Update python-django to 1.2.3 version to fix an XSS vulnerability

Package doesn't build currently - there are failing tests that I have to investigate. Still, an ACK would be great.

We want this in if there is a working / tested package.

Attached is an updated branch with 1.2.3 release. I've had to do some changes to packaging and backport two patches from 1.2.x branch to make tests pass.

Bug fix only, so no FFe needed.

Is not easier to upload a stricte patch to fix this security issue? We can sync new upstream release in next development cycle from Debian.

On Wed, 2010-09-15 at 14:11 +0000, Artur Rona wrote:
> Is not easier to upload a stricte patch to fix this security issue? We
> can sync new upstream release in next development cycle from Debian.
>

Easier for whom? The hard part has been figuring out how to re-enable
test suite (and make it pass without disabling tests) and it still had
to be done - it has been disabled by Debian maintainer because of
failures and running test suite at build-time has been one of
requirements made during MIR process.

I don't think we have to check a full delta between 1.2.1 and 1.2.3
releases as both are bug fix only. Django developers do a lot of work to
ensure that the concurrent releases are compatible and that's what the
tests are for anyway.

--
Sent from Ubuntu

test_correct_url_value_passes will fail if there's no Internet connection

@Kai: Thanks, I have disabled this test in our package (and will send it back to Debian).

What is the status of this? 1.2.3-1 is now in Debian. Can we perform a sync to get this fixed before release?

Not until release of 1.2.3-2 with a patch removing test mentioned by Kai Kasurinen is applied. Unless DDs decide not to apply the patch and wait for the next point release. I've opened a new bug about it on the debian BTS but, given a time frame, we may be better with updating it ourselves. The 1.2.3-1 release is basically what I've sent to Debian Maintainers and is a base for their update. The diff between 1.2.3-0ubuntu1 and 1.2.3-1 is a cosmetic one. Attached below.

a result or running diff -uNr debian/debian/ lp.636482/debian/ > filtered.diff

@ubuntu-release: can someone review and ACK/NAK 1.2.3-0ubuntu1 for maverick?

What testing has been done to check that the new release works?

On Mon, 2010-10-04 at 19:47 +0000, Scott Kitterman wrote:
> What testing has been done to check that the new release works?
>

All enabled tests have passed, this is a bug-fix only release dealing
almost entirely with the XSS vulnerability introduced in the 1.2.x
branch.

The resulting package installs and is upgradeable from 1.2.1-1, you can
create a new project and run it with use of the bundled http server.

--
Sent from Ubuntu

What is the verdict on this sync? It would be nice to not release with an open CVE.

Per comment #10, we can't sync it yet. If it's syncable before it would cause us to have a respin for Ubuntu Server, then I'm OK with this.

That or if someone sponsors Krzysztof's package.

[Updating] python-django (1.2.1-1 [Ubuntu] < 1.2.3-1 [Debian])
 * Trying to add python-django...
2010-10-08 05:37:13 INFO - <python-django_1.2.3-1.dsc: downloading from http://ftp.debian.org/debian/>
2010-10-08 05:37:13 INFO - <python-django_1.2.3.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
2010-10-08 05:37:13 INFO - <python-django_1.2.3-1.debian.tar.gz: downloading from http://ftp.debian.org/debian/>
I: python-django [main] -> python-django_1.2.1-1 [main].
I: python-django [main] -> python-django-doc_1.2.1-1 [main].

whoops - not actually synced, per comment #10 and ScottK's reminder thereof.

Uploaded 1.2.3-1ubuntu0.1 to security PPA.

This bug was fixed in the package python-django - 1.2.3-1ubuntu0.1

---------------
python-django (1.2.3-1ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: XSS in CSRF protections. New upstream release
    - CVE-2010-3082
  * debian/patches/01_disable_url_verify_regression_tests.diff:
    - updated to disable another test that fails without internet connection
    - patch based on work by Kai Kasurinen and Krzysztof Klimonda
  * debian/control: don't Build-Depends on locales-all, which doesn't exist
    in maverick

python-django (1.2.3-1) unstable; urgency=low

  [ Krzysztof Klimonda ]
  * New upstream release. Closes: #596893 LP: #636482
  * Fixes both a XSS vulnerability introduced in 1.2 series and
    the regressions caused by 1.2.2 release. Closes: #596205
  * debian/control:
    - depend on language packs for en_US.utf8 locales required for unit tests.
  * debian/rules:
    - re-enable build time tests.
    - set LC_ALL to en_US.utf8 for test suite.
  * debian/patches/series:
    - two new patches: 05_fix_regression_tests.diff and
      06_fix_regression_tests.diff backported from 1.2.x branch to fix
      test suite failures.

  [ Raphaël Hertzog ]
  * Update Standards-Version to 3.9.1.
  * Drop "--with quilt" and quilt build-dependency since the package is
    already using source format "3.0 (quilt)".
 -- Jamie Strandboge <email address hidden> Tue, 12 Oct 2010 11:34:35 -0500