Change log for python-django package in Ubuntu
Superseded in jammy-proposed
python-django (2:3.2.11-1) unstable; urgency=high

  * New upstream security release:
    - CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator
      UserAttributeSimilarityValidator incurred significant overhead evaluating submitted passwords that were artificially large relative to the comparison values. On the assumption that access to user registration was unrestricted this provided a potential vector for a denial-of-service attack.
      In order to mitigate this issue, relatively long values are now ignored by UserAttributeSimilarityValidator.
    - CVE-2021-45116: Potential information disclosure in dictsort template filter
      Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure or unintended method calls, if passed a suitably crafted key.
      In order to avoid this possibility, dictsort now works with a restricted resolution logic, that will not call methods, nor allow indexing on dictionaries.
    - CVE-2021-45452: Potential directory-traversal via Storage.save()
      Storage.save() allowed directory-traversal if directly passed suitably crafted file names.
    See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/> for more information. (Closes: #1003113)

 -- Chris Lamb <email address hidden>  Tue, 04 Jan 2022 12:35:16 +0000
Available diffs
- diff from 2:3.2.10-2 to 2:3.2.11-1 (8.0 KiB)
python-django (1:1.11.11-1ubuntu1.15) bionic-security; urgency=medium

  * SECURITY UPDATE: Denial-of-service possibility in UserAttributeSimilarityValidator
    - debian/patches/CVE-2021-45115.patch: prevent DoS in django/contrib/auth/password_validation.py, docs/topics/auth/passwords.txt, tests/auth_tests/test_validators.py.
    - CVE-2021-45115
  * SECURITY UPDATE: Potential information disclosure in dictsort template filter
    - debian/patches/CVE-2021-45116.patch: properly handle private variables in django/template/defaultfilters.py, docs/ref/templates/builtins.txt, tests/template_tests/filter_tests/test_dictsort.py, tests/template_tests/filter_tests/test_dictsortreversed.py.
    - CVE-2021-45116
  * SECURITY UPDATE: Potential directory-traversal via Storage.save()
    - debian/patches/CVE-2021-31542-2.patch: fix regression caused by fix for CVE-2021-31542, and add allow_relative_path parameter to validate_file_name(), required by the following patch.
    - debian/patches/CVE-2021-45452.patch: fix path traversal in django/core/files/storage.py, tests/file_storage/test_generate_filename.py, tests/file_storage/tests.py.
    - CVE-2021-45452

 -- Marc Deslauriers <email address hidden>  Tue, 04 Jan 2022 08:38:45 -0500

python-django (2:2.2.12-1ubuntu0.9) focal-security; urgency=medium

  * SECURITY UPDATE: Denial-of-service possibility in UserAttributeSimilarityValidator
    - debian/patches/CVE-2021-45115.patch: prevent DoS in django/contrib/auth/password_validation.py, docs/topics/auth/passwords.txt, tests/auth_tests/test_validators.py.
    - CVE-2021-45115
  * SECURITY UPDATE: Potential information disclosure in dictsort template filter
    - debian/patches/CVE-2021-45116.patch: properly handle private variables in django/template/defaultfilters.py, docs/ref/templates/builtins.txt, tests/template_tests/filter_tests/test_dictsort.py, tests/template_tests/filter_tests/test_dictsortreversed.py.
    - CVE-2021-45116
  * SECURITY UPDATE: Potential directory-traversal via Storage.save()
    - debian/patches/CVE-2021-31542-2.patch: fix regression caused by fix for CVE-2021-31542, and add allow_relative_path parameter to validate_file_name(), required by the following patch.
    - debian/patches/CVE-2021-45452.patch: fix path traversal in django/core/files/storage.py, tests/file_storage/test_generate_filename.py, tests/file_storage/tests.py.
    - CVE-2021-45452

 -- Marc Deslauriers <email address hidden>  Tue, 04 Jan 2022 07:29:49 -0500

python-django (2:2.2.20-1ubuntu0.4) hirsute-security; urgency=medium

  * SECURITY UPDATE: Denial-of-service possibility in UserAttributeSimilarityValidator
    - debian/patches/CVE-2021-45115.patch: prevent DoS in django/contrib/auth/password_validation.py, docs/topics/auth/passwords.txt, tests/auth_tests/test_validators.py.
    - CVE-2021-45115
  * SECURITY UPDATE: Potential information disclosure in dictsort template filter
    - debian/patches/CVE-2021-45116.patch: properly handle private variables in django/template/defaultfilters.py, docs/ref/templates/builtins.txt, tests/template_tests/filter_tests/test_dictsort.py, tests/template_tests/filter_tests/test_dictsortreversed.py.
    - CVE-2021-45116
  * SECURITY UPDATE: Potential directory-traversal via Storage.save()
    - debian/patches/CVE-2021-31542-2.patch: fix regression caused by fix for CVE-2021-31542, and add allow_relative_path parameter to validate_file_name(), required by the following patch.
    - debian/patches/CVE-2021-45452.patch: fix path traversal in django/core/files/storage.py, tests/file_storage/test_generate_filename.py, tests/file_storage/tests.py.
    - CVE-2021-45452

 -- Marc Deslauriers <email address hidden>  Tue, 04 Jan 2022 07:29:07 -0500

python-django (2:2.2.24-1ubuntu1.2) impish-security; urgency=medium

  * SECURITY UPDATE: Denial-of-service possibility in UserAttributeSimilarityValidator
    - debian/patches/CVE-2021-45115.patch: prevent DoS in django/contrib/auth/password_validation.py, docs/topics/auth/passwords.txt, tests/auth_tests/test_validators.py.
    - CVE-2021-45115
  * SECURITY UPDATE: Potential information disclosure in dictsort template filter
    - debian/patches/CVE-2021-45116.patch: properly handle private variables in django/template/defaultfilters.py, docs/ref/templates/builtins.txt, tests/template_tests/filter_tests/test_dictsort.py, tests/template_tests/filter_tests/test_dictsortreversed.py.
    - CVE-2021-45116
  * SECURITY UPDATE: Potential directory-traversal via Storage.save()
    - debian/patches/CVE-2021-45452.patch: fix path traversal in django/core/files/storage.py, tests/file_storage/test_generate_filename.py, tests/file_storage/tests.py.
    - CVE-2021-45452

