-
python-django (1.3.1-4ubuntu1.23) precise-security; urgency=medium
* SECURITY UPDATE: Open redirect and possible XSS attack via
user-supplied numeric redirect URLs
- debian/patches/CVE-2017-7233.patch: fix is_safe_url() with numeric
URLs in django/utils/http.py, added tests to
tests/regressiontests/utils/http.py.
- CVE-2017-7233
* SECURITY UPDATE: Open redirect vulnerability in
django.views.static.serve()
- debian/patches/CVE-2017-7234.patch: remove redirect from
django/views/static.py.
- CVE-2017-7234
-- Marc Deslauriers <email address hidden> Wed, 29 Mar 2017 07:49:05 -0400
-
python-django (1.3.1-4ubuntu1.22) precise-security; urgency=medium
* SECURITY UPDATE: user with hardcoded password created when running
tests on Oracle
- debian/patches/CVE-2016-9013.patch: remove hardcoded password in
django/db/backends/oracle/creation.py, added note to
docs/ref/settings.txt.
- CVE-2016-9013
* SECURITY UPDATE: DNS rebinding vulnerability when DEBUG=True
- debian/patches/CVE-2016-9014.patch: properly check ALLOWED_HOSTS in
django/http/__init__.py, updated docs/ref/settings.txt, added test to
tests/regressiontests/requests/tests.py.
- CVE-2016-9014
-- Marc Deslauriers <email address hidden> Mon, 31 Oct 2016 10:31:12 -0400
-
python-django (1.3.1-4ubuntu1.21) precise-security; urgency=medium
* SECURITY UPDATE: CSRF protection bypass on a site with Google Analytics
- debian/patches/CVE-2016-7401.patch: simplify cookie parsing in
django/http/__init__.py, add tests to
tests/regressiontests/httpwrappers/tests.py,
tests/regressiontests/requests/tests.py.
- CVE-2016-7401
-- Marc Deslauriers <email address hidden> Mon, 26 Sep 2016 07:45:02 -0400
-
python-django (1.3.1-4ubuntu1.20) precise-security; urgency=medium
* SECURITY UPDATE: malicious redirect and possible XSS attack via
user-supplied redirect URLs containing basic auth
- debian/patches/CVE-2016-2512.patch: prevent spoofing in
django/utils/http.py, added test to
django/contrib/auth/tests/views.py.
- CVE-2016-2512
-- Marc Deslauriers <email address hidden> Thu, 25 Feb 2016 15:29:31 -0500
-
python-django (1.3.1-4ubuntu1.19) precise-security; urgency=medium
* SECURITY UPDATE: Settings leak possibility in date template filter
- debian/patches/CVE-2015-8213.patch: check format type in
django/utils/formats.py, added test to
tests/regressiontests/i18n/tests.py.
- CVE-2015-8213
-- Marc Deslauriers <email address hidden> Wed, 18 Nov 2015 15:19:37 -0500
-
python-django (1.3.1-4ubuntu1.18) precise-security; urgency=medium
* SECURITY UPDATE: denial of service by filling session store
- debian/patches/CVE-2015-596x.patch: don't create empty sessions in
django/contrib/sessions/backends/base.py,
django/contrib/sessions/backends/cached_db.py,
django/contrib/sessions/middleware.py, added tests to
django/contrib/sessions/tests.py, updated docs in
docs/topics/http/sessions.txt.
- CVE-2015-5963
- CVE-2015-5964
-- Marc Deslauriers <email address hidden> Thu, 13 Aug 2015 12:00:17 -0400
-
python-django (1.3.1-4ubuntu1.17) precise-security; urgency=medium
* SECURITY UPDATE: denial of service via empty session records
- debian/patches/no_implicit_session_key.patch: don't perform implicit
initialization of the session key on the first access in
django/contrib/sessions/backends/base.py,
django/contrib/sessions/backends/cache.py,
django/contrib/sessions/backends/cached_db.py,
django/contrib/sessions/backends/db.py,
django/contrib/sessions/backends/file.py,
adjusted tests in django/contrib/sessions/tests.py,
tests/regressiontests/test_client_regress/session.py.
