Merge python-django 1:1.11-1 from Debian unstable
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | MAAS |
Wishlist
|
Unassigned | ||
| | OpenStack Dashboard (Horizon) |
High
|
Rob Cresswell | ||
| | django-compat (Ubuntu) |
Undecided
|
Nish Aravamudan | ||
| | Artful |
Undecided
|
Nish Aravamudan | ||
| | python-django (Ubuntu) |
Wishlist
|
Unassigned | ||
| | Zesty |
Wishlist
|
Unassigned | ||
| | Artful |
Wishlist
|
Unassigned | ||
Bug Description
Please merge python-django 1:1.11-1 (main) from Debian experimental (main)
python-django (1:1.11-1ubuntu1) artful; urgency=medium
* Merge from Debian unstable (LP: #1605278). Remaining changes:
- debian/
replacement for MySQLdb.
- debian/control: Drop python-mysqldb in favor of python-pymysql.
* Drop:
- SECURITY UPDATE: malicious redirect and possible XSS attack via
user-supplied redirect URLs containing basic auth
+ debian/
+ CVE-2016-2512
- SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251)
+ debian/
in django/
+ CVE-2016-2512
- SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251)
+ debian/
upstream fix.
+ CVE-2016-2512
[ Fixed upstream ]
- SECURITY UPDATE: user enumeration through timing difference on password
hasher work factor upgrade
+ debian/
+ CVE-2016-2513
[ Fixed upstream ]
- Backport b1afebf882db529
upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.)
LP #1528710
[ Fixed upstream ]
- Backport upstream fix for ipv6-formatted ipv4 addresses (LP #1611923)
[ Fixed upstream ]
- SECURITY UPDATE: XSS in admin's add/change related popup
+ debian/
+ CVE-2016-6186
[ Fixed upstream ]
- SECURITY UPDATE: CSRF protection bypass on a site with Google Analytics
+ debian/
+ CVE-2016-7401
[ Fixed upstream ]
- SECURITY UPDATE: user with hardcoded password created when running
tests on Oracle
+ debian/
+ CVE-2016-9013
[ Fixed upstream ]
- SECURITY UPDATE: DNS rebinding vulnerability when DEBUG=True
+ debian/
+ CVE-2016-9014
[ Fixed upstream ]
-- Nishanth Aravamudan <email address hidden> Fri, 05 May 2017 09:41:07 -0700
| Changed in python-django (Ubuntu): | |
| importance: | Undecided → Wishlist |
| Jeremy Bicha (jbicha) wrote : | #1 |
| tags: | added: upgrade-software-version |
| Launchpad Janitor (janitor) wrote : | #2 |
Status changed to 'Confirmed' because the bug affects multiple users.
| Changed in python-django (Ubuntu): | |
| status: | New → Confirmed |
| Nish Aravamudan (nacc) wrote : | #3 |
Note that openstack's upper constraints indicate django <= 1.8.14: https:/
| Jeremy Bicha (jbicha) wrote : | #4 |
Unsubscribing ubuntu-sponsors since this apparently isn't ready for yakkety yet. Feel free to re-subscribe when you're ready.
| Jeremy Bicha (jbicha) wrote : | #5 |
There's no explanation given on the git commit that set the upper constraint :(
https:/
| Corey Bryant (corey.bryant) wrote : | #6 |
I think we need to carefully consider the side-effects of merging a new python-django. Debian sid is now at 1.10 and it's caused quite a bit of breakage. It looks like a number of upstream projects are not updated wrt django 1.10 feature changes. One example is horizon, see Thomas' patches here: https:/
Other packages that have required patches are: django-classy-tags django-nose python-django-babel python-
| Robie Basak (racb) wrote : | #7 |
Consensus seems to be to stay on 1.8 in Yakkety: https:/
| Andres Rodriguez (andreserl) wrote : Re: [Bug 1605278] Re: Merge python-django 1:1.9.8-1 (main) from Debian unstable (main) | #8 |
I agree staying in 1.8. It is an LTS and at this point in the cycle,
multiple projects would need updating and we are too close to feature
freeze for that.
On Thursday, August 4, 2016, Robie Basak <email address hidden> wrote:
> Consensus seems to be to stay on 1.8 in Yakkety:
> https:/
>
> --
> You received this bug notification because you are subscribed to MAAS.
> https:/
>
> Title:
> Merge python-django 1:1.9.8-1 (main) from Debian unstable (main)
>
> To manage notifications about this bug go to:
> https:/
>
--
Andres Rodriguez (RoAkSoAx)
Ubuntu Server Developer
MSc. Telecom & Networking
Systems Engineer
Marking this Won't Fix for now, to get it out of our triage list. Once Yakkety is released, feel free to change the status back to New for reconsideration (and we can ask for consensus again as needed).
| Changed in python-django (Ubuntu): | |
| status: | Confirmed → Won't Fix |
| Changed in maas: | |
| importance: | Undecided → Wishlist |
| status: | New → Triaged |
| milestone: | none → next |
| Rob Cresswell (robcresswell) wrote : | #10 |
Horizon *should* support 1.10 as of the Newton release, but it's not been extensively tested. I'll be working on bumping OpenStack's Django requirement to <1.11 over the following weeks.
| Changed in horizon: | |
| status: | New → Confirmed |
| importance: | Undecided → High |
| milestone: | none → ocata-1 |
| assignee: | nobody → Rob Cresswell (robcresswell) |
| Changed in python-django (Ubuntu Zesty): | |
| assignee: | nobody → Nish Aravamudan (nacc) |
| Changed in horizon: | |
| milestone: | ocata-1 → ocata-2 |
| summary: |
- Merge python-django 1:1.9.8-1 (main) from Debian unstable (main) + Merge python-django 1:1.10.3 from Debian unstable |
I just uploaded 1.10.3-
| Corey Bryant (corey.bryant) wrote : | #12 |
I tested out openstack-dashboard for ocata with python-django 1.10.3 and python-
| Changed in python-django (Ubuntu Zesty): | |
| status: | New → In Progress |
| Changed in horizon: | |
| milestone: | ocata-2 → next |
| Jeremy Bicha (jbicha) wrote : | #13 |
What's the status of this for zesty?
