Change logs for python-django source package in Artful

  • python-django (1:1.11.4-1ubuntu1.2) artful-security; urgency=medium
    
      * SECURITY UPDATE: DoS in urlize and urlizetrunc template filters
        - debian/patches/CVE-2018-7536.patch: fix backtracking in
          django/utils/html.py, add test to tests/utils_tests/test_html.py.
        - CVE-2018-7536
      * SECURITY UPDATE: DoS in truncatechars_html and truncatewords_html
        template filters
        - debian/patches/CVE-2018-7537.patch: fix backtracking in
          django/utils/text.py, add test to tests/utils_tests/test_text.py.
        - CVE-2018-7537
    
     -- Marc Deslauriers <email address hidden>  Mon, 05 Mar 2018 14:32:00 +0100
  • python-django (1:1.11.4-1ubuntu1.1) artful-security; urgency=medium
    
      * SECURITY UPDATE: cross-site scripting attack
        - debian/patches/CVE-2017-12794.patch: Fixed XSS possibility in
          traceback section of technical 500 debug page in django/views/debug.py,
          tests/view_tests/tests/py3_test_debug.py.
        - CVE-2017-12794
      * SECURITY UPDATE: AuthenticationForm issue allowed obtaining potentially
        sensitive information
        - debian/patches/CVE-2018-6188.patch: this backport added just a test that
          was missing; the major part of the code of the original patch was
          already applied in the package. Test added in
          test/auth_tests/test_forms.py.
        - CVE-2018-6188
    
     -- <email address hidden> (Leonidas S. Barbosa)  Tue, 06 Feb 2018 10:18:21 -0300
  • python-django (1:1.11.4-1ubuntu1) artful; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/patches/pymysql-replacement.patch: Use pymysql as drop in
          replacement for MySQLdb.
        - debian/control: Drop python-mysqldb in favor of python-pymysql.
    
    python-django (1:1.11.4-1) unstable; urgency=medium
    
      * New upstream bugfix release.
        <https://docs.djangoproject.com/en/1.11/releases/1.11.4/>
    
     -- Steve Langasek <email address hidden>  Wed, 09 Aug 2017 08:49:41 -0700
  • python-django (1:1.11.3-1ubuntu1) artful; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/patches/pymysql-replacement.patch: Use pymysql as drop in
          replacement for MySQLdb.
        - debian/control: Drop python-mysqldb in favor of python-pymysql.
      * All other changes dropped, as they were backports of upstream fixes.
    
    python-django (1:1.11.3-1) unstable; urgency=medium
    
      [ Chris Lamb ]
      * New upstream bugfix release.
        - Drop 0003-Fixed-test_middleware_classes_headers-if-Django-sour.patch as
          it was merged upstream.
      * Check DEB_BUILD_PROFILES consistently, not DEB_BUILD_OPTIONS.
    
      [ Brian May ]
      * Use locally installed intersphinx mapping sources. (Closes: #852512)
    
    python-django (1:1.11.2-2) unstable; urgency=medium
    
      * Upload (LTS) release to unstable.
        - Incorporate Python 3.6 compatibility. (Closes: #865053)
      * Use !nocheck profile for build dependencies that are only required for
        tests.
      * Move to debhelper compatibility level 10.
      * Bump Standards-Version to 4.0.0.
      * wrap-and-sort -sa.
    
    python-django (1:1.11.2-1) experimental; urgency=medium
    
      [ Chris Lamb ]
      * New upstream minor release.
        <https://docs.djangoproject.com/en/1.11/releases/1.11.2/>
      * Backport patch from <https://code.djangoproject.com/ticket/26755> to
        prevent test_middleware_classes_headers from failing if the Django source
        is not writable. This should fix the autopkgtests. (Closes: #816435)
      * Refresh all patches with ``pq import && pq export --renumber``.
    
      [ Raphaël Hertzog ]
      * Update README.source and debian/gbp.conf.
      * Document a minimal Django packaging policy in
        README.Django-packaging-policy. (Closes: #863514)
      * Remove README.Debian which contained only outdated information.
      * Drop FastCGI initscript, it's obsolete, WSGI is required nowadays.
      * Drop migrate-south helper script as south has been gone for a long time
        already.
      * Add same documentation in python3-django as in python-django.
        (Closes: #831838)
    
    python-django (1:1.11.1-3) experimental; urgency=medium
    
      * Really add Build-Depends on libgdal-dev.
    
    python-django (1:1.11.1-2) experimental; urgency=medium
    
      * Add missing Build-Depends on libgdal-dev due to new GIS tests.
    