- debian/patches/CVE-2015-5143.patch: avoid creating a session record
when loading the session in
django/contrib/sessions/backends/cache.py,
django/contrib/sessions/backends/cached_db.py,
django/contrib/sessions/backends/db.py,
django/contrib/sessions/backends/file.py,
added test to django/contrib/sessions/tests.py.
- CVE-2015-5143
* SECURITY UPDATE: header injection via newlines
- debian/patches/CVE-2015-5144.patch: check for newlines in
django/core/validators.py, added tests to
tests/modeltests/validators/tests.py.
- CVE-2015-5144
-- Marc Deslauriers <email address hidden> Thu, 02 Jul 2015 11:52:43 -0400
-
python-django (1.3.1-4ubuntu1.16) precise-security; urgency=medium
* SECURITY UPDATE: XSS attack via user-supplied redirect URLs
- debian/patches/CVE-2015-2317.patch: reject URLs that start with
control characters in django/utils/http.py, added test to
tests/regressiontests/utils/http.py.
- CVE-2015-2317
-- Marc Deslauriers <email address hidden> Fri, 20 Mar 2015 10:42:41 -0400
-
python-django (1.3.1-4ubuntu1.15) precise-security; urgency=medium
* SECURITY REGRESSION: static serve failure (LP: #1417274)
- debian/patches/CVE-2015-0221-regression.patch: allow GZipMiddleware
to work with streaming responses in django/middleware/gzip.py,
django/utils/text.py, django/http/__init__.py, added tests to
tests/regressiontests/middleware/tests.py.
-- Marc Deslauriers <email address hidden> Wed, 04 Feb 2015 09:03:07 -0500
-
python-django (1.3.1-4ubuntu1.13) precise-security; urgency=medium
* SECURITY UPDATE: WSGI header spoofing via underscore/dash conflation
- debian/patches/CVE-2015-0219.patch: strip headers with underscores in
django/core/servers/basehttp.py, added test to
tests/regressiontests/servers/tests.py.
- CVE-2015-0219
* SECURITY UPDATE: Mitigated possible XSS attack via user-supplied
redirect URLs
- debian/patches/CVE-2015-0220.patch: filter url in
django/utils/http.py, added test to
tests/regressiontests/utils/http.py.
- CVE-2015-0220
* SECURITY UPDATE: Denial-of-service attack against
django.views.static.serve
- debian/patches/CVE-2015-0221.patch: limit large files in
django/views/static.py, added test to
tests/regressiontests/views/media/long-line.txt,
tests/regressiontests/views/tests/static.py.
- CVE-2015-0221
-- Marc Deslauriers <email address hidden> Tue, 13 Jan 2015 07:55:08 -0500
-
python-django (1.3.1-4ubuntu1.12) precise-security; urgency=medium
* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
- debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
URLs pointing to other hosts in django/core/urlresolvers.py, added
tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py.
- CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
- debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
django/core/files/storage.py, updated docs in
docs/howto/custom-file-storage.txt, docs/ref/files/storage.txt,
added tests to tests/modeltests/files/tests.py,
tests/regressiontests/file_storage/tests.py, backport
get_random_string() to django/utils/crypto.py.
- CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
- debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
logout on REMOTE_USE change in django/contrib/auth/middleware.py,
added test to django/contrib/auth/tests/remote_user.py.
- CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
- debian/patches/CVE-2014-0483.patch: validate to_field in
django/contrib/admin/{options,exceptions}.py,
django/contrib/admin/views/main.py, added tests to
tests/regressiontests/admin_views/tests.py.
- debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
django/contrib/admin/options.py, added tests to
tests/regressiontests/admin_views/{models,tests}.py.
- debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
django/contrib/admin/options.py, added tests to
tests/regressiontests/admin_views/{models,tests}.py.
- CVE-2014-0483
-- Marc Deslauriers <email address hidden> Tue, 09 Sep 2014 14:37:19 -0400
-
python-django (1.3.1-4ubuntu1.11) precise-security; urgency=medium
* SECURITY UPDATE: cache coherency problems in old Internet Explorer
compatibility functions lead to loss of privacy and cache poisoning
attacks. (LP: #1317663)
- debian/patches/drop_fix_ie_for_vary_1_4.diff: remove fix_IE_for_vary()
and fix_IE_for_attach() functions so Cache-Control and Vary headers are
no longer modified. This may introduce some regressions for IE 6 and IE 7
users. Patch from upstream.
