Change logs for python-django source package in Vivid

  • python-django (1.7.6-1ubuntu2.3) vivid-security; urgency=medium
    
      * SECURITY UPDATE: Settings leak possibility in date template filter
        - debian/patches/CVE-2015-8213.patch: check format type in
          django/utils/formats.py, added test to tests/i18n/tests.py.
        - CVE-2015-8213
    
     -- Marc Deslauriers <email address hidden>  Wed, 18 Nov 2015 15:13:51 -0500
  • python-django (1.7.6-1ubuntu2.2) vivid-security; urgency=medium
    
      * SECURITY UPDATE: denial of service by filling session store
        - debian/patches/CVE-2015-596x.patch: don't create empty sessions in
          django/contrib/sessions/backends/base.py,
          django/contrib/sessions/backends/cached_db.py,
          django/contrib/sessions/middleware.py, added tests to
          django/contrib/sessions/tests.py, updated docs in
          docs/topics/http/sessions.txt.
        - CVE-2015-5963
        - CVE-2015-5964
    
     -- Marc Deslauriers <email address hidden>  Thu, 13 Aug 2015 11:25:02 -0400
  • python-django (1.7.6-1ubuntu2.1) vivid-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via empty session records
        - debian/patches/CVE-2015-5143.patch: avoid creating a session record
          when loading the session in
          django/contrib/sessions/backends/cache.py,
          django/contrib/sessions/backends/cached_db.py,
          django/contrib/sessions/backends/db.py,
          django/contrib/sessions/backends/file.py,
          added test to django/contrib/sessions/tests.py.
        - CVE-2015-5143
      * SECURITY UPDATE: header injection via newlines
        - debian/patches/CVE-2015-5144.patch: check for newlines in
          django/core/validators.py, added tests to tests/validators/tests.py.
        - CVE-2015-5144
    
     -- Marc Deslauriers <email address hidden>  Thu, 02 Jul 2015 10:53:48 -0400
  • python-django (1.7.6-1ubuntu2) vivid; urgency=medium
    
      * SECURITY UPDATE: denial-of-service possibility with strip_tags
        - debian/patches/CVE-2015-2316.patch: fix infinite loop possibility
          in django/utils/html.py, added test to
          tests/utils_tests/test_html.py.
        - CVE-2015-2316
      * SECURITY UPDATE: XSS attack via user-supplied redirect URLs
        - debian/patches/CVE-2015-2317.patch: reject URLs that start with
          control characters in django/utils/http.py, added test to
          tests/utils_tests/test_http.py.
        - CVE-2015-2317
    
     -- Marc Deslauriers <email address hidden>  Fri, 20 Mar 2015 10:18:12 -0400
  • python-django (1.7.6-1ubuntu1) vivid; urgency=medium
    
      * Merge with Debian; remaining changes:
        - debian/patches/99_fix_multipart_base64_decoding_large_files.patch:
          Fix Multipart base64 file decoding with large files ensuring that the
          actual base64 content has a length a multiple of 4.
    
    python-django (1.7.6-1) unstable; urgency=high
    
      * New upstream security release:
        https://www.djangoproject.com/weblog/2015/mar/09/security-releases/
      * Fixes CVE-2015-2241: XSS attack via properties in
        ModelAdmin.readonly_fields
    
    python-django (1.7.5-1) unstable; urgency=medium
    
      [ Chris Lamb ]
      * Remove myself from Uploaders.
    
      [ Raphaël Hertzog ]
      * New upstream bugfix release:
        https://docs.djangoproject.com/en/1.7/releases/1.7.5/
    
     -- Marc Deslauriers <email address hidden>  Wed, 11 Mar 2015 10:28:41 -0400
  • python-django (1.7.4-1ubuntu1) vivid; urgency=medium
    
      * Merge with Debian; remaining changes:
        - debian/patches/99_fix_multipart_base64_decoding_large_files.patch:
          Fix Multipart base64 file decoding with large files ensuring that the
          actual base64 content has a length a multiple of 4.
    
    python-django (1.7.4-1) unstable; urgency=medium
    
      * Release to unstable and hopefully to Jessie too.
    
    python-django (1.7.4-1~exp1) experimental; urgency=medium
    
      * New upstream bugfix release.
      * Drop fix-24193-python34-test-failure.diff, merged upstream.
    
    python-django (1.7.3-1~exp1) experimental; urgency=high
    
      [ Luke Faraone ]
      * New upstream security release.
        - WSGI header spoofing via underscore/dash conflation (CVE-2015-0219)
        - Possible XSS attack via user-supplied redirect URLs (CVE-2015-0220)
        - DoS attack against django.views.static.serve (CVE-2015-0221)
        - Database DoS with ModelMultipleChoiceField (CVE-2015-0222)
        Closes: #775375
    
      [ Raphaël Hertzog ]
      * Add patch fix-24193-python34-test-failure.diff to fix a test failure with
        Python3.4.
    
    python-django (1.7.2-1) experimental; urgency=medium
    
      [ Raphaël Hertzog ]
      * Add geoip-database-extra as an alternative to geoip-database-contrib.
    
