[Bug 1605278] Re: Merge python-django 1:1.11-1 from Debian unstable
Nish Aravamudan
nish.aravamudan at canonical.com
Fri May 5 17:00:10 UTC 2017
I just uploaded a merge with 1:1.11-1 from experimental to the same PPA:
https://launchpad.net/~nacc/+archive/ubuntu/lp1605278
Note that I chose 1.11 rather than the 1.10 in unstable because 1.11 is
an LTS with support for a lot longer, which means (possibly) we don't
need to merge again for 18.04 (or it will be a trivial upstream minor
bump within the 1.11 series).
** Description changed:
- Please merge python-django 1:1.9.8-1 (main) from Debian unstable (main)
+ Please merge python-django 1:1.11-1 (main) from Debian experimental
+ (main)
- Explanation of the Ubuntu delta and why it can be dropped:
- * SECURITY UPDATE: XSS in admin's add/change related popup
- - debian/patches/CVE-2016-6186.patch: change to text in
- django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js,
- django/views/debug.py, added to tests in tests/admin_views/admin.py,
- tests/admin_views/models.py, tests/admin_views/tests.py.
- - CVE-2016-6186
- * Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from
- upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.)
- LP: #1528710
- * Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from
- upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.)
- LP: #1528710
- * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
- - debian/patches/CVE-2016-2512-regression.patch: updated to final
- upstream fix.
- - CVE-2016-2512
- * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
- - debian/patches/CVE-2016-2512-regression.patch: force url to unicode
- in django/utils/http.py, added test to
- tests/utils_tests/test_http.py.
- - CVE-2016-2512
- * SECURITY UPDATE: malicious redirect and possible XSS attack via
- user-supplied redirect URLs containing basic auth
- - debian/patches/CVE-2016-2512.patch: prevent spoofing in
- django/utils/http.py, added test to tests/utils_tests/test_http.py.
- - CVE-2016-2512
- * SECURITY UPDATE: user enumeration through timing difference on password
- hasher work factor upgrade
- - debian/patches/CVE-2016-2513.patch: fix timing in
- django/contrib/auth/hashers.py, added note to
- docs/topics/auth/passwords.txt, added tests to
- tests/auth_tests/test_hashers.py.
- - CVE-2016-2513
- * Merge from Debian unstable. Remaining changes:
+ python-django (1:1.11-1ubuntu1) artful; urgency=medium
+
+ * Merge from Debian unstable (LP: #1605278). Remaining changes:
- debian/patches/pymysql-replacement.patch: Use pymysql as drop in
replacement for MySQLdb.
- debian/control: Drop python-mysqldb in favor of python-pymysql.
- * Dropped changes:
- - debian/patches/99_skip_tests_due_python35.diff: no longer required,
- python 3.5 is now officially supported in 1.8.6+.
+ * Drop:
+ - SECURITY UPDATE: malicious redirect and possible XSS attack via
+ user-supplied redirect URLs containing basic auth
+ + debian/patches/CVE-2016-2512.patch: prevent spoofing in
+ django/utils/http.py, added test to tests/utils_tests/test_http.py.
+ + CVE-2016-2512
+ - SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251)
+ + debian/patches/CVE-2016-2512-regression.patch: force url to unicode
+ in django/utils/http.py, added test to
+ tests/utils_tests/test_http.py.
+ + CVE-2016-2512
+ - SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251)
+ + debian/patches/CVE-2016-2512-regression.patch: updated to final
+ upstream fix.
+ + CVE-2016-2512
+ [ Fixed upstream ]
+ - SECURITY UPDATE: user enumeration through timing difference on password
+ hasher work factor upgrade
+ + debian/patches/CVE-2016-2513.patch: fix timing in
+ django/contrib/auth/hashers.py, added note to
+ docs/topics/auth/passwords.txt, added tests to
+ tests/auth_tests/test_hashers.py.
+ + CVE-2016-2513
+ [ Fixed upstream ]
+ - Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from
+ upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.)
+ LP #1528710
+ [ Fixed upstream ]
+ - Backport upstream fix for ipv6-formatted ipv4 addresses (LP #1611923)
+ [ Fixed upstream ]
+ - SECURITY UPDATE: XSS in admin's add/change related popup
+ + debian/patches/CVE-2016-6186.patch: change to text in
+ django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js,
+ django/views/debug.py, added to tests in tests/admin_views/admin.py,
+ tests/admin_views/models.py, tests/admin_views/tests.py.
+ + CVE-2016-6186
+ [ Fixed upstream ]
+ - SECURITY UPDATE: CSRF protection bypass on a site with Google Analytics
+ + debian/patches/CVE-2016-7401.patch: simplify cookie parsing in
+ django/http/cookie.py, add tests to tests/httpwrappers/tests.py,
+ tests/requests/tests.py.
+ + CVE-2016-7401
+ [ Fixed upstream ]
+ - SECURITY UPDATE: user with hardcoded password created when running
+ tests on Oracle
+ + debian/patches/CVE-2016-9013.patch: remove hardcoded password in
+ django/db/backends/oracle/creation.py, added note to
+ docs/ref/settings.txt.
+ + CVE-2016-9013
+ [ Fixed upstream ]
+ - SECURITY UPDATE: DNS rebinding vulnerability when DEBUG=True
+ + debian/patches/CVE-2016-9014.patch: properly check ALLOWED_HOSTS in
+ django/http/request.py, updated docs/ref/settings.txt, added test to
+ tests/requests/tests.py.
+ + CVE-2016-9014
+ [ Fixed upstream ]
- All of that was applied in the new Debian version except for the
- pymysql replacement.
-
- Changelog entries since current yakkety version 1.8.7-1ubuntu6:
-
- python-django (1:1.9.8-1) unstable; urgency=high
-
- * New upstream security release:
- https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
- - CVE-2016-6186: XSS in admin's add/change related popup
-
- -- Luke Faraone <lfaraone at debian.org> Tue, 19 Jul 2016 14:15:24 +0000
-
- python-django (1:1.9.7-2) unstable; urgency=medium
-
- * Re-upload 1.9.7 to unstable with epoch.
-
- -- Chris Lamb <lamby at debian.org> Sun, 26 Jun 2016 09:58:19 +0200
-
- python-django (1.10~beta1-1) unstable; urgency=medium
-
- [ Chris Lamb ]
- * New upstream beta release.
- * Drop fix-25761-add-traceback-attribute.patch; applied upstream.
-
- [ Raphaël Hertzog ]
- * Remove obsolete /etc/bash_completion.d/django_bash_completion on upgrade.
- Closes: #801744
-
- -- Chris Lamb <lamby at debian.org> Sat, 25 Jun 2016 19:17:49 +0200
-
- python-django (1.9.7-1) unstable; urgency=medium
-
- [ Raphaël Hertzog ]
- * New upstream bugfix release.
- * Bump python-sphinx build dependency to >= 1.3. Closes: #824108
- * Drop build dependency on locales. C.UTF-8 that we currently use is part of
- libc-bin.
-
- [ Chris Lamb ]
- * Remove duplicated "of of" in python-django's README.Debian.
-
- -- Raphaël Hertzog <hertzog at debian.org> Tue, 14 Jun 2016 00:05:22
- +0200
-
- python-django (1.9.6-1) unstable; urgency=medium
-
- * New upstream bugfix release.
-
- -- Chris Lamb <lamby at debian.org> Sat, 07 May 2016 07:01:17 +0100
-
- python-django (1.9.5-2) unstable; urgency=medium
-
- * Drop the dir_to_symlink transition that was only really needed
- for upgrades between versions 1.9~rc2 and 1.9.4. Closes: #821789
-
- -- Raphaël Hertzog <hertzog at debian.org> Wed, 20 Apr 2016 17:47:05
- +0200
-
- python-django (1.9.5-1) unstable; urgency=medium
-
- * New upstream bugfix release:
- https://docs.djangoproject.com/en/1.9/releases/1.9.5/
- * Fix the DEP-8 test suite (django-admin --with python3 failing
- because ./manage.py does not have a good shebang).
- * Update Standards-Version to 3.9.8.
- * Add some lintian overrides.
- * Tweak Vcs-Browser to use https.
- * Drop obsolete parts of the copyright file.
-
- -- Raphaël Hertzog <hertzog at debian.org> Wed, 06 Apr 2016 18:05:42
- +0200
-
- python-django (1.9.4-1) unstable; urgency=high
-
- [ Luke Faraone ]
- * New upstream security release:
- https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
- - CVE-2016-2512: Malicious redirect and possible XSS via user-supplied
- redirect URLs containing basic auth
- - CVE-2016-2513: User enumeration through timing difference on password
- hasher work factor upgrade
- Closes: #816434
-
- [ Raphaël Hertzog ]
- * Fix rules file to no longer mess with *_templates directories. They no
- longer contain invalid .py files but only *-tpl template files that are
- instantiated at runtime.
-
- -- Luke Faraone <lfaraone at debian.org> Mon, 07 Mar 2016 17:09:54 +0000
-
- python-django (1.9.2-1) unstable; urgency=medium
-
- * New upstream security release fixing:
- - CVE-2016-2048: User with "change" but not "add" permission can create
- objects for ModelAdmin objects with save_as=True
- Closes: #813448
-
- -- Raphaël Hertzog <hertzog at debian.org> Tue, 02 Feb 2016 09:06:46
- +0100
-
- python-django (1.9.1-1) unstable; urgency=medium
-
- * New upstream release.
-
- -- Chris Lamb <lamby at debian.org> Mon, 04 Jan 2016 17:51:40 +0000
-
- python-django (1.9-2) unstable; urgency=medium
-
- [ Chris Lamb ]
- * Use dpkg-maintscript-helper's dir_to_symlink to correctly replace the
- app_template and project_template symlinks added in 1.9~rc2-2.
- (Closes: #807683)
-
- [ Raphaël Hertzog ]
- * Add some DEP-8 tests testing "django-admin" and running the test suite
- against the installed package. In both cases, we do it with python2 and
- python3.
- * Add python-tblib and python3-tblib to Build-Depends for the benefit of
- the parallel testing feature of the test suite.
- * Add "set -e" in the command line running the tests with all supported
- versions so that it actually fails as soon as one version is failing
- (and thus disallow later successes to shadow earlier failures).
-
- -- Raphaël Hertzog <hertzog at debian.org> Wed, 30 Dec 2015 16:44:04
- +0100
-
- python-django (1.9-1) unstable; urgency=medium
-
- * Upload to unstable
- * Adjust uversionmangle in debian/watch to mangle "1.9rc2" scheme
- (previously only "1.9-rc-2" would have matched).
-
- -- Chris Lamb <lamby at debian.org> Thu, 03 Dec 2015 16:48:30 +0200
-
- python-django (1.9~rc2-2) experimental; urgency=medium
-
- * Move {app,project}_template to python-django-common to prevent
- byte-compilation (via pycompile) on installation, causing failure. They are
- not valid Python files until variables have been interpolated.
-
- -- Chris Lamb <lamby at debian.org> Thu, 26 Nov 2015 14:53:11 +0200
-
- python-django (1.9~rc2-1) experimental; urgency=medium
-
- * New upstream release candidate.
- * Add myself to Uploaders.
-
- -- Chris Lamb <lamby at debian.org> Thu, 26 Nov 2015 10:14:15 +0200
-
- python-django (1.8.7-2) unstable; urgency=high
-
- * Rely on C.UTF-8 to run the tests instead of building our locale ourselves.
- * Add debian/patches/fix-25761-add-traceback-attribute.patch:
- new patch to ensure exceptions registered in __cause__ attributes
- have a __traceback__ attribute. Closes: #802677
- * Extend lintian overrides to cover more false positives of
- source-is-missing.
- * Cleanup debian/copyright for dropped/renamed files.
- * Run tests for all supported Python versions.
-
- -- Raphaël Hertzog <hertzog at debian.org> Wed, 25 Nov 2015 16:16:10
- +0100
+ -- Nishanth Aravamudan <nish.aravamudan at canonical.com> Fri, 05 May
+ 2017 09:41:07 -0700
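Review bot: the new changelog entry `* Merge from Debian unstable (LP: #1605278). Remaining changes:` names the wrong source suite: the updated description header two hunks up says "from Debian experimental", and the accompanying message says 1:1.11-1 was taken from experimental precisely because unstable still carries 1.10. Suggest `* Merge from Debian experimental (LP: #1605278). Remaining changes:` so debian/changelog records where the package actually came from. Separately, under `* Drop:` the CVE-2016-2512 regression patch appears twice (once as "force url to unicode", once as "updated to final upstream fix") with a single `[ Fixed upstream ]` marker after the pair; collapsing them into one entry, or marking each one, would make the dropped-patch list easier to audit against the upstream 1.11 release notes.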
** Changed in: python-django (Ubuntu Zesty)
Assignee: Nish Aravamudan (nacc) => (unassigned)
--
https://bugs.launchpad.net/bugs/1605278
Title:
  Merge python-django 1:1.11-1 from Debian unstable