 -- Marc Deslauriers <email address hidden>  Tue, 04 Jan 2022 07:15:17 -0500
Superseded in jammy-proposed
python-django (2:3.2.10-2) unstable; urgency=medium

  * autopkgtest: give the tests names. This makes it easy to run any of them individually, and also is better than having them called "command1" and "command2" in the autopkgtest logs.
  * Backport fixes for more Django ORM regressions. Upstream issue: https://code.djangoproject.com/ticket/33282. That regression affects src:lava in Debian. The patches are:
    - 0007-Refs-32786-Made-Query.clear_ordering-not-to-cause-si.patch
    - 0008-Refs-32690-Altered-lookups-Query-rhs-alterations-dur.patch
    - 0009-Fixed-33282-Fixed-a-crash-when-OR-ing-subquery-and-a.patch

 -- Antonio Terceiro <email address hidden>  Wed, 08 Dec 2021 15:11:52 -0300
Available diffs
- diff from 2:3.2.10-1 to 2:3.2.10-2 (6.3 KiB)
Superseded in jammy-proposed
python-django (2:3.2.10-1) unstable; urgency=medium

  * New upstream release:
    - CVE-2021-44420: Potential bypass of an upstream access control based on URL paths:
      Full details are available here: <https://www.djangoproject.com/weblog/2021/dec/07/security-releases/>
  * Refresh patches.

 -- Chris Lamb <email address hidden>  Tue, 07 Dec 2021 07:46:51 -0800
Available diffs
- diff from 2:3.2.9-2 to 2:3.2.10-1 (7.3 KiB)
python-django (2:2.2.20-1ubuntu0.3) hirsute-security; urgency=medium

  * SECURITY UPDATE: potential bypass of an upstream access control based on URL paths
    - debian/patches/CVE-2021-44420.patch: fix path match in django/urls/resolvers.py, tests/urlpatterns/tests.py.
    - CVE-2021-44420

 -- Marc Deslauriers <email address hidden>  Tue, 30 Nov 2021 06:58:35 -0500

python-django (2:2.2.12-1ubuntu0.8) focal-security; urgency=medium

  * SECURITY UPDATE: potential bypass of an upstream access control based on URL paths
    - debian/patches/CVE-2021-44420.patch: fix path match in django/urls/resolvers.py, tests/urlpatterns/tests.py.
    - CVE-2021-44420

 -- Marc Deslauriers <email address hidden>  Tue, 30 Nov 2021 06:58:59 -0500

python-django (2:2.2.24-1ubuntu1.1) impish-security; urgency=medium

  * SECURITY UPDATE: potential bypass of an upstream access control based on URL paths
    - debian/patches/CVE-2021-44420.patch: fix path match in django/urls/resolvers.py, tests/urlpatterns/tests.py.
    - CVE-2021-44420

 -- Marc Deslauriers <email address hidden>  Tue, 30 Nov 2021 06:56:31 -0500
python-django (2:3.2.9-2) unstable; urgency=medium

  * Team upload.
  * Fix __in lookup crash when combining with filtered aggregates.
    Fix for: https://code.djangoproject.com/ticket/32690
    This issue affects src:lava, where work is being done towards Django 3.2 compatibility.
    Upstream patch from: https://github.com/django/django/commit/136ff592ad8aa8b7fa1e61435e5501cc98ce8573
  * Add Breaks: on lava-server << 2021.11 (Closes: #996931)
  * Add Breaks: on python-django-pyscss << 2.0.2-10 (Closes: #983618)

 -- Antonio Terceiro <email address hidden>  Wed, 10 Nov 2021 11:22:48 -0300
Superseded in jammy-release
Obsolete in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
python-django (2:2.2.24-1ubuntu1) impish; urgency=medium

  * d/p/test_subparser_regression.patch: Fix test regression (LP: #1945993)

 -- Athos Ribeiro <email address hidden>  Mon, 04 Oct 2021 10:56:57 -0300
python-django (2:2.2.24-1) unstable; urgency=medium

  * New upstream security release. (Closes: #989394)
    - CVE-2021-33203: Potential directory traversal via admindocs
      Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.
      As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.
      This issue has low severity, according to the Django security policy.
      Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from the CodeQL Python team for the report.
    - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
      URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn't prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks.
      validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+.
      This issue has medium severity, according to the Django security policy.

 -- Chris Lamb <email address hidden>  Wed, 02 Jun 2021 16:15:13 +0100
Available diffs
- diff from 2:2.2.23-1 to 2:2.2.24-1 (6.5 KiB)
python-django (1:1.11.11-1ubuntu1.14) bionic-security; urgency=medium

  * SECURITY UPDATE: potential directory traversal via admindocs
    - debian/patches/CVE-2021-33203.patch: use safe_join in django/contrib/admindocs/views.py, tests/admin_docs/test_views.py.
    - CVE-2021-33203
  * SECURITY UPDATE: possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
    - debian/patches/CVE-2021-33571.patch: prevent leading zeros in IPv4 addresses in django/core/validators.py, tests/validators/invalid_urls.txt, tests/validators/tests.py, tests/validators/valid_urls.txt.
    - CVE-2021-33571
  * debian/patches/disable_image_test.patch: disable failing test since pillow security update.

