Change logs for python-django source package in Eoan

  • python-django (2:2.2.4-1) unstable; urgency=medium
    
      * New upstream security release. (Closes: #934026)
        <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
    
     -- Chris Lamb <email address hidden>  Tue, 06 Aug 2019 10:08:25 +0100

  • python-django (2:2.2.3-5) unstable; urgency=medium
    
      [ Chris Lamb ]
      * Drop Pre-Depends on version of dpkg that is now satisfied in oldoldstable.
    
      [ Ondřej Nový ]
      * Bump Standards-Version to 4.4.0
    
     -- Chris Lamb <email address hidden>  Wed, 24 Jul 2019 11:36:15 -0300

  • python-django (2:2.2.3-4) unstable; urgency=medium
    
      * Fixup debian/python-django-doc.doc-base to refer to the new location(s) of
        the documentation. (Closes: #931652)
    
     -- Chris Lamb <email address hidden>  Mon, 08 Jul 2019 21:49:47 -0300

  • python-django (1:1.11.22-1ubuntu1.4) eoan-security; urgency=medium
    
      * SECURITY UPDATE: Potential data leakage via malformed memcached keys
        - debian/patches/CVE-2020-13254.patch: enforced cache key validation in
          memcached backends in django/core/cache/__init__.py,
          django/core/cache/backends/base.py,
          django/core/cache/backends/memcached.py, tests/cache/tests.py.
        - CVE-2020-13254
      * SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
        - debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin
          ForeignKeyRawIdWidget in django/contrib/admin/widgets.py,
          tests/admin_widgets/models.py, tests/admin_widgets/tests.py.
        - CVE-2020-13596
    
     -- Marc Deslauriers <email address hidden>  Thu, 28 May 2020 10:28:03 -0400

  • python-django (1:1.11.22-1ubuntu1.3) eoan-security; urgency=medium
    
      * SECURITY UPDATE: SQL injection in Oracle GIS functions and aggregates
        - debian/patches/CVE-2020-9402.patch: properly escaped tolerance
          parameter in GIS functions and aggregates on Oracle in
          django/contrib/gis/db/models/aggregates.py,
          django/contrib/gis/db/models/functions.py,
          tests/gis_tests/distapp/tests.py, tests/gis_tests/geoapp/tests.py.
        - CVE-2020-9402
    
     -- Marc Deslauriers <email address hidden>  Fri, 28 Feb 2020 13:05:32 -0500

  • python-django (1:1.11.22-1ubuntu1.2) eoan-security; urgency=medium
    
      * SECURITY UPDATE: Possible SQL injection in the postgres aggregates
        StringAgg function
        - debian/patches/CVE-2020-7471.patch: Update
          django/contrib/postgres/aggregates/general.py to escape the delimiter
          parameter to the StringAgg function. Upstream patch.
        - CVE-2020-7471
    
     -- Alex Murray <email address hidden>  Fri, 31 Jan 2020 14:05:54 +1030

  • python-django (1:1.11.22-1ubuntu1.1) eoan-security; urgency=medium
    
      * SECURITY UPDATE: Potential account hijack via password reset form
        - debian/patches/CVE-2019-19844.patch: Use verified user email for
          password reset requests.
        - CVE-2019-19844
    
     -- Steve Beattie <email address hidden>  Wed, 18 Dec 2019 08:40:29 -0800

  • python-django (1:1.11.22-1ubuntu1) eoan; urgency=medium
    
      * SECURITY UPDATE: Denial-of-service possibility in
        django.utils.text.Truncator
        - debian/patches/CVE-2019-14232.patch: adjusted regex to avoid
          backtracking issues when truncating HTML in django/utils/text.py,
          tests/template_tests/filter_tests/test_truncatewords_html.py,
          tests/utils_tests/test_text.py.
        - CVE-2019-14232
      * SECURITY UPDATE: Denial-of-service possibility in strip_tags()
        - debian/patches/CVE-2019-14233.patch: prevented excessive HTMLParser
          recursion in strip_tags() when handling incomplete HTML entities in
          django/utils/html.py, tests/utils_tests/test_html.py.
        - CVE-2019-14233
      * SECURITY UPDATE: SQL injection possibility in key and index lookups for
        JSONField/HStoreField
        - debian/patches/CVE-2019-14234.patch: protected JSONField/HStoreField
          key and index lookups against SQL injection in
          django/contrib/postgres/fields/hstore.py,
          django/contrib/postgres/fields/jsonb.py,
          tests/postgres_tests/test_hstore.py,
          tests/postgres_tests/test_json.py.
        - CVE-2019-14234
      * SECURITY UPDATE: Potential memory exhaustion in
        django.utils.encoding.uri_to_iri()
        - debian/patches/CVE-2019-14235.patch: fixed potential memory
          exhaustion in django.utils.encoding.uri_to_iri() in
          django/utils/encoding.py, tests/utils_tests/test_encoding.py.
        - CVE-2019-14235
    
     -- Marc Deslauriers <email address hidden>  Thu, 19 Sep 2019 16:21:15 +0200

  • python-django (1:1.11.22-1) unstable; urgency=medium
    
      * New upstream security release.
        <https://www.djangoproject.com/weblog/2019/jul/01/security-releases/>
        (Closes: #931316)
    
     -- Chris Lamb <email address hidden>  Mon, 01 Jul 2019 17:09:52 -0300

  • python-django (1:1.11.21-1) unstable; urgency=medium
    
      * New upstream security release.
        - CVE-2019-12308: XSS in Django admin via AdminURLFieldWidget
          (Closes: #929927)
    
     -- Luke W Faraone <email address hidden>  Wed, 05 Jun 2019 00:07:07 +0000

  • python-django (1:1.11.20-1) unstable; urgency=medium
    
      * New upstream security release.
        - CVE-2019-6975: Fix memory exhaustion in utils.numberformat.format().
          (Closes: #922027)
    
     -- Chris Lamb <email address hidden>  Mon, 11 Feb 2019 19:08:53 +0100