[Bug 1892037] [NEW] Sync python-django 2:2.2.15-2 (main) from Debian unstable (main)
Launchpad Bug Tracker
1892037 at bugs.launchpad.net
Tue Aug 18 12:51:28 UTC 2020
You have been subscribed to a public bug by Lucas Kanashiro (lucaskanashiro):
Please sync python-django 2:2.2.15-2 (main) from Debian unstable (main)
Explanation of the Ubuntu delta and why it can be dropped:
* SECURITY UPDATE: Potential data leakage via malformed memcached keys
- debian/patches/CVE-2020-13254.patch: enforced cache key validation in
memcached backends in django/core/cache/__init__.py,
django/core/cache/backends/base.py,
django/core/cache/backends/memcached.py, tests/cache/tests.py.
- CVE-2020-13254
* SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
- debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin
ForeignKeyRawIdWidget in django/contrib/admin/widgets.py,
tests/admin_widgets/models.py, tests/admin_widgets/tests.py.
- CVE-2020-13596
Our delta contains the 2 security fixes mentioned above for CVE-2020-13254 and
CVE-2020-13596. They were applied by upstream in version 2.2.13:
https://docs.djangoproject.com/en/3.0/releases/2.2.13/
I uploaded this new version to this PPA to make sure it builds fine in
Groovy:
https://launchpad.net/~lucaskanashiro/+archive/ubuntu/groovy-python-django/
The DEP-8 tests were failing in version 2:2.2.15-1, I filed a bug against
Debian and it was fixed in 2:2.2.15-2:
https://bugs.debian.org/968577
I ran autopkgtest locally to confirm it was fixed:
autopkgtest [09:41:04]: @@@@@@@@@@@@@@@@@@@@ summary
command1 PASS
command2 PASS
Changelog entries since current groovy version 2:2.2.12-1ubuntu1:
python-django (2:2.2.15-2) unstable; urgency=medium
* Set the PYTHONPATH in the autopkgtests in the same way that we do in
debian/rules. (Closes: #968577)
-- Chris Lamb <lamby at debian.org> Mon, 17 Aug 2020 23:02:17 +0100
python-django (2:2.2.15-1) unstable; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/3.0/releases/2.2.15/>
* Move to compat level 13.
-- Chris Lamb <lamby at debian.org> Mon, 03 Aug 2020 10:30:30 +0100
python-django (2:2.2.14-1) unstable; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/3.0/releases/2.2.14/>
* Refresh patches.
-- Chris Lamb <lamby at debian.org> Wed, 01 Jul 2020 15:23:50 +0100
python-django (2:2.2.13-2) unstable; urgency=medium
* Backport a regression in the handling of CVE-2020-13254.
-- Chris Lamb <lamby at debian.org> Fri, 12 Jun 2020 11:08:07 +0100
python-django (2:2.2.13-1) unstable; urgency=medium
* New upstream security release.
<https://www.djangoproject.com/weblog/2020/jun/03/security-releases/>
* Drop from debian/source/include-binaries the file
debian/patches/0006-Fixed-a-missing-pyc-test-file-in-source-distribution.patch.
-- Chris Lamb <lamby at debian.org> Wed, 03 Jun 2020 20:41:57 +0100
** Affects: python-django (Ubuntu)
Importance: Wishlist
Status: Confirmed
--
Sync python-django 2:2.2.15-2 (main) from Debian unstable (main)
https://bugs.launchpad.net/bugs/1892037
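Added illustration (not part of the bug report, and not Django's or the Debian package's code) of what the CVE-2020-13254 patch in the Ubuntu delta enforces. Memcached's text protocol is line-based and space-delimited, so a key containing whitespace or control characters, or one over 250 bytes, is not stored under the name the application intended; the 2.2.13 fix makes the memcached backends reject such keys instead of only warning and then forwarding them. The names below mirror Django's (memcache_key_warnings, make_key, validate_key, InvalidCacheKey) but are a standalone reimplementation of the check; the "prefix:version:key" layout, the strict flag and the sample usernames are assumptions constructed for the example.

```python
import warnings

MEMCACHE_MAX_KEY_LENGTH = 250  # memcached rejects keys longer than this


class CacheKeyWarning(RuntimeWarning):
    """Emitted by the pre-fix behaviour, which warned and then used the key anyway."""


class InvalidCacheKey(ValueError):
    """Raised by the fixed behaviour: the key never reaches the server."""


def memcache_key_warnings(key):
    """Yield one message per way `key` would break memcached's text protocol:
    longer than the limit, or containing whitespace/control characters
    (ord < 33) or DEL (127)."""
    if len(key) > MEMCACHE_MAX_KEY_LENGTH:
        yield "Cache key will cause errors if used with memcached: %r (longer than %d)" % (
            key, MEMCACHE_MAX_KEY_LENGTH)
    for char in key:
        if ord(char) < 33 or ord(char) == 127:
            yield "Cache key contains characters that will cause errors if used with memcached: %r" % (key,)
            break


def make_key(key, key_prefix="", version=1):
    """Full key the backend stores under, in the assumed 'prefix:version:key'
    layout. Validation runs on this string, so prefix and version count
    toward the 250-byte limit."""
    return "%s:%s:%s" % (key_prefix, version, key)


def validate_key(full_key, strict=True):
    """strict=True models the fixed backends (reject the first problem);
    strict=False models the old ones (warn, then continue with the key)."""
    for problem in memcache_key_warnings(full_key):
        if strict:
            raise InvalidCacheKey(problem)
        warnings.warn(problem, CacheKeyWarning)


def check_key(key, key_prefix="", version=1):
    """Return (full_key, problems) for an application-level key; an empty
    problems list means memcached would store it under exactly that name."""
    full_key = make_key(key, key_prefix, version)
    return full_key, list(memcache_key_warnings(full_key))


def lenient_messages(key, key_prefix="", version=1):
    """Collect what the old, warn-only validation would have emitted for `key`."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        validate_key(make_key(key, key_prefix, version), strict=False)
    return [str(w.message) for w in caught]


if __name__ == "__main__":
    # Constructed sample: a user-controlled fragment (a username) is embedded in the key.
    for user in ["alice", "alice bob", "alice\r\nget site:1:profile:admin", "a" * 260]:
        full_key, problems = check_key("profile:%s" % user, key_prefix="site")
        print(repr(full_key[:40]), "->", problems[0] if problems else "ok")
```

The application-level fix is the same as the backend one: anything user-controlled that ends up in a cache key should be normalised (for example hashed) before it is concatenated, so the key passed to the backend is both short and free of whitespace regardless of input.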