 -- Marc Deslauriers <email address hidden>  Wed, 26 May 2021 09:22:24 -0400

python-django (2:2.2.20-1ubuntu0.2) hirsute-security; urgency=medium

  * SECURITY UPDATE: header injection in URLValidator with Python 3.9.5+
    - debian/patches/CVE-2021-32052.patch: prevent newlines and tabs from being accepted in URLValidator in django/core/validators.py, tests/validators/tests.py.
    - CVE-2021-32052
  * SECURITY UPDATE: potential directory traversal via admindocs
    - debian/patches/CVE-2021-33203.patch: use safe_join in django/contrib/admindocs/views.py, tests/admin_docs/test_views.py.
    - CVE-2021-33203
  * SECURITY UPDATE: possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
    - debian/patches/CVE-2021-33571.patch: prevent leading zeros in IPv4 addresses in django/core/validators.py, tests/validators/invalid_urls.txt, tests/validators/tests.py, tests/validators/valid_urls.txt.
    - CVE-2021-33571

 -- Marc Deslauriers <email address hidden>  Wed, 26 May 2021 08:52:14 -0400

python-django (2:2.2.12-1ubuntu0.7) focal-security; urgency=medium

  * SECURITY UPDATE: header injection in URLValidator with Python 3.9.5+
    - debian/patches/CVE-2021-32052.patch: prevent newlines and tabs from being accepted in URLValidator in django/core/validators.py, tests/validators/tests.py.
    - CVE-2021-32052
  * SECURITY UPDATE: potential directory traversal via admindocs
    - debian/patches/CVE-2021-33203.patch: use safe_join in django/contrib/admindocs/views.py, tests/admin_docs/test_views.py.
    - CVE-2021-33203
  * SECURITY UPDATE: possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
    - debian/patches/CVE-2021-33571.patch: prevent leading zeros in IPv4 addresses in django/core/validators.py, tests/validators/invalid_urls.txt, tests/validators/tests.py, tests/validators/valid_urls.txt.
    - CVE-2021-33571

 -- Marc Deslauriers <email address hidden>  Wed, 26 May 2021 08:58:41 -0400

python-django (2:2.2.16-1ubuntu0.5) groovy-security; urgency=medium

  * SECURITY UPDATE: header injection in URLValidator with Python 3.9.5+
    - debian/patches/CVE-2021-32052.patch: prevent newlines and tabs from being accepted in URLValidator in django/core/validators.py, tests/validators/tests.py.
    - CVE-2021-32052
  * SECURITY UPDATE: potential directory traversal via admindocs
    - debian/patches/CVE-2021-33203.patch: use safe_join in django/contrib/admindocs/views.py, tests/admin_docs/test_views.py.
    - CVE-2021-33203
  * SECURITY UPDATE: possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
    - debian/patches/CVE-2021-33571.patch: prevent leading zeros in IPv4 addresses in django/core/validators.py, tests/validators/invalid_urls.txt, tests/validators/tests.py, tests/validators/valid_urls.txt.
    - CVE-2021-33571

 -- Marc Deslauriers <email address hidden>  Wed, 26 May 2021 08:57:53 -0400
python-django (2:2.2.23-1) unstable; urgency=medium

  * New upstream release.
    <https://docs.djangoproject.com/en/3.2/releases/2.2.23/>

 -- Chris Lamb <email address hidden>  Thu, 13 May 2021 10:41:04 +0100
Available diffs
- diff from 2:2.2.22-1 to 2:2.2.23-1 (3.3 KiB)
python-django (2:2.2.22-1) unstable; urgency=medium

  * New upstream security release:
    - CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+. (Closes: #988136)
    - Full release notes: <https://www.djangoproject.com/weblog/2021/may/06/security-releases/>

 -- Chris Lamb <email address hidden>  Thu, 06 May 2021 15:52:24 +0100

python-django (2:2.2.12-1ubuntu0.6) focal-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-31542.patch: tighten path & file name sanitation in file uploads in django/core/files/storage.py, django/core/files/uploadedfile.py, django/core/files/utils.py, django/db/models/fields/files.py, django/http/multipartparser.py, django/utils/text.py, tests/file_storage/test_generate_filename.py, tests/file_uploads/tests.py, tests/utils_tests/test_text.py, tests/forms_tests/field_tests/test_filefield.py.
    - CVE-2021-31542

 -- Marc Deslauriers <email address hidden>  Wed, 28 Apr 2021 06:39:44 -0400

python-django (1:1.11.11-1ubuntu1.13) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-31542.patch: tighten path & file name sanitation in file uploads in django/core/files/storage.py, django/core/files/uploadedfile.py, django/core/files/utils.py, django/db/models/fields/files.py, django/http/multipartparser.py, django/utils/text.py, tests/file_storage/test_generate_filename.py, tests/file_uploads/tests.py, tests/utils_tests/test_text.py, tests/forms_tests/field_tests/test_filefield.py.
    - CVE-2021-31542

 -- Marc Deslauriers <email address hidden>  Wed, 28 Apr 2021 06:44:31 -0400

python-django (2:2.2.16-1ubuntu0.4) groovy-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-31542.patch: tighten path & file name sanitation in file uploads in django/core/files/storage.py, django/core/files/uploadedfile.py, django/core/files/utils.py, django/db/models/fields/files.py, django/http/multipartparser.py, django/utils/text.py, tests/file_storage/test_generate_filename.py, tests/file_uploads/tests.py, tests/utils_tests/test_text.py, tests/forms_tests/field_tests/test_filefield.py.
    - CVE-2021-31542

