lp://staging/ubuntu/maverick-security/python-django

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

33. By Jamie Strandboge on 2011-12-07

* SECURITY UPDATE: session manipulation when using django.contrib.sessions
  with memory-based sessions and caching
  - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
    for session instead of root namespace
  - CVE-2011-4136
* SECURITY UPDATE: potential denial of service and information disclosure in
  URLField
  - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
    default and use a timeout if available.
  - CVE-2011-4137, CVE-2011-4138
* SECURITY UPDATE: potential cache-poisoning via crafted Host header
  - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
    default when constructing full URLs
  - CVE-2011-4139
* debian/patches/01_disable_url_verify_regression_tests.diff: remove the
  test_correct_url_but_nonexisting_gives_404() test from the
  modeltests/validation/tests.py too. Not sure how it passed before, but
  this makes the CVE-2011-4137+4138.patch consistent with our other releases
  since the upstream fix for CVE-2011-4137+4138.patch removed this test too.
* More information on these issues can be found at:
  https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/

32. By Jamie Strandboge on 2011-02-15

* SECURITY UPDATE: flaw in CSRF handling (LP: #719031)
  - debian/patches/09_CVE-2011-0696.diff: apply full CSRF validation to all
    requests, regardless of apparent AJAX origin. This is technically
    backwards-incompatible, but the security risks have been judged to
    outweigh the compatibility concerns in this case. See the Django project
    notes for more information:
    http://www.djangoproject.com/weblog/2011/feb/08/security/
  - CVE-2011-0696
* SECURITY UPDATE: potential XSS in file field rendering
  - debian/patches/10_admin_widgets-to-unittest.diff: prepare testsuite for
    security fix tests
  - debian/patches/11_CVE-2011-0697.diff: properly escape URL in
    django/contrib/admin/widgets.py
  - CVE-2011-0697

31. By Jamie Strandboge on 2011-01-03

* SECURITY UPDATE: information leak in admin interface
  - debian/patches/07_security_admin_infoleak.diff: validate querystring
    lookup arguments either specify only fields on the model being viewed,
    or cross relations which have been explicitly whitelisted.
  - CVE-2010-4534
* SECURITY UPDATE:
  - debian/patches/08_security_pasword_reset_dos.diff: adjust
    base36_to_int() function in django.utils.http will now validate the
    length of its input; on input longer than 13 digits (sufficient to
    base36-encode any 64-bit integer), it will now raise ValueError.
    Additionally, the default URL patterns for django.contrib.auth will now
    enforce a maximum length on the relevant parameters.
  - CVE-2010-4535

30. By Jamie Strandboge on 2010-10-12

* SECURITY UPDATE: XSS in CSRF protections. New upstream release
  - CVE-2010-3082
* debian/patches/01_disable_url_verify_regression_tests.diff:
  - updated to disable another test that fails without internet connection
  - patch based on work by Kai Kasurinen and Krzysztof Klimonda
* debian/control: don't Build-Depends on locales-all, which doesn't exist
  in maverick

29. By lamby on 2010-05-24

New upstream bugfix release.

28. By lamby on 2010-05-21

New upstream stable release.

27. By James Westby on 2010-01-31

Fix django test client cookie handling.

26. By lamby on 2009-12-01

* Remove embedded "decimal" code copy and use system version instead. The
  "doctest" code copy cannot be removed as parts of Django depend on modified
  behaviour. (Closes: #555419)
* Fix FTBFS in November by applying patch from upstream bug #12125.
  (Closes: #555931)
* Fix FTBFS under Python 2.6.3 by applying patch from upstream bug #11993.
  (Closes: #555969)

25. By Krzysztof Klimonda on 2009-10-12

* Merge python-django 1.1.1-1 from debian unstable (LP: #447617)
  for security and bug fixes, all Ubuntu changes merged by Debian.
* Add to debian/patches:
  - 20_python2.6.3_regression.patch - backported upstream commit 11620
    to make Django work with Python 2.6.3 properly. (LP: #445639)

24. By Krzysztof Klimonda on 2009-08-15

* debian/patches/20_disable_url_verify_regression_tests.diff
  - Disable regression tests that require internet connection.