Activity log for bug #1605278

Date Who What changed Old value New value Message
2016-07-21 14:31:17 Jeremy Bícha bug added bug
2016-07-21 14:31:22 Jeremy Bícha python-django (Ubuntu): importance Undecided Wishlist
2016-07-21 14:31:23 Jeremy Bícha bug added subscriber Ubuntu Sponsors Team
2016-07-21 14:36:43 Jeremy Bícha attachment added django-diff-from-debian.debdiff https://bugs.launchpad.net/ubuntu/+source/python-django/+bug/1605278/+attachment/4704686/+files/django-diff-from-debian.debdiff
2016-07-21 14:37:55 Jeremy Bícha bug added subscriber Corey Bryant
2016-07-21 18:02:20 Jeremy Bícha tags upgrade-software-version
2016-07-21 18:03:19 Launchpad Janitor python-django (Ubuntu): status New Confirmed
2016-07-21 19:05:36 Nish Aravamudan bug task added maas
2016-07-21 19:09:52 Nish Aravamudan bug task added horizon
2016-07-21 19:17:42 Jeremy Bícha removed subscriber Ubuntu Sponsors Team
2016-08-04 12:12:26 Jeremy Bícha nominated for series Ubuntu Z-series
2016-08-04 12:12:26 Jeremy Bícha bug task added python-django (Ubuntu Z-series)
2016-08-04 12:12:26 Jeremy Bícha nominated for series Ubuntu Yakkety
2016-08-04 12:12:42 Jeremy Bícha python-django (Ubuntu Z-series): importance Undecided Wishlist
2016-08-10 18:21:14 Robie Basak python-django (Ubuntu): status Confirmed Won't Fix
2016-08-10 18:21:28 Robie Basak bug added subscriber Robie Basak
2016-08-23 11:56:11 Andres Rodriguez maas: importance Undecided Wishlist
2016-08-23 11:56:14 Andres Rodriguez maas: status New Triaged
2016-08-23 11:56:17 Andres Rodriguez maas: milestone next
2016-11-01 12:25:59 Rob Cresswell horizon: status New Confirmed
2016-11-01 12:26:07 Rob Cresswell horizon: importance Undecided High
2016-11-01 12:26:12 Rob Cresswell horizon: milestone ocata-1
2016-11-01 12:26:18 Rob Cresswell horizon: assignee Rob Cresswell (robcresswell)
2016-11-22 16:16:34 Jon Grimm python-django (Ubuntu Zesty): assignee Nish Aravamudan (nacc)
2016-11-29 14:30:50 Rob Cresswell horizon: milestone ocata-1 ocata-2
2016-11-30 15:04:56 Jon Grimm summary Merge python-django 1:1.9.8-1 (main) from Debian unstable (main) Merge python-django 1:1.10.3 from Debian unstable
2016-12-13 16:06:41 Nish Aravamudan python-django (Ubuntu Zesty): status New In Progress
2017-01-30 16:28:44 Rob Cresswell horizon: milestone ocata-2 next
2017-03-10 20:10:31 Jeremy Bícha nominated for series Ubuntu Aa-series
2017-03-10 20:10:31 Jeremy Bícha bug task added python-django (Ubuntu Aa-series)
2017-03-10 20:10:54 Jeremy Bícha python-django (Ubuntu Aa-series): status New In Progress
2017-03-10 20:11:03 Jeremy Bícha python-django (Ubuntu Aa-series): importance Undecided Wishlist
2017-03-10 20:11:13 Jeremy Bícha python-django (Ubuntu Aa-series): assignee Nish Aravamudan (nacc)
2017-03-10 20:11:22 Jeremy Bícha python-django (Ubuntu Zesty): status In Progress Won't Fix
2017-05-05 16:42:15 Nish Aravamudan summary Merge python-django 1:1.10.3 from Debian unstable Merge python-django 1:1.11-1 from Debian unstable
2017-05-05 17:03:06 Nish Aravamudan description

Old value:

Please merge python-django 1:1.9.8-1 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:

  * SECURITY UPDATE: XSS in admin's add/change related popup
    - debian/patches/CVE-2016-6186.patch: change to text in django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js, django/views/debug.py, added to tests in tests/admin_views/admin.py, tests/admin_views/models.py, tests/admin_views/tests.py.
    - CVE-2016-6186
  * Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.) LP: #1528710
  * Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.) LP: #1528710
  * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
    - debian/patches/CVE-2016-2512-regression.patch: updated to final upstream fix.
    - CVE-2016-2512
  * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
    - debian/patches/CVE-2016-2512-regression.patch: force url to unicode in django/utils/http.py, added test to tests/utils_tests/test_http.py.
    - CVE-2016-2512
  * SECURITY UPDATE: malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
    - debian/patches/CVE-2016-2512.patch: prevent spoofing in django/utils/http.py, added test to tests/utils_tests/test_http.py.
    - CVE-2016-2512
  * SECURITY UPDATE: user enumeration through timing difference on password hasher work factor upgrade
    - debian/patches/CVE-2016-2513.patch: fix timing in django/contrib/auth/hashers.py, added note to docs/topics/auth/passwords.txt, added tests to tests/auth_tests/test_hashers.py.
    - CVE-2016-2513
  * Merge from Debian unstable. Remaining changes:
    - debian/patches/pymysql-replacement.patch: Use pymysql as drop in replacement for MySQLdb.
    - debian/control: Drop python-mysqldb in favor of python-pymysql.
  * Dropped changes:
    - debian/patches/99_skip_tests_due_python35.diff: no longer required, python 3.5 is now officially supported in 1.8.6+.

All of that was applied in the new Debian version except for the pymysql replacement.

Changelog entries since current yakkety version 1.8.7-1ubuntu6:

python-django (1:1.9.8-1) unstable; urgency=high

  * New upstream security release: https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
    - CVE-2016-6186: XSS in admin's add/change related popup

 -- Luke Faraone <lfaraone@debian.org> Tue, 19 Jul 2016 14:15:24 +0000

python-django (1:1.9.7-2) unstable; urgency=medium

  * Re-upload 1.9.7 to unstable with epoch.

 -- Chris Lamb <lamby@debian.org> Sun, 26 Jun 2016 09:58:19 +0200

python-django (1.10~beta1-1) unstable; urgency=medium

  [ Chris Lamb ]
  * New upstream beta release.
  * Drop fix-25761-add-traceback-attribute.patch; applied upstream.

  [ Raphaël Hertzog ]
  * Remove obsolete /etc/bash_completion.d/django_bash_completion on upgrade. Closes: #801744

 -- Chris Lamb <lamby@debian.org> Sat, 25 Jun 2016 19:17:49 +0200

python-django (1.9.7-1) unstable; urgency=medium

  [ Raphaël Hertzog ]
  * New upstream bugfix release.
  * Bump python-sphinx build dependency to >= 1.3. Closes: #824108
  * Drop build dependency on locales. C.UTF-8 that we currently use is part of libc-bin.

  [ Chris Lamb ]
  * Remove duplicated "of of" in python-django's README.Debian.

 -- Raphaël Hertzog <hertzog@debian.org> Tue, 14 Jun 2016 00:05:22 +0200

python-django (1.9.6-1) unstable; urgency=medium

  * New upstream bugfix release.

 -- Chris Lamb <lamby@debian.org> Sat, 07 May 2016 07:01:17 +0100

python-django (1.9.5-2) unstable; urgency=medium

  * Drop the dir_to_symlink transition that was only really needed for upgrades between versions 1.9~rc2 and 1.9.4. Closes: #821789

 -- Raphaël Hertzog <hertzog@debian.org> Wed, 20 Apr 2016 17:47:05 +0200

python-django (1.9.5-1) unstable; urgency=medium

  * New upstream bugfix release: https://docs.djangoproject.com/en/1.9/releases/1.9.5/
  * Fix the DEP-8 test suite (django-admin --with python3 failing because ./manage.py does not have a good shebang).
  * Update Standards-Version to 3.9.8.
  * Add some lintian overrides.
  * Tweak Vcs-Browser to use https.
  * Drop obsolete parts of the copyright file.