- CVE-2014-1418
* SECURITY UPDATE: The validation for redirects did not correctly validate
some malformed URLs, which are accepted by some browsers. This allows a
user to be redirected to an unsafe URL unexpectedly.
- debian/patches/is_safe_url_1_4.diff: Forbid URLs starting with '///',
forbid URLs without a host but with a path. Patch from upstream.
-- Seth Arnold <email address hidden> Wed, 14 May 2014 11:15:43 -0700
-
python-django (1.3.1-4ubuntu1.10) precise-security; urgency=medium
* SECURITY REGRESSION: security fix regression when a view is a partial
(LP: #1311433)
- debian/patches/CVE-2014-0472-regression.patch: create the lookup_str
from the original function whenever a partial is provided as an
argument to a url pattern in django/core/urlresolvers.py,
added tests to tests/regressiontests/urlpatterns_reverse/urls.py,
tests/regressiontests/urlpatterns_reverse/views.py.
- CVE-2014-0472
-- Marc Deslauriers <email address hidden> Tue, 22 Apr 2014 23:17:22 -0400
-
python-django (1.3.1-4ubuntu1.9) precise-security; urgency=medium
* SECURITY UPDATE: unexpected code execution using reverse()
(LP: #1309779)
- debian/patches/CVE-2014-0472.patch: added filtering to
django/core/urlresolvers.py, added tests to
tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
tests/regressiontests/urlpatterns_reverse/tests.py,
tests/regressiontests/urlpatterns_reverse/urls.py,
tests/regressiontests/urlpatterns_reverse/views.py.
- CVE-2014-0472
* SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
(LP: #1309782)
- debian/patches/CVE-2014-0473.patch: don't cache responses with a
cookie in django/middleware/cache.py.
- CVE-2014-0473
* SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
- debian/patches/CVE-2014-0474.patch: convert arguments to correct
type in django/db/models/fields/__init__.py, updated docs in
docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
tests/regressiontests/model_fields/tests.py.
- CVE-2014-0474
-- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 09:27:04 -0400
-
python-django (1.3.1-4ubuntu1.8) precise-security; urgency=low
* SECURITY UPDATE: denial of service via long passwords (LP: #1225784)
- debian/patches/CVE-2013-1443.patch: enforce a maximum password length
in django/contrib/auth/forms.py, django/contrib/auth/models.py,
django/contrib/auth/tests/basic.py.
- CVE-2013-1443
* SECURITY UPDATE: directory traversal with ssi template tag
- debian/patches/CVE-2013-4315.patch: properly check absolute path in
django/template/defaulttags.py,
tests/regressiontests/templates/tests.py.
- CVE-2013-4315
* SECURITY UPDATE: possible XSS via is_safe_url
- debian/patches/security-is_safe_url.patch: properly reject URLs which
specify a scheme other then HTTP or HTTPS.
- https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
- No CVE number
-- Marc Deslauriers <email address hidden> Fri, 20 Sep 2013 09:20:38 -0400
-
python-django (1.3.1-4ubuntu1.7) precise-proposed; urgency=low
[ Julian Edwards ]
* debian/patches:
- prefetch_related.diff: Backport prefetch_related from 1.4 (LP: #1081388)
- bug15496-base64-multipart-fix.diff: Include fix for upstream bug #15496
which makes 'Content-Transfer-Encoding: base64: work for multipart
messages. (LP: #1081392)
-- Andres Rodriguez <email address hidden> Thu, 07 Mar 2013 17:27:06 -0500
-
python-django (1.3.1-4ubuntu1.6) precise-security; urgency=low
* SECURITY UPDATE: host header poisoning (LP: #1089337)
- debian/patches/fix_get_host.patch: tighten host header validation in
django/http/__init__.py, add tests to
tests/regressiontests/requests/tests.py.