    python-django (1:1.11.1-1) experimental; urgency=medium
    
      * New upstream minor release.
        <https://docs.djangoproject.com/en/1.11/releases/1.11.1/>
    
    python-django (1:1.11-1) experimental; urgency=medium
    
      * New upstream stable release. (Closes: #859515, #859516)
    
    python-django (1:1.11~rc1-1) experimental; urgency=medium
    
      * New upstream beta release.
    
    python-django (1:1.11~beta1-1) experimental; urgency=medium
    
      * New upstream beta release.
      * Update debian/gbp.conf.
      * Drop taskset calls when running testsuite now that
        <https://code.djangoproject.com/ticket/27741> has been resolved.
    
    python-django (1:1.11~alpha1-1) experimental; urgency=medium
    
      * New upstream alpha release.
      * Match/mangle upstream versions using (eg.) "b1" instead of "beta1" in
        debian/watch.
      * Drop now-unused source-is-missing Lintian overrides.
      * Limit parallelism in testsuite to avoid FTBFS. See:
        <https://code.djangoproject.com/ticket/27741>
    
     -- Steve Langasek <email address hidden>  Fri, 07 Jul 2017 15:19:59 -0700
  • python-django (1:1.11.2-2ubuntu1) artful; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/patches/pymysql-replacement.patch: Use pymysql as drop in
          replacement for MySQLdb.
        - debian/control: Drop python-mysqldb in favor of python-pymysql.
      * All other changes dropped, as they were backports of upstream fixes.
    
    python-django (1:1.11.2-2) unstable; urgency=medium
    
      * Upload (LTS) release to unstable.
        - Incorporate Python 3.6 compatibility. (Closes: #865053)
      * Use !nocheck profile for build dependencies that are only required for
        tests.
      * Move to debhelper compatibility level 10.
      * Bump Standards-Version to 4.0.0.
      * wrap-and-sort -sa.
    
    python-django (1:1.11.2-1) experimental; urgency=medium
    
      [ Chris Lamb ]
      * New upstream minor release.
        <https://docs.djangoproject.com/en/1.11/releases/1.11.2/>
      * Backport patch from <https://code.djangoproject.com/ticket/26755> to
        prevent test_middleware_classes_headers from failing if the Django source
        is not writable. This should fix the autopkgtests. (Closes: #816435)
      * Refresh all patches with ``pq import && pq export --renumber``.
    
      [ Raphaël Hertzog ]
      * Update README.source and debian/gbp.conf.
      * Document a minimal Django packaging policy in
        README.Django-packaging-policy. (Closes: #863514)
      * Remove README.Debian which contained only outdated information.
      * Drop FastCGI initscript, it's obsolete, WSGI is required nowadays.
      * Drop migrate-south helper script as south has been gone for a long time
        already.
      * Add same documentation in python3-django as in python-django.
        (Closes: #831838)
    
    python-django (1:1.11.1-3) experimental; urgency=medium
    
      * Really add Build-Depends on libgdal-dev.
    
    python-django (1:1.11.1-2) experimental; urgency=medium
    
      * Add missing Build-Depends on libgdal-dev due to new GIS tests.
    
    python-django (1:1.11.1-1) experimental; urgency=medium
    
      * New upstream minor release.
        <https://docs.djangoproject.com/en/1.11/releases/1.11.1/>
    
    python-django (1:1.11-1) experimental; urgency=medium
    
      * New upstream stable release. (Closes: #859515, #859516)
    
    python-django (1:1.11~rc1-1) experimental; urgency=medium
    
      * New upstream beta release.
    
    python-django (1:1.11~beta1-1) experimental; urgency=medium
    
      * New upstream beta release.
      * Update debian/gbp.conf.
      * Drop taskset calls when running testsuite now that
        <https://code.djangoproject.com/ticket/27741> has been resolved.
    
    python-django (1:1.11~alpha1-1) experimental; urgency=medium
    
      * New upstream alpha release.
      * Match/mangle upstream versions using (eg.) "b1" instead of "beta1" in
        debian/watch.
      * Drop now-unused source-is-missing Lintian overrides.
      * Limit parallelism in testsuite to avoid FTBFS. See:
        <https://code.djangoproject.com/ticket/27741>
    
     -- Steve Langasek <email address hidden>  Mon, 26 Jun 2017 09:05:18 -0700
  • python-django (1:1.10.7-2ubuntu2) artful; urgency=medium
    
      * d/p/0001-Refs-27025-Fixed-tests-for-the-new-ModuleNotFoundErr.patch,
        d/p/0001-Refs-27025-Fixed-a-test-for-the-new-re.RegexFlag-in-.patch,
        d/p/0001-Refs-27025-Fixed-a-timezone-test-for-Python-3.6.patch,
        d/p/0001-Refs-27025-Fixed-a-servers-test-on-Python-3.6.patch:
        fix tests for compatibility with python 3.6.
    