 -- Marc Deslauriers <email address hidden>  Wed, 28 Apr 2021 06:39:14 -0400

python-django (2:2.2.20-1ubuntu0.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-31542.patch: tighten path & file name sanitation in file uploads in django/core/files/storage.py, django/core/files/uploadedfile.py, django/core/files/utils.py, django/db/models/fields/files.py, django/http/multipartparser.py, django/utils/text.py, tests/file_storage/test_generate_filename.py, tests/file_uploads/tests.py, tests/utils_tests/test_text.py, tests/forms_tests/field_tests/test_filefield.py.
    - CVE-2021-31542

 -- Marc Deslauriers <email address hidden>  Wed, 28 Apr 2021 06:36:37 -0400
Superseded in impish-release
Obsolete in hirsute-release
Deleted in hirsute-proposed (Reason: Moved to hirsute)
python-django (2:2.2.20-1) unstable; urgency=medium

  * New upstream security release:
    - CVE-2021-28658: The MultiPartParser class allowed directory-traversal via uploaded files via maliciously crafted filenames. (Closes: #986447)

 -- Chris Lamb <email address hidden>  Tue, 06 Apr 2021 11:44:51 +0100
python-django (2:2.2.19-1ubuntu1) hirsute; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-28658.patch: properly sanitize filenames in django/http/multipartparser.py, tests/file_uploads/tests.py, tests/file_uploads/uploadhandler.py, tests/file_uploads/urls.py, tests/file_uploads/views.py.
    - CVE-2021-28658

 -- Marc Deslauriers <email address hidden>  Tue, 06 Apr 2021 08:18:46 -0400

python-django (1.8.7-1ubuntu5.15) xenial-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-28658.patch: properly sanitize filenames in django/http/multipartparser.py, tests/file_uploads/tests.py, tests/file_uploads/uploadhandler.py, tests/file_uploads/urls.py, tests/file_uploads/views.py.
    - CVE-2021-28658

 -- Marc Deslauriers <email address hidden>  Tue, 30 Mar 2021 14:57:56 -0400

python-django (1:1.11.11-1ubuntu1.12) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-28658.patch: properly sanitize filenames in django/http/multipartparser.py, tests/file_uploads/tests.py, tests/file_uploads/uploadhandler.py, tests/file_uploads/urls.py, tests/file_uploads/views.py.
    - CVE-2021-28658

 -- Marc Deslauriers <email address hidden>  Tue, 30 Mar 2021 14:55:49 -0400

python-django (2:2.2.12-1ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-28658.patch: properly sanitize filenames in django/http/multipartparser.py, tests/file_uploads/tests.py, tests/file_uploads/uploadhandler.py, tests/file_uploads/urls.py, tests/file_uploads/views.py.
    - CVE-2021-28658

 -- Marc Deslauriers <email address hidden>  Tue, 30 Mar 2021 14:53:19 -0400

python-django (2:2.2.16-1ubuntu0.3) groovy-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-28658.patch: properly sanitize filenames in django/http/multipartparser.py, tests/file_uploads/tests.py, tests/file_uploads/uploadhandler.py, tests/file_uploads/urls.py, tests/file_uploads/views.py.
    - CVE-2021-28658

 -- Marc Deslauriers <email address hidden>  Tue, 30 Mar 2021 14:51:14 -0400
python-django (2:2.2.19-1) unstable; urgency=medium

  * New upstream security release:
    - CVE-2021-23336: Prevent a web cache poisoning attack via "parameter cloaking". Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl() no longer allows using ";" as a query parameter separator by default. (Closes: #983090)
      <https://www.djangoproject.com/weblog/2021/feb/19/security-releases/>
  * Refresh patches.

 -- Chris Lamb <email address hidden>  Fri, 19 Feb 2021 09:22:37 +0000
Available diffs
- diff from 2:2.2.18-1 to 2:2.2.19-1 (4.5 KiB)
python-django (1:1.11.11-1ubuntu1.11) bionic-security; urgency=medium

  * SECURITY UPDATE: Web cache poisoning via limited_parse_qsl()
    - debian/patches/CVE-2021-23336.patch: no longer allow ; in parse_qsl() in django/utils/http.py, tests/handlers/test_exception.py, tests/requests/test_data_upload_settings.py, tests/utils_tests/test_http.py.
    - CVE-2021-23336

 -- Marc Deslauriers <email address hidden>  Thu, 18 Feb 2021 10:44:15 -0500

python-django (2:2.2.12-1ubuntu0.4) focal-security; urgency=medium

  * SECURITY UPDATE: Web cache poisoning via limited_parse_qsl()
    - debian/patches/CVE-2021-23336.patch: no longer allow ; in parse_qsl() in django/utils/http.py, tests/handlers/test_exception.py, tests/requests/test_data_upload_settings.py, tests/utils_tests/test_http.py.
    - CVE-2021-23336

 -- Marc Deslauriers <email address hidden>  Thu, 18 Feb 2021 10:40:54 -0500

python-django (2:2.2.16-1ubuntu0.2) groovy-security; urgency=medium

  * SECURITY UPDATE: Web cache poisoning via limited_parse_qsl()
    - debian/patches/CVE-2021-23336.patch: no longer allow ; in parse_qsl() in django/utils/http.py, tests/handlers/test_exception.py, tests/requests/test_data_upload_settings.py, tests/utils_tests/test_http.py.
    - CVE-2021-23336

 -- Marc Deslauriers <email address hidden>  Thu, 18 Feb 2021 10:37:09 -0500
python-django (2:2.2.18-1) unstable; urgency=medium

  * New upstream security release:
    - CVE-2021-3281: Potential directory-traversal via archive.extract(). The django.utils.archive.extract() function, used by startapp --template and startproject --template, allowed directory-traversal via an archive with absolute paths or relative paths with dot segments. (Closes: #981562)
      <https://www.djangoproject.com/weblog/2021/feb/01/security-releases/>
  * Drop 0006-Fixed-31850-Fixed-BasicExtractorTests.test_extractio.patch; applied upstream.

