Author: Luke Faraone
Revision Date: 2014-08-20 19:30:21 UTC

* New upstream security release.
  - reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
  - file upload denial of service (CVE-2014-0481)
  - RemoteUserMiddleware session hijacking (CVE-2014-0482)
  - data leakage via querystring manipulation in admin (CVE-2014-0483)

[ Brian May ]
* Don't output stuff to stdout in django-admin. Closes: #757145

[ Raphaël Hertzog ]
* Update Vcs-* fields since the packaging repository moved to git.

Author: Luke Faraone
Revision Date: 2014-08-20 19:30:21 UTC

* New upstream security release.
  - reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
  - file upload denial of service (CVE-2014-0481)
  - RemoteUserMiddleware session hijacking (CVE-2014-0482)
  - data leakage via querystring manipulation in admin (CVE-2014-0483)

[ Brian May ]
* Don't output stuff to stdout in django-admin. Closes: #757145

[ Raphaël Hertzog ]
* Update Vcs-* fields since the packaging repository moved to git.

Author: Marc Deslauriers
Revision Date: 2014-09-10 13:07:32 UTC

* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
  - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
    URLs pointing to other hosts in django/core/urlresolvers.py, added
    tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py.
  - CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
  - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
    django/core/files/storage.py, updated docs in
    docs/howto/custom-file-storage.txt, added tests to
    tests/modeltests/files/models.py,
    tests/regressiontests/file_storage/tests.py, backport
    get_random_string() to django/utils/crypto.py.
  - CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
  - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
    logout on REMOTE_USE change in django/contrib/auth/middleware.py,
    added test to django/contrib/auth/tests/remote_user.py.
  - CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
  - debian/patches/CVE-2014-0483.patch: validate to_field in
    django/contrib/admin/{options,exceptions}.py,
    django/contrib/admin/views/main.py, added tests to
    tests/regressiontests/admin_views/tests.py.
  - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - CVE-2014-0483
* debian/patches/fix_invalid_link_ftbfs.patch: remove test causing FTBFS.

Author: Marc Deslauriers
Revision Date: 2014-09-10 13:07:32 UTC

* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
  - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
    URLs pointing to other hosts in django/core/urlresolvers.py, added
    tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py.
  - CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
  - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
    django/core/files/storage.py, updated docs in
    docs/howto/custom-file-storage.txt, added tests to
    tests/modeltests/files/models.py,
    tests/regressiontests/file_storage/tests.py, backport
    get_random_string() to django/utils/crypto.py.
  - CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
  - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
    logout on REMOTE_USE change in django/contrib/auth/middleware.py,
    added test to django/contrib/auth/tests/remote_user.py.
  - CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
  - debian/patches/CVE-2014-0483.patch: validate to_field in
    django/contrib/admin/{options,exceptions}.py,
    django/contrib/admin/views/main.py, added tests to
    tests/regressiontests/admin_views/tests.py.
  - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - CVE-2014-0483
* debian/patches/fix_invalid_link_ftbfs.patch: remove test causing FTBFS.

Author: Marc Deslauriers
Revision Date: 2014-09-09 14:37:19 UTC

* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
  - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
    URLs pointing to other hosts in django/core/urlresolvers.py, added
    tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py.
  - CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
  - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
    django/core/files/storage.py, updated docs in
    docs/howto/custom-file-storage.txt, docs/ref/files/storage.txt,
    added tests to tests/modeltests/files/tests.py,
    tests/regressiontests/file_storage/tests.py, backport
    get_random_string() to django/utils/crypto.py.
  - CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
  - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
    logout on REMOTE_USE change in django/contrib/auth/middleware.py,
    added test to django/contrib/auth/tests/remote_user.py.
  - CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
  - debian/patches/CVE-2014-0483.patch: validate to_field in
    django/contrib/admin/{options,exceptions}.py,
    django/contrib/admin/views/main.py, added tests to
    tests/regressiontests/admin_views/tests.py.
  - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - CVE-2014-0483

