python-django (1.6.11-0ubuntu1.3) trusty-security; urgency=medium

  * SECURITY UPDATE: content spoofing in the default 404 page
    - debian/patches/CVE-2019-3498.patch: properly quote string in
      django/views/defaults.py.
    - CVE-2019-3498

 -- Marc Deslauriers <email address hidden>  Tue, 08 Jan 2019 14:00:29 -0500
python-django (1.6.11-0ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS in urlize and urlizetrunc template filters
    - debian/patches/CVE-2018-7536.patch: fix backtracking in
      django/utils/html.py, add test to tests/utils_tests/test_html.py.
    - CVE-2018-7536
  * SECURITY UPDATE: DoS in truncatechars_html and truncatewords_html
    template filters
    - debian/patches/CVE-2018-7537.patch: fix backtracking in
      django/utils/text.py, add test to tests/utils_tests/test_text.py.
    - CVE-2018-7537

 -- Marc Deslauriers <email address hidden>  Mon, 05 Mar 2018 15:52:37 +0100
python-django (1.6.11-0ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Open redirect and possible XSS attack via
    user-supplied numeric redirect URLs
    - debian/patches/CVE-2017-7233.patch: fix is_safe_url() with numeric
      URLs in django/utils/http.py, added tests to
      tests/utils_tests/test_http.py.
    - CVE-2017-7233
  * SECURITY UPDATE: Open redirect vulnerability in
    django.views.static.serve()
    - debian/patches/CVE-2017-7234.patch: remove redirect from
      django/views/static.py.
    - CVE-2017-7234

 -- Marc Deslauriers <email address hidden>  Wed, 29 Mar 2017 07:38:12 -0400
python-django (1.6.11-0ubuntu1) trusty; urgency=medium

  * Update to final upstream 1.6 microrelease (LP: #1644346)
  * Drop patches included upstream:
    - debian/patches/07_translation_encoding_fix.diff, ticket21869.diff,
      CVE-2014-0472.patch, CVE-2014-0473.patch, CVE-2014-0474.patch,
      CVE-2014-0472-regression.patch, drop_fix_ie_for_vary_1_6.diff,
      is_safe_url_1_6.diff, CVE-2014-0480.patch, CVE-2014-0481.patch,
      CVE-2014-0482.patch, CVE-2014-0483.patch, CVE-2014-0483-bug23329.patch,
      CVE-2014-0483-bug23431.patch, CVE-2015-0219.patch, CVE-2015-0220.patch,
      CVE-2015-0221.patch, CVE-2015-0222.patch, CVE-2015-2316.patch, and
      CVE-2015-2317.patch

 -- Scott Kitterman <email address hidden>  Wed, 23 Nov 2016 14:41:31 -0500
python-django (1.6.1-2ubuntu0.16) trusty-security; urgency=medium

  * SECURITY UPDATE: user with hardcoded password created when running
    tests on Oracle
    - debian/patches/CVE-2016-9013.patch: remove hardcoded password in
      django/db/backends/oracle/creation.py, added note to
      docs/ref/settings.txt.
    - CVE-2016-9013
  * SECURITY UPDATE: DNS rebinding vulnerability when DEBUG=True
    - debian/patches/CVE-2016-9014.patch: properly check ALLOWED_HOSTS in
      django/http/request.py, updated docs/ref/settings.txt, added test to
      tests/requests/tests.py.
    - CVE-2016-9014

 -- Marc Deslauriers <email address hidden>  Mon, 31 Oct 2016 10:14:20 -0400
python-django (1.6.1-2ubuntu0.15) trusty-security; urgency=medium

  * SECURITY UPDATE: CSRF protection bypass on a site with Google Analytics
    - debian/patches/CVE-2016-7401.patch: simplify cookie parsing in
      django/http/cookie.py, add tests to tests/httpwrappers/tests.py,
      tests/requests/tests.py.
    - CVE-2016-7401

 -- Marc Deslauriers <email address hidden>  Mon, 26 Sep 2016 07:36:53 -0400
python-django (1.6.1-2ubuntu0.14) trusty-security; urgency=medium

  * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
    - debian/patches/CVE-2016-2512-regression.patch: updated to final
      upstream fix.
    - CVE-2016-2512

 -- Marc Deslauriers <email address hidden>  Mon, 07 Mar 2016 08:50:01 -0500
python-django (1.6.1-2ubuntu0.13) trusty-security; urgency=medium

  * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
    - debian/patches/CVE-2016-2512-regression.patch: force url to unicode
      in django/utils/http.py, added test to
      tests/utils_tests/test_http.py.
    - CVE-2016-2512

 -- Marc Deslauriers <email address hidden>  Fri, 04 Mar 2016 11:07:40 -0500
python-django (1.6.1-2ubuntu0.12) trusty-security; urgency=medium

  * SECURITY UPDATE: malicious redirect and possible XSS attack via
    user-supplied redirect URLs containing basic auth
    - debian/patches/CVE-2016-2512.patch: prevent spoofing in
      django/utils/http.py, added test to tests/utils_tests/test_http.py.
    - CVE-2016-2512
  * SECURITY UPDATE: user enumeration through timing difference on password
    hasher work factor upgrade
    - debian/patches/CVE-2016-2513.patch: fix timing in
      django/contrib/auth/hashers.py, added note to
      docs/topics/auth/passwords.txt, added tests to
      django/contrib/auth/tests/test_hashers.py.
    - debian/control: added python-mock to Build-Depends
    - CVE-2016-2513

 -- Marc Deslauriers <email address hidden>  Thu, 25 Feb 2016 14:41:20 -0500
python-django (1.6.1-2ubuntu0.11) trusty-security; urgency=medium

  * SECURITY UPDATE: Settings leak possibility in date template filter
    - debian/patches/CVE-2015-8213.patch: check format type in
      django/utils/formats.py, added test to tests/i18n/tests.py.
    - CVE-2015-8213

 -- Marc Deslauriers <email address hidden>  Wed, 18 Nov 2015 15:15:27 -0500
python-django (1.6.1-2ubuntu0.10) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service by filling session store
    - debian/patches/CVE-2015-596x.patch: don't create empty sessions in
      django/contrib/sessions/backends/base.py,
      django/contrib/sessions/backends/cached_db.py,
      django/contrib/sessions/middleware.py, added tests to
      django/contrib/sessions/tests.py, updated docs in
      docs/topics/http/sessions.txt.
    - CVE-2015-5963
    - CVE-2015-5964

 -- Marc Deslauriers <email address hidden>  Thu, 13 Aug 2015 11:49:44 -0400
python-django (1.6.1-2ubuntu0.9) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via empty session records
    - debian/patches/CVE-2015-5143.patch: avoid creating a session record
      when loading the session in
      django/contrib/sessions/backends/cache.py,
      django/contrib/sessions/backends/cached_db.py,
      django/contrib/sessions/backends/db.py,
      django/contrib/sessions/backends/file.py,
      added test to django/contrib/sessions/tests.py.
    - CVE-2015-5143
  * SECURITY UPDATE: header injection via newlines
    - debian/patches/CVE-2015-5144.patch: check for newlines in
      django/core/validators.py, added tests to tests/validators/tests.py.
    - CVE-2015-5144

 -- Marc Deslauriers <email address hidden>  Thu, 02 Jul 2015 11:34:04 -0400
python-django (1.6.1-2ubuntu0.8) trusty-security; urgency=medium

  * SECURITY UPDATE: denial-of-service possibility with strip_tags
    - debian/patches/CVE-2015-2316.patch: improve and fix infinite loop
      possibility in django/utils/html.py, added tests to
      tests/utils_tests/test_html.py, clarified documentation in
      docs/ref/templates/builtins.txt, docs/ref/utils.txt.
    - CVE-2015-2316
  * SECURITY UPDATE: XSS attack via user-supplied redirect URLs
    - debian/patches/CVE-2015-2317.patch: reject URLs that start with
      control characters in django/utils/http.py, added test to
      tests/utils_tests/test_http.py.
    - CVE-2015-2317

 -- Marc Deslauriers <email address hidden>  Fri, 20 Mar 2015 10:34:50 -0400
python-django (1.6.1-2ubuntu0.7) trusty-proposed; urgency=medium

  * SRU LP: #1433376.
  * tests/utils_tests/test_jslex.py: Fix file encoding for python 2.7.9.

 -- Matthias Klose <email address hidden>  Wed, 18 Mar 2015 01:54:55 +0100
python-django (1.6.1-2ubuntu0.6) trusty-security; urgency=medium

  * SECURITY UPDATE: WSGI header spoofing via underscore/dash conflation
    - debian/patches/CVE-2015-0219.patch: strip headers with underscores in
      django/core/servers/basehttp.py, added blurb to
      docs/howto/auth-remote-user.txt, added test to
      tests/servers/test_basehttp.py.
    - CVE-2015-0219
  * SECURITY UPDATE: Mitigated possible XSS attack via user-supplied
    redirect URLs
    - debian/patches/CVE-2015-0220.patch: filter url in
      django/utils/http.py, added test to tests/utils_tests/test_http.py.
    - CVE-2015-0220
  * SECURITY UPDATE: Denial-of-service attack against
    django.views.static.serve
    - debian/patches/CVE-2015-0221.patch: limit large files in
      django/views/static.py, added test to
      tests/view_tests/media/long-line.txt,
      tests/view_tests/tests/test_static.py.
    - CVE-2015-0221
  * SECURITY UPDATE: Database denial-of-service with
    ModelMultipleChoiceField
    - debian/patches/CVE-2015-0222.patch: check values in
      django/forms/models.py, added test to tests/model_forms/tests.py.
    - CVE-2015-0222

 -- Marc Deslauriers <email address hidden>  Tue, 13 Jan 2015 07:47:48 -0500
python-django (1.6.1-2ubuntu0.5) trusty-proposed; urgency=medium

  * debian/patches/99_fix_multipart_base64_decoding_large_files.patch:
    Fix Multipart base64 file decoding with large files, ensuring that the
    actual base64 content has a length that is a multiple of 4. (LP: #1363348)
  * debian/patches/

 -- Andres Rodriguez <email address hidden>  Thu, 18 Sep 2014 17:46:45 -0500
python-django (1.6.1-2ubuntu0.4) trusty-security; urgency=medium

  * SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
    - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
      URLs pointing to other hosts in django/core/urlresolvers.py, added
      tests to tests/urlpatterns_reverse/{tests,urls}.py.
    - CVE-2014-0480
  * SECURITY UPDATE: denial of service via file upload handling
    - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
      django/core/files/storage.py, updated docs in
      docs/howto/custom-file-storage.txt, docs/ref/files/storage.txt,
      added tests to tests/file_storage/tests.py, tests/files/tests.py.
    - CVE-2014-0481
  * SECURITY UPDATE: web session hijack via REMOTE_USER header
    - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
      logout on REMOTE_USER change in django/contrib/auth/middleware.py,
      added test to django/contrib/auth/tests/test_remote_user.py.
    - CVE-2014-0482
  * SECURITY UPDATE: data leak in contrib.admin via query string manipulation
    - debian/patches/CVE-2014-0483.patch: validate to_field in
      django/contrib/admin/{options,exceptions}.py,
      django/contrib/admin/views/main.py, added docs to
      docs/ref/exceptions.txt, added tests to tests/admin_views/tests.py.
    - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
      django/contrib/admin/options.py, added tests to
      tests/admin_views/{admin,models,tests}.py.
    - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
      django/contrib/admin/options.py, added tests to
      tests/admin_views/{admin,models,tests}.py.
    - CVE-2014-0483

 -- Marc Deslauriers <email address hidden>  Tue, 09 Sep 2014 13:37:23 -0400
python-django (1.6.1-2ubuntu0.3) trusty-security; urgency=medium

  * SECURITY UPDATE: cache coherency problems in old Internet Explorer
    compatibility functions lead to loss of privacy and cache poisoning
    attacks. (LP: #1317663)
    - debian/patches/drop_fix_ie_for_vary_1_6.diff: remove fix_IE_for_vary()
      and fix_IE_for_attach() functions so Cache-Control and Vary headers are
      no longer modified. This may introduce some regressions for IE 6 and IE 7
      users. Patch from upstream.
    - CVE-2014-1418
  * SECURITY UPDATE: The validation for redirects did not correctly validate
    some malformed URLs, which are accepted by some browsers. This allows a
    user to be redirected to an unsafe URL unexpectedly.
    - debian/patches/is_safe_url_1_6.diff: Forbid URLs starting with '///',
      forbid URLs without a host but with a path. Patch from upstream.

 -- Seth Arnold <email address hidden>  Wed, 14 May 2014 10:27:37 -0700
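Added example, not part of the changelog and not Django's own code: an illustrative redirect-target validator that applies the rules the is_safe_url_1_6.diff, CVE-2015-2317 and CVE-2016-2512 entries describe (reject '///' prefixes, a scheme with no host, a leading control character, and credential-style spoofing). It goes one step beyond the changelog text by checking the URL both as given and with backslashes read as slashes, which is how browsers treat them; the host name and sample URLs are constructed for the demo.

```python
import unicodedata
from urllib.parse import urlparse

# Illustrative reimplementation of the redirect checks, not Django's code.
ALLOWED_SCHEMES = ("http", "https")


def _check_one_form(url, host):
    """Apply the rules to one spelling of the URL (see is_safe_redirect)."""
    # Browsers treat three or more leading slashes as an absolute URL,
    # urlparse does not, so refuse them outright.
    if url.startswith("///"):
        return False
    # Browsers ignore leading control characters, which can turn
    # "\x08//evil" into a scheme-relative URL; refuse a leading control char.
    if unicodedata.category(url[0])[0] == "C":
        return False
    info = urlparse(url)
    # "http:///example.com": a scheme but no host. urlparse puts example.com
    # in the path while browsers treat it as the host.
    if info.scheme and not info.netloc:
        return False
    host_ok = not info.netloc or info.netloc == host
    scheme_ok = not info.scheme or info.scheme in ALLOWED_SCHEMES
    return host_ok and scheme_ok


def is_safe_redirect(url, host):
    """True only if redirecting to url keeps the user on host."""
    url = (url or "").strip()
    if not url:
        return False
    # Check the URL as given and with backslashes turned into slashes: some
    # browsers treat "\" as "/" while urlparse keeps it, so "\\evil.example"
    # looks like a harmless relative path to urlparse alone.
    return (_check_one_form(url, host)
            and _check_one_form(url.replace("\\", "/"), host))


# Constructed sample targets for a request whose host is mysite.example.com.
SAMPLES = {
    "/accounts/profile/": True,
    "https://mysite.example.com/next": True,
    "///attacker.example": False,       # three-slash absolute URL
    "http:///attacker.example": False,  # scheme without host
    "\x08//attacker.example": False,    # leading control character
    "\\\\attacker.example": False,      # backslashes become // in browsers
    "javascript:alert(1)": False,       # disallowed scheme
}
```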
python-django (1.6.1-2ubuntu0.2) trusty-security; urgency=medium

  * SECURITY REGRESSION: security fix regression when a view is a partial
    (LP: #1311433)
    - debian/patches/CVE-2014-0472-regression.patch: create the lookup_str
      from the original function whenever a partial is provided as an
      argument to a url pattern in django/core/urlresolvers.py,
      added tests to tests/urlpatterns_reverse/urls.py,
      tests/urlpatterns_reverse/views.py.
    - CVE-2014-0472

 -- Marc Deslauriers <email address hidden>  Tue, 22 Apr 2014 23:05:51 -0400
python-django (1.6.1-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/urlpatterns_reverse/nonimported_module.py,
      tests/urlpatterns_reverse/tests.py,
      tests/urlpatterns_reverse/urls.py,
      tests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py, added tests to
      tests/cache/tests.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/model_fields/tests.py.
    - CVE-2014-0474

 -- Marc Deslauriers <email address hidden>  Sat, 19 Apr 2014 08:50:48 -0400
python-django (1.6.1-2) unstable; urgency=medium

  * Team upload.
  * d/patches/ticket21869.diff: Cherry pick upstream fix for building
    documentation against Sphinx 1.2.1.

 -- Barry Warsaw <email address hidden>  Wed, 29 Jan 2014 18:37:51 +0000
python-django (1.6.1-1) unstable; urgency=medium

  * New upstream version.
  * Fix broken encoding in translations attribution. (Closes: #729194)

 -- Luke Faraone <email address hidden>  Thu, 12 Dec 2013 15:46:01 -0500
python-django (1.6-1) unstable; urgency=low

  * New upstream version. Closes: #557474, #724637.
  * python-django now also suggests the installation of ipython,
    bpython, python-django-doc, and libgdal1.
    Closes: #636511, #686333, #704203
  * Set package maintainer to Debian Python Modules Team.
  * Bump standards version to 3.9.5, no changes needed.

 -- Luke Faraone <email address hidden>  Thu, 07 Nov 2013 15:33:49 -0500
python-django (1.5.4-1ubuntu1) saucy; urgency=low

  * Pull patch from git to isolate a DB test in testsuite (LP: #1231923)

 -- Adam Conrad <email address hidden>  Fri, 27 Sep 2013 04:51:31 -0600