 -- Chris Lamb <email address hidden>  Mon, 01 Feb 2021 11:59:58 +0000
Available diffs
- diff from 2:2.2.17-2 to 2:2.2.18-1 (4.3 KiB)
python-django (1.8.7-1ubuntu5.14) xenial-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via archive.extract()
    - debian/patches/CVE-2021-3281.patch: check for invalid paths in django/utils/archive.py.
    - CVE-2021-3281

 -- Marc Deslauriers <email address hidden>  Mon, 25 Jan 2021 07:56:58 -0500

python-django (1:1.11.11-1ubuntu1.10) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via archive.extract()
    - debian/patches/CVE-2021-3281.patch: check for invalid paths in django/utils/archive.py.
    - CVE-2021-3281

 -- Marc Deslauriers <email address hidden>  Mon, 25 Jan 2021 07:34:39 -0500

python-django (2:2.2.12-1ubuntu0.3) focal-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via archive.extract()
    - debian/patches/CVE-2021-3281.patch: check for invalid paths in django/utils/archive.py.
    - CVE-2021-3281

 -- Marc Deslauriers <email address hidden>  Mon, 25 Jan 2021 07:31:24 -0500

python-django (2:2.2.16-1ubuntu0.1) groovy-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via archive.extract()
    - debian/patches/CVE-2021-3281.patch: check for invalid paths in django/utils/archive.py.
    - CVE-2021-3281

 -- Marc Deslauriers <email address hidden>  Mon, 25 Jan 2021 07:29:17 -0500
python-django (2:2.2.17-2) unstable; urgency=medium

  * Fix compatibility with xgettext 0.21. (Closes: #978263)
  * Move to debian/watch file version 4.
  * Bump Standards-Version to 4.5.1.

 -- Chris Lamb <email address hidden>  Sun, 27 Dec 2020 16:42:36 +0000
Available diffs
- diff from 2:2.2.17-1 to 2:2.2.17-2 (1.5 KiB)
python-django (2:2.2.17-1) unstable; urgency=medium

  [ Chris Lamb ]
  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/stable/releases/2.2.17/>

  [ Ondřej Nový ]
  * d/control: Update Maintainer field with new Debian Python Team contact address.
  * d/control: Update Vcs-* fields with new Debian Python Team Salsa layout.

 -- Chris Lamb <email address hidden>  Tue, 03 Nov 2020 10:46:54 +0000
Available diffs
- diff from 2:2.2.16-1 to 2:2.2.17-1 (3.5 KiB)
Superseded in hirsute-release
Obsolete in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
python-django (2:2.2.16-1) unstable; urgency=medium

  * New upstream security release to address CVE-2020-24583, CVE-2020-24584. (Closes: #969367)
    <https://www.djangoproject.com/weblog/2020/sep/01/security-releases/>

 -- Chris Lamb <email address hidden>  Tue, 01 Sep 2020 12:21:39 +0100
Available diffs
- diff from 2:2.2.15-2 to 2:2.2.16-1 (5.1 KiB)
python-django (2:2.2.12-1ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Incorrect permissions on intermediate-level directories on Python 3.7+
    - debian/patches/CVE-2020-24583.patch: set umask in django/core/files/storage.py, added test and test files to tests/*.
    - CVE-2020-24583
  * SECURITY UPDATE: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
    - debian/patches/CVE-2020-24584.patch: set umask in django/core/cache/backends/filebased.py, added test to tests/cache/tests.py.
    - CVE-2020-24584

 -- Marc Deslauriers <email address hidden>  Tue, 25 Aug 2020 09:58:36 -0400

python-django (2:2.2.15-2) unstable; urgency=medium

  * Set the PYTHONPATH in the autopkgtests in the same way that we do in debian/rules. (Closes: #968577)

 -- Chris Lamb <email address hidden>  Mon, 17 Aug 2020 23:02:17 +0100
python-django (2:2.2.12-1ubuntu1) groovy; urgency=medium

  * SECURITY UPDATE: Potential data leakage via malformed memcached keys
    - debian/patches/CVE-2020-13254.patch: enforced cache key validation in memcached backends in django/core/cache/__init__.py, django/core/cache/backends/base.py, django/core/cache/backends/memcached.py, tests/cache/tests.py.
    - CVE-2020-13254
  * SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
    - debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin ForeignKeyRawIdWidget in django/contrib/admin/widgets.py, tests/admin_widgets/models.py, tests/admin_widgets/tests.py.
    - CVE-2020-13596

 -- Marc Deslauriers <email address hidden>  Thu, 28 May 2020 10:10:05 -0400

python-django (1:1.11.11-1ubuntu1.9) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential data leakage via malformed memcached keys
    - debian/patches/CVE-2020-13254.patch: enforced cache key validation in memcached backends in django/core/cache/__init__.py, django/core/cache/backends/base.py, django/core/cache/backends/memcached.py, tests/cache/tests.py.
    - CVE-2020-13254
  * SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
    - debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin ForeignKeyRawIdWidget in django/contrib/admin/widgets.py, tests/admin_widgets/models.py, tests/admin_widgets/tests.py.
    - CVE-2020-13596

 -- Marc Deslauriers <email address hidden>  Thu, 28 May 2020 10:30:39 -0400

python-django (1:1.11.22-1ubuntu1.4) eoan-security; urgency=medium

  * SECURITY UPDATE: Potential data leakage via malformed memcached keys
    - debian/patches/CVE-2020-13254.patch: enforced cache key validation in memcached backends in django/core/cache/__init__.py, django/core/cache/backends/base.py, django/core/cache/backends/memcached.py, tests/cache/tests.py.
    - CVE-2020-13254
  * SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
    - debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin ForeignKeyRawIdWidget in django/contrib/admin/widgets.py, tests/admin_widgets/models.py, tests/admin_widgets/tests.py.
    - CVE-2020-13596

