Ubuntu
python-django package

  1. Bug #1605278
  2. Comment #0

Comment 0 for bug 1605278

Revision history for this message
Jeremy Bícha (jbicha) wrote : Merge python-django 1:1.9.8-1 (main) from Debian unstable (main)

Please merge python-django 1:1.9.8-1 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: XSS in admin's add/change related popup
    - debian/patches/CVE-2016-6186.patch: change to text in
      django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js,
      django/views/debug.py, added to tests in tests/admin_views/admin.py,
      tests/admin_views/models.py, tests/admin_views/tests.py.
    - CVE-2016-6186
  * Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from
    upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.)
    LP: #1528710
  * Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from
    upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.)
    LP: #1528710
  * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
    - debian/patches/CVE-2016-2512-regression.patch: updated to final
      upstream fix.
    - CVE-2016-2512
  * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
    - debian/patches/CVE-2016-2512-regression.patch: force url to unicode
      in django/utils/http.py, added test to
      tests/utils_tests/test_http.py.
    - CVE-2016-2512
  * SECURITY UPDATE: malicious redirect and possible XSS attack via
    user-supplied redirect URLs containing basic auth
    - debian/patches/CVE-2016-2512.patch: prevent spoofing in
      django/utils/http.py, added test to tests/utils_tests/test_http.py.
    - CVE-2016-2512
  * SECURITY UPDATE: user enumeration through timing difference on password
    hasher work factor upgrade
    - debian/patches/CVE-2016-2513.patch: fix timing in
      django/contrib/auth/hashers.py, added note to
      docs/topics/auth/passwords.txt, added tests to
      tests/auth_tests/test_hashers.py.
    - CVE-2016-2513
  * Merge from Debian unstable. Remaining changes:
    - debian/patches/pymysql-replacement.patch: Use pymysql as drop in
      replacement for MySQLdb.
    - debian/control: Drop python-mysqldb in favor of python-pymysql.
  * Dropped changes:
    - debian/patches/99_skip_tests_due_python35.diff: no longer required,
      python 3.5 is now officially supported in 1.8.6+.

All of that was applied in the new Debian version except for the
pymysql replacement.

Changelog entries since current yakkety version 1.8.7-1ubuntu6:

python-django (1:1.9.8-1) unstable; urgency=high

  * New upstream security release:
    https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
    - CVE-2016-6186: XSS in admin's add/change related popup

 -- Luke Faraone <email address hidden> Tue, 19 Jul 2016 14:15:24 +0000

python-django (1:1.9.7-2) unstable; urgency=medium

  * Re-upload 1.9.7 to unstable with epoch.

 -- Chris Lamb <email address hidden> Sun, 26 Jun 2016 09:58:19 +0200

python-django (1.10~beta1-1) unstable; urgency=medium

  [ Chris Lamb ]
  * New upstream beta release.
  * Drop fix-25761-add-traceback-attribute.patch; applied upstream.

  [ Raphaël Hertzog ]
  * Remove obsolete /etc/bash_completion.d/django_bash_completion on upgrade.
    Closes: #801744

 -- Chris Lamb <email address hidden> Sat, 25 Jun 2016 19:17:49 +0200

python-django (1.9.7-1) unstable; urgency=medium

  [ Raphaël Hertzog ]
  * New upstream bugfix release.
  * Bump python-sphinx build dependency to >= 1.3. Closes: #824108
  * Drop build dependency on locales. C.UTF-8 that we currently use is part of
    libc-bin.

  [ Chris Lamb ]
  * Remove duplicated "of of" in python-django's README.Debian.

 -- Raphaël Hertzog <email address hidden> Tue, 14 Jun 2016 00:05:22 +0200

python-django (1.9.6-1) unstable; urgency=medium

  * New upstream bugfix release.