Author: Marc Deslauriers
Revision Date: 2014-09-09 14:37:19 UTC

* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
  - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
    URLs pointing to other hosts in django/core/urlresolvers.py, added
    tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py.
  - CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
  - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
    django/core/files/storage.py, updated docs in
    docs/howto/custom-file-storage.txt, docs/ref/files/storage.txt,
    added tests to tests/modeltests/files/tests.py,
    tests/regressiontests/file_storage/tests.py, backport
    get_random_string() to django/utils/crypto.py.
  - CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
  - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
    logout on REMOTE_USE change in django/contrib/auth/middleware.py,
    added test to django/contrib/auth/tests/remote_user.py.
  - CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
  - debian/patches/CVE-2014-0483.patch: validate to_field in
    django/contrib/admin/{options,exceptions}.py,
    django/contrib/admin/views/main.py, added tests to
    tests/regressiontests/admin_views/tests.py.
  - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - CVE-2014-0483

Author: Marc Deslauriers
Revision Date: 2014-09-09 13:37:23 UTC

* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
  - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
    URLs pointing to other hosts in django/core/urlresolvers.py, added
    tests to tests/urlpatterns_reverse/{tests,urls}.py.
  - CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
  - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
    django/core/files/storage.py, updated docs in
    docs/howto/custom-file-storage.txt, docs/ref/files/storage.txt,
    added tests to tests/file_storage/tests.py, tests/files/tests.py.
  - CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
  - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
    logout on REMOTE_USE change in django/contrib/auth/middleware.py,
    added test to django/contrib/auth/tests/test_remote_user.py.
  - CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
  - debian/patches/CVE-2014-0483.patch: validate to_field in
    django/contrib/admin/{options,exceptions}.py,
    django/contrib/admin/views/main.py, added docs to
    docs/ref/exceptions.txt, added tests to tests/admin_views/tests.py.
  - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/admin_views/{admin,models,tests}.py.
  - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/admin_views/{admin,models,tests}.py.
  - CVE-2014-0483

Author: Marc Deslauriers
Revision Date: 2014-09-09 13:37:23 UTC

* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
  - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
    URLs pointing to other hosts in django/core/urlresolvers.py, added
    tests to tests/urlpatterns_reverse/{tests,urls}.py.
  - CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
  - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
    django/core/files/storage.py, updated docs in
    docs/howto/custom-file-storage.txt, docs/ref/files/storage.txt,
    added tests to tests/file_storage/tests.py, tests/files/tests.py.
  - CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
  - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
    logout on REMOTE_USE change in django/contrib/auth/middleware.py,
    added test to django/contrib/auth/tests/test_remote_user.py.
  - CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
  - debian/patches/CVE-2014-0483.patch: validate to_field in
    django/contrib/admin/{options,exceptions}.py,
    django/contrib/admin/views/main.py, added docs to
    docs/ref/exceptions.txt, added tests to tests/admin_views/tests.py.
  - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/admin_views/{admin,models,tests}.py.
  - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/admin_views/{admin,models,tests}.py.
  - CVE-2014-0483

Author: Luke Faraone
Revision Date: 2014-08-20 19:30:21 UTC

* New upstream security release.
  - reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
  - file upload denial of service (CVE-2014-0481)
  - RemoteUserMiddleware session hijacking (CVE-2014-0482)
  - data leakage via querystring manipulation in admin (CVE-2014-0483)

[ Brian May ]
* Don't output stuff to stdout in django-admin. Closes: #757145

[ Raphaël Hertzog ]
* Update Vcs-* fields since the packaging repository moved to git.

Author: Luke Faraone
Revision Date: 2014-08-20 19:30:21 UTC

* New upstream security release.
  - reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
  - file upload denial of service (CVE-2014-0481)
  - RemoteUserMiddleware session hijacking (CVE-2014-0482)
  - data leakage via querystring manipulation in admin (CVE-2014-0483)

[ Brian May ]
* Don't output stuff to stdout in django-admin. Closes: #757145

[ Raphaël Hertzog ]
* Update Vcs-* fields since the packaging repository moved to git.

Author: Seth Arnold
Revision Date: 2014-05-14 11:00:30 UTC

* SECURITY UPDATE: cache coherency problems in old Internet Explorer
  compatibility functions lead to loss of privacy and cache poisoning
  attacks. (LP: #1317663)
  - debian/patches/drop_fix_ie_for_vary_1_5.diff: remove fix_IE_for_vary()
    and fix_IE_for_attach() functions so Cache-Control and Vary headers are
    no longer modified. This may introduce some regressions for IE 6 and IE 7
    users. Patch from upstream.
  - CVE-2014-1418
* SECURITY UPDATE: The validation for redirects did not correctly validate
  some malformed URLs, which are accepted by some browsers. This allows a
  user to be redirected to an unsafe URL unexpectedly.
  - debian/patches/is_safe_url_1_5.diff: Forbid URLs starting with '///',
    forbid URLs without a host but with a path. Patch from upstream.

