python-django (1.6.6-1ubuntu2.3) utopic-security; urgency=medium

  * SECURITY UPDATE: denial of service via empty session records
    - debian/patches/CVE-2015-5143.patch: avoid creating a session record
      when loading the session in
      django/contrib/sessions/backends/cache.py,
      django/contrib/sessions/backends/cached_db.py,
      django/contrib/sessions/backends/db.py,
      django/contrib/sessions/backends/file.py,
      added test to django/contrib/sessions/tests.py.
    - CVE-2015-5143
  * SECURITY UPDATE: header injection via newlines
    - debian/patches/CVE-2015-5144.patch: check for newlines in
      django/core/validators.py, added tests to tests/validators/tests.py.
    - CVE-2015-5144

 -- Marc Deslauriers <email address hidden>  Thu, 02 Jul 2015 11:06:40 -0400

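The newline check in the CVE-2015-5144 item above, as an added example that is not part of this changelog and not Django's own code. The upstream Django release notes for that CVE describe the defect as validator regexes anchored with `$`, which in Python also matches just before a trailing newline, and the fix as using `\Z`, which matches only at the true end of the string. The slug pattern, the function names and the sample values below are constructed for the illustration.

```python
import re

# Constructed slug validators, not Django's own. The character class is the
# same in both; only the end anchor differs.
SLUG_DOLLAR = re.compile(r'^[-a-zA-Z0-9_]+$')   # pre-fix style anchor
SLUG_Z = re.compile(r'^[-a-zA-Z0-9_]+\Z')       # hardened anchor


def is_valid_slug_dollar(value):
    r"""Pre-fix behaviour: '$' matches before a trailing '\n', so
    'hello-world\n' is accepted even though '\n' is not in the class."""
    return SLUG_DOLLAR.search(value) is not None


def is_valid_slug(value):
    r"""Hardened: '\Z' matches only at the real end of the string, so any
    value that ends in a newline is rejected."""
    return SLUG_Z.search(value) is not None


def accepted_by_each(values):
    """Run both validators over the same inputs and return which values
    each one accepts, so the difference is visible side by side."""
    return {
        'dollar': [v for v in values if is_valid_slug_dollar(v)],
        'Z': [v for v in values if is_valid_slug(v)],
    }


# Constructed sample inputs: a clean slug, one with a trailing newline (the
# case this CVE is about), one with an embedded newline and one with a space.
SAMPLES = ['hello-world', 'hello-world\n', 'a\nb', 'hello world']

if __name__ == '__main__':
    for anchor, accepted in accepted_by_each(SAMPLES).items():
        print(anchor, accepted)
```

Only the trailing-newline case separates the two anchors: an embedded newline already fails both because `$` (without `re.MULTILINE`) only matches at the end or before a final newline. `re.fullmatch` has the same effect as `\Z`, since it requires the match to cover the whole string.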
python-django (1.6.6-1ubuntu2.2) utopic-security; urgency=medium

  * SECURITY UPDATE: denial-of-service possibility with strip_tags
    - debian/patches/CVE-2015-2316.patch: fix infinite loop possibility
      in django/utils/html.py, added test to
      tests/utils_tests/test_html.py.
    - CVE-2015-2316
  * SECURITY UPDATE: XSS attack via user-supplied redirect URLs
    - debian/patches/CVE-2015-2317.patch: reject URLs that start with
      control characters in django/utils/http.py, added test to
      tests/utils_tests/test_http.py.
    - CVE-2015-2317

 -- Marc Deslauriers <email address hidden>  Fri, 20 Mar 2015 10:22:16 -0400

python-django (1.6.6-1ubuntu2.1) utopic-security; urgency=medium

  * SECURITY UPDATE: WSGI header spoofing via underscore/dash conflation
    - debian/patches/CVE-2015-0219.patch: strip headers with underscores in
      django/core/servers/basehttp.py, added blurb to
      docs/howto/auth-remote-user.txt, added test to
      tests/servers/test_basehttp.py.
    - CVE-2015-0219
  * SECURITY UPDATE: Mitigated possible XSS attack via user-supplied
    redirect URLs
    - debian/patches/CVE-2015-0220.patch: filter url in
      django/utils/http.py, added test to tests/utils_tests/test_http.py.
    - CVE-2015-0220
  * SECURITY UPDATE: Denial-of-service attack against
    django.views.static.serve
    - debian/patches/CVE-2015-0221.patch: limit large files in
      django/views/static.py, added test to
      tests/view_tests/media/long-line.txt,
      tests/view_tests/tests/test_static.py.
    - CVE-2015-0221
  * SECURITY UPDATE: Database denial-of-service with
    ModelMultipleChoiceField
    - debian/patches/CVE-2015-0222.patch: check values in
      django/forms/models.py, added test to tests/model_forms/tests.py.
    - CVE-2015-0222

 -- Marc Deslauriers <email address hidden>  Tue, 13 Jan 2015 07:32:43 -0500

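The underscore/dash conflation behind the CVE-2015-0219 item above, as an added example that is constructed here and is not Django's code or the Ubuntu patch. The CGI/WSGI convention exposes a request header in the environ by uppercasing its name, turning dashes into underscores and prefixing `HTTP_`, so the two spellings `X-Auth-User` and `X-Auth_User` land in the same key. The function names, the sample headers and the collision-reporting helper are mine; the mitigation follows the patch description of stripping headers with underscores.

```python
def wsgi_key(name):
    """CGI/WSGI convention for exposing a request header in the environ:
    uppercase, dashes become underscores, prefix HTTP_."""
    return 'HTTP_' + name.upper().replace('-', '_')


def environ_naive(headers):
    """Pre-fix mapping: every header is translated, so two differently
    spelled names can collide on one key and the later one wins."""
    environ = {}
    for name, value in headers:
        environ[wsgi_key(name)] = value
    return environ


def environ_hardened(headers):
    """Mitigation matching the patch description: drop any header whose
    name contains an underscore before translating, so only the dashed
    spelling can ever populate HTTP_X_AUTH_USER."""
    return environ_naive([(n, v) for n, v in headers if '_' not in n])


def find_collisions(headers):
    """Detection helper: report environ keys that more than one raw header
    name maps to, for spotting the conflation in captured requests."""
    by_key = {}
    for name, _ in headers:
        by_key.setdefault(wsgi_key(name), set()).add(name)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


# Constructed request headers: the dashed name a trusted front end would set
# and an underscored spelling of the same name that should not be trusted.
SAMPLE_HEADERS = [
    ('Host', 'example.test'),
    ('X-Auth-User', 'alice'),
    ('X-Auth_User', 'bob'),
]

if __name__ == '__main__':
    print(environ_naive(SAMPLE_HEADERS))      # HTTP_X_AUTH_USER is 'bob'
    print(environ_hardened(SAMPLE_HEADERS))   # HTTP_X_AUTH_USER is 'alice'
    print(find_collisions(SAMPLE_HEADERS))
```

The point of the documentation blurb in docs/howto/auth-remote-user.txt is the same as the hardened function: a header that RemoteUserMiddleware trusts is only safe if the front-end server guarantees that it sets or strips every spelling that maps to the same environ key. nginx, for example, drops header names containing underscores unless `underscores_in_headers` is switched on.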
python-django (1.6.6-1ubuntu2) utopic; urgency=medium

  * debian/patches/fix_test_encoding.patch: Fix test encoding headers,
    otherwise it FTBFS.

 -- Andres Rodriguez <email address hidden>  Thu, 18 Sep 2014 19:01:13 -0500

python-django (1.6.6-1ubuntu1) utopic; urgency=medium

  * debian/patches/99_fix_multipart_base64_decoding_large_files.patch:
    Fix Multipart base64 file decoding with large files ensuring that the
    actual base64 content has a length a multiple of 4. (LP: #1363348)

 -- Andres Rodriguez <email address hidden>  Thu, 18 Sep 2014 17:37:57 -0500

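The multiple-of-4 rule from the entry above, as an added example that is not the package's patch and not Django's multipart parser. base64 encodes every 3 input bytes as 4 characters, so a body that arrives in arbitrarily sized chunks must only ever hand the decoder a prefix whose length is a multiple of 4 and carry the 1 to 3 leftover characters into the next chunk. The chunk size, the whitespace stripping (this assumes a line-wrapped MIME body), the helper names and the sample payload are mine.

```python
import base64
import binascii


def decode_per_chunk(chunks):
    """Pre-fix behaviour: decode each chunk on its own. This only works when
    every chunk boundary happens to fall on a 4-character group; otherwise
    b64decode raises binascii.Error for the bad character count."""
    out = bytearray()
    for chunk in chunks:
        out += base64.b64decode(b''.join(chunk.split()))
    return bytes(out)


def decode_stream(chunks):
    """Decode base64 arriving in arbitrary-sized chunks. Whitespace (line
    wrapping) is stripped, then only the longest prefix whose length is a
    multiple of 4 is decoded; the leftover characters are held back and
    prepended to the next chunk."""
    pending = b''
    out = bytearray()
    for chunk in chunks:
        pending += b''.join(chunk.split())
        usable = len(pending) - (len(pending) % 4)
        if usable:
            out += base64.b64decode(pending[:usable])
            pending = pending[usable:]
    if pending:
        # A 1-3 character tail can never be a complete group: the body was
        # truncated or is not valid base64.
        raise ValueError('incomplete base64 group at end of stream')
    return bytes(out)


def chunked(data, size):
    """Split a byte string into fixed-size pieces (constructed helper)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def per_chunk_fails(chunks):
    """True if naive per-chunk decoding raises on this input."""
    try:
        decode_per_chunk(chunks)
    except binascii.Error:
        return True
    return False


# Constructed payload: 100 bytes, base64-encoded and line-wrapped like a
# MIME body, then delivered in 5-byte chunks so that almost every boundary
# falls inside a 4-character group.
PLAINTEXT = bytes(range(100))
ENCODED = base64.encodebytes(PLAINTEXT)   # includes '\n' line breaks
CHUNKS = chunked(ENCODED, 5)

if __name__ == '__main__':
    print(per_chunk_fails(CHUNKS))               # True
    print(decode_stream(CHUNKS) == PLAINTEXT)    # True
```

The carry-over buffer is what makes the decoder independent of how the upload handler happens to slice the body; the final check turns a truncated upload into a clear error instead of silently dropping its last bytes.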
python-django (1.6.6-1) unstable; urgency=high

  * New upstream security release.
    - reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
    - file upload denial of service (CVE-2014-0481)
    - RemoteUserMiddleware session hijacking (CVE-2014-0482)
    - data leakage via querystring manipulation in admin (CVE-2014-0483)

  [ Brian May ]
  * Don't output stuff to stdout in django-admin. Closes: #757145

  [ Raphaël Hertzog ]
  * Update Vcs-* fields since the packaging repository moved to git.

 -- Luke Faraone <email address hidden>  Wed, 20 Aug 2014 19:30:21 -0700

python-django (1.6.5-3) unstable; urgency=low

  * Replace django-admin with script that can be run as python and shell.
    This means we can autodetect which python version to use when run as
    shell, while maintaining compatibility with processes that try to run it
    with a specific python version.
    e.g. See bugs #755341 and #755321.

 -- Brian May <email address hidden>  Mon, 21 Jul 2014 10:18:39 +1000

python-django (1.6.5-2) unstable; urgency=low

  * python3-django package. Closes: #736878.

 -- Brian May <email address hidden>  Tue, 24 Jun 2014 10:51:47 +1000

python-django (1.6.5-1) unstable; urgency=high

  * New upstream security release.
    - Caches may be allowed to store and serve private data (CVE-2014-1418)
    - Malformed URLs from user input incorrectly validated
  * Drop partial_functions_reverse.patch (merged upstream).

 -- Raphaël Hertzog <email address hidden>  Wed, 14 May 2014 22:49:59 +0200

python-django (1.6.1-2ubuntu0.3) trusty-security; urgency=medium

  * SECURITY UPDATE: cache coherency problems in old Internet Explorer
    compatibility functions lead to loss of privacy and cache poisoning
    attacks. (LP: #1317663)
    - debian/patches/drop_fix_ie_for_vary_1_6.diff: remove fix_IE_for_vary()
      and fix_IE_for_attach() functions so Cache-Control and Vary headers are
      no longer modified. This may introduce some regressions for IE 6 and IE 7
      users. Patch from upstream.
    - CVE-2014-1418
  * SECURITY UPDATE: The validation for redirects did not correctly validate
    some malformed URLs, which are accepted by some browsers. This allows a
    user to be redirected to an unsafe URL unexpectedly.
    - debian/patches/is_safe_url_1_6.diff: Forbid URLs starting with '///',
      forbid URLs without a host but with a path. Patch from upstream.

 -- Seth Arnold <email address hidden>  Wed, 14 May 2014 10:27:37 -0700

python-django (1.6.1-2ubuntu0.2) trusty-security; urgency=medium

  * SECURITY REGRESSION: security fix regression when a view is a partial
    (LP: #1311433)
    - debian/patches/CVE-2014-0472-regression.patch: create the lookup_str
      from the original function whenever a partial is provided as an
      argument to a url pattern in django/core/urlresolvers.py,
      added tests to tests/urlpatterns_reverse/urls.py,
      tests/urlpatterns_reverse/views.py.
    - CVE-2014-0472

 -- Marc Deslauriers <email address hidden>  Tue, 22 Apr 2014 23:05:51 -0400

python-django (1.6.1-2) unstable; urgency=medium

  * Team upload.
  * d/patches/ticket21869.diff: Cherry pick upstream fix for building
    documentation against Sphinx 1.2.1.

 -- Barry Warsaw <email address hidden>  Wed, 29 Jan 2014 18:37:51 +0000