-
python-django (1.4.1-2ubuntu0.7) quantal-security; urgency=medium
* SECURITY UPDATE: cache coherency problems in old Internet Explorer
compatibility functions lead to loss of privacy and cache poisoning
attacks. (LP: #1317663)
- debian/patches/drop_fix_ie_for_vary_1_4.diff: remove fix_IE_for_vary()
and fix_IE_for_attach() functions so Cache-Control and Vary headers are
no longer modified. This may introduce some regressions for IE 6 and IE 7
users. Patch from upstream.
- CVE-2014-1418
* SECURITY UPDATE: The validation for redirects did not correctly validate
some malformed URLs, which are accepted by some browsers. This allows a
user to be redirected to an unsafe URL unexpectedly.
- debian/patches/is_safe_url_1_4.diff: Forbid URLs starting with '///',
forbid URLs without a host but with a path. Patch from upstream.
-- Seth Arnold <email address hidden> Wed, 14 May 2014 11:05:38 -0700
-
python-django (1.4.1-2ubuntu0.6) quantal-security; urgency=medium
* SECURITY REGRESSION: security fix regression when a view is a partial
(LP: #1311433)
- debian/patches/CVE-2014-0472-regression.patch: create the lookup_str
from the original function whenever a partial is provided as an
argument to a url pattern in django/core/urlresolvers.py,
added tests to tests/regressiontests/urlpatterns_reverse/urls.py,
tests/regressiontests/urlpatterns_reverse/views.py.
- CVE-2014-0472
-- Marc Deslauriers <email address hidden> Tue, 22 Apr 2014 23:14:35 -0400
-
python-django (1.4.1-2ubuntu0.5) quantal-security; urgency=medium
* SECURITY UPDATE: unexpected code execution using reverse()
(LP: #1309779)
- debian/patches/CVE-2014-0472.patch: added filtering to
django/core/urlresolvers.py, added tests to
tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
tests/regressiontests/urlpatterns_reverse/tests.py,
tests/regressiontests/urlpatterns_reverse/urls.py,
tests/regressiontests/urlpatterns_reverse/views.py.
- CVE-2014-0472
* SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
(LP: #1309782)
- debian/patches/CVE-2014-0473.patch: don't cache responses with a
cookie in django/middleware/cache.py, added tests to
tests/regressiontests/cache/tests.py.
- CVE-2014-0473
* SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
- debian/patches/CVE-2014-0474.patch: convert arguments to correct
type in django/db/models/fields/__init__.py, updated docs in
docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
tests/regressiontests/model_fields/tests.py.
- CVE-2014-0474
* debian/patches/fix_test_ftbfs.patch: fix ftbfs with upstream commit.
-- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 09:12:33 -0400
-
python-django (1.4.1-2ubuntu0.4) quantal-security; urgency=low
* SECURITY UPDATE: denial of service via long passwords (LP: #1225784)
- debian/patches/CVE-2013-1443.patch: enforce a maximum password length
in django/contrib/auth/forms.py, django/contrib/auth/hashers.py,
django/contrib/auth/tests/hashers.py.
- CVE-2013-1443
* SECURITY UPDATE: directory traversal with ssi template tag
- debian/patches/CVE-2013-4315.patch: properly check absolute path in
django/template/defaulttags.py,
tests/regressiontests/templates/tests.py.
- CVE-2013-4315
* SECURITY UPDATE: possible XSS via is_safe_url
- debian/patches/security-is_safe_url.patch: properly reject URLs which
specify a scheme other then HTTP or HTTPS.
- https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
- No CVE number
* debian/patches/fix-validation-tests.patch: fix regression in tests
since example.com is now available via https.
-- Marc Deslauriers <email address hidden> Fri, 20 Sep 2013 09:05:04 -0400
-
python-django (1.4.1-2ubuntu0.3) quantal-security; urgency=low
* SECURITY UPDATE: host header poisoning (LP: #1089337)
- debian/patches/fix_get_host.patch: tighten host header validation in
django/http/__init__.py, add info to docs/topics/security.txt, add
tests to tests/regressiontests/requests/tests.py.
- https://www.djangoproject.com/weblog/2012/dec/10/security/
- No CVE number
* SECURITY UPDATE: redirect poisoning (LP: #1089337)
- debian/patches/fix_redirect_poisoning.patch: tighten validation in
django/contrib/auth/views.py,
django/contrib/comments/views/comments.py,
django/contrib/comments/views/moderation.py,
django/contrib/comments/views/utils.py, django/utils/http.py,
django/views/i18n.py, add tests to
tests/regressiontests/comment_tests/tests/comment_view_tests.py,
tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
tests/regressiontests/views/tests/i18n.py.
- https://www.djangoproject.com/weblog/2012/dec/10/security/
- No CVE number
* SECURITY UPDATE: host header poisoning (LP: #1130445)
- debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
to django/conf/global_settings.py,
django/conf/project_template/project_name/settings.py,
django/contrib/auth/tests/views.py,
django/contrib/contenttypes/tests.py, django/contrib/sites/tests.py,
django/http/__init__.py, django/test/utils.py, add docs to
docs/ref/settings.txt, docs/topics/security.txt, add tests to
tests/regressiontests/csrf_tests/tests.py,
tests/regressiontests/requests/tests.py.
- https://www.djangoproject.com/weblog/2013/feb/19/security/
- No CVE number
* SECURITY UPDATE: XML attacks (LP: #1130445)
- debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
and external entities/DTDs in
django/core/serializers/xml_serializer.py, add tests to
tests/regressiontests/serializers_regress/tests.py.