Author: Seth Arnold
Revision Date: 2014-05-14 11:05:38 UTC

* SECURITY UPDATE: cache coherency problems in old Internet Explorer
  compatibility functions lead to loss of privacy and cache poisoning
  attacks. (LP: #1317663)
  - debian/patches/drop_fix_ie_for_vary_1_4.diff: remove fix_IE_for_vary()
    and fix_IE_for_attach() functions so Cache-Control and Vary headers are
    no longer modified. This may introduce some regressions for IE 6 and IE 7
    users. Patch from upstream.
  - CVE-2014-1418
* SECURITY UPDATE: The validation for redirects did not correctly validate
  some malformed URLs, which are accepted by some browsers. This allows a
  user to be redirected to an unsafe URL unexpectedly.
  - debian/patches/is_safe_url_1_4.diff: Forbid URLs starting with '///',
    forbid URLs without a host but with a path. Patch from upstream.

Author: Seth Arnold
Revision Date: 2014-05-14 11:05:38 UTC

* SECURITY UPDATE: cache coherency problems in old Internet Explorer
  compatibility functions lead to loss of privacy and cache poisoning
  attacks. (LP: #1317663)
  - debian/patches/drop_fix_ie_for_vary_1_4.diff: remove fix_IE_for_vary()
    and fix_IE_for_attach() functions so Cache-Control and Vary headers are
    no longer modified. This may introduce some regressions for IE 6 and IE 7
    users. Patch from upstream.
  - CVE-2014-1418
* SECURITY UPDATE: The validation for redirects did not correctly validate
  some malformed URLs, which are accepted by some browsers. This allows a
  user to be redirected to an unsafe URL unexpectedly.
  - debian/patches/is_safe_url_1_4.diff: Forbid URLs starting with '///',
    forbid URLs without a host but with a path. Patch from upstream.

Author: Seth Arnold
Revision Date: 2014-05-14 11:00:30 UTC

* SECURITY UPDATE: cache coherency problems in old Internet Explorer
  compatibility functions lead to loss of privacy and cache poisoning
  attacks. (LP: #1317663)
  - debian/patches/drop_fix_ie_for_vary_1_5.diff: remove fix_IE_for_vary()
    and fix_IE_for_attach() functions so Cache-Control and Vary headers are
    no longer modified. This may introduce some regressions for IE 6 and IE 7
    users. Patch from upstream.
  - CVE-2014-1418
* SECURITY UPDATE: The validation for redirects did not correctly validate
  some malformed URLs, which are accepted by some browsers. This allows a
  user to be redirected to an unsafe URL unexpectedly.
  - debian/patches/is_safe_url_1_5.diff: Forbid URLs starting with '///',
    forbid URLs without a host but with a path. Patch from upstream.

Author: Barry Warsaw
Revision Date: 2014-01-29 18:37:51 UTC

* Team upload.
* d/patches/ticket21869.diff: Cherry pick upstream fix for building
  documentation against Sphinx 1.2.1.

Author: Barry Warsaw
Revision Date: 2014-01-29 18:37:51 UTC

* Team upload.
* d/patches/ticket21869.diff: Cherry pick upstream fix for building
  documentation against Sphinx 1.2.1.

Author: Marc Deslauriers
Revision Date: 2013-09-20 08:48:09 UTC

* SECURITY UPDATE: denial of service via long passwords (LP: #1225784)
  - debian/patches/CVE-2013-1443.patch: enforce a maximum password length
    in django/contrib/auth/forms.py, django/contrib/auth/hashers.py,
    django/contrib/auth/tests/hashers.py.
  - CVE-2013-1443
* SECURITY UPDATE: directory traversal with ssi template tag
  - debian/patches/CVE-2013-4315.patch: properly check absolute path in
    django/template/defaulttags.py,
    tests/regressiontests/templates/tests.py.
  - CVE-2013-4315
* SECURITY UPDATE: possible XSS via is_safe_url
  - debian/patches/security-is_safe_url.patch: properly reject URLs which
    specify a scheme other then HTTP or HTTPS.
  - https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
  - No CVE number
* debian/patches/fix-validation-tests.patch: fix regression in tests
  since example.com is now available via https.