- https://www.djangoproject.com/weblog/2012/dec/10/security/
- No CVE number
* SECURITY UPDATE: redirect poisoning (LP: #1089337)
- debian/patches/fix_redirect_poisoning.patch: tighten validation in
django/contrib/auth/views.py,
django/contrib/comments/views/comments.py,
django/contrib/comments/views/moderation.py,
django/contrib/comments/views/utils.py, django/utils/http.py,
django/views/i18n.py, add tests to
tests/regressiontests/comment_tests/tests/comment_view_tests.py,
tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
tests/regressiontests/views/tests/i18n.py.
- https://www.djangoproject.com/weblog/2012/dec/10/security/
- No CVE number
* SECURITY UPDATE: host header poisoning (LP: #1130445)
- debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
to django/conf/global_settings.py,
django/conf/project_template/settings.py,
django/http/__init__.py, django/test/utils.py, add docs to
docs/ref/settings.txt, add tests to
tests/regressiontests/requests/tests.py.
- https://www.djangoproject.com/weblog/2013/feb/19/security/
- No CVE number
* SECURITY UPDATE: XML attacks (LP: #1130445)
- debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
and external entities/DTDs in
django/core/serializers/xml_serializer.py, add tests to
tests/regressiontests/serializers_regress/tests.py.
- https://www.djangoproject.com/weblog/2013/feb/19/security/
- CVE-2013-1664
- CVE-2013-1665
* SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
- debian/patches/CVE-2013-0305.patch: add permission checks to history
view in django/contrib/admin/options.py, add tests to
tests/regressiontests/admin_views/tests.py.
- https://www.djangoproject.com/weblog/2013/feb/19/security/
- CVE-2013-0305
* SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
- debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
docs/topics/forms/modelforms.txt, add tests to
tests/regressiontests/forms/tests/formsets.py.
- https://www.djangoproject.com/weblog/2013/feb/19/security/
- CVE-2013-0306
-- Marc Deslauriers <email address hidden> Mon, 04 Mar 2013 10:13:59 -0500
-
python-django (1.3.1-4ubuntu1.5) precise-proposed; urgency=low
[ Julian Edwards ]
* debian/patches:
- genericipaddressfield.diff: Backport GenericIPAddressField
from 1.4 (LP: #1081391)
- prefetch_related.diff: Backport prefetch_related from 1.4 (LP: #1081388)
- bug15496-base64-multipart-fix.diff: Include fix for upstream bug #15496
which makes 'Content-Transfer-Encoding: base64: work for multipart
messages. (LP: #1081392)
-- Andres Rodriguez <email address hidden> Tue, 20 Nov 2012 16:00:41 -0500
-
python-django (1.3.1-4ubuntu1.4) precise-security; urgency=low
* Add additional tests for CVE-2012-4520
- debian/patches/CVE-2012-4520-additional-tests.diff: add various poisoned
host header test material
* Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py
- debian/patches/lp1080204.diff: Isolate poisoned_http_host tests from 500
- https://code.djangoproject.com/ticket/19172
- LP: #1080204
-- Jamie Strandboge <email address hidden> Mon, 19 Nov 2012 15:12:35 -0600
-
python-django (1.3.1-4ubuntu1.3) precise-security; urgency=low
* SECURITY UPDATE: fix Host header poisoning
- debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
raise django.core.exceptions.SuspiciousOperation if Host headers contain
potentially dangerous content. Patch thanks to Mackenzie Morgan.
- CVE-2012-4520
- LP: #1068486
-- Jamie Strandboge <email address hidden> Fri, 09 Nov 2012 15:56:15 -0600
-
python-django (1.3.1-4ubuntu1.2) precise-security; urgency=high
[ Scott Kitterman ]
* SECURITY UPDATE: multiple issues (LP: #1031733)
* References CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
* New upstream release to address three security issues:
- Cross-site scripting in authentication views
- Denial-of-service in image validation
- Denial-of-service via get_image_dimensions()
* Added debian/patches/security_http_redirects,
security_image_uploading_two, and security_image_uploading cherry picked
from upstream git
[ Marc Deslauriers ]
* debian/patches/security_http_redirects: remove unrelated changes, add
python 2.4 regression fix.
