Please merge with 1.9.7-2 from Debian unstable

Bug #1602893 reported by Nish Aravamudan
Affects: python-django (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none set)

Bug Description

python-django (1:1.9.7-2ubuntu1~ppa1) yakkety; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/patches/pymysql-replacement.patch: Use pymysql as a drop-in
      replacement for MySQLdb.
    - debian/control: Drop python-mysqldb in favor of python-pymysql.
  * Drop:
    - SECURITY UPDATE: malicious redirect and possible XSS attack via
      user-supplied redirect URLs containing basic auth
      + debian/patches/CVE-2016-2512.patch: prevent spoofing in
        django/utils/http.py, added test to tests/utils_tests/test_http.py.
      + CVE-2016-2512
      [ Fixed upstream ]
    - SECURITY UPDATE: user enumeration through timing difference on
      password hasher work factor upgrade
      + debian/patches/CVE-2016-2513.patch: fix timing in
        django/contrib/auth/hashers.py, added note to
        docs/topics/auth/passwords.txt, added tests to
        tests/auth_tests/test_hashers.py.
      + CVE-2016-2513
      [ Fixed upstream ]
    - SECURITY REGRESSION: is_safe_url() with non-unicode url
      (LP #1553251)
      + debian/patches/CVE-2016-2512-regression.patch: force url to
        unicode in django/utils/http.py, added test to
        tests/utils_tests/test_http.py. Updated to final upstream fix.
      + CVE-2016-2512
      [ Fixed upstream ]
    - Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204
      from upstream (1.8.10) to allow dashes in TLDs again (in the
      URL validator.) LP #1528710
      [ Fixed upstream ]

 -- Nishanth Aravamudan <email address hidden> Wed, 13 Jul 2016 17:16:48 -0700

Jeremy Bícha (jbicha) wrote :

I'm marking this a duplicate of bug 1605278 since this bug is a bit incomplete. (The other bug has a .debdiff.)