Author: Marc Deslauriers
Revision Date: 2013-09-20 08:48:09 UTC

* SECURITY UPDATE: denial of service via long passwords (LP: #1225784)
  - debian/patches/CVE-2013-1443.patch: enforce a maximum password length
    in django/contrib/auth/forms.py, django/contrib/auth/hashers.py,
    django/contrib/auth/tests/hashers.py.
  - CVE-2013-1443
* SECURITY UPDATE: directory traversal with ssi template tag
  - debian/patches/CVE-2013-4315.patch: properly check absolute path in
    django/template/defaulttags.py,
    tests/regressiontests/templates/tests.py.
  - CVE-2013-4315
* SECURITY UPDATE: possible XSS via is_safe_url
  - debian/patches/security-is_safe_url.patch: properly reject URLs which
    specify a scheme other then HTTP or HTTPS.
  - https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
  - No CVE number
* debian/patches/fix-validation-tests.patch: fix regression in tests
  since example.com is now available via https.

Author: Adam Conrad
Revision Date: 2013-09-27 04:51:31 UTC

Pull patch from git to isolate a DB test in testsuite (LP: #1231923)

Author: Adam Conrad
Revision Date: 2013-09-27 04:51:31 UTC

Pull patch from git to isolate a DB test in testsuite (LP: #1231923)

Author: Marc Deslauriers
Revision Date: 2013-03-04 10:33:54 UTC

* SECURITY UPDATE: host header poisoning (LP: #1089337)
  - debian/patches/fix_get_host.patch: tighten host header validation in
    django/http/__init__.py, add tests to
    tests/regressiontests/requests/tests.py.
  - https://www.djangoproject.com/weblog/2012/dec/10/security/
  - No CVE number
* SECURITY UPDATE: redirect poisoning (LP: #1089337)
  - debian/patches/fix_redirect_poisoning.patch: tighten validation in
    django/contrib/auth/views.py,
    django/contrib/comments/views/comments.py,
    django/contrib/comments/views/moderation.py,
    django/contrib/comments/views/utils.py, django/utils/http.py,
    django/views/i18n.py, add tests to
    tests/regressiontests/comment_tests/tests/comment_view_tests.py,
    tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
    tests/regressiontests/views/tests/i18n.py.
  - https://www.djangoproject.com/weblog/2012/dec/10/security/
  - No CVE number
* SECURITY UPDATE: host header poisoning (LP: #1130445)
  - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
    to django/conf/global_settings.py,
    django/conf/project_template/settings.py,
    django/http/__init__.py, django/test/utils.py, add docs to
    docs/ref/settings.txt, add tests to
    tests/regressiontests/requests/tests.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - No CVE number
* SECURITY UPDATE: XML attacks (LP: #1130445)
  - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
    and external entities/DTDs in
    django/core/serializers/xml_serializer.py, add tests to
    tests/regressiontests/serializers_regress/tests.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - CVE-2013-1664
  - CVE-2013-1665
* SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
  - debian/patches/CVE-2013-0305.patch: add permission checks to history
    view in django/contrib/admin/options.py, add tests to
    tests/regressiontests/admin_views/tests.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - CVE-2013-0305
* SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
  - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
    django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
    docs/topics/forms/modelforms.txt, add tests to
    tests/regressiontests/forms/tests/formsets.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - CVE-2013-0306

Author: Andres Rodriguez
Revision Date: 2013-03-07 17:27:06 UTC

[ Julian Edwards ]
* debian/patches:
  - prefetch_related.diff: Backport prefetch_related from 1.4 (LP: #1081388)
  - bug15496-base64-multipart-fix.diff: Include fix for upstream bug #15496
    which makes 'Content-Transfer-Encoding: base64: work for multipart
    messages. (LP: #1081392)