 -- Raphaël Hertzog <hertzog@debian.org> Wed, 06 Apr 2016 18:05:42 +0200

python-django (1.9.4-1) unstable; urgency=high

  [ Luke Faraone ]
  * New upstream security release: https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
    - CVE-2016-2512: Malicious redirect and possible XSS via user-supplied redirect URLs containing basic auth
    - CVE-2016-2513: User enumeration through timing difference on password hasher work factor upgrade
    Closes: #816434

  [ Raphaël Hertzog ]
  * Fix rules file to no longer mess with *_templates directories. They no longer contain invalid .py files but only *-tpl template files that are instantiated at runtime.

 -- Luke Faraone <lfaraone@debian.org> Mon, 07 Mar 2016 17:09:54 +0000

python-django (1.9.2-1) unstable; urgency=medium

  * New upstream security release fixing:
    - CVE-2016-2048: User with "change" but not "add" permission can create objects for ModelAdmin objects with save_as=True
    Closes: #813448

 -- Raphaël Hertzog <hertzog@debian.org> Tue, 02 Feb 2016 09:06:46 +0100

python-django (1.9.1-1) unstable; urgency=medium

  * New upstream release.

 -- Chris Lamb <lamby@debian.org> Mon, 04 Jan 2016 17:51:40 +0000

python-django (1.9-2) unstable; urgency=medium

  [ Chris Lamb ]
  * Use dpkg-maintscript-helper's dir_to_symlink to correctly replace the app_template and project_template symlinks added in 1.9~rc2-2. (Closes: #807683)

  [ Raphaël Hertzog ]
  * Add some DEP-8 tests testing "django-admin" and running the test suite against the installed package. In both cases, we do it with python2 and python3.
  * Add python-tblib and python3-tblib to Build-Depends for the benefit of the parallel testing feature of the test suite.
  * Add "set -e" in the command line running the tests with all supported versions so that it actually fails as soon as one version is failing (and thus disallow later successes to shadow earlier failures).

 -- Raphaël Hertzog <hertzog@debian.org> Wed, 30 Dec 2015 16:44:04 +0100

python-django (1.9-1) unstable; urgency=medium

  * Upload to unstable
  * Adjust uversionmangle in debian/watch to mangle "1.9rc2" scheme (previously only "1.9-rc-2" would have matched).

 -- Chris Lamb <lamby@debian.org> Thu, 03 Dec 2015 16:48:30 +0200

python-django (1.9~rc2-2) experimental; urgency=medium

  * Move {app,project}_template to python-django-common to prevent byte-compilation (via pycompile) on installation, causing failure. They are not valid Python files until variables have been interpolated.

 -- Chris Lamb <lamby@debian.org> Thu, 26 Nov 2015 14:53:11 +0200

python-django (1.9~rc2-1) experimental; urgency=medium

  * New upstream release candidate.
  * Add myself to Uploaders.

 -- Chris Lamb <lamby@debian.org> Thu, 26 Nov 2015 10:14:15 +0200

python-django (1.8.7-2) unstable; urgency=high

  * Rely on C.UTF-8 to run the tests instead of building our locale ourselves.
  * Add debian/patches/fix-25761-add-traceback-attribute.patch: new patch to ensure exceptions registered in __cause__ attributes have a __traceback__ attribute. Closes: #802677
  * Extend lintian overrides to cover more false positives of source-is-missing.
  * Cleanup debian/copyright for dropped/renamed files.
  * Run tests for all supported Python versions.