 -- Chris Lamb <email address hidden> Sat, 07 May 2016 07:01:17 +0100

python-django (1.9.5-2) unstable; urgency=medium

  * Drop the dir_to_symlink transition that was only really needed
    for upgrades between versions 1.9~rc2 and 1.9.4. Closes: #821789

 -- Raphaël Hertzog <email address hidden> Wed, 20 Apr 2016 17:47:05 +0200

python-django (1.9.5-1) unstable; urgency=medium

  * New upstream bugfix release:
    https://docs.djangoproject.com/en/1.9/releases/1.9.5/
  * Fix the DEP-8 test suite (django-admin --with python3 failing
    because ./manage.py does not have a good shebang).
  * Update Standards-Version to 3.9.8.
  * Add some lintian overrides.
  * Tweak Vcs-Browser to use https.
  * Drop obsolete parts of the copyright file.

 -- Raphaël Hertzog <email address hidden> Wed, 06 Apr 2016 18:05:42 +0200

python-django (1.9.4-1) unstable; urgency=high

  [ Luke Faraone ]
  * New upstream security release:
    https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
    - CVE-2016-2512: Malicious redirect and possible XSS via user-supplied
      redirect URLs containing basic auth
    - CVE-2016-2513: User enumeration through timing difference on password
      hasher work factor upgrade
      Closes: #816434

  [ Raphaël Hertzog ]
  * Fix rules file to no longer mess with *_templates directories. They no
    longer contain invalid .py files but only *-tpl template files that are
    instantiated at runtime.

 -- Luke Faraone <email address hidden> Mon, 07 Mar 2016 17:09:54 +0000

python-django (1.9.2-1) unstable; urgency=medium

  * New upstream security release fixing:
    - CVE-2016-2048: User with "change" but not "add" permission can create
      objects for ModelAdmin objects with save_as=True
      Closes: #813448

 -- Raphaël Hertzog <email address hidden> Tue, 02 Feb 2016 09:06:46 +0100

python-django (1.9.1-1) unstable; urgency=medium

  * New upstream release.

 -- Chris Lamb <email address hidden> Mon, 04 Jan 2016 17:51:40 +0000

python-django (1.9-2) unstable; urgency=medium

  [ Chris Lamb ]
  * Use dpkg-maintscript-helper's dir_to_symlink to correctly replace the
    app_template and project_template symlinks added in 1.9~rc2-2.
    (Closes: #807683)

  [ Raphaël Hertzog ]
  * Add some DEP-8 tests testing "django-admin" and running the test suite
    against the installed package. In both cases, we do it with python2 and
    python3.
  * Add python-tblib and python3-tblib to Build-Depends for the benefit of
    the parallel testing feature of the test suite.
  * Add "set -e" in the command line running the tests with all supported
    versions so that it actually fails as soon as one version is failing
    (and thus disallow later successes to shadow earlier failures).

 -- Raphaël Hertzog <email address hidden> Wed, 30 Dec 2015 16:44:04 +0100

python-django (1.9-1) unstable; urgency=medium

  * Upload to unstable
  * Adjust uversionmangle in debian/watch to mangle "1.9rc2" scheme
    (previously only "1.9-rc-2" would have matched).

 -- Chris Lamb <email address hidden> Thu, 03 Dec 2015 16:48:30 +0200

python-django (1.9~rc2-2) experimental; urgency=medium

  * Move {app,project}_template to python-django-common to prevent
    byte-compilation (via pycompile) on installation, causing failure. They are
    not valid Python files until variables have been interpolated.

 -- Chris Lamb <email address hidden> Thu, 26 Nov 2015 14:53:11 +0200

python-django (1.9~rc2-1) experimental; urgency=medium

  * New upstream release candidate.
  * Add myself to Uploaders.

 -- Chris Lamb <email address hidden> Thu, 26 Nov 2015 10:14:15 +0200

python-django (1.8.7-2) unstable; urgency=high

  * Rely on C.UTF-8 to run the tests instead of building our locale ourselves.
  * Add debian/patches/fix-25761-add-traceback-attribute.patch:
    new patch to ensure exceptions registered in __cause__ attributes
    have a __traceback__ attribute. Closes: #802677
  * Extend lintian overrides to cover more false positives of
    source-is-missing.
  * Cleanup debian/copyright for dropped/renamed files.
  * Run tests for all supported Python versions.

 -- Raphaël Hertzog <email address hidden> Wed, 25 Nov 2015 16:16:10 +0100