Change logs for python-django source package in Natty

  • python-django (1.2.5-1ubuntu1.2) natty-security; urgency=low
    
      * SECURITY UPDATE: Cross-site scripting in authentication views
        (LP: #1031733)
        - debian/patches/16_fix_cross_site_scripting_in_authentication.diff:
          fix unsafe redirects in django/http/__init__.py, add test case to
          tests/regressiontests/httpwrappers/tests.py. Patch backport taken
          from Debian Squeeze and fixed for python 2.4 compatibility.
        - CVE-2012-3442
      * SECURITY UPDATE: Denial-of-service in image validation (LP: #1031733)
        - debian/patches/17_fix_dos_in_image_validation.diff: call verify()
          immediately after the constructor in django/forms/fields.py.
        - CVE-2012-3443
      * SECURITY UPDATE: Denial-of-service via get_image_dimensions()
        (LP: #1031733)
        - debian/patches/18_fix_dos_via_get_image_dimensions.diff: don't limit
          chunk size in django/core/files/images.py.
        - CVE-2012-3444
     -- Marc Deslauriers <email address hidden>   Thu, 06 Sep 2012 09:39:29 -0400
  • python-django (1.2.5-1ubuntu1.1) natty-security; urgency=low
    
      * SECURITY UPDATE: session manipulation when using django.contrib.sessions
        with memory-based sessions and caching
        - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
          for session instead of root namespace
        - CVE-2011-4136
      * SECURITY UPDATE: potential denial of service and information disclosure in
        URLField
        - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
          default and use a timeout if available.
        - CVE-2011-4137, CVE-2011-4138
      * SECURITY UPDATE: potential cache-poisoning via crafted Host header
        - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
          default when constructing full URLs
        - CVE-2011-4139
      * More information on these issues can be found at:
        https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
     -- Jamie Strandboge <email address hidden>   Wed, 07 Dec 2011 15:28:04 -0600
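The CVE-2011-4139 entry above describes making Django ignore the proxy-supplied X-Forwarded-Host header by default when building full URLs. The following standalone function is an added illustration of that hardening; it is not Django's own code, and the `use_x_forwarded_host` parameter and the sample WSGI-style header dicts are assumptions constructed for the example.

```python
# Added example (not Django's own code) of the host-selection rule described
# in the CVE-2011-4139 changelog entry: the X-Forwarded-Host header is only
# trusted when the deployment explicitly opts in, so a client cannot steer
# the host used for absolute URLs (and thus poison a cache) unless an actual
# reverse proxy in front of the app is known to set that header.


def get_host(meta, use_x_forwarded_host=False):
    """Return the host used to build absolute URLs from WSGI-style metadata.

    `meta` is a dict with keys such as HTTP_HOST, HTTP_X_FORWARDED_HOST,
    SERVER_NAME and SERVER_PORT (the WSGI environ convention).
    `use_x_forwarded_host` is an assumed opt-in switch; it defaults to False,
    matching the hardened default the changelog describes.
    """
    if use_x_forwarded_host and 'HTTP_X_FORWARDED_HOST' in meta:
        # Only honoured behind a trusted proxy that the operator has enabled.
        host = meta['HTTP_X_FORWARDED_HOST']
    elif 'HTTP_HOST' in meta:
        host = meta['HTTP_HOST']
    else:
        # Fall back to the server's own name, adding a non-default port.
        host = meta['SERVER_NAME']
        port = str(meta.get('SERVER_PORT', '80'))
        if port != '80':
            host = '%s:%s' % (host, port)
    return host


def build_absolute_uri(meta, path, use_x_forwarded_host=False, secure=False):
    """Build a full URL from the request metadata and a path, using get_host()."""
    scheme = 'https' if secure else 'http'
    return '%s://%s%s' % (scheme, get_host(meta, use_x_forwarded_host), path)


# Constructed sample request metadata (not captured traffic): a client has
# added an X-Forwarded-Host header that no proxy put there.
UNTRUSTED_META = {
    'HTTP_HOST': 'shop.example.org',
    'HTTP_X_FORWARDED_HOST': 'attacker-controlled.example',
    'SERVER_NAME': 'shop.example.org',
    'SERVER_PORT': '80',
}

# Constructed sample of a request that really did pass through a proxy.
PROXIED_META = {
    'HTTP_HOST': '10.0.0.5:8000',
    'HTTP_X_FORWARDED_HOST': 'shop.example.org',
    'SERVER_NAME': '10.0.0.5',
    'SERVER_PORT': '8000',
}

if __name__ == '__main__':
    # Default: the injected header is ignored, the Host header wins.
    print(build_absolute_uri(UNTRUSTED_META, '/accounts/login/'))
    # Opted in: the proxy-provided host is used instead of the backend address.
    print(build_absolute_uri(PROXIED_META, '/accounts/login/', use_x_forwarded_host=True))
```

With the default setting, a cached page that embeds an absolute URL is built from the `Host` header the server itself received, so an extra `X-Forwarded-Host` header sent by a client has no effect on what ends up in the cache.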
  • python-django (1.2.5-1ubuntu1) natty; urgency=low
    
      * Merge from Debian for security fixes (LP: #719031). Remaining changes:
        - debian/control: don't Build-Depends on locales-all, which doesn't exist
          in natty
      * Drop the following patches, now included upstream:
        - debian/patches/07_security_admin_infoleak.diff
        - debian/patches/08_security_pasword_reset_dos.diff
    
    python-django (1.2.5-1) unstable; urgency=low
    
      * New upstream release.
      * Do not compress objects.inv used by Sphinx generated documentation.
        Thanks to Michael Fladischer for the report. Closes: #608769
    
    python-django (1.2.4-1) unstable; urgency=high
    
      * New bugfix-only upstream release. It includes security fixes.
        http://www.djangoproject.com/weblog/2010/dec/22/security/
      * Drop patches merged upstream:
        - debian/patches/05_fix_regression_tests.diff
        - debian/patches/06_fix_regression_tests.diff
      * Update 01_disable_url_verify_regression_tests.diff to cope with the
        updated regressions tests.
      * Update 03_manpage.diff and 04_hyphen-manpage.diff to cope with changes in
        the manual page.
    
    python-django (1.2.3-2) unstable; urgency=low
    
      * Team upload.
      * Disable model tests that require an internet connection.
        Closes: #601070
      * Include python.mk conditionally as explained in its header.
        Helps backports to Lenny which has no python.mk.
        Closes: #601608
     -- Jamie Strandboge <email address hidden>   Thu, 17 Feb 2011 13:34:07 -0600
  • python-django (1.2.3-1ubuntu0.2.11.04.1) natty; urgency=low
    
      * SECURITY UPDATE: information leak in admin interface
        - debian/patches/07_security_admin_infoleak.diff: validate that querystring
          lookup arguments either specify only fields on the model being viewed,
          or cross relations which have been explicitly whitelisted.
        - CVE-2010-XXXX
      * SECURITY UPDATE:
        - debian/patches/08_security_pasword_reset_dos.diff: adjust the
          base36_to_int() function in django.utils.http so that it validates the
          length of its input; on input longer than 13 digits (sufficient to
          base36-encode any 64-bit integer), it will now raise ValueError.
          Additionally, the default URL patterns for django.contrib.auth will now
          enforce a maximum length on the relevant parameters.
        - CVE-2010-XXXX
     -- Jamie Strandboge <email address hidden>   Mon, 03 Jan 2011 10:12:39 -0600
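The password-reset entry above describes two layers of the same fix: a 13-character cap inside `base36_to_int()` and a maximum length on the matching URL parameter. The block below is an added illustration of both layers, not the patched Django code itself; the `is_valid_uidb36()` helper, the `UIDB36_RE` pattern and the sample inputs are assumptions constructed for the example.

```python
# Added example (not Django's own code) of the length checks described in the
# 08_security_pasword_reset_dos.diff changelog entry. A 64-bit integer needs at
# most 13 base36 digits, so anything longer is rejected before conversion work
# proportional to the input size is done.
import re

BASE36_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyz'
MAX_BASE36_LEN = 13  # enough to encode any 64-bit integer, per the changelog

# Assumed URL-parameter pattern: bounded length, only base36 characters.
# This mirrors the idea of capping the parameter in the URL pattern itself.
UIDB36_RE = re.compile(r'^[0-9A-Za-z]{1,%d}$' % MAX_BASE36_LEN)


def base36_to_int(s):
    """Convert a base36 string to an int, refusing overlong input."""
    if len(s) > MAX_BASE36_LEN:
        raise ValueError("Base36 input too large")
    # Only plain digits/letters: int() would otherwise also accept signs,
    # surrounding whitespace and (on Python 3) underscores.
    if not UIDB36_RE.match(s):
        raise ValueError("Base36 input contains invalid characters")
    return int(s, 36)


def int_to_base36(i):
    """Encode a non-negative int as a lowercase base36 string."""
    if i < 0:
        raise ValueError("Negative base36 conversion input.")
    if i == 0:
        return '0'
    digits = []
    while i:
        i, rem = divmod(i, 36)
        digits.append(BASE36_ALPHABET[rem])
    return ''.join(reversed(digits))


def is_valid_uidb36(param):
    """Second layer: what a bounded URL pattern would accept for the uid."""
    return UIDB36_RE.match(param) is not None


def roundtrip_ok(value):
    """True if value survives int -> base36 -> int within the length cap."""
    encoded = int_to_base36(value)
    return len(encoded) <= MAX_BASE36_LEN and base36_to_int(encoded) == value


if __name__ == '__main__':
    # Constructed sample parameters: a normal uid and an overlong one.
    for sample in ('zz', '3w5e11264sgsf', 'z' * 40):
        print(sample[:16], is_valid_uidb36(sample))
    print(roundtrip_ok(2 ** 64 - 1))
```

The URL-pattern check rejects an oversized parameter before the view runs at all, and the function-level check protects any other caller of `base36_to_int()` that does not go through those URL patterns.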
  • python-django (1.2.3-1ubuntu0.1) maverick-security; urgency=low
    
      * SECURITY UPDATE: XSS in CSRF protections. New upstream release
        - CVE-2010-3082
      * debian/patches/01_disable_url_verify_regression_tests.diff:
        - updated to disable another test that fails without internet connection
        - patch based on work by Kai Kasurinen and Krzysztof Klimonda
      * debian/control: don't Build-Depends on locales-all, which doesn't exist
        in maverick
    
    python-django (1.2.3-1) unstable; urgency=low
    
      [ Krzysztof Klimonda ]
      * New upstream release. Closes: #596893 LP: #636482
      * Fixes both a XSS vulnerability introduced in 1.2 series and
        the regressions caused by 1.2.2 release. Closes: #596205
      * debian/control:
        - depend on language packs for en_US.utf8 locales required for unit tests.
      * debian/rules:
        - re-enable build time tests.
        - set LC_ALL to en_US.utf8 for test suite.
      * debian/patches/series:
        - two new patches: 05_fix_regression_tests.diff and
          06_fix_regression_tests.diff backported from 1.2.x branch to fix
          test suite failures.
    
      [ Raphaël Hertzog ]
      * Update Standards-Version to 3.9.1.
      * Drop "--with quilt" and quilt build-dependency since the package is
        already using source format "3.0 (quilt)".
     -- Jamie Strandboge <email address hidden>   Tue, 12 Oct 2010 11:34:35 -0500
  • python-django (1.2.1-1) unstable; urgency=low
    
      * New upstream bugfix release.
     -- Thomas Bechtold <email address hidden>   Tue,  08 Jun 2010 23:35:34 +0100