 -- Marc Deslauriers <email address hidden>  Thu, 28 May 2020 10:28:03 -0400

python-django (1.8.7-1ubuntu5.13) xenial-security; urgency=medium

  * SECURITY UPDATE: Potential data leakage via malformed memcached keys
    - debian/patches/CVE-2020-13254.patch: enforced cache key validation in memcached backends in django/core/cache/__init__.py, django/core/cache/backends/base.py, django/core/cache/backends/memcached.py, tests/cache/tests.py.
    - CVE-2020-13254
  * SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
    - debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin ForeignKeyRawIdWidget in django/contrib/admin/widgets.py.
    - CVE-2020-13596

 -- Marc Deslauriers <email address hidden>  Thu, 28 May 2020 10:48:45 -0400

python-django (2:2.2.12-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Potential data leakage via malformed memcached keys
    - debian/patches/CVE-2020-13254.patch: enforced cache key validation in memcached backends in django/core/cache/__init__.py, django/core/cache/backends/base.py, django/core/cache/backends/memcached.py, tests/cache/tests.py.
    - CVE-2020-13254
  * SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
    - debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin ForeignKeyRawIdWidget in django/contrib/admin/widgets.py, tests/admin_widgets/models.py, tests/admin_widgets/tests.py.
    - CVE-2020-13596

 -- Marc Deslauriers <email address hidden>  Thu, 28 May 2020 10:10:05 -0400
Superseded in groovy-release
Published in focal-release
Deleted in focal-proposed (Reason: moved to Release)
python-django (2:2.2.12-1) unstable; urgency=medium

  * New upstream release.
    <https://docs.djangoproject.com/en/3.0/releases/2.2.12/>

 -- Chris Lamb <email address hidden>  Wed, 01 Apr 2020 10:43:19 +0100
Available diffs
- diff from 2:2.2.11-1 to 2:2.2.12-1 (4.1 KiB)
python-django (2:2.2.11-1) unstable; urgency=medium

  * New upstream security release. (Closes: #953102)
    <https://www.djangoproject.com/weblog/2020/mar/04/security-releases/>