Author: Marc Deslauriers
Revision Date: 2013-03-04 10:33:54 UTC

* SECURITY UPDATE: host header poisoning (LP: #1089337)
  - debian/patches/fix_get_host.patch: tighten host header validation in
    django/http/__init__.py, add tests to
    tests/regressiontests/requests/tests.py.
  - https://www.djangoproject.com/weblog/2012/dec/10/security/
  - No CVE number
* SECURITY UPDATE: redirect poisoning (LP: #1089337)
  - debian/patches/fix_redirect_poisoning.patch: tighten validation in
    django/contrib/auth/views.py,
    django/contrib/comments/views/comments.py,
    django/contrib/comments/views/moderation.py,
    django/contrib/comments/views/utils.py, django/utils/http.py,
    django/views/i18n.py, add tests to
    tests/regressiontests/comment_tests/tests/comment_view_tests.py,
    tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
    tests/regressiontests/views/tests/i18n.py.
  - https://www.djangoproject.com/weblog/2012/dec/10/security/
  - No CVE number
* SECURITY UPDATE: host header poisoning (LP: #1130445)
  - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
    to django/conf/global_settings.py,
    django/conf/project_template/settings.py,
    django/http/__init__.py, django/test/utils.py, add docs to
    docs/ref/settings.txt, add tests to
    tests/regressiontests/requests/tests.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - No CVE number
* SECURITY UPDATE: XML attacks (LP: #1130445)
  - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
    and external entities/DTDs in
    django/core/serializers/xml_serializer.py, add tests to
    tests/regressiontests/serializers_regress/tests.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - CVE-2013-1664
  - CVE-2013-1665
* SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
  - debian/patches/CVE-2013-0305.patch: add permission checks to history
    view in django/contrib/admin/options.py, add tests to
    tests/regressiontests/admin_views/tests.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - CVE-2013-0305
* SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
  - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
    django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
    docs/topics/forms/modelforms.txt, add tests to
    tests/regressiontests/forms/tests/formsets.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - CVE-2013-0306

Author: Raphaël Hertzog
Revision Date: 2013-02-24 10:28:08 UTC

* New upstream maintenance release dropping some undesired .pyc files
  and fixing a documentation link.
* High urgency due to former security updates.

Author: Raphaël Hertzog
Revision Date: 2013-02-24 10:28:08 UTC

* New upstream maintenance release dropping some undesired .pyc files
  and fixing a documentation link.
* High urgency due to former security updates.

Author: Marc Deslauriers
Revision Date: 2012-09-06 09:39:29 UTC

* SECURITY UPDATE: Cross-site scripting in authentication views
  (LP: #1031733)
  - debian/patches/16_fix_cross_site_scripting_in_authentication.diff:
    fix unsafe redirects indjango/http/__init__.py, add test case to
    tests/regressiontests/httpwrappers/tests.py. Patch backport taken
    from Debian Squeeze and fixed for python 2.4 compatibility.
  - CVE-2012-3442
* SECURITY UPDATE: Denial-of-service in image validation (LP: #1031733)
  - debian/patches/17_fix_dos_in_image_validation.diff: call verify()
    immediately after the constructor in django/forms/fields.py.
  - CVE-2012-3443
* SECURITY UPDATE: Denial-of-service via get_image_dimensions()
  (LP: #1031733)
  - debian/patches/18_fix_dos_via_get_image_dimensions.diff: don't limit
    chunk size in django/core/files/images.py.
  - CVE-2012-3444

Author: Marc Deslauriers
Revision Date: 2012-09-06 09:39:29 UTC

* SECURITY UPDATE: Cross-site scripting in authentication views
  (LP: #1031733)
  - debian/patches/16_fix_cross_site_scripting_in_authentication.diff:
    fix unsafe redirects indjango/http/__init__.py, add test case to
    tests/regressiontests/httpwrappers/tests.py. Patch backport taken
    from Debian Squeeze and fixed for python 2.4 compatibility.
  - CVE-2012-3442
* SECURITY UPDATE: Denial-of-service in image validation (LP: #1031733)
  - debian/patches/17_fix_dos_in_image_validation.diff: call verify()
    immediately after the constructor in django/forms/fields.py.
  - CVE-2012-3443
* SECURITY UPDATE: Denial-of-service via get_image_dimensions()
  (LP: #1031733)
  - debian/patches/18_fix_dos_via_get_image_dimensions.diff: don't limit
    chunk size in django/core/files/images.py.
  - CVE-2012-3444

Author: Raphaël Hertzog
Revision Date: 2012-08-21 08:42:10 UTC

* New patch 01_use_stdlib_htmlparser_when_possible.diff to not override
  Python stdlib's HTMLParser with Python versions which are unaffected by
  http://bugs.python.org/issue670664 Closes: #683648
  Thanks to David Watson <david@planetwatson.co.uk> for the patch.
* Update the above patch to use the version committed upstream (commit
  57d9ccc).