     -- Steve Langasek <email address hidden>  Sat, 17 Jun 2017 23:33:25 -0700
  • python-django (1:1.10.7-2ubuntu1) artful; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/patches/pymysql-replacement.patch: Use pymysql as drop in
          replacement for MySQLdb.
        - debian/control: Drop python-mysqldb in favor of python-pymysql.
      * All other changes dropped, as they were backports of upstream fixes.
    
    python-django (1:1.10.7-2) unstable; urgency=medium
    
      * Accept again migrations depending on initial migrations that
        can be fake applied. Closes: #863267
      * Add patch to fix DEP-8 test. Closes: #816435
    
    python-django (1:1.10.7-1) unstable; urgency=medium
    
      * New upstream security release:
    
        - CVE-2017-7233: Open redirect and possible XSS attack via user-supplied
          numeric redirect URLs.
    
          Django relies on user input in some cases (e.g.
          django.contrib.auth.views.login() and i18n) to redirect the user to an
          "on success" URL. The security check for these redirects (namely
          django.utils.http.is_safe_url()) considered some numeric URLs (e.g.
          http:999999999) "safe" when they shouldn't be.
    
          Also, if a developer relies on is_safe_url() to provide safe redirect
          targets and puts such a URL into a link, they could suffer from an XSS
          attack. (Closes: #859515)
    
        - CVE-2017-7234: Open redirect vulnerability in django.views.static.serve().
    
          A maliciously crafted URL to a Django site using the
          django.views.static.serve() view could redirect to any other domain. The
          view no longer does any redirects as they don't provide any known,
          useful functionality.
    
          Note, however, that this view has always carried a warning that it is
          not hardened for production use and should be used only as a development
          aid. Thanks Phithon Gong for reporting this issue. (Closes: #859516)
    
    python-django (1:1.10.6-1) unstable; urgency=medium
    
      * New upstream bugfix release:
        - Fixed ClearableFileInput’s “Clear” checkbox on model form fields where
          the model field has a default (#27805).
        - Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing rather
          than generating a bad request response (#27820).
        - Fixed a crash on Oracle and PostgreSQL when subtracting DurationField or
          IntegerField from DateField (#27828).
        - Fixed query expression date subtraction accuracy on PostgreSQL for
          differences larger than a month (#27856).
        - Fixed a GDALException raised by GDALClose on GDAL ≥ 2.0 (#27479).
    
    python-django (1:1.10.5-1) unstable; urgency=medium
    
      * New upstream bugfix release.
        <https://www.djangoproject.com/weblog/2017/jan/04/bugfix-release/>
        - Drop 0003-Fix-test-suite-in-parallel-mode.patch; applied upstream.
    
    python-django (1:1.10.3-2) unstable; urgency=medium
    
      * Add patch to fix tests running in parallel. Closes: #844139
      * Update copyright file (and drop new extra LICENSE.txt).
      * Adjust lintian overrides.
    
    python-django (1:1.10.3-1) unstable; urgency=medium
    
      * New upstream release. (Closes: #844037)
    
    python-django (1:1.10.1-1) unstable; urgency=medium
    
      * New upstream bugfix release.
        - Drop 07_fix-test-failures-due-to-translation-updates.diff; applied
          upstream.
      * Ensure that "django-admin startproject foo" using python3-django emits the
        correct shebang (Closes: #833275)
    
    python-django (1:1.10-2) unstable; urgency=medium
    
      * Add patch from upstream to fix admin_utils test failures due to translation
        updates.
    
    python-django (1:1.10-1) unstable; urgency=medium
    
      * New upstream release.
      * Drop debian/source/lintian-overrides now that #799861 is fixed in Lintian.
    
    python-django (1:1.9.8-1) unstable; urgency=high
    
      * New upstream security release:
        https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
        - CVE-2016-6186: XSS in admin's add/change related popup
    
    python-django (1:1.9.7-2) unstable; urgency=medium
    
      * Re-upload 1.9.7 to unstable with epoch.
    
    python-django (1.10~beta1-1) unstable; urgency=medium
    
      [ Chris Lamb ]
      * New upstream beta release.
      * Drop fix-25761-add-traceback-attribute.patch; applied upstream.
    
      [ Raphaël Hertzog ]
      * Remove obsolete /etc/bash_completion.d/django_bash_completion on upgrade.
        Closes: #801744
    
    python-django (1.9.7-1) unstable; urgency=medium
    
      [ Raphaël Hertzog ]
      * New upstream bugfix release.
      * Bump python-sphinx build dependency to >= 1.3. Closes: #824108
      * Drop build dependency on locales. C.UTF-8 that we currently use is part of
        libc-bin.
    