 -- Raphaël Hertzog <hertzog@debian.org> Wed, 25 Nov 2015 16:16:10 +0100

New value:

Please merge python-django 1:1.11-1 (main) from Debian experimental (main)

python-django (1:1.11-1ubuntu1) artful; urgency=medium

  * Merge from Debian unstable (LP: #1605278). Remaining changes:
    - debian/patches/pymysql-replacement.patch: Use pymysql as drop in replacement for MySQLdb.
    - debian/control: Drop python-mysqldb in favor of python-pymysql.
  * Drop:
    - SECURITY UPDATE: malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
      + debian/patches/CVE-2016-2512.patch: prevent spoofing in django/utils/http.py, added test to tests/utils_tests/test_http.py.
      + CVE-2016-2512
    - SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251)
      + debian/patches/CVE-2016-2512-regression.patch: force url to unicode in django/utils/http.py, added test to tests/utils_tests/test_http.py.
      + CVE-2016-2512
    - SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251)
      + debian/patches/CVE-2016-2512-regression.patch: updated to final upstream fix.
      + CVE-2016-2512
      [ Fixed upstream ]
    - SECURITY UPDATE: user enumeration through timing difference on password hasher work factor upgrade
      + debian/patches/CVE-2016-2513.patch: fix timing in django/contrib/auth/hashers.py, added note to docs/topics/auth/passwords.txt, added tests to tests/auth_tests/test_hashers.py.
      + CVE-2016-2513
      [ Fixed upstream ]
    - Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.) LP #1528710
      [ Fixed upstream ]
    - Backport upstream fix for ipv6-formatted ipv4 addresses (LP #1611923)
      [ Fixed upstream ]
    - SECURITY UPDATE: XSS in admin's add/change related popup
      + debian/patches/CVE-2016-6186.patch: change to text in django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js, django/views/debug.py, added to tests in tests/admin_views/admin.py, tests/admin_views/models.py, tests/admin_views/tests.py.
      + CVE-2016-6186
      [ Fixed upstream ]
    - SECURITY UPDATE: CSRF protection bypass on a site with Google Analytics
      + debian/patches/CVE-2016-7401.patch: simplify cookie parsing in django/http/cookie.py, add tests to tests/httpwrappers/tests.py, tests/requests/tests.py.
      + CVE-2016-7401
      [ Fixed upstream ]
    - SECURITY UPDATE: user with hardcoded password created when running tests on Oracle
      + debian/patches/CVE-2016-9013.patch: remove hardcoded password in django/db/backends/oracle/creation.py, added note to docs/ref/settings.txt.
      + CVE-2016-9013
      [ Fixed upstream ]
    - SECURITY UPDATE: DNS rebinding vulnerability when DEBUG=True
      + debian/patches/CVE-2016-9014.patch: properly check ALLOWED_HOSTS in django/http/request.py, updated docs/ref/settings.txt, added test to tests/requests/tests.py.
      + CVE-2016-9014
      [ Fixed upstream ]

 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 05 May 2017 09:41:07 -0700

2017-05-05 17:05:28 Nish Aravamudan python-django (Ubuntu Zesty): assignee Nish Aravamudan (nacc)
2017-06-18 15:47:29 Jeremy Bícha python-django (Ubuntu Artful): status In Progress Fix Committed
2017-06-18 15:47:54 Jeremy Bícha python-django (Ubuntu Artful): status Fix Committed In Progress
2017-06-28 15:41:39 Nish Aravamudan python-django (Ubuntu Artful): status In Progress Fix Committed
2017-06-28 15:41:43 Nish Aravamudan python-django (Ubuntu Artful): assignee Nish Aravamudan (nacc)
2017-08-08 17:01:06 Nish Aravamudan bug task added django-compat (Ubuntu)
2017-08-08 17:39:05 Rob Cresswell horizon: status Confirmed Fix Released
2017-08-08 17:39:05 Rob Cresswell horizon: milestone next pike-3
2017-08-08 17:57:33 Nish Aravamudan bug task deleted django-compat (Ubuntu Zesty)
2017-08-08 17:58:05 Nish Aravamudan django-compat (Ubuntu Artful): status New Fix Committed
2017-08-08 17:58:08 Nish Aravamudan django-compat (Ubuntu Artful): assignee Nish Aravamudan (nacc)
2017-08-08 20:28:23 Launchpad Janitor django-compat (Ubuntu Artful): status Fix Committed Fix Released
2017-08-28 17:20:07 Nish Aravamudan python-django (Ubuntu Artful): status Fix Committed Fix Released
2019-09-19 14:51:38 Adam Collard maas: status Triaged Invalid
2021-08-24 09:32:43 Björn Tillenius maas: milestone next