Author: Dave Walker
Revision Date: 2012-02-17 14:59:51 UTC

* Merge with Debian. Remaining changes:
  - 09_test_view_decorator_sleep.diff increases the sleep time to
    reduce race condition effects on build machines.
    https://code.djangoproject.com/ticket/16686 (LP: #829487)
* debian/patches/{psycopg2_creation.diff,compat-psycopg2-plus2.4.2.diff}:
  - New patches, resolve compatibility with psycopg2 > 2.4.1, patches
    based on upstream submissions, rebasing courtesy of Dave Pifke.
  - LP: #905837

Author: Jamie Strandboge
Revision Date: 2011-12-07 15:52:55 UTC

* SECURITY UPDATE: session manipulation when using django.contrib.sessions
  with memory-based sessions and caching
  - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
    for session instead of root namespace
  - CVE-2011-4136
* SECURITY UPDATE: potential denial of service and information disclosure in
  URLField
  - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
    default and use a timeout if available.
  - CVE-2011-4137, CVE-2011-4138
* SECURITY UPDATE: potential cache-poisoning via crafted Host header
  - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
    default when constructing full URLs
  - CVE-2011-4139
* debian/patches/01_disable_url_verify_regression_tests.diff: remove the
  test_correct_url_but_nonexisting_gives_404() test from the
  modeltests/validation/tests.py too. Not sure how it passed before, but
  this makes the CVE-2011-4137+4138.patch consistent with our other releases
  since the upstream fix for CVE-2011-4137+4138.patch removed this test too.
* More information on these issues can be found at:
  https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/

Author: Jamie Strandboge
Revision Date: 2011-12-07 15:52:55 UTC

* SECURITY UPDATE: session manipulation when using django.contrib.sessions
  with memory-based sessions and caching
  - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
    for session instead of root namespace
  - CVE-2011-4136
* SECURITY UPDATE: potential denial of service and information disclosure in
  URLField
  - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
    default and use a timeout if available.
  - CVE-2011-4137, CVE-2011-4138
* SECURITY UPDATE: potential cache-poisoning via crafted Host header
  - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
    default when constructing full URLs
  - CVE-2011-4139
* debian/patches/01_disable_url_verify_regression_tests.diff: remove the
  test_correct_url_but_nonexisting_gives_404() test from the
  modeltests/validation/tests.py too. Not sure how it passed before, but
  this makes the CVE-2011-4137+4138.patch consistent with our other releases
  since the upstream fix for CVE-2011-4137+4138.patch removed this test too.
* More information on these issues can be found at:
  https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/

Author: Colin Watson
Revision Date: 2011-09-07 11:04:19 UTC

sync up history from manually-created branch

Author: Colin Watson
Revision Date: 2011-09-07 11:04:19 UTC

sync up history from manually-created branch

Author: Barry Warsaw
Revision Date: 2011-08-29 14:41:25 UTC

Actually remove locales-all this time.

Author: Scott Moser
Revision Date: 2011-06-13 15:07:47 UTC

* Merge from debian unstable (LP: #796649). Remaining changes:
  - debian/control: don't Build-Depends on locales-all, which doesn't exist
    in oneiric
* Team upload.
* Don't remove "backup~" test file - upstream did ship it; we were just
  removing it with dh_clean.
* Fix builds with non-default Python versions installed
* Bump Standards-Version to 3.9.2 (no changes needed)
* New upstream release.
  - Update 01_disable_url_verify_regression_tests.diff.
  - Update 07_disable_url_verify_model_tests.diff.
  - Merge patch from Krzysztof Klimonda to disable more network access tests.
    (Closes: #598674)
* Add workaround for missing "backup~" file in release tarball. See
  <http://code.djangoproject.com/ticket/15677>.