- https://www.djangoproject.com/weblog/2013/feb/19/security/
- CVE-2013-1664
- CVE-2013-1665
* SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
- debian/patches/CVE-2013-0305.patch: add permission checks to history
view in django/contrib/admin/options.py, add tests to
tests/regressiontests/admin_views/tests.py.
- https://www.djangoproject.com/weblog/2013/feb/19/security/
- CVE-2013-0305
* SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
- debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
docs/topics/forms/modelforms.txt, add tests to
tests/regressiontests/forms/tests/formsets.py,
tests/regressiontests/generic_inline_admin/tests.py.
- https://www.djangoproject.com/weblog/2013/feb/19/security/
- CVE-2013-0306
-- Marc Deslauriers <email address hidden> Mon, 04 Mar 2013 08:28:36 -0500
-
python-django (1.4.1-2ubuntu0.2) quantal-security; urgency=low
* Add additional tests for CVE-2012-4520
- debian/patches/CVE-2012-4520-additional-tests.diff: add various poisoned
host header test material
* Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py
- debian/patches/lp1080204.diff: Isolate poisoned_http_host tests from 500
- https://code.djangoproject.com/ticket/19172
- LP: #1080204
-- Jamie Strandboge <email address hidden> Mon, 19 Nov 2012 14:16:05 -0600
-
python-django (1.4.1-2ubuntu0.1) quantal-security; urgency=low
* SECURITY UPDATE: fix Host header poisoning
- debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
raise django.core.exceptions.SuspiciousOperation if Host headers contain
potentially dangerous content. Patch thanks to Mackenzie Morgan.
- CVE-2012-4520
- LP: #1068486
* debian/patches/docs-update-httponly-cookie.diff: update documentation of
HttpOnly cookie option to correctly describe changes to 1.4
-- Jamie Strandboge <email address hidden> Fri, 09 Nov 2012 15:53:27 -0600
-
python-django (1.4.1-2) unstable; urgency=low
* New patch 01_use_stdlib_htmlparser_when_possible.diff to not override
Python stdlib's HTMLParser with Python versions which are unaffected by
http://bugs.python.org/issue670664 Closes: #683648
Thanks to David Watson <email address hidden> for the patch.
* Update the above patch to use the version committed upstream (commit
57d9ccc).
-- Raphaël Hertzog <email address hidden> Tue, 21 Aug 2012 08:42:10 +0200
-
python-django (1.4.1-1) unstable; urgency=low
* New upstream security and maintenance release. Closes: #683364
Fixes: CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
* Drop 01_disable_broken_test.diff and 04_hyphen-manpage.diff which
have been merged upstream.
-- Raphaël Hertzog <email address hidden> Thu, 02 Aug 2012 10:44:02 +0200
-
python-django (1.4-1) unstable; urgency=low
* New upstream release. Closes: #666003
* Fix watch file to correctly extract the version number from the URL.
* Updated Standards-Version to 3.9.3 (no change needed).
* Drop 01_disable_url_verify_regression_tests.diff since upstream test
suite has been modified to work even without internet connection.
* Update 04_hyphen-manpage.diff to apply again.
* Drop 05_fix_djangodocs_sphinx_ext.diff which has been merged
upstream.
* Update 06_use_debian_geoip_database_as_default.diff to apply on
renamed file.
* Drop 07_fix_for_sphinx1.1.2.diff merged upstream.
* Drop 08_fix_test_week_view_allow_future.diff, merged upstream.
* Add 01_disable_broken_test.diff to disable a test that fails with
the current python 2.7 version in Debian.
-- Raphaël Hertzog <email address hidden> Sat, 31 Mar 2012 14:48:00 +0200
-
python-django (1.3.1-4ubuntu1) precise; urgency=low
* Merge with Debian. Remaining changes:
- 09_test_view_decorator_sleep.diff increases the sleep time to
reduce race condition effects on build machines.
https://code.djangoproject.com/ticket/16686 (LP: #829487)
* debian/patches/{psycopg2_creation.diff,compat-psycopg2-plus2.4.2.diff}:
- New patches, resolve compatibility with psycopg2 > 2.4.1, patches
based on upstream submissions, rebasing courtesy of Dave Pifke.
- LP: #905837
python-django (1.3.1-4) unstable; urgency=medium
* Add 08_fix_test_week_view_allow_future.diff to fix a regression test that
only worked in 2011. Closes: #655666
python-django (1.3.1-3) unstable; urgency=low
* Add 06_use_debian_geoip_database_as_default.diff to use the default
location of the GeoIP database used by the Debian package
geoip-database-contrib. Closes: #645094
Add this package to suggests. Thanks to Tapio Rantala
<email address hidden> for the patch.
* Bump build-dep on python-sphinx to 1.0.8 to ensure we have a version
where #641710 is fixed. Closes: #647134
* Add 07_fix_for_sphinx1.1.2.diff to fix build with Sphinx 1.1.2. Thanks to
Jakub Wilk for the advance warning. Closes: #649624
python-django (1.3.1-2) unstable; urgency=low
* Update Build-Depends on locales to included a version requirement
so that locales-all cannot satisfy it with its Provides: locales.
Thanks to Jakub Wilk for the suggestion.
* Enable 02_disable-sources-in-sphinxdoc.diff since #641710 has been
fixed.
* Add 05_fix_djangodocs_sphinx_ext.diff to support Sphinx 1.0.8.
Closes: #643758
-- Dave Walker (Daviey) <email address hidden> Fri, 17 Feb 2012 14:59:51 +0000