      [ Chris Lamb ]
      * Remove duplicated "of of" in python-django's README.Debian.
    
    python-django (1.9.6-1) unstable; urgency=medium
    
      * New upstream bugfix release.
    
    python-django (1.9.5-2) unstable; urgency=medium
    
      * Drop the dir_to_symlink transition that was only really needed
        for upgrades between versions 1.9~rc2 and 1.9.4. Closes: #821789
    
    python-django (1.9.5-1) unstable; urgency=medium
    
      * New upstream bugfix release:
        https://docs.djangoproject.com/en/1.9/releases/1.9.5/
      * Fix the DEP-8 test suite (django-admin --with python3 failing
        because ./manage.py does not have a good shebang).
      * Update Standards-Version to 3.9.8.
      * Add some lintian overrides.
      * Tweak Vcs-Browser to use https.
      * Drop obsolete parts of the copyright file.
    
    python-django (1.9.4-1) unstable; urgency=high
    
      [ Luke Faraone ]
      * New upstream security release:
        https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
        - CVE-2016-2512: Malicious redirect and possible XSS via user-supplied
          redirect URLs containing basic auth
        - CVE-2016-2513: User enumeration through timing difference on password
          hasher work factor upgrade
          Closes: #816434
    
      [ Raphaël Hertzog ]
      * Fix rules file to no longer mess with *_templates directories. They no
        longer contain invalid .py files but only *-tpl template files that are
        instantiated at runtime.
    
    python-django (1.9.2-1) unstable; urgency=medium
    
      * New upstream security release fixing:
        - CVE-2016-2048: User with "change" but not "add" permission can create
          objects for ModelAdmin objects with save_as=True
          Closes: #813448
    
    python-django (1.9.1-1) unstable; urgency=medium
    
      * New upstream release.
    
    python-django (1.9-2) unstable; urgency=medium
    
      [ Chris Lamb ]
      * Use dpkg-maintscript-helper's dir_to_symlink to correctly replace the
        app_template and project_template symlinks added in 1.9~rc2-2.
        (Closes: #807683)
    
      [ Raphaël Hertzog ]
      * Add some DEP-8 tests testing "django-admin" and running the test suite
        against the installed package. In both cases, we do it with python2 and
        python3.
      * Add python-tblib and python3-tblib to Build-Depends for the benefit of
        the parallel testing feature of the test suite.
      * Add "set -e" in the command line running the tests with all supported
        versions so that it actually fails as soon as one version is failing
        (and thus disallow later successes to shadow earlier failures).
    
    python-django (1.9-1) unstable; urgency=medium
    
      * Upload to unstable
      * Adjust uversionmangle in debian/watch to mangle "1.9rc2" scheme
        (previously only "1.9-rc-2" would have matched).
    
    python-django (1.9~rc2-2) experimental; urgency=medium
    
      * Move {app,project}_template to python-django-common to prevent
        byte-compilation (via pycompile) on installation, causing failure. They are
        not valid Python files until variables have been interpolated.
    
    python-django (1.9~rc2-1) experimental; urgency=medium
    
      * New upstream release candidate.
      * Add myself to Uploaders.
    
    python-django (1.8.7-2) unstable; urgency=high
    
      * Rely on C.UTF-8 to run the tests instead of building our locale ourselves.
      * Add debian/patches/fix-25761-add-traceback-attribute.patch:
        new patch to ensure exceptions registered in __cause__ attributes
        have a __traceback__ attribute. Closes: #802677
      * Extend lintian overrides to cover more false positives of
        source-is-missing.
      * Cleanup debian/copyright for dropped/renamed files.
      * Run tests for all supported Python versions.
    
     -- Steve Langasek <email address hidden>  Sat, 17 Jun 2017 21:55:34 -0700
  • python-django (1.8.7-1ubuntu11) zesty; urgency=medium
    
      * SECURITY UPDATE: Open redirect and possible XSS attack via
        user-supplied numeric redirect URLs
        - debian/patches/CVE-2017-7233.patch: fix is_safe_url() with numeric
          URLs in django/utils/http.py, added tests to
          tests/utils_tests/test_http.py.
        - CVE-2017-7233
      * SECURITY UPDATE: Open redirect vulnerability in
        django.views.static.serve()
        - debian/patches/CVE-2017-7234.patch: remove redirect from
          django/views/static.py.
        - CVE-2017-7234
    
     -- Marc Deslauriers <email address hidden>  Mon, 03 Apr 2017 10:32:55 -0400