If we don't do 1.10 for zesty, we might need to look through the Debian django related pacakges that have autosynced to see if they have any issues with being used with 1.8 instead.
| Nish Aravamudan (nacc) wrote : Re: [Bug 1605278] Re: Merge python-django 1:1.10.3 from Debian unstable | #14 |
The MAAS team are unable to proceed with the 1.10 version this cycle.
How would you propose we verify compatibility with 1.8? 1.10 was never
uploaded, so whatever build-time and autopkgtests run must have
passed.
Oh, I guess the problem was the other way around. Earlier there were concerns about packages being ready for 1.10 so hopefully they still work with 1.8.
The only way to verify it is to install them all and test it. But I don't use django and I'm not volunteering to do that.
Or we could just wait for bug reports if someone does experience a problem.
| Changed in python-django (Ubuntu Zesty): | |
| status: | In Progress → Won't Fix |
| summary: |
- Merge python-django 1:1.10.3 from Debian unstable + Merge python-django 1:1.11-1 from Debian unstable |
| Nish Aravamudan (nacc) wrote : | #16 |
I just uploaded a merge with 1:1.11-1 from experimental to the same PPA: https:/
Note that I chose 1.11 rather than the 1.10 in unstable because 1.11 is an LTS with support for a lot longer, which means (possibly) we don't need to merge again for 18.04 (or it will be a trivial upstream minor bump within the 1.11 series).
| description: | updated |
| Changed in python-django (Ubuntu Zesty): | |
| assignee: | Nish Aravamudan (nacc) → nobody |
| Nish Aravamudan (nacc) wrote : | #17 |
MAAS have acked that I can proceed with the upload and they will deal with the fallout.
I need to sync with the OpenStack team on testing with the 1.11 release.
| Jeremy Bicha (jbicha) wrote : | #18 |
Nish, did you see that django 1.10 was uploaded a few hours ago?
https:/
| Changed in python-django (Ubuntu Artful): | |
| status: | In Progress → Fix Committed |
| status: | Fix Committed → In Progress |
| Nish Aravamudan (nacc) wrote : | #19 |
Just an FYI that 1:1.11.2-2ubuntu1 is in artful-proposed.
| Changed in python-django (Ubuntu Artful): | |
| status: | In Progress → Fix Committed |
| assignee: | Nish Aravamudan (nacc) → nobody |
| Данило Шеган (danilo) wrote : | #20 |
For MAAS we need django-piston3 to be patched extensively to work with Django 1.11: https:/
| Nish Aravamudan (nacc) wrote : | #21 |
@danilo, that's done now, right?
I'm going to be unblocking (hopefully) python-django from a-p today, by uupdating' django-compat to be 1.11 ... compatible :)
| Rob Cresswell (robcresswell) wrote : | #22 |
Just updating to indicate that Horizon's Pike release has Django 1.11 support.
| Changed in horizon: | |
| milestone: | next → pike-3 |
| status: | Confirmed → Fix Released |
| Nish Aravamudan (nacc) wrote : | #23 |
@robcreswell, thanks!
Just upload django-compat 1.0.14-0ubuntu1 to artful-proposed, which should allow python-django 1.11 to migrate.
| no longer affects: | django-compat (Ubuntu Zesty) |
| Changed in django-compat (Ubuntu Artful): | |
| status: | New → Fix Committed |
| assignee: | nobody → Nish Aravamudan (nacc) |
| Nish Aravamudan (nacc) wrote : | #24 |
err, *Just uploaded!
| Launchpad Janitor (janitor) wrote : | #25 |
This bug was fixed in the package django-compat - 1.0.14-0ubuntu1
---------------
django-compat (1.0.14-0ubuntu1) artful; urgency=medium
* New upstream release (1.0.14)
- Needed for Django 1.11 support (LP: #1605278).
-- Nishanth Aravamudan <email address hidden> Tue, 08 Aug 2017 09:57:00 -0700
| Changed in django-compat (Ubuntu Artful): | |
| status: | Fix Committed → Fix Released |
| Changed in python-django (Ubuntu Artful): | |
| status: | Fix Committed → Fix Released |
| Adam Collard (adam-collard) wrote : | #26 |
This bug has not seen any activity in the last 6 months, so it is being automatically closed.
If you are still experiencing this issue, please feel free to re-open.
MAAS Team
| Changed in maas: | |
| status: | Triaged → Invalid |
I think it makes sense for Ubuntu 16.10 to include Django 1.10 which will be released in a few weeks.
https:/
I'm submitting this merge proposal now because, well, I already did the work. I updated Ubuntu's pymysql patch and diff so that Django will still work with python-mysqldb for any one that wants to use that database driver instead of Ubuntu Server's preferred pymysql.