Change log for python-django package in Ubuntu

Superseded in jammy-proposed
python-django (2:3.2.11-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2021-45115: Denial-of-service possibility in
      UserAttributeSimilarityValidator

      UserAttributeSimilarityValidator incurred significant overhead evaluating
      submitted passwords that were artificially large relative to the
      comparison values. On the assumption that access to user registration was
      unrestricted, this provided a potential vector for a denial-of-service
      attack.

      In order to mitigate this issue, relatively long values are now ignored
      by UserAttributeSimilarityValidator.

    - CVE-2021-45116: Potential information disclosure in dictsort template
      filter

      Due to leveraging the Django Template Language's variable resolution
      logic, the dictsort template filter was potentially vulnerable to
      information disclosure or unintended method calls, if passed a
      suitably crafted key.

      In order to avoid this possibility, dictsort now works with a
      restricted resolution logic that will not call methods, nor allow
      indexing on dictionaries.

    - CVE-2021-45452: Potential directory-traversal via Storage.save()

      Storage.save() allowed directory-traversal if directly passed suitably
      crafted file names.

    See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>
    for more information. (Closes: #1003113)

 -- Chris Lamb <email address hidden>  Tue, 04 Jan 2022 12:35:16 +0000

Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.15) bionic-security; urgency=medium

  * SECURITY UPDATE: Denial-of-service possibility in
    UserAttributeSimilarityValidator
    - debian/patches/CVE-2021-45115.patch: prevent DoS in
      django/contrib/auth/password_validation.py,
      docs/topics/auth/passwords.txt, tests/auth_tests/test_validators.py.
    - CVE-2021-45115
  * SECURITY UPDATE: Potential information disclosure in dictsort template
    filter
    - debian/patches/CVE-2021-45116.patch: properly handle private
      variables in django/template/defaultfilters.py,
      docs/ref/templates/builtins.txt,
      tests/template_tests/filter_tests/test_dictsort.py,
      tests/template_tests/filter_tests/test_dictsortreversed.py.
    - CVE-2021-45116
  * SECURITY UPDATE: Potential directory-traversal via Storage.save()
    - debian/patches/CVE-2021-31542-2.patch: fix regression caused by fix
      for CVE-2021-31542, and add allow_relative_path parameter to
      validate_file_name(), required by the following patch.
    - debian/patches/CVE-2021-45452.patch: fix path traversal in
      django/core/files/storage.py,
      tests/file_storage/test_generate_filename.py,
      tests/file_storage/tests.py.
    - CVE-2021-45452

 -- Marc Deslauriers <email address hidden>  Tue, 04 Jan 2022 08:38:45 -0500
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.9) focal-security; urgency=medium

  * SECURITY UPDATE: Denial-of-service possibility in
    UserAttributeSimilarityValidator
    - debian/patches/CVE-2021-45115.patch: prevent DoS in
      django/contrib/auth/password_validation.py,
      docs/topics/auth/passwords.txt, tests/auth_tests/test_validators.py.
    - CVE-2021-45115
  * SECURITY UPDATE: Potential information disclosure in dictsort template
    filter
    - debian/patches/CVE-2021-45116.patch: properly handle private
      variables in django/template/defaultfilters.py,
      docs/ref/templates/builtins.txt,
      tests/template_tests/filter_tests/test_dictsort.py,
      tests/template_tests/filter_tests/test_dictsortreversed.py.
    - CVE-2021-45116
  * SECURITY UPDATE: Potential directory-traversal via Storage.save()
    - debian/patches/CVE-2021-31542-2.patch: fix regression caused by fix
      for CVE-2021-31542, and add allow_relative_path parameter to
      validate_file_name(), required by the following patch.
    - debian/patches/CVE-2021-45452.patch: fix path traversal in
      django/core/files/storage.py,
      tests/file_storage/test_generate_filename.py,
      tests/file_storage/tests.py.
    - CVE-2021-45452

 -- Marc Deslauriers <email address hidden>  Tue, 04 Jan 2022 07:29:49 -0500
Obsolete in hirsute-updates
Obsolete in hirsute-security
python-django (2:2.2.20-1ubuntu0.4) hirsute-security; urgency=medium

  * SECURITY UPDATE: Denial-of-service possibility in
    UserAttributeSimilarityValidator
    - debian/patches/CVE-2021-45115.patch: prevent DoS in
      django/contrib/auth/password_validation.py,
      docs/topics/auth/passwords.txt, tests/auth_tests/test_validators.py.
    - CVE-2021-45115
  * SECURITY UPDATE: Potential information disclosure in dictsort template
    filter
    - debian/patches/CVE-2021-45116.patch: properly handle private
      variables in django/template/defaultfilters.py,
      docs/ref/templates/builtins.txt,
      tests/template_tests/filter_tests/test_dictsort.py,
      tests/template_tests/filter_tests/test_dictsortreversed.py.
    - CVE-2021-45116
  * SECURITY UPDATE: Potential directory-traversal via Storage.save()
    - debian/patches/CVE-2021-31542-2.patch: fix regression caused by fix
      for CVE-2021-31542, and add allow_relative_path parameter to
      validate_file_name(), required by the following patch.
    - debian/patches/CVE-2021-45452.patch: fix path traversal in
      django/core/files/storage.py,
      tests/file_storage/test_generate_filename.py,
      tests/file_storage/tests.py.
    - CVE-2021-45452

 -- Marc Deslauriers <email address hidden>  Tue, 04 Jan 2022 07:29:07 -0500
Superseded in impish-updates
Superseded in impish-security
python-django (2:2.2.24-1ubuntu1.2) impish-security; urgency=medium

  * SECURITY UPDATE: Denial-of-service possibility in
    UserAttributeSimilarityValidator
    - debian/patches/CVE-2021-45115.patch: prevent DoS in
      django/contrib/auth/password_validation.py,
      docs/topics/auth/passwords.txt, tests/auth_tests/test_validators.py.
    - CVE-2021-45115
  * SECURITY UPDATE: Potential information disclosure in dictsort template
    filter
    - debian/patches/CVE-2021-45116.patch: properly handle private
      variables in django/template/defaultfilters.py,
      docs/ref/templates/builtins.txt,
      tests/template_tests/filter_tests/test_dictsort.py,
      tests/template_tests/filter_tests/test_dictsortreversed.py.
    - CVE-2021-45116
  * SECURITY UPDATE: Potential directory-traversal via Storage.save()
    - debian/patches/CVE-2021-45452.patch: fix path traversal in
      django/core/files/storage.py,
      tests/file_storage/test_generate_filename.py,
      tests/file_storage/tests.py.
    - CVE-2021-45452

 -- Marc Deslauriers <email address hidden>  Tue, 04 Jan 2022 07:15:17 -0500
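
The CVE-2021-45115 entries above describe the mitigation only as "relatively long values are now ignored". The following is an added example, not Django's code and not from the page: a stand-alone similarity check with a length-ratio guard whose constants (ten-times-longer password, half of max_similarity as the character bound) are this example's own assumption of such a heuristic. It shows where the guard sits relative to the difflib comparison and which attribute parts it skips.

```python
"""Bounding the cost of password/user-attribute similarity checks.

Added example, not Django's implementation. The length-ratio heuristic in
exceeds_maximum_length_ratio() is an assumption modelled on the idea in the
CVE-2021-45115 changelog entry (skip comparison values that are tiny
relative to the submitted password); its constants are this example's own.
"""
import difflib
import re
from typing import Dict, List

MAX_SIMILARITY = 0.7


def exceeds_maximum_length_ratio(password: str, max_similarity: float, value: str) -> bool:
    """Return True when ``value`` is too short relative to ``password`` for a
    similarity comparison to be worth running: the password must be at least
    ten times longer than the value, and the value shorter than the number of
    characters a match at ``max_similarity`` would need (assumed constants).
    """
    pwd_len = len(password)
    length_bound_similarity = max_similarity / 2 * pwd_len
    value_len = len(value)
    return pwd_len >= 10 * value_len and value_len < length_bound_similarity


def too_similar(password: str, user_attributes: Dict[str, str],
                max_similarity: float = MAX_SIMILARITY, bounded: bool = True) -> List[str]:
    """Names of attributes whose value (or a word of it) resembles ``password``.

    ``bounded=False`` compares every part whatever its size, which is the
    costly behaviour a very long submitted password provokes; ``bounded=True``
    skips disproportionately short parts before difflib is invoked at all.
    """
    matches = []
    pw = password.lower()
    for name, value in user_attributes.items():
        if not value or not isinstance(value, str):
            continue
        value_lower = value.lower()
        # Compare against each word of the attribute and the whole attribute.
        parts = re.split(r"\W+", value_lower) + [value_lower]
        for part in parts:
            if not part:
                continue
            if bounded and exceeds_maximum_length_ratio(pw, max_similarity, part):
                continue  # guard: do not pay for a comparison that cannot be meaningful
            if difflib.SequenceMatcher(a=pw, b=part).quick_ratio() >= max_similarity:
                matches.append(name)
                break
    return matches


if __name__ == "__main__":
    # Constructed sample user record.
    user = {"username": "jsmith", "email": "jsmith@example.com"}
    print(too_similar("jsmith2024", user))                     # ['username', 'email']
    print(too_similar("correct horse battery staple", user))   # []
    print(exceeds_maximum_length_ratio("x" * 200, MAX_SIMILARITY, "bob"))  # True
```

The guard runs before a SequenceMatcher is constructed, so a registration form that submits a multi-kilobyte password against short attributes costs a length comparison per part rather than a difflib pass per part.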
Superseded in jammy-proposed
python-django (2:3.2.10-2) unstable; urgency=medium

  * autopkgtest: give the tests names.
    This allows any of them to be run individually with ease, and is also
    better than having them called "command1" and "command2" in the
    autopkgtest logs.
  * Backport fixes for more Django ORM regressions.
    Upstream issue: https://code.djangoproject.com/ticket/33282
    That regression affects src:lava in Debian.
    The patches are:
    - 0007-Refs-32786-Made-Query.clear_ordering-not-to-cause-si.patch
    - 0008-Refs-32690-Altered-lookups-Query-rhs-alterations-dur.patch
    - 0009-Fixed-33282-Fixed-a-crash-when-OR-ing-subquery-and-a.patch

 -- Antonio Terceiro <email address hidden>  Wed, 08 Dec 2021 15:11:52 -0300

Superseded in jammy-proposed
python-django (2:3.2.10-1) unstable; urgency=medium

  * New upstream release:
    - CVE-2021-44420: Potential bypass of an upstream access control based on
      URL paths.
    Full details are available here:
    <https://www.djangoproject.com/weblog/2021/dec/07/security-releases/>
  * Refresh patches.

 -- Chris Lamb <email address hidden>  Tue, 07 Dec 2021 07:46:51 -0800

Superseded in hirsute-updates
Superseded in hirsute-security
python-django (2:2.2.20-1ubuntu0.3) hirsute-security; urgency=medium

  * SECURITY UPDATE: potential bypass of an upstream access control based on
    URL paths
    - debian/patches/CVE-2021-44420.patch: fix path match in
      django/urls/resolvers.py, tests/urlpatterns/tests.py.
    - CVE-2021-44420

 -- Marc Deslauriers <email address hidden>  Tue, 30 Nov 2021 06:58:35 -0500
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.8) focal-security; urgency=medium

  * SECURITY UPDATE: potential bypass of an upstream access control based on
    URL paths
    - debian/patches/CVE-2021-44420.patch: fix path match in
      django/urls/resolvers.py, tests/urlpatterns/tests.py.
    - CVE-2021-44420

 -- Marc Deslauriers <email address hidden>  Tue, 30 Nov 2021 06:58:59 -0500
Superseded in impish-updates
Superseded in impish-security
python-django (2:2.2.24-1ubuntu1.1) impish-security; urgency=medium

  * SECURITY UPDATE: potential bypass of an upstream access control based on
    URL paths
    - debian/patches/CVE-2021-44420.patch: fix path match in
      django/urls/resolvers.py, tests/urlpatterns/tests.py.
    - CVE-2021-44420

 -- Marc Deslauriers <email address hidden>  Tue, 30 Nov 2021 06:56:31 -0500
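
The CVE-2021-44420 entries above say only "fix path match in django/urls/resolvers.py". The following is an added example, not Django's code and not from the page: it shows the Python regex anchoring detail that, as I understand the upstream change, is what the fix is about (stated here as an assumption): `$` also matches just before a trailing newline, while `\Z` matches only at the true end of the string. The route patterns and sample paths are constructed.

```python
"""Why a path-matching regex should end in \\Z rather than $.

Added example, not code from the page or from Django. The two constructed
patterns below differ only in their end anchor; the sample paths show which
inputs they disagree on.
"""
import re

# Constructed route patterns in the two anchoring styles.
ROUTE_DOLLAR = re.compile(r"^admin/$")    # '$' also matches before a final '\n'
ROUTE_END = re.compile(r"^admin/\Z")      # '\Z' matches only at the real end

# Constructed sample request paths.
SAMPLE_PATHS = ["admin/", "admin/\n", "admin/x", "admin"]


def matches(pattern, path: str) -> bool:
    """True if ``pattern`` accepts ``path`` (match() anchors at the start)."""
    return pattern.match(path) is not None


def paths_seen_differently(pattern_a, pattern_b, paths):
    """Return the paths on which the two patterns disagree. A path that an
    upstream filter and the application classify differently is exactly the
    kind of input an access-control rule keyed on the path cannot reason
    about consistently."""
    return [p for p in paths if matches(pattern_a, p) != matches(pattern_b, p)]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(repr(p), matches(ROUTE_DOLLAR, p), matches(ROUTE_END, p))
    print(paths_seen_differently(ROUTE_DOLLAR, ROUTE_END, SAMPLE_PATHS))  # ['admin/\n']
```

The check to carry into a code review is mechanical: any pattern that is meant to match a complete path or file name should end in `\Z`, and re.fullmatch() is an equivalent way to get the same guarantee without an explicit anchor.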
Superseded in jammy-proposed
python-django (2:3.2.9-2) unstable; urgency=medium

  * Team upload.
  * Fix __in lookup crash when combining with filtered aggregates.
    Fix for: https://code.djangoproject.com/ticket/32690
    This issue affects src:lava, where work is being done towards Django 3.2
    compatibility.
    Upstream patch from:
    https://github.com/django/django/commit/136ff592ad8aa8b7fa1e61435e5501cc98ce8573
  * Add Breaks: on lava-server << 2021.11 (Closes: #996931)
  * Add Breaks: on python-django-pyscss << 2.0.2-10 (Closes: #983618)

 -- Antonio Terceiro <email address hidden>  Wed, 10 Nov 2021 11:22:48 -0300
Superseded in jammy-release
Obsolete in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
python-django (2:2.2.24-1ubuntu1) impish; urgency=medium

  * d/p/test_subparser_regression.patch: Fix test regression (LP: #1945993)

 -- Athos Ribeiro <email address hidden>  Mon, 04 Oct 2021 10:56:57 -0300
Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
python-django (2:2.2.24-1) unstable; urgency=medium

  * New upstream security release. (Closes: #989394)

    - CVE-2021-33203: Potential directory traversal via admindocs

      Staff members could use the admindocs TemplateDetailView view to
      check the existence of arbitrary files. Additionally, if (and only
      if) the default admindocs templates have been customized by the
      developers to also expose the file contents, then not only the
      existence but also the file contents would have been exposed.

      As a mitigation, path sanitation is now applied and only files
      within the template root directories can be loaded.

      This issue has low severity, according to the Django security
      policy.

      Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
      the CodeQL Python team for the report.

    - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
      since validators accepted leading zeros in IPv4 addresses

      URLValidator, validate_ipv4_address(), and
      validate_ipv46_address() didn't prohibit leading zeros in octal
      literals. If you used such values you could suffer from
      indeterminate SSRF, RFI, and LFI attacks.

      validate_ipv4_address() and validate_ipv46_address() validators
      were not affected on Python 3.9.5+.

      This issue has medium severity, according to the Django security
      policy.

 -- Chris Lamb <email address hidden>  Wed, 02 Jun 2021 16:15:13 +0100

Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.14) bionic-security; urgency=medium

  * SECURITY UPDATE: potential directory traversal via admindocs
    - debian/patches/CVE-2021-33203.patch: use safe_join in
      django/contrib/admindocs/views.py, tests/admin_docs/test_views.py.
    - CVE-2021-33203
  * SECURITY UPDATE: possible indeterminate SSRF, RFI, and LFI attacks
    since validators accepted leading zeros in IPv4 addresses
    - debian/patches/CVE-2021-33571.patch: prevent leading zeros in IPv4
      addresses in django/core/validators.py,
      tests/validators/invalid_urls.txt, tests/validators/tests.py,
      tests/validators/valid_urls.txt.
    - CVE-2021-33571
  * debian/patches/disable_image_test.patch: disable failing test since
    pillow security update.

 -- Marc Deslauriers <email address hidden>  Wed, 26 May 2021 09:22:24 -0400
Superseded in hirsute-updates
Superseded in hirsute-security
python-django (2:2.2.20-1ubuntu0.2) hirsute-security; urgency=medium

  * SECURITY UPDATE: header injection in URLValidator with Python 3.9.5+
    - debian/patches/CVE-2021-32052.patch: prevent newlines and tabs from
      being accepted in URLValidator in django/core/validators.py,
      tests/validators/tests.py.
    - CVE-2021-32052
  * SECURITY UPDATE: potential directory traversal via admindocs
    - debian/patches/CVE-2021-33203.patch: use safe_join in
      django/contrib/admindocs/views.py, tests/admin_docs/test_views.py.
    - CVE-2021-33203
  * SECURITY UPDATE: possible indeterminate SSRF, RFI, and LFI attacks
    since validators accepted leading zeros in IPv4 addresses
    - debian/patches/CVE-2021-33571.patch: prevent leading zeros in IPv4
      addresses in django/core/validators.py,
      tests/validators/invalid_urls.txt, tests/validators/tests.py,
      tests/validators/valid_urls.txt.
    - CVE-2021-33571

 -- Marc Deslauriers <email address hidden>  Wed, 26 May 2021 08:52:14 -0400
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.7) focal-security; urgency=medium

  * SECURITY UPDATE: header injection in URLValidator with Python 3.9.5+
    - debian/patches/CVE-2021-32052.patch: prevent newlines and tabs from
      being accepted in URLValidator in django/core/validators.py,
      tests/validators/tests.py.
    - CVE-2021-32052
  * SECURITY UPDATE: potential directory traversal via admindocs
    - debian/patches/CVE-2021-33203.patch: use safe_join in
      django/contrib/admindocs/views.py, tests/admin_docs/test_views.py.
    - CVE-2021-33203
  * SECURITY UPDATE: possible indeterminate SSRF, RFI, and LFI attacks
    since validators accepted leading zeros in IPv4 addresses
    - debian/patches/CVE-2021-33571.patch: prevent leading zeros in IPv4
      addresses in django/core/validators.py,
      tests/validators/invalid_urls.txt, tests/validators/tests.py,
      tests/validators/valid_urls.txt.
    - CVE-2021-33571

 -- Marc Deslauriers <email address hidden>  Wed, 26 May 2021 08:58:41 -0400
Obsolete in groovy-updates
Obsolete in groovy-security
python-django (2:2.2.16-1ubuntu0.5) groovy-security; urgency=medium

  * SECURITY UPDATE: header injection in URLValidator with Python 3.9.5+
    - debian/patches/CVE-2021-32052.patch: prevent newlines and tabs from
      being accepted in URLValidator in django/core/validators.py,
      tests/validators/tests.py.
    - CVE-2021-32052
  * SECURITY UPDATE: potential directory traversal via admindocs
    - debian/patches/CVE-2021-33203.patch: use safe_join in
      django/contrib/admindocs/views.py, tests/admin_docs/test_views.py.
    - CVE-2021-33203
  * SECURITY UPDATE: possible indeterminate SSRF, RFI, and LFI attacks
    since validators accepted leading zeros in IPv4 addresses
    - debian/patches/CVE-2021-33571.patch: prevent leading zeros in IPv4
      addresses in django/core/validators.py,
      tests/validators/invalid_urls.txt, tests/validators/tests.py,
      tests/validators/valid_urls.txt.
    - CVE-2021-33571

 -- Marc Deslauriers <email address hidden>  Wed, 26 May 2021 08:57:53 -0400
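
The CVE-2021-32052 and CVE-2021-33571 entries above (from the 2:2.2.24-1 description down to this one) describe two validator conditions: newlines and tabs must not be accepted in a URL, and IPv4 octets must not carry leading zeros, with the note that Python 3.9.5+ already rejects the latter in the ipaddress module. The following is an added example, not Django's URLValidator and not from the page: a small stand-alone URL checker written here to show both conditions, plus a probe for the interpreter-version caveat. Function names and the sample URLs are this example's own.

```python
"""Rejecting control characters and leading-zero IPv4 octets in URLs.

Added example, not Django's validators. validate_ipv4_address() uses a strict
regex rather than ipaddress.ip_address() because only Python 3.9.5+ rejects
leading zeros there, and an octet such as 010 is read as octal by some C
resolvers, so "010.0.0.1" and "8.0.0.1" may name different hosts.
"""
import ipaddress
import re
from typing import Tuple
from urllib.parse import urlsplit

# One octet 0..255 with no leading zero; \Z so a trailing newline cannot match.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IPV4_STRICT = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}\Z")


def validate_ipv4_address(value: str) -> bool:
    """True only for a dotted quad with no leading zeros in any octet."""
    return _IPV4_STRICT.match(value) is not None


def interpreter_rejects_leading_zeros() -> bool:
    """Whether this Python's ipaddress module refuses "010.0.0.1" (3.9.5+ does).
    Not asserted on below because the answer depends on the interpreter."""
    try:
        ipaddress.ip_address("010.0.0.1")
    except ValueError:
        return True
    return False


def validate_url(value: str) -> Tuple[bool, str]:
    """Return (ok, reason). The raw string is checked for CR, LF and TAB before
    urlsplit() runs, because newer urlsplit() silently strips those characters
    and a check on the split parts would no longer see them."""
    if any(c in value for c in "\r\n\t"):
        return False, "control character in URL"
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False, "missing scheme or host"
    host = parts.hostname or ""
    if re.fullmatch(r"[0-9.]+", host) and not validate_ipv4_address(host):
        return False, "malformed IPv4 host"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    for url in ["http://example.com/path?q=1", "http://example.com/a\tb",
                "http://192.168.000.1/", "http://10.0.0.1/", "example.com/path"]:
        print(repr(url), validate_url(url))
    print("ipaddress rejects leading zeros:", interpreter_rejects_leading_zeros())
```

Ordering matters here: a validator that parses first and checks the components afterwards inherits whatever normalisation the parser applied, which is the shape of the 3.9.5+ regression the entries describe.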
Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
python-django (2:2.2.23-1) unstable; urgency=medium

  * New upstream release.
    <https://docs.djangoproject.com/en/3.2/releases/2.2.23/>

 -- Chris Lamb <email address hidden>  Thu, 13 May 2021 10:41:04 +0100

Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
python-django (2:2.2.22-1) unstable; urgency=medium

  * New upstream security release:
    - CVE-2021-32052: Header injection possibility since URLValidator accepted
      newlines in input on Python 3.9.5+. (Closes: #988136)
    - Full release notes:
      <https://www.djangoproject.com/weblog/2021/may/06/security-releases/>

 -- Chris Lamb <email address hidden>  Thu, 06 May 2021 15:52:24 +0100
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.6) focal-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-31542.patch: tighten path & file name
      sanitation in file uploads in django/core/files/storage.py,
      django/core/files/uploadedfile.py, django/core/files/utils.py,
      django/db/models/fields/files.py, django/http/multipartparser.py,
      django/utils/text.py, tests/file_storage/test_generate_filename.py,
      tests/file_uploads/tests.py, tests/utils_tests/test_text.py,
      tests/forms_tests/field_tests/test_filefield.py.
    - CVE-2021-31542

 -- Marc Deslauriers <email address hidden>  Wed, 28 Apr 2021 06:39:44 -0400
Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.13) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-31542.patch: tighten path & file name
      sanitation in file uploads in django/core/files/storage.py,
      django/core/files/uploadedfile.py, django/core/files/utils.py,
      django/db/models/fields/files.py, django/http/multipartparser.py,
      django/utils/text.py, tests/file_storage/test_generate_filename.py,
      tests/file_uploads/tests.py, tests/utils_tests/test_text.py,
      tests/forms_tests/field_tests/test_filefield.py.
    - CVE-2021-31542

 -- Marc Deslauriers <email address hidden>  Wed, 28 Apr 2021 06:44:31 -0400
Superseded in groovy-updates
Superseded in groovy-security
python-django (2:2.2.16-1ubuntu0.4) groovy-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-31542.patch: tighten path & file name
      sanitation in file uploads in django/core/files/storage.py,
      django/core/files/uploadedfile.py, django/core/files/utils.py,
      django/db/models/fields/files.py, django/http/multipartparser.py,
      django/utils/text.py, tests/file_storage/test_generate_filename.py,
      tests/file_uploads/tests.py, tests/utils_tests/test_text.py,
      tests/forms_tests/field_tests/test_filefield.py.
    - CVE-2021-31542

 -- Marc Deslauriers <email address hidden>  Wed, 28 Apr 2021 06:39:14 -0400
Superseded in impish-proposed
Superseded in hirsute-updates
Superseded in hirsute-security
python-django (2:2.2.20-1ubuntu0.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-31542.patch: tighten path & file name
      sanitation in file uploads in django/core/files/storage.py,
      django/core/files/uploadedfile.py, django/core/files/utils.py,
      django/db/models/fields/files.py, django/http/multipartparser.py,
      django/utils/text.py, tests/file_storage/test_generate_filename.py,
      tests/file_uploads/tests.py, tests/utils_tests/test_text.py,
      tests/forms_tests/field_tests/test_filefield.py.
    - CVE-2021-31542

 -- Marc Deslauriers <email address hidden>  Wed, 28 Apr 2021 06:36:37 -0400
Superseded in impish-release
Obsolete in hirsute-release
Deleted in hirsute-proposed (Reason: Moved to hirsute)
python-django (2:2.2.20-1) unstable; urgency=medium

  * New upstream security release:

    - CVE-2021-28658: The MultiPartParser class allowed directory-traversal
      via uploaded files via maliciously crafted filenames. (Closes: #986447)

 -- Chris Lamb <email address hidden>  Tue, 06 Apr 2021 11:44:51 +0100
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: Moved to hirsute)
python-django (2:2.2.19-1ubuntu1) hirsute; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-28658.patch: properly sanitize filenames in
      django/http/multipartparser.py, tests/file_uploads/tests.py,
      tests/file_uploads/uploadhandler.py, tests/file_uploads/urls.py,
      tests/file_uploads/views.py.
    - CVE-2021-28658

 -- Marc Deslauriers <email address hidden>  Tue, 06 Apr 2021 08:18:46 -0400
Published in xenial-updates
Published in xenial-security
python-django (1.8.7-1ubuntu5.15) xenial-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-28658.patch: properly sanitize filenames in
      django/http/multipartparser.py, tests/file_uploads/tests.py,
      tests/file_uploads/uploadhandler.py, tests/file_uploads/urls.py,
      tests/file_uploads/views.py.
    - CVE-2021-28658

 -- Marc Deslauriers <email address hidden>  Tue, 30 Mar 2021 14:57:56 -0400
Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.12) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-28658.patch: properly sanitize filenames in
      django/http/multipartparser.py, tests/file_uploads/tests.py,
      tests/file_uploads/uploadhandler.py, tests/file_uploads/urls.py,
      tests/file_uploads/views.py.
    - CVE-2021-28658

 -- Marc Deslauriers <email address hidden>  Tue, 30 Mar 2021 14:55:49 -0400
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-28658.patch: properly sanitize filenames in
      django/http/multipartparser.py, tests/file_uploads/tests.py,
      tests/file_uploads/uploadhandler.py, tests/file_uploads/urls.py,
      tests/file_uploads/views.py.
    - CVE-2021-28658

 -- Marc Deslauriers <email address hidden>  Tue, 30 Mar 2021 14:53:19 -0400
Superseded in groovy-updates
Superseded in groovy-security
python-django (2:2.2.16-1ubuntu0.3) groovy-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-28658.patch: properly sanitize filenames in
      django/http/multipartparser.py, tests/file_uploads/tests.py,
      tests/file_uploads/uploadhandler.py, tests/file_uploads/urls.py,
      tests/file_uploads/views.py.
    - CVE-2021-28658

 -- Marc Deslauriers <email address hidden>  Tue, 30 Mar 2021 14:51:14 -0400
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
python-django (2:2.2.19-1) unstable; urgency=medium

  * New upstream security release:

    - CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
      cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
      added to backport some security fixes. A further security fix has been
      issued recently such that parse_qsl() no longer allows using ";" as a
      query parameter separator by default. (Closes: #983090)

    <https://www.djangoproject.com/weblog/2021/feb/19/security-releases/>

  * Refresh patches.

 -- Chris Lamb <email address hidden>  Fri, 19 Feb 2021 09:22:37 +0000

Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.11) bionic-security; urgency=medium

  * SECURITY UPDATE: Web cache poisoning via limited_parse_qsl()
    - debian/patches/CVE-2021-23336.patch: no longer allow ; in parse_qsl()
      in django/utils/http.py, tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py,
      tests/utils_tests/test_http.py.
    - CVE-2021-23336

 -- Marc Deslauriers <email address hidden>  Thu, 18 Feb 2021 10:44:15 -0500
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.4) focal-security; urgency=medium

  * SECURITY UPDATE: Web cache poisoning via limited_parse_qsl()
    - debian/patches/CVE-2021-23336.patch: no longer allow ; in parse_qsl()
      in django/utils/http.py, tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py,
      tests/utils_tests/test_http.py.
    - CVE-2021-23336

 -- Marc Deslauriers <email address hidden>  Thu, 18 Feb 2021 10:40:54 -0500
Superseded in groovy-updates
Superseded in groovy-security
python-django (2:2.2.16-1ubuntu0.2) groovy-security; urgency=medium

  * SECURITY UPDATE: Web cache poisoning via limited_parse_qsl()
    - debian/patches/CVE-2021-23336.patch: no longer allow ; in parse_qsl()
      in django/utils/http.py, tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py,
      tests/utils_tests/test_http.py.
    - CVE-2021-23336

 -- Marc Deslauriers <email address hidden>  Thu, 18 Feb 2021 10:37:09 -0500
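
The CVE-2021-23336 entries above (the 2:2.2.19-1 description and the three Ubuntu entries) state the fix as parse_qsl() no longer treating ";" as a query parameter separator by default. The following is an added example, not Django's limited_parse_qsl() and not from the page: a minimal query-string parser that splits only on the configured separator, alongside the older both-separators semantics, so the cache-key disagreement behind "parameter cloaking" can be seen on a constructed query. Function names are this example's own.

```python
"""Query-string parsing that splits only on '&'.

Added example, not Django's code. parse_qsl_strict() matches the current
urllib.parse.parse_qsl() default (separator='&'); legacy_parse_qsl() shows
the pre-fix semantics in which ';' was also a separator. A cache or proxy in
front of an application keys on its own parse of the query; when the two
parsers disagree, two requests with different parameters share a cache entry.
"""
from typing import Callable, List, Tuple
from urllib.parse import unquote_plus


def parse_qsl_strict(qs: str, separator: str = "&",
                     keep_blank_values: bool = False) -> List[Tuple[str, str]]:
    """Split ``qs`` into (name, value) pairs using only ``separator``.
    "a=1;b=2" therefore yields one parameter, "a", with value "1;b=2"."""
    pairs = []
    for chunk in qs.split(separator):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        if not value and not keep_blank_values:
            continue
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def legacy_parse_qsl(qs: str, keep_blank_values: bool = False) -> List[Tuple[str, str]]:
    """Pre-fix semantics: both '&' and ';' separate parameters."""
    return parse_qsl_strict(qs.replace(";", "&"), "&", keep_blank_values)


def canonical_query(qs: str, parser: Callable[[str], List[Tuple[str, str]]]) -> str:
    """Sorted, re-encoded form of the parsed pairs; a cache keyed on this must
    see exactly the pairs the application sees."""
    return "&".join(f"{k}={v}" for k, v in sorted(parser(qs)))


if __name__ == "__main__":
    sample = "a=1;b=2"   # constructed query string
    print(parse_qsl_strict(sample))    # [('a', '1;b=2')]
    print(legacy_parse_qsl(sample))    # [('a', '1'), ('b', '2')]
    print(canonical_query(sample, parse_qsl_strict) == canonical_query(sample, legacy_parse_qsl))  # False
```

The defensive rule the example illustrates is that every component on the request path (CDN, reverse proxy, framework) must agree on the separator set; the fix aligns the framework with the single-separator parse that caches and the Python standard library now use.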
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
python-django (2:2.2.18-1) unstable; urgency=medium

  * New upstream security release:

    - CVE-2021-3281: Potential directory-traversal via archive.extract().

      The django.utils.archive.extract() function, used by startapp --template
      and startproject --template, allowed directory-traversal via an archive
      with absolute paths or relative paths with dot segments.
      (Closes: #981562)

    <https://www.djangoproject.com/weblog/2021/feb/01/security-releases/>

  * Drop 0006-Fixed-31850-Fixed-BasicExtractorTests.test_extractio.patch;
    applied upstream.

 -- Chris Lamb <email address hidden>  Mon, 01 Feb 2021 11:59:58 +0000

Superseded in xenial-updates
Superseded in xenial-security
python-django (1.8.7-1ubuntu5.14) xenial-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via archive.extract()
    - debian/patches/CVE-2021-3281.patch: check for invalid paths in
      django/utils/archive.py.
    - CVE-2021-3281

 -- Marc Deslauriers <email address hidden>  Mon, 25 Jan 2021 07:56:58 -0500
Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.10) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via archive.extract()
    - debian/patches/CVE-2021-3281.patch: check for invalid paths in
      django/utils/archive.py.
    - CVE-2021-3281

 -- Marc Deslauriers <email address hidden>  Mon, 25 Jan 2021 07:34:39 -0500
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.3) focal-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via archive.extract()
    - debian/patches/CVE-2021-3281.patch: check for invalid paths in
      django/utils/archive.py.
    - CVE-2021-3281

 -- Marc Deslauriers <email address hidden>  Mon, 25 Jan 2021 07:31:24 -0500
Superseded in groovy-updates
Superseded in groovy-security
python-django (2:2.2.16-1ubuntu0.1) groovy-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via archive.extract()
    - debian/patches/CVE-2021-3281.patch: check for invalid paths in
      django/utils/archive.py.
    - CVE-2021-3281

 -- Marc Deslauriers <email address hidden>  Mon, 25 Jan 2021 07:29:17 -0500
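
Several entries on this page describe the same class of fix: CVE-2021-31542 and CVE-2021-45452 (file-name sanitation in Storage.save(), with the allow_relative_path parameter on validate_file_name()), CVE-2021-28658 (uploaded file names), CVE-2021-33203 (safe_join in admindocs) and CVE-2021-3281 (archive.extract() rejecting absolute paths and dot segments). The following is one added example serving all of them; it is not Django's code and not from the page. It re-implements a safe_join() and a validate_file_name() with os.path only, and applies safe_join() to archive member names. Names, the allow_relative_path semantics and the sample paths are this example's own assumptions.

```python
"""Refusing file names and archive members that escape their base directory.

Added example, not Django's implementation. safe_join() and
validate_file_name() are this example's own re-creations of the checks the
CVE-2021-31542, CVE-2021-45452, CVE-2021-28658, CVE-2021-33203 and
CVE-2021-3281 changelog entries describe. Paths are POSIX-style.
"""
import os
import posixpath
from typing import Optional


class SuspiciousFileOperation(ValueError):
    """Raised when a name would resolve outside the directory it belongs in."""


def safe_join(base: str, *paths: str) -> str:
    """Join ``paths`` onto ``base`` and refuse a result outside ``base``.

    os.path.abspath() collapses '..' segments, and os.path.join() discards
    ``base`` entirely when a later component is absolute, so both traversal
    forms arrive at the prefix test below as a path that fails it.
    """
    base_path = os.path.abspath(base)
    final_path = os.path.abspath(os.path.join(base_path, *paths))
    if final_path != base_path and not final_path.startswith(base_path + os.sep):
        raise SuspiciousFileOperation(f"{final_path!r} is outside {base_path!r}")
    return final_path


def validate_file_name(name: str, allow_relative_path: bool = False) -> str:
    """Accept a bare file name, or (with allow_relative_path) a relative path
    that stays below the storage root; reject everything else (assumed
    semantics for the allow_relative_path parameter named on the page)."""
    normalized = name.replace("\\", "/")
    if normalized in ("", ".", ".."):
        raise SuspiciousFileOperation(f"Could not derive file name from {name!r}")
    if allow_relative_path:
        path = posixpath.normpath(normalized)
        if path.startswith("/") or path == ".." or path.startswith("../"):
            raise SuspiciousFileOperation(f"Detected path traversal attempt in {name!r}")
    elif normalized != posixpath.basename(normalized):
        raise SuspiciousFileOperation(f"File name {name!r} includes path elements")
    return name


def is_acceptable_name(name: str, allow_relative_path: bool = False) -> bool:
    """Boolean wrapper around validate_file_name() for callers that log and drop."""
    try:
        validate_file_name(name, allow_relative_path)
    except SuspiciousFileOperation:
        return False
    return True


def extract_destination(member: str, target_dir: str) -> Optional[str]:
    """Where an archive member would be written, or None if it would land
    outside ``target_dir`` (absolute member names, '..' segments)."""
    try:
        return safe_join(target_dir, member)
    except SuspiciousFileOperation:
        return None


if __name__ == "__main__":
    # Constructed sample names; none are read from disk.
    for n in ["report.pdf", "../report.pdf", "2021/01/report.pdf"]:
        print(n, is_acceptable_name(n), is_acceptable_name(n, allow_relative_path=True))
    for m in ["pkg/setup.py", "../outside.txt", "/abs/elsewhere.txt"]:
        print(m, extract_destination(m, "/tmp/extract"))
```

safe_join() compares lexically normalised paths; if the base directory may contain symlinks pointing elsewhere, resolve with os.path.realpath() on both sides before the prefix test, otherwise the check describes the name rather than the file it ends up touching.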
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
python-django (2:2.2.17-2) unstable; urgency=medium

  * Fix compatibility with xgettext 0.21. (Closes: #978263)
  * Move to debian/watch file version 4.
  * Bump Standards-Version to 4.5.1.

 -- Chris Lamb <email address hidden>  Sun, 27 Dec 2020 16:42:36 +0000

Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
python-django (2:2.2.17-1) unstable; urgency=medium

  [ Chris Lamb ]
  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/stable/releases/2.2.17/>

  [ Ondřej Nový ]
  * d/control: Update Maintainer field with new Debian Python Team
    contact address.
  * d/control: Update Vcs-* fields with new Debian Python Team Salsa
    layout.

 -- Chris Lamb <email address hidden>  Tue, 03 Nov 2020 10:46:54 +0000

Superseded in hirsute-release
Obsolete in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
python-django (2:2.2.16-1) unstable; urgency=medium

  * New upstream security release to address CVE-2020-24583, CVE-2020-24584.
    (Closes: #969367)
    <https://www.djangoproject.com/weblog/2020/sep/01/security-releases/>

 -- Chris Lamb <email address hidden>  Tue, 01 Sep 2020 12:21:39 +0100

Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Incorrect permissions on intermediate-level
    directories on Python 3.7+
    - debian/patches/CVE-2020-24583.patch: set umask in
      django/core/files/storage.py, added test and test files to tests/*.
    - CVE-2020-24583
  * SECURITY UPDATE: Permission escalation in intermediate-level
    directories of the file system cache on Python 3.7+
    - debian/patches/CVE-2020-24584.patch: set umask in
      django/core/cache/backends/filebased.py, added test to
      tests/cache/tests.py.
    - CVE-2020-24584

 -- Marc Deslauriers <email address hidden>  Tue, 25 Aug 2020 09:58:36 -0400
Superseded in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
python-django (2:2.2.15-2) unstable; urgency=medium

  * Set the PYTHONPATH in the autopkgtests in the same way that we do in
    debian/rules. (Closes: #968577)

 -- Chris Lamb <email address hidden>  Mon, 17 Aug 2020 23:02:17 +0100
Superseded in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
python-django (2:2.2.12-1ubuntu1) groovy; urgency=medium

  * SECURITY UPDATE: Potential data leakage via malformed memcached keys
    - debian/patches/CVE-2020-13254.patch: enforced cache key validation in
      memcached backends in django/core/cache/__init__.py,
      django/core/cache/backends/base.py,
      django/core/cache/backends/memcached.py, tests/cache/tests.py.
    - CVE-2020-13254
  * SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
    - debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin
      ForeignKeyRawIdWidget in django/contrib/admin/widgets.py,
      tests/admin_widgets/models.py, tests/admin_widgets/tests.py.
    - CVE-2020-13596

 -- Marc Deslauriers <email address hidden>  Thu, 28 May 2020 10:10:05 -0400
Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.9) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential data leakage via malformed memcached keys
    - debian/patches/CVE-2020-13254.patch: enforced cache key validation in
      memcached backends in django/core/cache/__init__.py,
      django/core/cache/backends/base.py,
      django/core/cache/backends/memcached.py, tests/cache/tests.py.
    - CVE-2020-13254
  * SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
    - debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin
      ForeignKeyRawIdWidget in django/contrib/admin/widgets.py,
      tests/admin_widgets/models.py, tests/admin_widgets/tests.py.
    - CVE-2020-13596

 -- Marc Deslauriers <email address hidden>  Thu, 28 May 2020 10:30:39 -0400
Obsolete in eoan-updates
Obsolete in eoan-security
python-django (1:1.11.22-1ubuntu1.4) eoan-security; urgency=medium

  * SECURITY UPDATE: Potential data leakage via malformed memcached keys
    - debian/patches/CVE-2020-13254.patch: enforced cache key validation in
      memcached backends in django/core/cache/__init__.py,
      django/core/cache/backends/base.py,
      django/core/cache/backends/memcached.py, tests/cache/tests.py.
    - CVE-2020-13254
  * SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
    - debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin
      ForeignKeyRawIdWidget in django/contrib/admin/widgets.py,
      tests/admin_widgets/models.py, tests/admin_widgets/tests.py.
    - CVE-2020-13596

 -- Marc Deslauriers <email address hidden>  Thu, 28 May 2020 10:28:03 -0400
Superseded in xenial-updates
Superseded in xenial-security
python-django (1.8.7-1ubuntu5.13) xenial-security; urgency=medium

  * SECURITY UPDATE: Potential data leakage via malformed memcached keys
    - debian/patches/CVE-2020-13254.patch: enforced cache key validation in
      memcached backends in django/core/cache/__init__.py,
      django/core/cache/backends/base.py,
      django/core/cache/backends/memcached.py, tests/cache/tests.py.
    - CVE-2020-13254
  * SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
    - debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin
      ForeignKeyRawIdWidget in django/contrib/admin/widgets.py.
    - CVE-2020-13596

 -- Marc Deslauriers <email address hidden>  Thu, 28 May 2020 10:48:45 -0400
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Potential data leakage via malformed memcached keys
    - debian/patches/CVE-2020-13254.patch: enforced cache key validation in
      memcached backends in django/core/cache/__init__.py,
      django/core/cache/backends/base.py,
      django/core/cache/backends/memcached.py, tests/cache/tests.py.
    - CVE-2020-13254
  * SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
    - debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin
      ForeignKeyRawIdWidget in django/contrib/admin/widgets.py,
      tests/admin_widgets/models.py, tests/admin_widgets/tests.py.
    - CVE-2020-13596

 -- Marc Deslauriers <email address hidden>  Thu, 28 May 2020 10:10:05 -0400
Superseded in groovy-release
Published in focal-release
Deleted in focal-proposed (Reason: moved to Release)
python-django (2:2.2.12-1) unstable; urgency=medium

  * New upstream release.
    <https://docs.djangoproject.com/en/3.0/releases/2.2.12/>

 -- Chris Lamb <email address hidden>  Wed, 01 Apr 2020 10:43:19 +0100
Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
python-django (2:2.2.11-1) unstable; urgency=medium

  * New upstream security release. (Closes: #953102)
    <https://www.djangoproject.com/weblog/2020/mar/04/security-releases/>

 -- Chris Lamb <email address hidden>  Wed, 04 Mar 2020 08:01:27 -0800
Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
python-django (2:2.2.10-1ubuntu1) focal; urgency=medium

  * SECURITY UPDATE: SQL injection in Oracle GIS functions and aggregates
    - debian/patches/CVE-2020-9402.patch: properly escaped tolerance
      parameter in GIS functions and aggregates on Oracle in
      django/contrib/gis/db/models/aggregates.py,
      django/contrib/gis/db/models/functions.py,
      tests/gis_tests/distapp/tests.py, tests/gis_tests/geoapp/tests.py.
    - CVE-2020-9402

 -- Marc Deslauriers <email address hidden>  Wed, 04 Mar 2020 09:05:10 -0500
Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.8) bionic-security; urgency=medium

  * SECURITY UPDATE: SQL injection in Oracle GIS functions and aggregates
    - debian/patches/CVE-2020-9402.patch: properly escaped tolerance
      parameter in GIS functions and aggregates on Oracle in
      django/contrib/gis/db/models/aggregates.py,
      django/contrib/gis/db/models/functions.py,
      tests/gis_tests/distapp/tests.py, tests/gis_tests/geoapp/tests.py.
    - CVE-2020-9402

 -- Marc Deslauriers <email address hidden>  Fri, 28 Feb 2020 13:07:57 -0500
Superseded in xenial-updates
Superseded in xenial-security
python-django (1.8.7-1ubuntu5.12) xenial-security; urgency=medium

  * SECURITY UPDATE: SQL injection in Oracle GIS functions and aggregates
    - debian/patches/CVE-2020-9402.patch: properly escaped tolerance
      parameter in GIS functions and aggregates on Oracle in
      django/contrib/gis/db/models/aggregates.py,
      tests/gis_tests/distapp/tests.py, tests/gis_tests/geoapp/tests.py.
    - CVE-2020-9402

 -- Marc Deslauriers <email address hidden>  Fri, 28 Feb 2020 13:12:33 -0500
Superseded in eoan-updates
Superseded in eoan-security
python-django (1:1.11.22-1ubuntu1.3) eoan-security; urgency=medium

  * SECURITY UPDATE: SQL injection in Oracle GIS functions and aggregates
    - debian/patches/CVE-2020-9402.patch: properly escaped tolerance
      parameter in GIS functions and aggregates on Oracle in
      django/contrib/gis/db/models/aggregates.py,
      django/contrib/gis/db/models/functions.py,
      tests/gis_tests/distapp/tests.py, tests/gis_tests/geoapp/tests.py.
    - CVE-2020-9402

 -- Marc Deslauriers <email address hidden>  Fri, 28 Feb 2020 13:05:32 -0500
Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
python-django (2:2.2.10-1) unstable; urgency=medium

  * New upstream security release. (Closes: #950581)
    <https://www.djangoproject.com/weblog/2020/feb/03/security-releases/>
  * Bump Standards-Version to 4.5.0.

 -- Chris Lamb <email address hidden>  Tue, 04 Feb 2020 17:19:01 +0100
Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.7) bionic-security; urgency=medium

  * SECURITY UPDATE: Possible SQL injection in the postgres aggregates
    StringAgg function
    - debian/patches/CVE-2020-7471.patch: Update
      django/contrib/postgres/aggregates/general.py to escape delimited
      parameter to the StringAgg function. Upstream patch.
    - CVE-2020-7471

 -- Alex Murray <email address hidden>  Fri, 31 Jan 2020 14:14:46 +1030
Superseded in eoan-updates
Superseded in eoan-security
python-django (1:1.11.22-1ubuntu1.2) eoan-security; urgency=medium

  * SECURITY UPDATE: Possible SQL injection in the postgres aggregates
    StringAgg function
    - debian/patches/CVE-2020-7471.patch: Update
      django/contrib/postgres/aggregates/general.py to escape delimited
      parameter to the StringAgg function. Upstream patch.
    - CVE-2020-7471

 -- Alex Murray <email address hidden>  Fri, 31 Jan 2020 14:05:54 +1030
Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
python-django (2:2.2.9-2ubuntu1) focal; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Mark a few failing tests as expected.

Superseded in focal-proposed
python-django (2:2.2.9-2) unstable; urgency=medium

  * Add python3-selenium to test-dependencies and to a runtime "Suggests".
    (Closes: #947549)

 -- Chris Lamb <email address hidden>  Sat, 28 Dec 2019 11:11:37 +0000
Superseded in xenial-updates
Superseded in xenial-security
python-django (1.8.7-1ubuntu5.11) xenial-security; urgency=medium

  * SECURITY UPDATE: Potential account hijack via password reset form
    - debian/patches/CVE-2019-19844.patch: Use verified user email for
      password reset requests.
    - CVE-2019-19844

 -- Steve Beattie <email address hidden>  Wed, 18 Dec 2019 12:37:04 -0800
Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.6) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential account hijack via password reset form
    - debian/patches/CVE-2019-19844.patch: Use verified user email for
      password reset requests.
    - CVE-2019-19844

 -- Steve Beattie <email address hidden>  Wed, 18 Dec 2019 08:44:43 -0800
Obsolete in disco-updates
Obsolete in disco-security
python-django (1:1.11.20-1ubuntu0.3) disco-security; urgency=medium

  * SECURITY UPDATE: Potential account hijack via password reset form
    - debian/patches/CVE-2019-19844.patch: Use verified user email for
      password reset requests.
    - CVE-2019-19844

 -- Steve Beattie <email address hidden>  Wed, 18 Dec 2019 08:42:46 -0800
Superseded in eoan-updates
Superseded in eoan-security
python-django (1:1.11.22-1ubuntu1.1) eoan-security; urgency=medium

  * SECURITY UPDATE: Potential account hijack via password reset form
    - debian/patches/CVE-2019-19844.patch: Use verified user email for
      password reset requests.
    - CVE-2019-19844

 -- Steve Beattie <email address hidden>  Wed, 18 Dec 2019 08:40:29 -0800
Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
python-django (2:2.2.6-1ubuntu1) focal; urgency=medium

  * Mark a few failing tests as expected.

 -- Dimitri John Ledkov <email address hidden>  Fri, 01 Nov 2019 00:13:50 +0000
Superseded in focal-proposed
python-django (2:2.2.6-1) unstable; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/2.2/releases/2.2.6/>

 -- Chris Lamb <email address hidden>  Tue, 01 Oct 2019 10:44:50 +0100
Superseded in focal-release
Obsolete in eoan-release
Deleted in eoan-proposed (Reason: moved to Release)
python-django (1:1.11.22-1ubuntu1) eoan; urgency=medium

  * SECURITY UPDATE: Denial-of-service possibility in
    django.utils.text.Truncator
    - debian/patches/CVE-2019-14232.patch: adjusted regex to avoid
      backtracking issues when truncating HTML in django/utils/text.py,
      tests/template_tests/filter_tests/test_truncatewords_html.py,
      tests/utils_tests/test_text.py.
    - CVE-2019-14232
  * SECURITY UPDATE: Denial-of-service possibility in strip_tags()
    - debian/patches/CVE-2019-14233.patch: prevented excessive HTMLParser
      recursion in strip_tags() when handling incomplete HTML entities in
      django/utils/html.py, tests/utils_tests/test_html.py.
    - CVE-2019-14233
  * SECURITY UPDATE: SQL injection possibility in key and index lookups for
    JSONField/HStoreField
    - debian/patches/CVE-2019-14234.patch: protected JSONField/HStoreField
      key and index lookups against SQL injection in
      django/contrib/postgres/fields/hstore.py,
      django/contrib/postgres/fields/jsonb.py,
      tests/postgres_tests/test_hstore.py,
      tests/postgres_tests/test_json.py.
    - CVE-2019-14234
  * SECURITY UPDATE: Potential memory exhaustion in
    django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2019-14235.patch: fixed potential memory
      exhaustion in django.utils.encoding.uri_to_iri() in
      django/utils/encoding.py, tests/utils_tests/test_encoding.py.
    - CVE-2019-14235

 -- Marc Deslauriers <email address hidden>  Thu, 19 Sep 2019 16:21:15 +0200
Deleted in eoan-proposed (Reason: won't be released; superseded by python-django 2.2.5 in u...)
python-django (2:2.2.4-1) unstable; urgency=medium

  * New upstream security release. (Closes: #934026)
    <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>

 -- Chris Lamb <email address hidden>  Tue, 06 Aug 2019 10:08:25 +0100
Superseded in xenial-updates
Superseded in xenial-security
python-django (1.8.7-1ubuntu5.10) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial-of-service possibility in
    django.utils.text.Truncator
    - debian/patches/CVE-2019-14232.patch: adjusted regex to avoid
      backtracking issues when truncating HTML in django/utils/text.py,
      tests/template_tests/filter_tests/test_truncatewords_html.py,
      tests/utils_tests/test_text.py.
    - CVE-2019-14232
  * SECURITY UPDATE: Denial-of-service possibility in strip_tags()
    - debian/patches/CVE-2019-14233.patch: prevented excessive HTMLParser
      recursion in strip_tags() when handling incomplete HTML entities in
      django/utils/html.py, tests/utils_tests/test_html.py.
    - CVE-2019-14233
  * SECURITY UPDATE: SQL injection possibility in key and index lookups for
    JSONField/HStoreField
    - debian/patches/CVE-2019-14234.patch: protected JSONField/HStoreField
      key and index lookups against SQL injection in
      django/contrib/postgres/fields/hstore.py,
      tests/postgres_tests/test_hstore.py.
    - CVE-2019-14234
  * SECURITY UPDATE: Potential memory exhaustion in
    django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2019-14235.patch: fixed potential memory
      exhaustion in django.utils.encoding.uri_to_iri() in
      django/utils/encoding.py, tests/utils_tests/test_encoding.py.
    - CVE-2019-14235

 -- Marc Deslauriers <email address hidden>  Fri, 26 Jul 2019 07:41:12 -0400
Superseded in disco-updates
Superseded in disco-security
python-django (1:1.11.20-1ubuntu0.2) disco-security; urgency=medium

  * SECURITY UPDATE: Denial-of-service possibility in
    django.utils.text.Truncator
    - debian/patches/CVE-2019-14232.patch: adjusted regex to avoid
      backtracking issues when truncating HTML in django/utils/text.py,
      tests/template_tests/filter_tests/test_truncatewords_html.py,
      tests/utils_tests/test_text.py.
    - CVE-2019-14232
  * SECURITY UPDATE: Denial-of-service possibility in strip_tags()
    - debian/patches/CVE-2019-14233.patch: prevented excessive HTMLParser
      recursion in strip_tags() when handling incomplete HTML entities in
      django/utils/html.py, tests/utils_tests/test_html.py.
    - CVE-2019-14233
  * SECURITY UPDATE: SQL injection possibility in key and index lookups for
    JSONField/HStoreField
    - debian/patches/CVE-2019-14234.patch: protected JSONField/HStoreField
      key and index lookups against SQL injection in
      django/contrib/postgres/fields/hstore.py,
      django/contrib/postgres/fields/jsonb.py,
      tests/postgres_tests/test_hstore.py,
      tests/postgres_tests/test_json.py.
    - CVE-2019-14234
  * SECURITY UPDATE: Potential memory exhaustion in
    django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2019-14235.patch: fixed potential memory
      exhaustion in django.utils.encoding.uri_to_iri() in
      django/utils/encoding.py, tests/utils_tests/test_encoding.py.
    - CVE-2019-14235

 -- Marc Deslauriers <email address hidden>  Fri, 26 Jul 2019 07:24:02 -0400
Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.5) bionic-security; urgency=medium

  * SECURITY UPDATE: Denial-of-service possibility in
    django.utils.text.Truncator
    - debian/patches/CVE-2019-14232.patch: adjusted regex to avoid
      backtracking issues when truncating HTML in django/utils/text.py,
      tests/template_tests/filter_tests/test_truncatewords_html.py,
      tests/utils_tests/test_text.py.
    - CVE-2019-14232
  * SECURITY UPDATE: Denial-of-service possibility in strip_tags()
    - debian/patches/CVE-2019-14233.patch: prevented excessive HTMLParser
      recursion in strip_tags() when handling incomplete HTML entities in
      django/utils/html.py, tests/utils_tests/test_html.py.
    - CVE-2019-14233
  * SECURITY UPDATE: SQL injection possibility in key and index lookups for
    JSONField/HStoreField
    - debian/patches/CVE-2019-14234.patch: protected JSONField/HStoreField
      key and index lookups against SQL injection in
      django/contrib/postgres/fields/hstore.py,
      django/contrib/postgres/fields/jsonb.py,
      tests/postgres_tests/test_hstore.py,
      tests/postgres_tests/test_json.py.
    - CVE-2019-14234
  * SECURITY UPDATE: Potential memory exhaustion in
    django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2019-14235.patch: fixed potential memory
      exhaustion in django.utils.encoding.uri_to_iri() in
      django/utils/encoding.py, tests/utils_tests/test_encoding.py.
    - CVE-2019-14235

 -- Marc Deslauriers <email address hidden>  Fri, 26 Jul 2019 07:29:57 -0400
Superseded in eoan-proposed
python-django (2:2.2.3-5) unstable; urgency=medium

  [ Chris Lamb ]
  * Drop Pre-Depends on version of dpkg that is now satisfied in oldoldstable.

  [ Ondřej Nový ]
  * Bump Standards-Version to 4.4.0

 -- Chris Lamb <email address hidden>  Wed, 24 Jul 2019 11:36:15 -0300
Superseded in eoan-proposed
python-django (2:2.2.3-4) unstable; urgency=medium

  * Fixup debian/python-django-doc.doc-base to refer to the new location(s) of
    the documentation. (Closes: #931652)

 -- Chris Lamb <email address hidden>  Mon, 08 Jul 2019 21:49:47 -0300
Superseded in eoan-release
Deleted in eoan-proposed (Reason: moved to release)
python-django (1:1.11.22-1) unstable; urgency=medium

  * New upstream security release.
    <https://www.djangoproject.com/weblog/2019/jul/01/security-releases/>
    (Closes: #931316)

 -- Chris Lamb <email address hidden>  Mon, 01 Jul 2019 17:09:52 -0300
Superseded in disco-updates
Superseded in disco-security
python-django (1:1.11.20-1ubuntu0.1) disco-security; urgency=medium

  * SECURITY UPDATE: Incorrect HTTP detection with reverse-proxy
    connecting via HTTPS
    - debian/patches/CVE-2019-12781.patch: made HttpRequest always
      trust SECURE_PROXY_SSL_HEADER if set in django/http/request.py,
      docs/ref/settings.txt and added tests to tests/settings_test/tests.py.
    - CVE-2019-12781
  * SECURITY UPDATE: XSS in Django admin via AdminURLFieldWidget
    - debian/patches/CVE-2019-12308.patch: made AdminURLFieldWidget
      validate URL before rendering clickable link in
      django/contrib/admin/templates/admin/widgets/url.html,
      django/contrib/admin/widgets.py and added a test in
      test/admin_widgets/tests.py.
    - CVE-2019-12308

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 24 Jun 2019 13:49:07 -0300
Superseded in xenial-updates
Superseded in xenial-security
python-django (1.8.7-1ubuntu5.9) xenial-security; urgency=medium

  * SECURITY UPDATE: Incorrect HTTP detection with reverse-proxy
    connecting via HTTPS
    - debian/patches/CVE-2019-12781.patch: made HttpRequest always
      trust SECURE_PROXY_SSL_HEADER if set in django/http/request.py,
      docs/ref/settings.txt and added tests to tests/settings_test/tests.py.
    - CVE-2019-12781

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 24 Jun 2019 11:30:16 -0300