-
python-django (1.8.7-1ubuntu5.15) xenial-security; urgency=medium
* SECURITY UPDATE: Potential directory-traversal via uploaded files
- debian/patches/CVE-2021-28658.patch: properly sanitize filenames in
django/http/multipartparser.py, tests/file_uploads/tests.py,
tests/file_uploads/uploadhandler.py, tests/file_uploads/urls.py,
tests/file_uploads/views.py.
- CVE-2021-28658
-- Marc Deslauriers <email address hidden> Tue, 30 Mar 2021 14:57:56 -0400
-
python-django (1.8.7-1ubuntu5.14) xenial-security; urgency=medium
* SECURITY UPDATE: Potential directory-traversal via archive.extract()
- debian/patches/CVE-2021-3281.patch: check for invalid paths in
django/utils/archive.py.
- CVE-2021-3281
-- Marc Deslauriers <email address hidden> Mon, 25 Jan 2021 07:56:58 -0500
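The two entries above (CVE-2021-28658 for uploaded file names, CVE-2021-3281 for archive.extract()) are both directory-traversal fixes. The following Python 3 block is an added illustration written for this page; it is not the Ubuntu patch or Django's own code. The helper names sanitize_upload_name, safe_extract_target and is_safe_member are hypothetical, and the extraction directory /srv/extract used in the comments is constructed.

```python
import html
import os
import posixpath


def sanitize_upload_name(file_name):
    """Reduce a client-supplied upload name to a bare file name, or None.

    Hypothetical helper: the name comes straight from the multipart
    Content-Disposition header, so it may carry directory components,
    Windows separators or HTML-encoded dots ("&#46;&#46;/").
    """
    file_name = html.unescape(file_name)          # "&#46;&#46;/" -> "../"
    file_name = file_name.replace("\\", "/")      # treat "\" as a separator too
    file_name = posixpath.basename(file_name)     # drop every directory part
    if file_name in ("", ".", ".."):
        return None                               # nothing usable remains
    return file_name


def safe_extract_target(to_path, member_name):
    """Resolve an archive member name inside to_path or raise ValueError.

    Hypothetical helper modelled on the idea of the archive.extract() fix:
    normalise the joined path and require it to stay under the target.
    commonpath() rather than startswith() avoids accepting a sibling
    directory that merely shares the prefix ("/srv/extract2").
    """
    base = os.path.abspath(to_path)
    # os.path.join discards base when member_name is absolute, and abspath
    # collapses "..": both cases are then caught by the commonpath check.
    target = os.path.abspath(os.path.join(base, member_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("archive contains invalid path: %r" % member_name)
    return target


def is_safe_member(to_path, member_name):
    """Boolean form of safe_extract_target for callers that only filter."""
    try:
        safe_extract_target(to_path, member_name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs, not data from the page.
    for name in ("report.pdf", "../../etc/passwd", "..\\..\\evil.php", "&#46;&#46;/"):
        print(repr(name), "->", repr(sanitize_upload_name(name)))
    for member in ("docs/readme.txt", "../../etc/crontab", "/etc/crontab", "../extract2/x"):
        print(repr(member), "->", is_safe_member("/srv/extract", member))
```

Note that the archive check only reasons about the member name; on a file system where the target directory already contains a symlink pointing outside it, a later member can still be written through that link, so extracting into a fresh, empty directory is part of the defence.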
-
python-django (1.8.7-1ubuntu5.13) xenial-security; urgency=medium
* SECURITY UPDATE: Potential data leakage via malformed memcached keys
- debian/patches/CVE-2020-13254.patch: enforced cache key validation in
memcached backends in django/core/cache/__init__.py,
django/core/cache/backends/base.py,
django/core/cache/backends/memcached.py, tests/cache/tests.py.
- CVE-2020-13254
* SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
- debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin
ForeignKeyRawIdWidget in django/contrib/admin/widgets.py.
- CVE-2020-13596
-- Marc Deslauriers <email address hidden> Thu, 28 May 2020 10:48:45 -0400
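The CVE-2020-13254 entry above says the memcached backends now enforce cache key validation. The Python 3 block below is an added example written for this page, not the patch or Django's code: it builds a key in the "<prefix>:<version>:<key>" shape Django's default key function uses, applies the two rules the memcached text protocol imposes (at most 250 characters, no whitespace or control characters, since whitespace separates keys in "get k1 k2" and a newline ends the command line early), and shows hashing as the usual way to make arbitrary user-derived keys valid. The names InvalidCacheKey, validate_memcached_key, is_valid_memcached_key, memcached_key and hashed_key are hypothetical.

```python
import hashlib

MEMCACHE_MAX_KEY_LENGTH = 250   # memcached's limit for a single key


class InvalidCacheKey(ValueError):
    """The key cannot be sent to memcached as one unambiguous token."""


def make_key(key, key_prefix="", version=1):
    """Same "<prefix>:<version>:<key>" shape as Django's default key function."""
    return "%s:%s:%s" % (key_prefix, version, key)


def validate_memcached_key(key):
    """Return key unchanged or raise InvalidCacheKey.

    Hypothetical helper: a space would make "get site:1:a site:1:b" fetch
    two keys, and a CR/LF would terminate the command line, so an
    unvalidated, attacker-influenced key can read or collide with another
    entry instead of failing cleanly.
    """
    if len(key) > MEMCACHE_MAX_KEY_LENGTH:
        raise InvalidCacheKey(
            "key longer than %d characters: %r..." % (MEMCACHE_MAX_KEY_LENGTH, key[:40])
        )
    for ch in key:
        if ord(ch) < 33 or ord(ch) == 127:
            raise InvalidCacheKey("key contains whitespace or control character %r" % ch)
    return key


def is_valid_memcached_key(key):
    """Boolean form of validate_memcached_key."""
    try:
        validate_memcached_key(key)
    except InvalidCacheKey:
        return False
    return True


def memcached_key(key, key_prefix="", version=1):
    """Build the backend key and validate it before it reaches the server."""
    return validate_memcached_key(make_key(key, key_prefix, version))


def hashed_key(key, key_prefix="", version=1):
    """Alternative KEY_FUNCTION-style builder: hash the caller's key so that
    length and character set are always acceptable, whatever the input."""
    digest = hashlib.sha256(key.encode("utf-8")).hexdigest()
    return make_key(digest, key_prefix, version)


if __name__ == "__main__":
    # Constructed keys, not data from the page.
    for candidate in ("user:42", "user:42 user:43", "get\r\nflush_all", "a" * 251):
        print(repr(candidate[:40]), "valid:", is_valid_memcached_key(make_key(candidate, "site")))
    print(hashed_key("search: user name with spaces", "site"))
```

When keys are derived from request data (search strings, usernames), hashing them as in hashed_key is simpler than rejecting them one by one; the validation still belongs in the backend as a last line of defence.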
-
python-django (1.8.7-1ubuntu5.12) xenial-security; urgency=medium
* SECURITY UPDATE: SQL injection in Oracle GIS functions and aggregates
- debian/patches/CVE-2020-9402.patch: properly escaped tolerance
parameter in GIS functions and aggregates on Oracle in
django/contrib/gis/db/models/aggregates.py,
tests/gis_tests/distapp/tests.py, tests/gis_tests/geoapp/tests.py.
- CVE-2020-9402
-- Marc Deslauriers <email address hidden> Fri, 28 Feb 2020 13:12:33 -0500
-
python-django (1.8.7-1ubuntu5.11) xenial-security; urgency=medium
* SECURITY UPDATE: Potential account hijack via password reset form
- debian/patches/CVE-2019-19844.patch: Use verified user email for
password reset requests.
- CVE-2019-19844
-- Steve Beattie <email address hidden> Wed, 18 Dec 2019 12:37:04 -0800
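The CVE-2019-19844 entry above describes the fix as using the verified user e-mail for password reset requests. The Python 3 block below is an added illustration for this page, not the patch or Django's code. It stands in an in-memory user list (constructed data) for the auth user table and models a database iexact lookup as an UPPER() comparison, under which "mıke@example.org" (with U+0131, dotless i) matches the stored "mike@example.org"; the before/after pair shows why the reset mail must be addressed to the stored address rather than the submitted one. The names USERS, iexact, get_users, reset_recipients_before_fix and reset_recipients_after_fix are hypothetical.

```python
# Constructed user table standing in for the auth User model.
USERS = [
    {"username": "mike", "email": "mike@example.org",
     "is_active": True, "has_usable_password": True},
    {"username": "old", "email": "old@example.org",
     "is_active": False, "has_usable_password": True},
]


def iexact(a, b):
    """Case-insensitive match the way an UPPER()-based database lookup sees it.

    Unicode case mapping is the weak point: "\u0131".upper() == "I", so two
    distinct addresses can compare equal even though mail for them is
    delivered to different mailboxes.
    """
    return a.upper() == b.upper()


def get_users(submitted_email):
    """Users eligible for a reset whose address iexact-matches the submission."""
    return [
        u for u in USERS
        if u["is_active"] and u["has_usable_password"]
        and iexact(u["email"], submitted_email)
    ]


def reset_recipients_before_fix(submitted_email):
    """Pre-fix behaviour: the mail is addressed to whatever the form submitted,
    so a look-alike address the attacker controls receives the reset token."""
    return [submitted_email for _ in get_users(submitted_email)]


def reset_recipients_after_fix(submitted_email):
    """Post-fix behaviour: address the mail to the e-mail stored on the account."""
    return [u["email"] for u in get_users(submitted_email)]


if __name__ == "__main__":
    attacker_input = "m\u0131ke@example.org"     # constructed look-alike address
    print("before:", reset_recipients_before_fix(attacker_input))
    print("after: ", reset_recipients_after_fix(attacker_input))
```

The lookup itself still matches the look-alike address, which is acceptable as long as the token only ever travels to the address on record; the check to add on top of this, if the stored addresses are trusted, is that the reset view never echoes or uses the submitted address for anything else.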
-
python-django (1.8.7-1ubuntu5.10) xenial-security; urgency=medium
* SECURITY UPDATE: Denial-of-service possibility in
django.utils.text.Truncator
- debian/patches/CVE-2019-14232.patch: adjusted regex to avoid
backtracking issues when truncating HTML in django/utils/text.py,
tests/template_tests/filter_tests/test_truncatewords_html.py,
tests/utils_tests/test_text.py.
- CVE-2019-14232
* SECURITY UPDATE: Denial-of-service possibility in strip_tags()
- debian/patches/CVE-2019-14233.patch: prevented excessive HTMLParser
recursion in strip_tags() when handling incomplete HTML entities in
django/utils/html.py, tests/utils_tests/test_html.py.
- CVE-2019-14233
* SECURITY UPDATE: SQL injection possibility in key and index lookups for
JSONField/HStoreField
- debian/patches/CVE-2019-14234.patch: protected JSONField/HStoreField
key and index lookups against SQL injection in
django/contrib/postgres/fields/hstore.py,
tests/postgres_tests/test_hstore.py.
- CVE-2019-14234
* SECURITY UPDATE: Potential memory exhaustion in
django.utils.encoding.uri_to_iri()
- debian/patches/CVE-2019-14235.patch: fixed potential memory
exhaustion in django.utils.encoding.uri_to_iri() in
django/utils/encoding.py, tests/utils_tests/test_encoding.py.
- CVE-2019-14235
-- Marc Deslauriers <email address hidden> Fri, 26 Jul 2019 07:41:12 -0400
-
python-django (1.8.7-1ubuntu5.9) xenial-security; urgency=medium
* SECURITY UPDATE: Incorrect HTTP detection with reverse-proxy
connecting via HTTPS
- debian/patches/CVE-2019-12781.patch: made HttpRequest always
trust SECURE_PROXY_SSL_HEADER if set in django/http/request.py,
docs/ref/settings.txt and added tests to tests/settings_test/tests.py.
- CVE-2019-12781
-- <email address hidden> (Leonidas S. Barbosa) Mon, 24 Jun 2019 11:30:16 -0300
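The CVE-2019-12781 entry above says HttpRequest now always trusts SECURE_PROXY_SSL_HEADER when it is set. The Python 3 block below is an added illustration for this page, not the patch or Django's code; it is my own rendering of the two behaviours as a pair of functions over a request META dict and the transport scheme the WSGI server reported. The setting value SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") and the helper names scheme_before_fix, scheme_after_fix and needs_ssl_redirect are constructed for the example.

```python
# Constructed setting, in the shape Django expects: (META key, value meaning "https").
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def scheme_before_fix(meta, transport_scheme, proxy_header):
    """Pre-fix logic as I read it: the proxy header could only upgrade the
    answer to "https"; any other header value fell through to the transport.
    With a proxy that speaks HTTPS to Django, a client on plain HTTP was
    therefore reported as secure and never redirected."""
    if proxy_header:
        header, value = proxy_header
        if meta.get(header) == value:
            return "https"
    return transport_scheme


def scheme_after_fix(meta, transport_scheme, proxy_header):
    """Post-fix logic: when the configured header is present its value is
    the answer, in either direction; the transport is consulted only when
    the header is absent."""
    if proxy_header:
        header, value = proxy_header
        header_value = meta.get(header)
        if header_value is not None:
            return "https" if header_value == value else "http"
    return transport_scheme


def needs_ssl_redirect(meta, transport_scheme, proxy_header, secure_ssl_redirect=True):
    """What a SECURE_SSL_REDIRECT-style middleware would decide after the fix."""
    return secure_ssl_redirect and scheme_after_fix(meta, transport_scheme, proxy_header) != "https"


if __name__ == "__main__":
    # Constructed request: client came in over HTTP, proxy forwarded over TLS.
    meta = {"HTTP_X_FORWARDED_PROTO": "http"}
    print("before:", scheme_before_fix(meta, "https", SECURE_PROXY_SSL_HEADER))
    print("after: ", scheme_after_fix(meta, "https", SECURE_PROXY_SSL_HEADER))
    print("redirect:", needs_ssl_redirect(meta, "https", SECURE_PROXY_SSL_HEADER))
```

The usual caveat still applies: only set SECURE_PROXY_SSL_HEADER when every path to the application goes through a proxy that overwrites that header unconditionally, otherwise a client can send X-Forwarded-Proto: https itself and be treated as secure.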
-
python-django (1.8.7-1ubuntu5.8) xenial-security; urgency=medium
* SECURITY UPDATE: DoS via memory exhaustion
- debian/patches/CVE-2019-6975.patch: limit digits in
django/utils/numberformat.py, added tests to
tests/utils_tests/test_numberformat.py.
- CVE-2019-6975
-- Marc Deslauriers <email address hidden> Tue, 12 Feb 2019 08:55:08 -0500
-
python-django (1.8.7-1ubuntu5.7) xenial-security; urgency=medium
* SECURITY UPDATE: content spoofing in the default 404 page
- debian/patches/CVE-2019-3498.patch: properly quote string in
django/views/defaults.py, add test to tests/handlers/tests.py.
- CVE-2019-3498
-- Marc Deslauriers <email address hidden> Tue, 08 Jan 2019 13:45:35 -0500
-
python-django (1.8.7-1ubuntu5.6) xenial-security; urgency=medium
* SECURITY UPDATE: DoS in urlize and urlizetrunc template filters
- debian/patches/CVE-2018-7536.patch: fix backtracking in
django/utils/html.py, add test to tests/utils_tests/test_html.py.
- CVE-2018-7536
* SECURITY UPDATE: DoS in truncatechars_html and truncatewords_html
template filters
- debian/patches/CVE-2018-7537.patch: fix backtracking in
django/utils/text.py, add test to tests/utils_tests/test_text.py.
- CVE-2018-7537
-- Marc Deslauriers <email address hidden> Mon, 05 Mar 2018 15:32:46 +0100
-
python-django (1.8.7-1ubuntu5.5) xenial-security; urgency=medium
* SECURITY UPDATE: Open redirect and possible XSS attack via
user-supplied numeric redirect URLs
- debian/patches/CVE-2017-7233.patch: fix is_safe_url() with numeric
URLs in django/utils/http.py, added tests to
tests/utils_tests/test_http.py.
- CVE-2017-7233
* SECURITY UPDATE: Open redirect vulnerability in
django.views.static.serve()
- debian/patches/CVE-2017-7234.patch: remove redirect from
django/views/static.py.
- CVE-2017-7234
-- Marc Deslauriers <email address hidden> Wed, 29 Mar 2017 07:34:09 -0400
-
python-django (1.8.7-1ubuntu5.4) xenial-security; urgency=medium
* SECURITY UPDATE: user with hardcoded password created when running
tests on Oracle
- debian/patches/CVE-2016-9013.patch: remove hardcoded password in
django/db/backends/oracle/creation.py, added note to
docs/ref/settings.txt.
- CVE-2016-9013
* SECURITY UPDATE: DNS rebinding vulnerability when DEBUG=True
- debian/patches/CVE-2016-9014.patch: properly check ALLOWED_HOSTS in
django/http/request.py, updated docs/ref/settings.txt, added test to
tests/requests/tests.py.
- CVE-2016-9014
* This update does _not_ contain the changes from 1.8.7-1ubuntu5.3 in
xenial-proposed.
-- Marc Deslauriers <email address hidden> Mon, 31 Oct 2016 09:57:03 -0400
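The CVE-2016-9014 entry above concerns DNS rebinding against a development server running with DEBUG=True: a page on the attacker's domain, which resolves to the developer's own address, can make requests whose Host header names that domain, and before the fix an empty ALLOWED_HOSTS under DEBUG accepted any host. The Python 3 block below is an added example for this page, not the patch or Django's code; it is modelled on the ALLOWED_HOSTS semantics as I understand them (a "*" entry matches everything, a leading-dot entry matches the domain and its subdomains, anything else is an exact match, and after the fix the DEBUG fallback is the loopback names only). The helpers split_domain_port, is_same_domain and host_allowed, and the fixed=False switch that reproduces the old fallback, are constructed for the example.

```python
import re

# Post-fix DEBUG fallback when ALLOWED_HOSTS is empty; before the fix it was ["*"].
DEBUG_FALLBACK_HOSTS = ["localhost", "127.0.0.1", "[::1]"]

# A hostname (or bracketed IPv6 literal) with an optional port.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?$")


def split_domain_port(host):
    """Split a Host header value into (domain, port); ('', '') if malformed."""
    host = host.lower()
    if not _HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):                 # bracketed IPv6 literal, no port
        return host, ""
    bits = host.rsplit(":", 1)
    domain, port = bits if len(bits) == 2 else (bits[0], "")
    if domain.endswith("."):               # strip the trailing FQDN dot
        domain = domain[:-1]
    return domain, port


def is_same_domain(host, pattern):
    """".example.com" matches example.com and any subdomain; otherwise exact."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def host_allowed(host_header, allowed_hosts, debug=False, fixed=True):
    """Decide whether a request with this Host header may be served.

    fixed=False reproduces the pre-fix DEBUG fallback for comparison only.
    """
    if debug and not allowed_hosts:
        allowed_hosts = DEBUG_FALLBACK_HOSTS if fixed else ["*"]
    domain, _port = split_domain_port(host_header)
    return bool(domain) and any(
        pattern == "*" or is_same_domain(domain, pattern) for pattern in allowed_hosts
    )


if __name__ == "__main__":
    # Constructed Host values: a rebinding domain pointed at 127.0.0.1 and a local one.
    for host in ("attacker.example:8000", "localhost:8000", "[::1]:8000"):
        print(host, "old:", host_allowed(host, [], debug=True, fixed=False),
              "new:", host_allowed(host, [], debug=True))
```

The fallback only covers the common case of a developer browsing localhost; a project that binds the dev server to a LAN address still needs an explicit ALLOWED_HOSTS entry, and a leading-dot pattern such as ".example.com" is the safe way to spell "this domain and its subdomains" without resorting to "*".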
-
python-django (1.8.7-1ubuntu5.3) xenial; urgency=medium
* Backport upstream fix for IPv6-formatted IPv4 addresses (LP: #1611923)
-- Jon Grimm <email address hidden> Wed, 28 Sep 2016 14:27:53 -0500
-
python-django (1.8.7-1ubuntu5.2) xenial-security; urgency=medium
* SECURITY UPDATE: CSRF protection bypass on a site with Google Analytics
- debian/patches/CVE-2016-7401.patch: simplify cookie parsing in
django/http/cookie.py, add tests to tests/httpwrappers/tests.py,
tests/requests/tests.py.
- CVE-2016-7401
-- Marc Deslauriers <email address hidden> Mon, 26 Sep 2016 07:29:01 -0400
-
python-django (1.8.7-1ubuntu5.1) xenial-security; urgency=medium
* SECURITY UPDATE: XSS in admin's add/change related popup
- debian/patches/CVE-2016-6186.patch: change to text in
django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js,
django/views/debug.py, added to tests in tests/admin_views/admin.py,
tests/admin_views/models.py, tests/admin_views/tests.py.
- CVE-2016-6186
-- Marc Deslauriers <email address hidden> Tue, 19 Jul 2016 07:56:43 -0400
-
python-django (1.8.7-1ubuntu5) xenial; urgency=medium
* Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from
upstream (1.8.10) to allow dashes in TLDs again (in the URL validator).
LP: #1528710
-- LaMont Jones <email address hidden> Mon, 11 Apr 2016 17:30:48 -0600
-
python-django (1.8.7-1ubuntu4) xenial; urgency=medium
* SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
- debian/patches/CVE-2016-2512-regression.patch: updated to final
upstream fix.
- CVE-2016-2512
-- Marc Deslauriers <email address hidden> Mon, 07 Mar 2016 08:43:38 -0500
-
python-django (1.8.7-1ubuntu3) xenial; urgency=medium
* SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
- debian/patches/CVE-2016-2512-regression.patch: force url to unicode
in django/utils/http.py, added test to
tests/utils_tests/test_http.py.
- CVE-2016-2512
-- Marc Deslauriers <email address hidden> Fri, 04 Mar 2016 11:03:43 -0500
-
python-django (1.8.7-1ubuntu2) xenial; urgency=medium
* SECURITY UPDATE: malicious redirect and possible XSS attack via
user-supplied redirect URLs containing basic auth
- debian/patches/CVE-2016-2512.patch: prevent spoofing in
django/utils/http.py, added test to tests/utils_tests/test_http.py.
- CVE-2016-2512
* SECURITY UPDATE: user enumeration through timing difference on password
hasher work factor upgrade
- debian/patches/CVE-2016-2513.patch: fix timing in
django/contrib/auth/hashers.py, added note to
docs/topics/auth/passwords.txt, added tests to
tests/auth_tests/test_hashers.py.
- CVE-2016-2513
-- Marc Deslauriers <email address hidden> Thu, 25 Feb 2016 10:02:48 -0500
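The redirect-target checks in this changelog, CVE-2016-2512 (basic-auth credentials in a user-supplied URL, with the regression fixes above it) and CVE-2017-7233 (numeric URLs such as http:999999999 in the 1.8.7-1ubuntu5.5 entry), all live in is_safe_url(). The Python 3 block below is an added example for this page, not the patch or Django's code: an is_safe_redirect() check of my own that parses scheme and netloc by hand so that "http:999999999" is always seen as a scheme with no host (older urlsplit() builds treated an all-digit remainder as not a scheme, which is what the numeric-URL bypass relied on), rejects scheme-without-host and "///" forms, rejects a leading control character, and evaluates the URL both as written and with "\" turned into "/" because browsers disagree on that character. The helper names split_scheme_netloc, _is_safe and is_safe_redirect and the host example.com are constructed.

```python
import re
import unicodedata

# RFC 3986 scheme grammar; matching it ourselves avoids version-dependent
# urlsplit() behaviour for inputs like "http:999999999".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def split_scheme_netloc(url):
    """Return (scheme, netloc) for url, each '' when absent."""
    m = _SCHEME_RE.match(url)
    scheme, rest = (m.group(1).lower(), url[m.end():]) if m else ("", url)
    netloc = ""
    if rest.startswith("//"):
        rest = rest[2:]
        end = len(rest)
        for i, ch in enumerate(rest):
            if ch in "/?#":
                end = i
                break
        netloc = rest[:end]           # userinfo and port stay in netloc on purpose
    return scheme, netloc


def _is_safe(url, host):
    # Browsers read "///host/..." as "//host/...": a netloc we would not see.
    if url.startswith("///"):
        return False
    # Some browsers skip leading control characters, which can turn
    # "\x08//evil" into a scheme-relative URL; refuse them outright.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme, netloc = split_scheme_netloc(url)
    # A scheme with no host ("http:999999999", "http:///evil.com") is treated
    # by browsers as an absolute URL, so it must not pass as a local path.
    if scheme and not netloc:
        return False
    return (not netloc or netloc == host) and (not scheme or scheme in ("http", "https"))


def is_safe_redirect(url, host):
    """True if url is a path on this site or an http(s) URL whose netloc is host.

    The backslash variant is checked as well: Chrome rewrites "\\" to "/",
    so "http://example.com\\@evil.com" is local there, while clients that
    keep the backslash read "example.com\\" as basic-auth userinfo and
    send the user to evil.com. Both readings must be safe.
    """
    if not url:
        return False
    return _is_safe(url, host) and _is_safe(url.replace("\\", "/"), host)


if __name__ == "__main__":
    # Constructed candidates for a ?next= parameter on example.com.
    for candidate in ("/dashboard", "http://example.com/x", "//evil.com",
                      "http:999999999", "http://example.com\\@evil.com",
                      "\x08//evil.com", "///evil.com", "javascript:alert(1)"):
        print(repr(candidate), "->", is_safe_redirect(candidate, "example.com"))
```

The host argument is the request's own Host value including any port, which is why "https://example.com:443/" is not accepted for host "example.com"; that is the conservative direction, and a site that is served on a non-default port should compare against the full host:port it actually uses.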
-
python-django (1.8.7-1ubuntu1) xenial; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/patches/pymysql-replacement.patch: Use pymysql as drop in
replacement for MySQLdb.
- debian/control: Drop python-mysqldb in favor of python-pymysql.
* Dropped changes:
- debian/patches/99_skip_tests_due_python35.diff: no longer required,
python 3.5 is now officially supported in 1.8.6+.
python-django (1.8.7-1) unstable; urgency=high
* New upstream security release:
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
It fixes:
- CVE-2015-8213: settings leak possibility in date template filter
python-django (1.8.6-1) unstable; urgency=medium
* New upstream bugfix release.
-- Marc Deslauriers <email address hidden> Wed, 25 Nov 2015 07:08:03 -0500
-
python-django (1.8.5-2ubuntu1) xenial; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/patches/pymysql-replacement.patch: Use pymysql as drop in
replacement for MySQLdb.
- debian/control: Drop python-mysqldb in favor of python-pymysql.
* Drop 99_fix_multipart_base64_decoding_large_files.patch: This patch
has been merged upstream.
* Drop CVE-2015-596x.patch: Merged upstream.
* Drop 0004-Added-a-dummy-class-for-HTMLParserError.patch: This patch
originally came from upstream. It is part of 1.8.
-- Andres Rodriguez <email address hidden> Tue, 10 Nov 2015 17:45:37 +0000
-
python-django (1.7.9-1ubuntu5) wily; urgency=medium
* d/p/0004-Added-a-dummy-class-for-HTMLParserError.patch: cherry-pick from
Debian 1.7.10-1 (which was cherry-picked from upstream) to fix FTBFS of
some reverse dependencies such as python-jingo. This partially restores an
API accidentally lost by the transition to Python 3.5 so may also fix other
yet-unknown runtime bugs in dependent packages.
-- Robie Basak <email address hidden> Tue, 20 Oct 2015 13:15:00 +0000