests.diff and merge
        07_disable_url_verify_model_tests.diff into it.
      * Update patch headers to conform to DEP-3.
      * Apply patch from Steve Langasek to dynamically build the UTF-8
        locale required by the test-suite instead of build-depending on
        locales-all. Closes: #630421
      * Use "dh --with sphinxdoc" to clean up the Sphinx generated documentation
        and avoid the embedded-javascript-library lintian warning. Build-Depends
        on python-sphinx >= 1.0.7+dfsg-1 for this and also add
        ${sphinxdoc:Depends} to python-django-doc Depends field.
      * Cleanup build-dependencies now that even oldstable has python 2.5.
      * Switch to dh_python2 as python helper tool. Drop legacy files
        debian/pyversions and debian/pycompat.
      * New patch 02_disable-sources-in-sphinxdoc.diff to not generate
        the _sources directory that we used to remove manually within the rules
        file. But must be kept disabled until #641710 is fixed.
      * Properly support DEB_BUILD_OPTIONS=nocheck despite the override
        of dh_auto_test.
    
     -- Raphaël Hertzog <email address hidden>  Thu, 15 Sep 2011 12:43:51 +0200
  • python-django (1.3-2ubuntu1) oneiric; urgency=low
    
      * 09_test_view_decorator_sleep.diff increases the sleep time to
        reduce race condition effects on build machines.
        https://code.djangoproject.com/ticket/16686  (LP: #829487)
      * Remove build-dep on locales-all which isn't in the Ubuntu archive.
     -- Barry Warsaw <email address hidden>   Tue, 23 Aug 2011 17:57:46 -0400