Author: Zygmunt Krynicki
Revision Date: 2011-03-16 18:32:22 UTC

Add patch for django ticket 15622

Author: Jamie Strandboge
Revision Date: 2011-02-17 13:34:07 UTC

* Merge from Debian for security fixes (LP: #719031). Remaining changes:
  - debian/control: don't Build-Depends on locales-all, which doesn't exist
    in natty
* Drop the following patches, now included upstream:
  - debian/patches/07_security_admin_infoleak.diff
  - debian/patches/08_security_pasword_reset_dos.diff

Author: Jamie Strandboge
Revision Date: 2011-02-15 17:18:54 UTC

* SECURITY UPDATE: flaw in CSRF handling (LP: #719031)
  - debian/patches/24_CVE-2011-0696.diff: apply full CSRF validation to all
    requests, regardless of apparent AJAX origin. This is technically
    backwards-incompatible, but the security risks have been judged to
    outweigh the compatibility concerns in this case. See the Django project
    notes for more information:
    http://www.djangoproject.com/weblog/2011/feb/08/security/
  - CVE-2011-0696
* SECURITY UPDATE: potential XSS in file field rendering
  - debian/patches/25_CVE-2011-0697.diff: properly escape URL in
    django/contrib/admin/widgets.py
  - CVE-2011-0697

Author: Jamie Strandboge
Revision Date: 2011-02-15 17:18:54 UTC

* SECURITY UPDATE: flaw in CSRF handling (LP: #719031)
  - debian/patches/24_CVE-2011-0696.diff: apply full CSRF validation to all
    requests, regardless of apparent AJAX origin. This is technically
    backwards-incompatible, but the security risks have been judged to
    outweigh the compatibility concerns in this case. See the Django project
    notes for more information:
    http://www.djangoproject.com/weblog/2011/feb/08/security/
  - CVE-2011-0696
* SECURITY UPDATE: potential XSS in file field rendering
  - debian/patches/25_CVE-2011-0697.diff: properly escape URL in
    django/contrib/admin/widgets.py
  - CVE-2011-0697

Author: Krzysztof Klimonda
Revision Date: 2009-10-13 21:59:00 UTC

* SECURITY UPDATE: Certain email addresses/URLs can trigger
  a catastrophic backtracking situation, causing 100% CPU
  and server overload. (LP: #447617, LP: #478328)
  http://www.djangoproject.com/weblog/2009/oct/09/security/
  - Applied upstream changeset 11605
  - CVE-2009-3695

Author: James Westby
Revision Date: 2010-09-28 14:05:47 UTC

Take fix from http://code.djangoproject.com/ticket/10976 in order to fix
the django.contrib.auth tests when the project provides its own auth
templates. (LP: #650473)

Author: James Westby
Revision Date: 2010-09-28 18:08:49 UTC

Take fix from http://code.djangoproject.com/ticket/10976

Fixes the django.contrib.auth tests when the project provides its
own auth templates. (LP: #650473)

Author: Krzysztof Klimonda
Revision Date: 2010-09-21 18:57:18 UTC

add .pc part of the patch

Author: lamby
Revision Date: 2010-05-24 22:44:32 UTC

New upstream bugfix release.

Author: Morten Kjeldgaard
Revision Date: 2010-03-20 19:29:26 UTC

This package contains a backport of python-django_1.1.1 without
bumping dependencies and without changing the packaging from version
1.0.2-1ubuntu0.1. Patches from python_django_1.1.1-1ubuntu1 (karmic)
are applied, with the exception of a patch addressing a regression in
the karmic version of Python (2.6.3).

Author: James Westby
Revision Date: 2010-01-31 21:15:35 UTC

Fix django test client cookie handling.

Author: Elliot Murphy
Revision Date: 2010-01-31 04:36:37 UTC

Tagged patch 7 per debian patch tagging guidelines.

Author: Krzysztof Klimonda
Revision Date: 2009-10-12 19:22:16 UTC

* Merge python-django 1.1.1-1 from debian unstable (LP: #447617)
  for security and bug fixes, all Ubuntu changes merged by Debian.
* Add to debian/patches:
  - 20_python2.6.3_regression.patch - backported upstream commit 11620
    to make Django work with Python 2.6.3 properly. (LP: #445639)

Author: Krzysztof Klimonda
Revision Date: 2009-10-13 21:59:00 UTC

* SECURITY UPDATE: Certain email addresses/URLs can trigger
  a catastrophic backtracking situation, causing 100% CPU
  and server overload. (LP: #447617, LP: #478328)
  http://www.djangoproject.com/weblog/2009/oct/09/security/
  - Applied upstream changeset 11605
  - CVE-2009-3695

