Merge python-django 1:1.11-1 from Debian unstable

Bug #1605278 reported by Jeremy Bicha on 2016-07-21
Affects                          Importance  Assigned to
MAAS                             Wishlist    Unassigned
OpenStack Dashboard (Horizon)    High        Rob Cresswell
django-compat (Ubuntu)           Undecided   Nish Aravamudan  (Declined for Yakkety by Nish Aravamudan)
django-compat (Ubuntu Artful)    Undecided   Nish Aravamudan
python-django (Ubuntu)           Wishlist    Unassigned       (Declined for Yakkety by Nish Aravamudan)
python-django (Ubuntu Zesty)     Wishlist    Unassigned
python-django (Ubuntu Artful)    Wishlist    Unassigned

Bug Description

Please merge python-django 1:1.11-1 (main) from Debian experimental (main)

python-django (1:1.11-1ubuntu1) artful; urgency=medium

  * Merge from Debian unstable (LP: #1605278). Remaining changes:
    - debian/patches/pymysql-replacement.patch: Use pymysql as drop in
      replacement for MySQLdb.
    - debian/control: Drop python-mysqldb in favor of python-pymysql.
  * Drop:
    - SECURITY UPDATE: malicious redirect and possible XSS attack via
      user-supplied redirect URLs containing basic auth
      + debian/patches/CVE-2016-2512.patch: prevent spoofing in
        django/utils/http.py, added test to tests/utils_tests/test_http.py.
      + CVE-2016-2512
    - SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251)
      + debian/patches/CVE-2016-2512-regression.patch: force url to unicode
        in django/utils/http.py, added test to
        tests/utils_tests/test_http.py.
      + CVE-2016-2512
    - SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251)
      + debian/patches/CVE-2016-2512-regression.patch: updated to final
        upstream fix.
      + CVE-2016-2512
    [ Fixed upstream ]
    - SECURITY UPDATE: user enumeration through timing difference on password
      hasher work factor upgrade
      + debian/patches/CVE-2016-2513.patch: fix timing in
        django/contrib/auth/hashers.py, added note to
        docs/topics/auth/passwords.txt, added tests to
        tests/auth_tests/test_hashers.py.
      + CVE-2016-2513
    [ Fixed upstream ]
    - Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from
      upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.)
      LP #1528710
    [ Fixed upstream ]
    - Backport upstream fix for ipv6-formatted ipv4 addresses (LP #1611923)
    [ Fixed upstream ]
    - SECURITY UPDATE: XSS in admin's add/change related popup
      + debian/patches/CVE-2016-6186.patch: change to text in
        django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js,
        django/views/debug.py, added to tests in tests/admin_views/admin.py,
        tests/admin_views/models.py, tests/admin_views/tests.py.
      + CVE-2016-6186
    [ Fixed upstream ]
    - SECURITY UPDATE: CSRF protection bypass on a site with Google Analytics
      + debian/patches/CVE-2016-7401.patch: simplify cookie parsing in
        django/http/cookie.py, add tests to tests/httpwrappers/tests.py,
        tests/requests/tests.py.
      + CVE-2016-7401
    [ Fixed upstream ]
    - SECURITY UPDATE: user with hardcoded password created when running
      tests on Oracle
      + debian/patches/CVE-2016-9013.patch: remove hardcoded password in
        django/db/backends/oracle/creation.py, added note to
        docs/ref/settings.txt.
      + CVE-2016-9013
    [ Fixed upstream ]
    - SECURITY UPDATE: DNS rebinding vulnerability when DEBUG=True
      + debian/patches/CVE-2016-9014.patch: properly check ALLOWED_HOSTS in
        django/http/request.py, updated docs/ref/settings.txt, added test to
        tests/requests/tests.py.
      + CVE-2016-9014
    [ Fixed upstream ]

 -- Nishanth Aravamudan <email address hidden> Fri, 05 May 2017 09:41:07 -0700
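
The changelog above drops Ubuntu's carried security patches because Django 1.11 ships the upstream fixes. As an added illustration of the class of check behind the CVE-2016-2512 entries (redirect targets that carry basic-auth userinfo, and the non-unicode regression fixed by forcing the URL to unicode), here is a standalone redirect-target validator written for this page. It is not Django's is_safe_url() and not code from the package. The host allow-list and every test URL are constructed for the example; the leading-control-character and backslash normalisation rules are extra hardening assumed here, not described on the page.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example; stands in for a site's own host names.
ALLOWED_HOSTS = {"good.example.com"}


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """Return True only if `url` is an acceptable redirect target.

    Rules (standalone illustration, not Django's implementation):
      * bytes are decoded to str first, so a non-unicode value cannot
        bypass the string checks (cf. the "force url to unicode" fix);
      * relative paths are fine; absolute URLs must use http(s) (https only
        when require_https is set) and name a host in `allowed_hosts`;
      * an authority component containing '@' (basic-auth userinfo) is
        rejected outright rather than trusting the parser to pick the
        host, since "http://good.example.com@evil.example/" is meant to
        read as if it pointed at the allowed host.
    """
    if url is None:
        return False
    if isinstance(url, bytes):
        url = url.decode("utf-8", "replace")
    url = url.strip()
    if not url:
        return False
    # Assumed hardening: browsers drop leading C0 control characters and
    # treat '\' as '/', so normalise the same way before parsing.
    if ord(url[0]) < 0x20 or ord(url[0]) == 0x7F:
        return False
    url = url.replace("\\", "/")
    if url.startswith("///"):
        return False  # some browsers read this as scheme-relative
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # e.g. malformed IPv6 literal such as "http://[::1"
    if "@" in parts.netloc:
        return False  # basic-auth userinfo: the CVE-2016-2512 vector
    if parts.scheme and not parts.netloc:
        return False  # javascript:, data:, mailto:, "http:/host" ...
    allowed_schemes = {"https"} if require_https else {"http", "https"}
    if parts.scheme and parts.scheme not in allowed_schemes:
        return False
    if parts.netloc:
        host = parts.hostname  # lower-cased, port stripped
        if host is None or host not in {h.lower() for h in allowed_hosts}:
            return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a mix of safe targets and spoofing attempts.
    for candidate in [
        "/accounts/profile/",
        "https://good.example.com/next",
        b"/accounts/",
        "http://user:pw@good.example.com/",
        "http://good.example.com@evil.example/",
        "//evil.example/x",
        "http:\\\\evil.example/x",
        "javascript:alert(1)",
        "\x00http://evil.example/",
    ]:
        print(f"{candidate!r:45} -> {is_safe_redirect(candidate, ALLOWED_HOSTS)}")
```

Any `@` in the authority is refused before the host is even compared, which is the simplest way to keep a redirect from depending on how a particular browser splits userinfo from host.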

Jeremy Bicha (jbicha) on 2016-07-21
Changed in python-django (Ubuntu):
importance: Undecided → Wishlist
Jeremy Bicha (jbicha) wrote :

I think it makes sense for Ubuntu 16.10 to include Django 1.10 which will be released in a few weeks.

https://www.djangoproject.com/download/

I'm submitting this merge proposal now because, well, I already did the work. I updated Ubuntu's pymysql patch and diff so that Django will still work with python-mysqldb for any one that wants to use that database driver instead of Ubuntu Server's preferred pymysql.

Jeremy Bicha (jbicha) on 2016-07-21
tags: added: upgrade-software-version
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-django (Ubuntu):
status: New → Confirmed
Nish Aravamudan (nacc) wrote :

Note that openstack's upper constraints indicate django <= 1.8.14: https://github.com/openstack/requirements/blob/master/upper-constraints.txt

Jeremy Bicha (jbicha) wrote :

Unsubscribing ubuntu-sponsors since this apparently isn't ready for yakkety yet. Feel free to re-subscribe when you're ready.

Jeremy Bicha (jbicha) wrote :

There's no explanation given on the git commit that set the upper constraint :(

https://github.com/openstack/requirements/commit/441066a4228746309866e23b4582850d7ace0c28

Corey Bryant (corey.bryant) wrote :

I think we need to carefully consider the side-effects of merging a new python-django. Debian sid is now at 1.10 and it's caused quite a bit of breakage. It looks like a number of upstream projects are not updated wrt django 1.10 feature changes. One example is horizon, see Thomas' patches here: https://anonscm.debian.org/cgit/openstack/horizon.git/log/?h=debian/newton

Other packages that have required patches are: django-classy-tags django-nose python-django-babel python-django-bootstrap-form python-django-formtools python-django-openstack-auth python-django-sekizai python-django-appconf python-django-babel python-django-bootstrap-form python-django-compressor python-django-formtools python-django-openstack-auth python-django-overextends python-django-pyscss.

Robie Basak (racb) wrote :

Consensus seems to be to stay on 1.8 in Yakkety: https://lists.ubuntu.com/archives/ubuntu-devel/2016-August/039474.html

I agree staying in 1.8. It is an LTS and at this point in the cycle,
multiple projects would need updating and we are too close to feature
freeze for that.

On Thursday, August 4, 2016, Robie Basak <email address hidden> wrote:

> Consensus seems to be to stay on 1.8 in Yakkety:
> https://lists.ubuntu.com/archives/ubuntu-devel/2016-August/039474.html

--
Andres Rodriguez (RoAkSoAx)
Ubuntu Server Developer
MSc. Telecom & Networking
Systems Engineer

Marking this Won't Fix for now, to get it out of our triage list. Once Yakkety is released, feel free to change the status back to New for reconsideration (and we can ask for consensus again as needed).

Changed in python-django (Ubuntu):
status: Confirmed → Won't Fix
Changed in maas:
importance: Undecided → Wishlist
status: New → Triaged
milestone: none → next
Rob Cresswell (robcresswell) wrote :

Horizon *should* support 1.10 as of the Newton release, but it's not been extensively tested. I'll be working on bumping OpenStack's Django requirement to <1.11 over the following weeks.

Changed in horizon:
status: New → Confirmed
importance: Undecided → High
milestone: none → ocata-1
assignee: nobody → Rob Cresswell (robcresswell)
Jon Grimm (jgrimm) on 2016-11-22
Changed in python-django (Ubuntu Zesty):
assignee: nobody → Nish Aravamudan (nacc)
Changed in horizon:
milestone: ocata-1 → ocata-2
Jon Grimm (jgrimm) on 2016-11-30
summary: - Merge python-django 1:1.9.8-1 (main) from Debian unstable (main)
+ Merge python-django 1:1.10.3 from Debian unstable
Corey Bryant (corey.bryant) wrote :

I tested out openstack-dashboard for ocata with python-django 1.10.3 and python-django-compressor 2.1, and all looks to be working fine. I also upgraded from python-django 1.8.7 -> 1.10.3 with no issues. It's worth noting that my testing was limited to backported packages on xenial, and I don't see any reason why zesty results would be any different. I'm ok with syncing python-django 1.10.3 into zesty from an openstack perspective.

Nish Aravamudan (nacc) on 2016-12-13
Changed in python-django (Ubuntu Zesty):
status: New → In Progress
Changed in horizon:
milestone: ocata-2 → next
Jeremy Bicha (jbicha) wrote :

What's the status of this for zesty?

If we don't do 1.10 for zesty, we might need to look through the Debian django related packages that have autosynced to see if they have any issues with being used with 1.8 instead.

The MAAS team are unable to proceed with the 1.10 version this cycle.

How would you propose we verify compatibility with 1.8? 1.10 was never
uploaded, so whatever build-time and autopkgtests run must have
passed.

Oh, I guess the problem was the other way around. Earlier there were concerns about packages being ready for 1.10 so hopefully they still work with 1.8.

The only way to verify it is to install them all and test it. But I don't use django and I'm not volunteering to do that.

Or we could just wait for bug reports if someone does experience a problem.

Jeremy Bicha (jbicha) on 2017-03-10
Changed in python-django (Ubuntu Zesty):
status: In Progress → Won't Fix
Nish Aravamudan (nacc) on 2017-05-05
summary: - Merge python-django 1:1.10.3 from Debian unstable
+ Merge python-django 1:1.11-1 from Debian unstable
Nish Aravamudan (nacc) wrote :

I just uploaded a merge with 1:1.11-1 from experimental to the same PPA: https://launchpad.net/~nacc/+archive/ubuntu/lp1605278

Note that I chose 1.11 rather than the 1.10 in unstable because 1.11 is an LTS with support for a lot longer, which means (possibly) we don't need to merge again for 18.04 (or it will be a trivial upstream minor bump within the 1.11 series).

description: updated
Nish Aravamudan (nacc) on 2017-05-05
Changed in python-django (Ubuntu Zesty):
assignee: Nish Aravamudan (nacc) → nobody
Nish Aravamudan (nacc) wrote :

MAAS have acked that I can proceed with the upload and they will deal with the fallout.

I need to sync with the OpenStack team on testing with the 1.11 release.

Jeremy Bicha (jbicha) wrote :

Nish, did you see that django 1.10 was uploaded a few hours ago?

https://launchpad.net/ubuntu/+source/python-django/1:1.10.7-2ubuntu1

Changed in python-django (Ubuntu Artful):
status: In Progress → Fix Committed
status: Fix Committed → In Progress
Nish Aravamudan (nacc) wrote :

Just an FYI that 1:1.11.2-2ubuntu1 is in artful-proposed.

Changed in python-django (Ubuntu Artful):
status: In Progress → Fix Committed
assignee: Nish Aravamudan (nacc) → nobody

For MAAS we need django-piston3 to be patched extensively to work with Django 1.11: https://bugs.launchpad.net/ubuntu/+source/maas/+bug/1702062

Nish Aravamudan (nacc) wrote :

@danilo, that's done now, right?

I'm going to be unblocking (hopefully) python-django from a-p today, by updating django-compat to be 1.11 ... compatible :)

Rob Cresswell (robcresswell) wrote :

Just updating to indicate that Horizon's Pike release has Django 1.11 support.

Changed in horizon:
milestone: next → pike-3
status: Confirmed → Fix Released
Nish Aravamudan (nacc) wrote :

@robcresswell, thanks!

Just upload django-compat 1.0.14-0ubuntu1 to artful-proposed, which should allow python-django 1.11 to migrate.

no longer affects: django-compat (Ubuntu Zesty)
Changed in django-compat (Ubuntu Artful):
status: New → Fix Committed
assignee: nobody → Nish Aravamudan (nacc)
Nish Aravamudan (nacc) wrote :

err, *Just uploaded!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package django-compat - 1.0.14-0ubuntu1

---------------
django-compat (1.0.14-0ubuntu1) artful; urgency=medium

  * New upstream release (1.0.14)
    - Needed for Django 1.11 support (LP: #1605278).

 -- Nishanth Aravamudan <email address hidden> Tue, 08 Aug 2017 09:57:00 -0700

Changed in django-compat (Ubuntu Artful):
status: Fix Committed → Fix Released
Nish Aravamudan (nacc) on 2017-08-28
Changed in python-django (Ubuntu Artful):
status: Fix Committed → Fix Released
Adam Collard (adam-collard) wrote :

This bug has not seen any activity in the last 6 months, so it is being automatically closed.

If you are still experiencing this issue, please feel free to re-open.

MAAS Team

Changed in maas:
status: Triaged → Invalid