Publishing details
Changelog
python-django (1.6.1-2ubuntu0.11~ctools0) precise; urgency=medium
* New update for the Ubuntu Cloud Archive.
python-django (1.6.1-2ubuntu0.11) trusty-security; urgency=medium
* SECURITY UPDATE: Settings leak possibility in date template filter
- debian/patches/CVE-2015-8213.patch: check format type in
django/utils/formats.py, added test to tests/i18n/tests.py.
- CVE-2015-8213
python-django (1.6.1-2ubuntu0.10) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service by filling session store
- debian/patches/CVE-2015-596x.patch: don't create empty sessions in
django/contrib/sessions/backends/base.py,
django/contrib/sessions/backends/cached_db.py,
django/contrib/sessions/middleware.py, added tests to
django/contrib/sessions/tests.py, updated docs in
docs/topics/http/sessions.txt.
- CVE-2015-5963
- CVE-2015-5964
python-django (1.6.1-2ubuntu0.9) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via empty session records
- debian/patches/CVE-2015-5143.patch: avoid creating a session record
when loading the session in
django/contrib/sessions/backends/cache.py,
django/contrib/sessions/backends/cached_db.py,
django/contrib/sessions/backends/db.py,
django/contrib/sessions/backends/file.py,
added test to django/contrib/sessions/tests.py.
- CVE-2015-5143
* SECURITY UPDATE: header injection via newlines
- debian/patches/CVE-2015-5144.patch: check for newlines in
django/core/validators.py, added tests to tests/validators/tests.py.
- CVE-2015-5144
python-django (1.6.1-2ubuntu0.8) trusty-security; urgency=medium
* SECURITY UPDATE: denial-of-service possibility with strip_tags
- debian/patches/CVE-2015-2316.patch: improve and fix infinite loop
possibility in django/utils/html.py, added tests to
tests/utils_tests/test_html.py, clarified documentation in
docs/ref/templates/builtins.txt, docs/ref/utils.txt.
- CVE-2015-2316
* SECURITY UPDATE: XSS attack via user-supplied redirect URLs
- debian/patches/CVE-2015-2317.patch: reject URLs that start with
control characters in django/utils/http.py, added test to
tests/utils_tests/test_http.py.
- CVE-2015-2317
python-django (1.6.1-2ubuntu0.7) trusty-proposed; urgency=medium
* SRU LP: #1433376.
* tests/utils_tests/test_jslex.py: Fix file encoding for python 2.7.9.
python-django (1.6.1-2ubuntu0.6) trusty-security; urgency=medium
* SECURITY UPDATE: WSGI header spoofing via underscore/dash conflation
- debian/patches/CVE-2015-0219.patch: strip headers with underscores in
django/core/servers/basehttp.py, added blurb to
docs/howto/auth-remote-user.txt, added test to
tests/servers/test_basehttp.py.
- CVE-2015-0219
* SECURITY UPDATE: Mitigated possible XSS attack via user-supplied
redirect URLs
- debian/patches/CVE-2015-0220.patch: filter url in
django/utils/http.py, added test to tests/utils_tests/test_http.py.
- CVE-2015-0220
* SECURITY UPDATE: Denial-of-service attack against
django.views.static.serve
- debian/patches/CVE-2015-0221.patch: limit large files in
django/views/static.py, added test to
tests/view_tests/media/long-line.txt,
tests/view_tests/tests/test_static.py.
- CVE-2015-0221
* SECURITY UPDATE: Database denial-of-service with
ModelMultipleChoiceField
- debian/patches/CVE-2015-0222.patch: check values in
django/forms/models.py, added test to tests/model_forms/tests.py.
- CVE-2015-0222
-- Scott Moser <email address hidden> Mon, 14 Dec 2015 14:24:51 -0500
Builds
Built packages
-
python-django
High-level Python web development framework
-
python-django-doc
High-level Python web development framework (documentation)
Package files