      [ Brian May ]
      * New upstream version.
    
    python-django (1.7.1-1) unstable; urgency=medium
    
      [ Raphaël Hertzog ]
      * New upstream bugfix release.
      * Drop 01_fix_test_loaddata_not_existant_fixture_file.patch, merged
        upstream.
      * Update Standards-Version to 3.9.6.
      * Add lintian overrides for package-contains-timestamped-gzip (false
        positive).
    
      [ Brian May ]
      * Fix django-admin wrapper to not even consider using python 2.6 as
        that version is unsupported with Django 1.7.
    
    python-django (1.7-3) unstable; urgency=medium
    
      * Add 01_fix_test_loaddata_not_existant_fixture_file.patch
        to fix FTBFS with Python 3.4.2. Closes: #765117
      * Improve migrate-south script to look for Python files in the current dir.
        ./manage.py implicitly has the current directory but when we use
        django-admin it's not the case. Thanks to Uwe Kleine-Koenig for the
        report.
    
    python-django (1.7-2) unstable; urgency=medium
    
      * Release to unstable.
      * Add a migrate-south sample script to help users apply their South
        migrations. Thanks to Brian May.
    
    python-django (1.7-1) experimental; urgency=medium
    
      * New major upstream release.
      * Add a NEWS file to document the incompatibility with South.
    
    python-django (1.7~c3-1) experimental; urgency=medium
    
      * New upstream release candidate with security fixes:
        https://www.djangoproject.com/weblog/2014/aug/20/security/
    
    python-django (1.7~c2-2) experimental; urgency=medium
    
      * Merge changes from 1.6.5-4:
        * Don't output stuff to stdout in django-admin. Closes: #757145
        * Update Vcs-* fields since the packaging repository moved to git.
    
    python-django (1.7~c2-1) experimental; urgency=medium
    
      * New upstream release candidate.
    
    python-django (1.7~c1+20140722-2) experimental; urgency=medium
    
      * Move django-admin manual page in python-django-common. Bump version
        constraint in Breaks/Replaces accordingly.
      * Drop conflicting django-admin in python-django and python3-django that
        were not removed as usual because upstream stopped installing them as
        django-admin.py.
      * Drop extra license files.
      * Fix shebang lines in python3-django.
      * Drop empty left-over /usr/bin directories in python-django/python3-django.
    
    python-django (1.7~c1+20140722-1) experimental; urgency=medium
    
      * New upstream release candidate. We want this version in jessie so we
        should prepare now.
      * Snapshot tarball generated with "python setup.py sdist" after having
        applied fix submitted in https://code.djangoproject.com/ticket/23072
      * Added python-sqlparse, python-tz to Recommends
      * Added other optional dependencies (python-memcache, python-pil,
        python-bcrypt) to Suggests
      * Add all those dependencies in Build-Depends for the benefit of the
        test suite.
      * Run the test suite for python2 and python3.
      * Differentiate descriptions of python2 and python3 packages.
    
     -- Matthias Klose <email address hidden>  Tue, 03 Mar 2015 20:34:47 +0100
  • python-django (1.6.6-1ubuntu3) vivid; urgency=medium
    
      * SECURITY UPDATE: WSGI header spoofing via underscore/dash conflation
        - debian/patches/CVE-2015-0219.patch: strip headers with underscores in
          django/core/servers/basehttp.py, added blurb to
          docs/howto/auth-remote-user.txt, added test to
          tests/servers/test_basehttp.py.
        - CVE-2015-0219
      * SECURITY UPDATE: Mitigated possible XSS attack via user-supplied
        redirect URLs
        - debian/patches/CVE-2015-0220.patch: filter url in
          django/utils/http.py, added test to tests/utils_tests/test_http.py.
        - CVE-2015-0220
      * SECURITY UPDATE: Denial-of-service attack against
        django.views.static.serve
        - debian/patches/CVE-2015-0221.patch: limit large files in
          django/views/static.py, added test to
          tests/view_tests/media/long-line.txt,
          tests/view_tests/tests/test_static.py.
        - CVE-2015-0221
      * SECURITY UPDATE: Database denial-of-service with
        ModelMultipleChoiceField
        - debian/patches/CVE-2015-0222.patch: check values in
          django/forms/models.py, added test to tests/model_forms/tests.py.
        - CVE-2015-0222
    
     -- Marc Deslauriers <email address hidden>  Tue, 13 Jan 2015 07:32:43 -0500
  • python-django (1.6.6-1ubuntu2) utopic; urgency=medium
    
      * debian/patches/fix_test_encoding.patch: Fix test encoding headers,
        otherwise it FTBFS.
    
     -- Andres Rodriguez <email address hidden>  Thu, 18 Sep 2014 19:01:13 -0500