 -- Chris Lamb <email address hidden>  Wed, 04 Mar 2020 08:01:27 -0800
python-django (2:2.2.10-1ubuntu1) focal; urgency=medium * SECURITY UPDATE: SQL injection in Oracle GIS functions and aggregates - debian/patches/CVE-2020-9402.patch: properly escaped tolerance parameter in GIS functions and aggregates on Oracle in django/contrib/gis/db/models/aggregates.py, django/contrib/gis/db/models/functions.py, tests/gis_tests/distapp/tests.py, tests/gis_tests/geoapp/tests.py. - CVE-2020-9402 -- Marc Deslauriers <email address hidden> Wed, 04 Mar 2020 09:05:10 -0500
Available diffs
python-django (1:1.11.11-1ubuntu1.8) bionic-security; urgency=medium * SECURITY UPDATE: SQL injection in Oracle GIS functions and aggregates - debian/patches/CVE-2020-9402.patch: properly escaped tolerance parameter in GIS functions and aggregates on Oracle in django/contrib/gis/db/models/aggregates.py, django/contrib/gis/db/models/functions.py, tests/gis_tests/distapp/tests.py, tests/gis_tests/geoapp/tests.py. - CVE-2020-9402 -- Marc Deslauriers <email address hidden> Fri, 28 Feb 2020 13:07:57 -0500
python-django (1.8.7-1ubuntu5.12) xenial-security; urgency=medium * SECURITY UPDATE: SQL injection in Oracle GIS functions and aggregates - debian/patches/CVE-2020-9402.patch: properly escaped tolerance parameter in GIS functions and aggregates on Oracle in django/contrib/gis/db/models/aggregates.py, tests/gis_tests/distapp/tests.py, tests/gis_tests/geoapp/tests.py. - CVE-2020-9402 -- Marc Deslauriers <email address hidden> Fri, 28 Feb 2020 13:12:33 -0500
python-django (1:1.11.22-1ubuntu1.3) eoan-security; urgency=medium * SECURITY UPDATE: SQL injection in Oracle GIS functions and aggregates - debian/patches/CVE-2020-9402.patch: properly escaped tolerance parameter in GIS functions and aggregates on Oracle in django/contrib/gis/db/models/aggregates.py, django/contrib/gis/db/models/functions.py, tests/gis_tests/distapp/tests.py, tests/gis_tests/geoapp/tests.py. - CVE-2020-9402 -- Marc Deslauriers <email address hidden> Fri, 28 Feb 2020 13:05:32 -0500
python-django (2:2.2.10-1) unstable; urgency=medium * New upstream security release. (Closes: #950581) <https://www.djangoproject.com/weblog/2020/feb/03/security-releases/> * Bump Standards-Version to 4.5.0. -- Chris Lamb <email address hidden> Tue, 04 Feb 2020 17:19:01 +0100
python-django (1:1.11.11-1ubuntu1.7) bionic-security; urgency=medium * SECURITY UPDATE: Possible SQL injection in the postgres aggregates StringAgg function - debian/patches/CVE-2020-7471.patch: Update django/contrib/postgres/aggregates/general.py to escape delimited parameter to the StringAgg function. Upstream patch. - CVE-2020-7471 -- Alex Murray <email address hidden> Fri, 31 Jan 2020 14:14:46 +1030
python-django (1:1.11.22-1ubuntu1.2) eoan-security; urgency=medium * SECURITY UPDATE: Possible SQL injection in the postgres aggregates StringAgg function - debian/patches/CVE-2020-7471.patch: Update django/contrib/postgres/aggregates/general.py to escape delimited parameter to the StringAgg function. Upstream patch. - CVE-2020-7471 -- Alex Murray <email address hidden> Fri, 31 Jan 2020 14:05:54 +1030
python-django (2:2.2.9-2ubuntu1) focal; urgency=low * Merge from Debian unstable. Remaining changes: - Mark a few failing tests as expected.
python-django (2:2.2.9-2) unstable; urgency=medium * Add python3-selenium to test-dependencies and to a runtime "Suggests". (Closes: #947549) -- Chris Lamb <email address hidden> Sat, 28 Dec 2019 11:11:37 +0000
python-django (1.8.7-1ubuntu5.11) xenial-security; urgency=medium * SECURITY UPDATE: Potential account hijack via password reset form - debian/patches/CVE-2019-19844.patch: Use verified user email for password reset requests. - CVE-2019-19844 -- Steve Beattie <email address hidden> Wed, 18 Dec 2019 12:37:04 -0800
python-django (1:1.11.11-1ubuntu1.6) bionic-security; urgency=medium * SECURITY UPDATE: Potential account hijack via password reset form - debian/patches/CVE-2019-19844.patch: Use verified user email for password reset requests. - CVE-2019-19844 -- Steve Beattie <email address hidden> Wed, 18 Dec 2019 08:44:43 -0800
python-django (1:1.11.20-1ubuntu0.3) disco-security; urgency=medium * SECURITY UPDATE: Potential account hijack via password reset form - debian/patches/CVE-2019-19844.patch: Use verified user email for password reset requests. - CVE-2019-19844 -- Steve Beattie <email address hidden> Wed, 18 Dec 2019 08:42:46 -0800
python-django (1:1.11.22-1ubuntu1.1) eoan-security; urgency=medium * SECURITY UPDATE: Potential account hijack via password reset form - debian/patches/CVE-2019-19844.patch: Use verified user email for password reset requests. - CVE-2019-19844 -- Steve Beattie <email address hidden> Wed, 18 Dec 2019 08:40:29 -0800
python-django (2:2.2.6-1ubuntu1) focal; urgency=medium * Mark a few failing tests as expected. -- Dimitri John Ledkov <email address hidden> Fri, 01 Nov 2019 00:13:50 +0000
python-django (2:2.2.6-1) unstable; urgency=medium * New upstream bugfix release. <https://docs.djangoproject.com/en/2.2/releases/2.2.6/> -- Chris Lamb <email address hidden> Tue, 01 Oct 2019 10:44:50 +0100
Superseded in focal-release |
Obsolete in eoan-release |
Deleted in eoan-proposed (Reason: moved to Release) |
python-django (1:1.11.22-1ubuntu1) eoan; urgency=medium * SECURITY UPDATE: Denial-of-service possibility in django.utils.text.Truncator - debian/patches/CVE-2019-14232.patch: adjusted regex to avoid backtracking issues when truncating HTML in django/utils/text.py, tests/template_tests/filter_tests/test_truncatewords_html.py, tests/utils_tests/test_text.py. - CVE-2019-14232 * SECURITY UPDATE: Denial-of-service possibility in strip_tags() - debian/patches/CVE-2019-14233.patch: prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities in django/utils/html.py, tests/utils_tests/test_html.py. - CVE-2019-14233 * SECURITY UPDATE: SQL injection possibility in key and index lookups for JSONField/HStoreField - debian/patches/CVE-2019-14234.patch: protected JSONField/HStoreField key and index lookups against SQL injection in django/contrib/postgres/fields/hstore.py, django/contrib/postgres/fields/jsonb.py, tests/postgres_tests/test_hstore.py, tests/postgres_tests/test_json.py. - CVE-2019-14234 * SECURITY UPDATE: Potential memory exhaustion in django.utils.encoding.uri_to_iri() - debian/patches/CVE-2019-14235.patch: fixed potential memory exhaustion in django.utils.encoding.uri_to_iri() in django/utils/encoding.py, tests/utils_tests/test_encoding.py. - CVE-2019-14235 -- Marc Deslauriers <email address hidden> Thu, 19 Sep 2019 16:21:15 +0200