-- Marc Deslauriers <email address hidden> Thu, 06 Sep 2012 08:36:28 -0400
-
python-django (1.3.1-4ubuntu1) precise; urgency=low
* Merge with Debian. Remaining changes:
- 09_test_view_decorator_sleep.diff increases the sleep time to
reduce race condition effects on build machines.
https://code.djangoproject.com/ticket/16686 (LP: #829487)
* debian/patches/{psycopg2_creation.diff,compat-psycopg2-plus2.4.2.diff}:
- New patches, resolve compatibility with psycopg2 > 2.4.1, patches
based on upstream submissions, rebasing courtesy of Dave Pifke.
- LP: #905837
python-django (1.3.1-4) unstable; urgency=medium
* Add 08_fix_test_week_view_allow_future.diff to fix a regression test that
only worked in 2011. Closes: #655666
python-django (1.3.1-3) unstable; urgency=low
* Add 06_use_debian_geoip_database_as_default.diff to use the default
location of the GeoIP database used by the Debian package
geoip-database-contrib. Closes: #645094
Add this package to suggests. Thanks to Tapio Rantala
<email address hidden> for the patch.
* Bump build-dep on python-sphinx to 1.0.8 to ensure we have a version
where #641710 is fixed. Closes: #647134
* Add 07_fix_for_sphinx1.1.2.diff to fix build with Sphinx 1.1.2. Thanks to
Jakub Wilk for the advance warning. Closes: #649624
python-django (1.3.1-2) unstable; urgency=low
* Update Build-Depends on locales to included a version requirement
so that locales-all cannot satisfy it with its Provides: locales.
Thanks to Jakub Wilk for the suggestion.
* Enable 02_disable-sources-in-sphinxdoc.diff since #641710 has been
fixed.
* Add 05_fix_djangodocs_sphinx_ext.diff to support Sphinx 1.0.8.
Closes: #643758
-- Dave Walker (Daviey) <email address hidden> Fri, 17 Feb 2012 14:59:51 +0000
-
python-django (1.3.1-1ubuntu1) precise; urgency=low
* Merge with Debian. Remaining changes:
- 09_test_view_decorator_sleep.diff increases the sleep time to
reduce race condition effects on build machines.
https://code.djangoproject.com/ticket/16686 (LP: #829487)
-- Barry Warsaw <email address hidden> Wed, 19 Oct 2011 10:13:01 -0400
-
python-django (1.3.1-1) unstable; urgency=low
* New upstream release. It includes security updates described here:
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
Closes: #641405
* Update 01_disable_url_verify_regression_tests.diff and merge
07_disable_url_verify_model_tests.diff into it.
* Update patch headers to conform to DEP-3.
* Apply patch from Steve Langasek to dynamically build the UTF-8
locale required by the test-suite instead of build-depending on
locales-all. Closes: #630421
* Use "dh --with sphinxdoc" to clean up the Sphinx generated documentation
and avoid the embedded-javascript-library lintian warning. Build-Depends
on python-sphinx >= 1.0.7+dfsg-1 for this and also add
${sphinxdoc:Depends} to python-django-doc Depends field.
* Cleanup build-dependencies now that even oldstable has python 2.5.
* Switch to dh_python2 as python helper tool. Drop legacy files
debian/pyversions and debian/pycompat.
* New patch 02_disable-sources-in-sphinxdoc.diff to not generate
the _sources directory that we used to remove manually within the rules
file. But must be kept disabled until #641710 is fixed.
* Properly support DEB_BUILD_OPTIONS=nocheck despite the override
of dh_auto_test.
-- Raphaƫl Hertzog <email address hidden> Thu, 15 Sep 2011 12:43:51 +0200
-
python-django (1.3-2ubuntu1) oneiric; urgency=low
* 09_test_view_decorator_sleep.diff increases the sleep time to
reduce race condition effects on build machines.
https://code.djangoproject.com/ticket/16686 (LP: #829487)
* Remove build-dep on locales-all which isn't in the Ubuntu archive.
-- Barry Warsaw <email address hidden> Tue, 23 Aug 2011 17:57:46 -0400
