lp://staging/ubuntu/trusty-security/python-django
- Get this branch:
- bzr branch lp://staging/ubuntu/trusty-security/python-django
Recent revisions
- 57. By Marc Deslauriers
  * SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
    - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
      URLs pointing to other hosts in django/core/urlresolvers.py, added
      tests to tests/urlpatterns_reverse/{tests,urls}.py.
    - CVE-2014-0480
  * SECURITY UPDATE: denial of service via file upload handling
    - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
      django/core/files/storage.py, updated docs in
      docs/howto/custom-file-storage.txt, docs/ref/files/storage.txt,
      added tests to tests/file_storage/tests.py, tests/files/tests.py.
    - CVE-2014-0481
  * SECURITY UPDATE: web session hijack via REMOTE_USER header
    - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
      logout on REMOTE_USER change in django/contrib/auth/middleware.py,
      added test to django/contrib/auth/tests/test_remote_user.py.
    - CVE-2014-0482
  * SECURITY UPDATE: data leak in contrib.admin via query string manipulation
    - debian/patches/CVE-2014-0483.patch: validate to_field in
      django/contrib/admin/{options,exceptions}.py,
      django/contrib/admin/views/main.py, added docs to
      docs/ref/exceptions.txt, added tests to tests/admin_views/tests.py.
    - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
      django/contrib/admin/options.py, added tests to
      tests/admin_views/{admin,models,tests}.py.
    - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
      django/contrib/admin/options.py, added tests to
      tests/admin_views/{admin,models,tests}.py.
    - CVE-2014-0483
- 56. By Seth Arnold
  * SECURITY UPDATE: cache coherency problems in old Internet Explorer
    compatibility functions lead to loss of privacy and cache poisoning
    attacks. (LP: #1317663)
    - debian/patches/drop_fix_ie_for_vary_1_6.diff: remove fix_IE_for_vary()
      and fix_IE_for_attach() functions so Cache-Control and Vary headers are
      no longer modified. This may introduce some regressions for IE 6 and IE 7
      users. Patch from upstream.
    - CVE-2014-1418
  * SECURITY UPDATE: The validation for redirects did not correctly validate
    some malformed URLs, which are accepted by some browsers. This allows a
    user to be redirected to an unsafe URL unexpectedly.
    - debian/patches/is_safe_url_1_6.diff: Forbid URLs starting with '///',
      forbid URLs without a host but with a path. Patch from upstream.
- 55. By Marc Deslauriers
  * SECURITY REGRESSION: security fix regression when a view is a partial
    (LP: #1311433)
    - debian/patches/CVE-2014-0472-regression.patch: create the lookup_str
      from the original function whenever a partial is provided as an
      argument to a url pattern in django/core/urlresolvers.py,
      added tests to tests/urlpatterns_reverse/urls.py,
      tests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
- 54. By Marc Deslauriers
  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/urlpatterns_reverse/nonimported_module.py,
      tests/urlpatterns_reverse/tests.py,
      tests/urlpatterns_reverse/urls.py,
      tests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py, added tests to
      tests/cache/tests.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/model_fields/tests.py.
    - CVE-2014-0474
- 53. By Barry Warsaw
  * Team upload.
  * d/patches/ticket21869.diff: Cherry pick upstream fix for building
    documentation against Sphinx 1.2.1.
- 52. By Luke Faraone
  * New upstream version.
  * Fix broken encoding in translations attribution. (Closes: #729194)
- 51. By Luke Faraone
  * New upstream version. Closes: #557474, #724637.
  * python-django now also suggests the installation of ipython,
    bpython, python-django-doc, and libgdal1.
    Closes: #636511, #686333, #704203
  * Set package maintainer to Debian Python Modules Team.
  * Bump standards version to 3.9.5, no changes needed.
- 49. By Luke Faraone
  * New upstream security release. Fixes CVE-2013-1443. Closes: #723043.
    https://www.djangoproject.com/weblog/2013/sep/15/security/
    - Denial-of-service via large passwords. CVE-2013-1443
- 48. By Raphaël Hertzog
  * New upstream security release. Fixes CVE-2013-4315. Closes: #722605
    https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
    - Directory traversal with ssi template tag
  * Update doc-base file to drop some removed directory in the HTML doc.
  * Update Standards-Version to 3.9.4.
  * Bump debhelper compat level to 9.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp://staging/ubuntu/utopic/python-django