Author: Andrea Gasparini
Revision Date: 2008-05-29 17:00:38 UTC

* SECURITY UPDATE: security vulnerability in django admin
* debian/patches/05_CVE-2008-2302_fix.diff: added upstream fix
  escaping request path in login page of admin site.(LP: #234631)
* References:
  CVE link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2302
  upstream announce: http://www.djangoproject.com/weblog/2008/may/14/security/
  upstream fix: http://code.djangoproject.com/changeset/7527

Author: Andrea Gasparini
Revision Date: 2008-05-29 17:00:38 UTC

* SECURITY UPDATE: security vulnerability in django admin
* debian/patches/05_CVE-2008-2302_fix.diff: added upstream fix
  escaping request path in login page of admin site.(LP: #234631)
* References:
  CVE link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2302
  upstream announce: http://www.djangoproject.com/weblog/2008/may/14/security/
  upstream fix: http://code.djangoproject.com/changeset/7527

Author: lamby
Revision Date: 2008-11-19 21:31:00 UTC

[ Chris Lamb ]
* New upstream bugfix release. Closes: #505783
* Add myself to Uploaders with ACK from Brett.

[ David Spreen ]
* Remove python-pysqlite2 from Recommends because Python 2.5 includes
  sqlite library used by Django. Closes: 497886

[ Sandro Tosi ]
* debian/control
  - switch Vcs-Browser field to viewsvn

Author: Scott James Remnant (Canonical)
Revision Date: 2008-09-16 12:18:47 UTC

* Merge from Debian (LP: #264191), remaining changes:
  - Run test suite on build.

[Eddy Mulyono]
* Update patch to workaround network test case failures.

Author: Andrea Gasparini
Revision Date: 2008-06-03 09:08:38 UTC

* SECURITY UPDATE: security vulnerability in django admin
* debian/patches/05_CVE-2008-2302_fix.diff: added upstream fix
  escaping request path in login page of admin site.(LP: #234631)
* References:
  CVE link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2302
  upstream announce: http://www.djangoproject.com/weblog/2008/may/14/security/
  upstream fix: http://code.djangoproject.com/changeset/7527

Author: Andrea Gasparini
Revision Date: 2008-05-29 17:00:38 UTC

* SECURITY UPDATE: security vulnerability in django admin
* debian/patches/05_CVE-2008-2302_fix.diff: added upstream fix
  escaping request path in login page of admin site.(LP: #234631)
* References:
  CVE link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2302
  upstream announce: http://www.djangoproject.com/weblog/2008/may/14/security/
  upstream fix: http://code.djangoproject.com/changeset/7527

Author: Eddy Mulyono
Revision Date: 2008-03-28 18:03:37 UTC

run testsuite during build process (LP: #208587)

Author: Andrea Gasparini
Revision Date: 2008-05-29 17:00:38 UTC

* SECURITY UPDATE: security vulnerability in django admin
* debian/patches/05_CVE-2008-2302_fix.diff: added upstream fix
  escaping request path in login page of admin site.(LP: #234631)
* References:
  CVE link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2302
  upstream announce: http://www.djangoproject.com/weblog/2008/may/14/security/
  upstream fix: http://code.djangoproject.com/changeset/7527

Author: Brett Parker
Revision Date: 2007-03-25 19:18:39 UTC

[ Brett Parker ]
* New upstream release - introduces some backwards incompatible changes, see
  README.Debian or the backwards incompatible changes page at
  http://code.djangoproject.com/wiki/BackwardsIncompatibleChanges
* Add documentation from upstream to /usr/share/doc/python-django
  Closes: #411249
* Install the bash completion file from extras in to
  /etc/bash_completion.d/django_bash_completion
  Closes: #414399
* Egg support dropped as it's been dropped by upstream.

Author: John Dong
Revision Date: 2007-11-19 17:04:34 UTC

Automated backport upload; no source changes.

Author: Andrea Gasparini
Revision Date: 2008-06-03 09:08:38 UTC

* SECURITY UPDATE: security vulnerability in django admin
* debian/patches/05_CVE-2008-2302_fix.diff: added upstream fix
  escaping request path in login page of admin site.(LP: #234631)
* References:
  CVE link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2302
  upstream announce: http://www.djangoproject.com/weblog/2008/may/14/security/
  upstream fix: http://code.djangoproject.com/changeset/7527

Author: Lionel Porcheron
Revision Date: 2007-03-11 15:18:04 UTC

* adding bash completion (Closes LP: #87107)
* debian/control: Change Maintainer/XSBC-Original-Maintainer field