python-django (1.7.9-1ubuntu5.4) wily-security; urgency=medium
* SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
- debian/patches/CVE-2016-2512-regression.patch: updated to final
upstream fix.
- CVE-2016-2512
-- Marc Deslauriers <email address hidden> Mon, 07 Mar 2016 08:48:40 -0500
python-django (1.7.9-1ubuntu5.3) wily-security; urgency=medium
* SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
- debian/patches/CVE-2016-2512-regression.patch: force url to unicode
in django/utils/http.py, added test to
tests/utils_tests/test_http.py.
- CVE-2016-2512
-- Marc Deslauriers <email address hidden> Fri, 04 Mar 2016 11:06:58 -0500
python-django (1.7.9-1ubuntu5.2) wily-security; urgency=medium
* SECURITY UPDATE: malicious redirect and possible XSS attack via
user-supplied redirect URLs containing basic auth
- debian/patches/CVE-2016-2512.patch: prevent spoofing in
django/utils/http.py, added test to tests/utils_tests/test_http.py.
- CVE-2016-2512
* SECURITY UPDATE: user enumeration through timing difference on password
hasher work factor upgrade
- debian/patches/CVE-2016-2513.patch: fix timing in
django/contrib/auth/hashers.py, added note to
docs/topics/auth/passwords.txt, added tests to
django/contrib/auth/tests/test_hashers.py.
- debian/control: added python-mock and python3-mock to Build-Depends
- CVE-2016-2513
-- Marc Deslauriers <email address hidden> Thu, 25 Feb 2016 10:11:15 -0500
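The CVE-2016-2513 entry above is terse, so here is an added, constructed illustration of the timing side channel and of the "top the work up to the default" mitigation it describes. This is not django/contrib/auth/hashers.py; the function names, the encoded-hash format and the two iteration counts are assumptions chosen to keep the example fast. The iteration count returned by each verifier stands in for wall-clock time so the difference is visible deterministically.

```python
import base64
import hashlib
import hmac
import os

# Constructed example, not Django's hashers. Both iteration counts are assumed.
DEFAULT_ITERATIONS = 24000   # assumed current default work factor
OLD_ITERATIONS = 12000       # assumed work factor of a not-yet-upgraded hash


def pbkdf2(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def encode(password, iterations=DEFAULT_ITERATIONS):
    """Encode as 'pbkdf2_sha256$<iterations>$<salt>$<b64 digest>' (constructed format)."""
    salt = base64.b64encode(os.urandom(12))          # base64 never contains '$'
    digest = base64.b64encode(pbkdf2(password, salt, iterations)).decode()
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.decode(), digest)


def _decode(encoded):
    _algorithm, iterations, salt, digest = encoded.split("$", 3)
    return int(iterations), salt.encode(), base64.b64decode(digest)


def verify_naive(password, encoded):
    """Pre-fix shape: the cost is whatever the stored hash says it is.

    Returns (is_valid, pbkdf2_iterations_performed).
    """
    iterations, salt, expected = _decode(encoded)
    actual = pbkdf2(password, salt, iterations)
    return hmac.compare_digest(actual, expected), iterations


def verify_hardened(password, encoded):
    """Fixed shape: when the stored hash is stale, burn the missing iterations
    so the cost matches a fresh DEFAULT_ITERATIONS hash. The extra digest is
    discarded; only the time it takes matters."""
    iterations, salt, expected = _decode(encoded)
    actual = pbkdf2(password, salt, iterations)
    performed = iterations
    extra = DEFAULT_ITERATIONS - iterations
    if extra > 0:
        pbkdf2(password, salt, extra)
        performed += extra
    return hmac.compare_digest(actual, expected), performed


def login_cost(username, password, users, verify):
    """Model of a login view (constructed). An unknown user is charged the
    default cost so that 'no such user' and 'wrong password' take the same time.
    Returns (is_valid, pbkdf2_iterations_performed)."""
    encoded = users.get(username)
    if encoded is None:
        pbkdf2(password, b"dummy-salt", DEFAULT_ITERATIONS)
        return False, DEFAULT_ITERATIONS
    return verify(password, encoded)
```

With verify_naive, a user whose hash still carries OLD_ITERATIONS costs 12000 iterations while a nonexistent user costs 24000, so response time alone tells an attacker whether the account exists; with verify_hardened both paths cost 24000.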
python-django (1.7.9-1ubuntu5.1) wily-security; urgency=medium
* SECURITY UPDATE: Settings leak possibility in date template filter
- debian/patches/CVE-2015-8213.patch: check format type in
django/utils/formats.py, added test to tests/i18n/tests.py.
- CVE-2015-8213
-- Marc Deslauriers <email address hidden> Wed, 18 Nov 2015 14:42:15 -0500
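An added, constructed model of the settings-leak pattern recorded in the CVE-2015-8213 entry above ("check format type") and of the allowlist that closes it. This is not django/utils/formats.py or the real date filter; the Settings stand-in, the small formatter, the FORMAT_SETTINGS contents and the function names are assumptions.

```python
from datetime import date

# Constructed example, not Django's formats.py. Settings values are made up.


class Settings:
    """Stand-in for a project's settings module (constructed values)."""
    SECRET_KEY = "s3cr3t-key-0042"
    DATE_FORMAT = "Y-m-d"
    TIME_FORMAT = "H:i"


settings = Settings()

# Names a template may resolve through settings. Anything else is a literal
# format string and must never become an attribute lookup.
FORMAT_SETTINGS = frozenset({"DATE_FORMAT", "TIME_FORMAT"})


def get_format_vulnerable(format_type):
    """Pre-fix shape: any attribute name reaches getattr(settings, ...), so
    {{ value|date:"SECRET_KEY" }} renders the secret."""
    return getattr(settings, format_type)


def get_format_fixed(format_type):
    """Fixed shape: only allowlisted names are looked up on settings."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


def format_date(value, fmt):
    """Minimal formatter: four Django-style specifiers, everything else literal."""
    out = []
    for ch in fmt:
        if ch == "Y":
            out.append("%04d" % value.year)
        elif ch == "m":
            out.append("%02d" % value.month)
        elif ch == "d":
            out.append("%02d" % value.day)
        elif ch == "j":
            out.append(str(value.day))
        else:
            out.append(ch)
    return "".join(out)


def date_filter(value, arg, get_format=get_format_fixed):
    """Model of {{ value|date:arg }}: resolve arg through get_format, and fall
    back to using arg as a literal format string when no such setting exists."""
    try:
        fmt = get_format(arg)
    except AttributeError:
        fmt = arg
    return format_date(value, fmt)
```

The vulnerable lookup only fails for names that are not settings at all; any real setting name, including SECRET_KEY, is returned and rendered. With the allowlist, "SECRET_KEY" is just a format string, so only its literal "Y" is interpreted.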
python-django (1.7.9-1ubuntu5) wily; urgency=medium
* d/p/0004-Added-a-dummy-class-for-HTMLParserError.patch: cherry-pick from
Debian 1.7.10-1 (which was cherry-picked from upstream) to fix FTBFS of
some reverse dependencies such as python-jingo. This partially restores an
API accidentally lost by the transition to Python 3.5 so may also fix other
yet-unknown runtime bugs in dependent packages.
-- Robie Basak <email address hidden> Tue, 20 Oct 2015 13:15:00 +0000
python-django (1.7.9-1ubuntu4) wily; urgency=medium
* debian/patches/pymysql-replacement.patch: Use pymysql as drop-in
replacement for MySQLdb.
-- Corey Bryant <email address hidden> Tue, 25 Aug 2015 15:06:09 -0400
python-django (1.7.9-1ubuntu3) wily; urgency=medium
* debian/control: Drop python-mysqldb in favor of python-pymysql.
-- Corey Bryant <email address hidden> Mon, 24 Aug 2015 11:01:47 -0400
python-django (1.7.9-1ubuntu2) wily; urgency=medium
* SECURITY UPDATE: denial of service by filling session store
- debian/patches/CVE-2015-596x.patch: don't create empty sessions in
django/contrib/sessions/backends/base.py,
django/contrib/sessions/backends/cached_db.py,
django/contrib/sessions/middleware.py, added tests to
django/contrib/sessions/tests.py, updated docs in
docs/topics/http/sessions.txt.
- CVE-2015-5963
- CVE-2015-5964
-- Marc Deslauriers <email address hidden> Thu, 20 Aug 2015 15:59:13 -0400
python-django (1.7.9-1ubuntu1) wily; urgency=medium
* Merge with Debian; remaining changes:
- debian/patches/99_fix_multipart_base64_decoding_large_files.patch:
Fix Multipart base64 file decoding with large files ensuring that the
actual base64 content has a length a multiple of 4.
* Removed patches included in new version:
- debian/patches/fix_sqlite_ftbfs.patch
- debian/patches/fix_ftbfs_python2710.patch
python-django (1.7.9-1) unstable; urgency=medium
* New upstream security release:
https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
It fixes:
- CVE-2015-5143: possible denial-of-service by filling session store
- CVE-2015-5144: possible header injection since validators accept
newlines in input
-- Marc Deslauriers <email address hidden> Thu, 09 Jul 2015 07:50:08 -0400
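The CVE-2015-5144 line above ("validators accept newlines in input") is a classic Python regex pitfall: `$` also matches just before a trailing newline, so a validator anchored with `$` accepts "value\n". The following is an added, constructed illustration of that pitfall, of the `\Z` anchor that fixes it, and of why a stray newline in a "validated" value matters when the value lands in a response header. It is not Django's validators or response code; the slug pattern, the lenient header parser and the view are assumptions.

```python
import re

# Constructed example, not django/core/validators.py.
SLUG_DOLLAR = re.compile(r"^[-a-zA-Z0-9_]+$")   # pre-fix shape: '$' tolerates a final '\n'
SLUG_Z = re.compile(r"^[-a-zA-Z0-9_]+\Z")       # fixed shape: '\Z' is the true end of input


def is_slug_dollar(value):
    return SLUG_DOLLAR.search(value) is not None


def is_slug_z(value):
    return SLUG_Z.search(value) is not None


def is_slug_fullmatch(value):
    # Equivalent modern alternative: fullmatch must consume the whole string.
    return re.fullmatch(r"[-a-zA-Z0-9_]+", value) is not None


def response_head(headers):
    """Serialise headers the naive way, trusting values that passed validation."""
    return "".join("%s: %s\r\n" % (name, value) for name, value in headers) + "\r\n"


def parse_head_lenient(raw):
    """A lenient receiver (assumed): a bare LF ends a line and an empty line
    ends the header block. Returns (headers, body)."""
    lines = re.split(r"\r?\n", raw)
    headers = {}
    for i, line in enumerate(lines):
        if line == "":
            return headers, "\n".join(lines[i + 1:])
        name, _, value = line.partition(": ")
        headers[name] = value
    return headers, ""


def build_download_response(filename, validate):
    """Constructed view: a user-supplied slug goes into Content-Disposition
    after validation. Returns the raw head, or None if validation fails."""
    if not validate(filename):
        return None
    return response_head([
        ("Content-Disposition", "attachment; filename=%s" % filename),
        ("Set-Cookie", "sessionid=abc123; HttpOnly"),
    ])
```

With the `$`-anchored validator, "report\n" is accepted; once serialised, the newline closes the header block early and the Set-Cookie header that follows is delivered as body text. The `\Z` validator rejects the same input before it reaches the header.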
python-django (1.7.7-1ubuntu1) wily; urgency=medium
* Merge with Debian; remaining changes:
- debian/patches/99_fix_multipart_base64_decoding_large_files.patch:
Fix Multipart base64 file decoding with large files ensuring that the
actual base64 content has a length a multiple of 4.
* Removed patches included in new version:
- debian/patches/CVE-2015-2316.patch
- debian/patches/CVE-2015-2317.patch
* debian/patches/fix_sqlite_ftbfs.patch: fix FTBFS with newer SQLite.
* debian/patches/fix_ftbfs_python2710.patch: fix FTBFS with newer python.
python-django (1.7.7-1) unstable; urgency=high
* New upstream security and bugfix release:
https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
It fixes:
- CVE-2015-2317: possible XSS attack via user-supplied redirect URLs
Closes: #780873
- CVE-2015-2316: Denial-of-service possibility with strip_tags()
Closes: #780874
-- Marc Deslauriers <email address hidden> Fri, 26 Jun 2015 08:58:01 -0400
python-django (1.7.6-1ubuntu2) vivid; urgency=medium
* SECURITY UPDATE: denial-of-service possibility with strip_tags
- debian/patches/CVE-2015-2316.patch: fix infinite loop possibility
in django/utils/html.py, added test to
tests/utils_tests/test_html.py.
- CVE-2015-2316
* SECURITY UPDATE: XSS attack via user-supplied redirect URLs
- debian/patches/CVE-2015-2317.patch: reject URLs that start with
control characters in django/utils/http.py, added test to
tests/utils_tests/test_http.py.
- CVE-2015-2317
-- Marc Deslauriers <email address hidden> Fri, 20 Mar 2015 10:18:12 -0400
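Three entries in this changelog touch the same redirect check in django/utils/http.py: the CVE-2015-2317 entry just above (reject URLs that start with control characters), the CVE-2016-2512 entry (basic-auth spoofing) and its LP: #1553251 regression fix (force the URL to unicode). The block below is an added, constructed illustration of all three in one function, together with the pre-fix backslash handling for contrast. It is not Django's is_safe_url(); the function names, the host value and the triple-slash guard (included for completeness, not one of the fixes recorded above) are assumptions.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed example, not django/utils/http.py.
ALLOWED_SCHEMES = ("http", "https")


def _is_safe_url(url, host):
    # Browsers read three leading slashes as an absolute URL; urlparse sees a path.
    # (Extra guard for completeness; not one of the changelog entries above.)
    if url.startswith("///"):
        return False
    info = urlparse(url)
    # CVE-2015-2317: a leading control character (e.g. "\x08javascript:...") is
    # ignored by some browsers, turning a harmless-looking value into a script URL.
    if unicodedata.category(url[0])[0] == "C":
        return False
    return ((not info.netloc or info.netloc == host) and
            (not info.scheme or info.scheme in ALLOWED_SCHEMES))


def is_safe_redirect(url, host):
    """True only if `url` stays on `host` under every browser interpretation."""
    # LP: #1553251 regression fix: accept byte strings by converting to text
    # first; startswith() and url[0] below would otherwise raise TypeError.
    if isinstance(url, bytes):
        url = url.decode("utf-8")
    url = url.strip()
    if not url:
        return False
    # CVE-2016-2512: "http://host\\@attacker.example" is read by some browsers as
    # credentials "host\\" at attacker.example, and by Chrome (which treats "\\"
    # as "/") as a path on host. Both readings must be safe, so check both.
    return _is_safe_url(url, host) and _is_safe_url(url.replace("\\", "/"), host)


def is_safe_redirect_vulnerable(url, host):
    """Pre-fix shape: normalising backslashes before parsing hides the
    credentials reading, so the spoofed URL looks like a path on host."""
    url = url.strip().replace("\\", "/")
    return bool(url) and _is_safe_url(url, host)
```

The vulnerable variant accepts "http://mysite.example.com\@attacker.example" because, after the backslash is rewritten, urlparse sees netloc mysite.example.com; the fixed variant parses the raw string too, finds a netloc that is not the host, and rejects it.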