Deleted in eoan-proposed (Reason: won't be released; superseded by python-django 2.2.5 in u...) |
python-django (2:2.2.4-1) unstable; urgency=medium * New upstream security release. (Closes: #934026) <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/> -- Chris Lamb <email address hidden> Tue, 06 Aug 2019 10:08:25 +0100
Available diffs
- diff from 2:2.2.3-5 to 2:2.2.4-1 (13.3 KiB)
python-django (1.8.7-1ubuntu5.10) xenial-security; urgency=medium * SECURITY UPDATE: Denial-of-service possibility in django.utils.text.Truncator - debian/patches/CVE-2019-14232.patch: adjusted regex to avoid backtracking issues when truncating HTML in django/utils/text.py, tests/template_tests/filter_tests/test_truncatewords_html.py, tests/utils_tests/test_text.py. - CVE-2019-14232 * SECURITY UPDATE: Denial-of-service possibility in strip_tags() - debian/patches/CVE-2019-14233.patch: prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities in django/utils/html.py, tests/utils_tests/test_html.py. - CVE-2019-14233 * SECURITY UPDATE: SQL injection possibility in key and index lookups for JSONField/HStoreField - debian/patches/CVE-2019-14234.patch: protected JSONField/HStoreField key and index lookups against SQL injection in django/contrib/postgres/fields/hstore.py, tests/postgres_tests/test_hstore.py. - CVE-2019-14234 * SECURITY UPDATE: Potential memory exhaustion in django.utils.encoding.uri_to_iri() - debian/patches/CVE-2019-14235.patch: fixed potential memory exhaustion in django.utils.encoding.uri_to_iri() in django/utils/encoding.py, tests/utils_tests/test_encoding.py. - CVE-2019-14235 -- Marc Deslauriers <email address hidden> Fri, 26 Jul 2019 07:41:12 -0400
python-django (1:1.11.20-1ubuntu0.2) disco-security; urgency=medium * SECURITY UPDATE: Denial-of-service possibility in django.utils.text.Truncator - debian/patches/CVE-2019-14232.patch: adjusted regex to avoid backtracking issues when truncating HTML in django/utils/text.py, tests/template_tests/filter_tests/test_truncatewords_html.py, tests/utils_tests/test_text.py. - CVE-2019-14232 * SECURITY UPDATE: Denial-of-service possibility in strip_tags() - debian/patches/CVE-2019-14233.patch: prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities in django/utils/html.py, tests/utils_tests/test_html.py. - CVE-2019-14233 * SECURITY UPDATE: SQL injection possibility in key and index lookups for JSONField/HStoreField - debian/patches/CVE-2019-14234.patch: protected JSONField/HStoreField key and index lookups against SQL injection in django/contrib/postgres/fields/hstore.py, django/contrib/postgres/fields/jsonb.py, tests/postgres_tests/test_hstore.py, tests/postgres_tests/test_json.py. - CVE-2019-14234 * SECURITY UPDATE: Potential memory exhaustion in django.utils.encoding.uri_to_iri() - debian/patches/CVE-2019-14235.patch: fixed potential memory exhaustion in django.utils.encoding.uri_to_iri() in django/utils/encoding.py, tests/utils_tests/test_encoding.py. - CVE-2019-14235 -- Marc Deslauriers <email address hidden> Fri, 26 Jul 2019 07:24:02 -0400
python-django (1:1.11.11-1ubuntu1.5) bionic-security; urgency=medium * SECURITY UPDATE: Denial-of-service possibility in django.utils.text.Truncator - debian/patches/CVE-2019-14232.patch: adjusted regex to avoid backtracking issues when truncating HTML in django/utils/text.py, tests/template_tests/filter_tests/test_truncatewords_html.py, tests/utils_tests/test_text.py. - CVE-2019-14232 * SECURITY UPDATE: Denial-of-service possibility in strip_tags() - debian/patches/CVE-2019-14233.patch: prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities in django/utils/html.py, tests/utils_tests/test_html.py. - CVE-2019-14233 * SECURITY UPDATE: SQL injection possibility in key and index lookups for JSONField/HStoreField - debian/patches/CVE-2019-14234.patch: protected JSONField/HStoreField key and index lookups against SQL injection in django/contrib/postgres/fields/hstore.py, django/contrib/postgres/fields/jsonb.py, tests/postgres_tests/test_hstore.py, tests/postgres_tests/test_json.py. - CVE-2019-14234 * SECURITY UPDATE: Potential memory exhaustion in django.utils.encoding.uri_to_iri() - debian/patches/CVE-2019-14235.patch: fixed potential memory exhaustion in django.utils.encoding.uri_to_iri() in django/utils/encoding.py, tests/utils_tests/test_encoding.py. - CVE-2019-14235 -- Marc Deslauriers <email address hidden> Fri, 26 Jul 2019 07:29:57 -0400
python-django (2:2.2.3-5) unstable; urgency=medium [ Chris Lamb ] * Drop Pre-Depends on version of dpkg that is now satisfied in oldoldstable. [ Ondřej Nový ] * Bump Standards-Version to 4.4.0 -- Chris Lamb <email address hidden> Wed, 24 Jul 2019 11:36:15 -0300
Available diffs
- diff from 2:2.2.3-4 to 2:2.2.3-5 (611 bytes)
python-django (2:2.2.3-4) unstable; urgency=medium * Fixup debian/python-django-doc.doc-base to refer to the new location(s) of the documentation. (Closes: #931652) -- Chris Lamb <email address hidden> Mon, 08 Jul 2019 21:49:47 -0300
Available diffs
- diff from 1:1.11.22-1 to 2:2.2.3-4 (2.9 MiB)
python-django (1:1.11.22-1) unstable; urgency=medium * New upstream security release. <https://www.djangoproject.com/weblog/2019/jul/01/security-releases/> (Closes: #931316) -- Chris Lamb <email address hidden> Mon, 01 Jul 2019 17:09:52 -0300
Available diffs
- diff from 1:1.11.21-1 to 1:1.11.22-1 (6.6 KiB)
python-django (1:1.11.20-1ubuntu0.1) disco-security; urgency=medium * SECURITY UPDATE: Incorrect HTTP detection with reverse-proxy connecting via HTTPS - debian/patches/CVE-2019-12781.patch: made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set in django/http/request.py, docs/ref/settings.txt and added tests to tests/settings_test/tests.py. - CVE-2019-12781 * SECURITY UPDATE: XSS in Django admin via AdminURLFieldWidget - debian/patches/CVE-2019-12308.patch: made AdminURLFieldWidget validate URL before rendering clickable link in django/contrib/admin/templates/admin/widgets/url.html, django/contrib/admin/widgets.py, and added test in test/admin_widgets/tests.py. - CVE-2019-12308 -- <email address hidden> (Leonidas S. Barbosa) Mon, 24 Jun 2019 13:49:07 -0300
python-django (1.8.7-1ubuntu5.9) xenial-security; urgency=medium * SECURITY UPDATE: Incorrect HTTP detection with reverse-proxy connecting via HTTPS - debian/patches/CVE-2019-12781.patch: made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set in django/http/request.py, docs/ref/settings.txt and added tests to tests/settings_test/tests.py. - CVE-2019-12781 -- <email address hidden> (Leonidas S. Barbosa) Mon, 24 Jun 2019 11:30:16 -0300