lp://staging/ubuntu/trusty-security/python-django

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp://staging/ubuntu/trusty-security/python-django

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

57. By Marc Deslauriers

* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
  - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
    URLs pointing to other hosts in django/core/urlresolvers.py, added
    tests to tests/urlpatterns_reverse/{tests,urls}.py.
  - CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
  - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
    django/core/files/storage.py, updated docs in
    docs/howto/custom-file-storage.txt, docs/ref/files/storage.txt,
    added tests to tests/file_storage/tests.py, tests/files/tests.py.
  - CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
  - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
    logout on REMOTE_USER change in django/contrib/auth/middleware.py,
    added test to django/contrib/auth/tests/test_remote_user.py.
  - CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
  - debian/patches/CVE-2014-0483.patch: validate to_field in
    django/contrib/admin/{options,exceptions}.py,
    django/contrib/admin/views/main.py, added docs to
    docs/ref/exceptions.txt, added tests to tests/admin_views/tests.py.
  - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/admin_views/{admin,models,tests}.py.
  - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/admin_views/{admin,models,tests}.py.
  - CVE-2014-0483
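The CVE-2014-0482 entry above says the fix makes RemoteUserMiddleware log out when the REMOTE_USER value changes. The following is an added illustration in plain Python, not Django's middleware: the Session class, the two handler functions and the simulate() helper are this example's own, and the header sequence is constructed. It shows why the pre-fix behaviour lets an earlier login survive a change of identity at the front-end authenticator, and how the post-fix logic ends that session. How an absent header is handled is not described by the entry, so the example leaves the session untouched in that case.

```python
# Added illustration (not Django's RemoteUserMiddleware): a minimal session and two
# versions of the REMOTE_USER handling described in the CVE-2014-0482 entry above.


class Session:
    """Server-side session state; the only field we model is the logged-in user."""

    def __init__(self):
        self.user = None


def vulnerable_remote_user(session, headers):
    """Pre-fix behaviour: once a session has a user, a different REMOTE_USER
    value on a later request is ignored, so the old login survives."""
    remote = headers.get("REMOTE_USER")
    if remote and session.user is None:
        session.user = remote
    return session.user


def fixed_remote_user(session, headers):
    """Post-fix behaviour: a REMOTE_USER value that disagrees with the logged-in
    user ends that session first; the new identity is then logged in as usual.
    An absent header is left alone here (the entry above does not describe it)."""
    remote = headers.get("REMOTE_USER")
    if not remote:
        return session.user
    if session.user is not None and session.user != remote:
        session.user = None  # logout: the old identity must not persist
    if session.user is None:
        session.user = remote
    return session.user


def simulate(handler, header_values):
    """Replay a sequence of REMOTE_USER values (constructed input) through one
    session and return who the application believed was logged in each time."""
    session = Session()
    return [handler(session, {"REMOTE_USER": value}) for value in header_values]


if __name__ == "__main__":
    # Constructed scenario: the front-end authenticator switches identity mid-session.
    print(simulate(vulnerable_remote_user, ["alice", "mallory"]))  # ['alice', 'alice']
    print(simulate(fixed_remote_user, ["alice", "mallory"]))       # ['alice', 'mallory']
```

The second list is the whole point: with the fix, the request carrying "mallory" no longer runs with alice's session attached.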

56. By Seth Arnold

* SECURITY UPDATE: cache coherency problems in old Internet Explorer
  compatibility functions lead to loss of privacy and cache poisoning
  attacks. (LP: #1317663)
  - debian/patches/drop_fix_ie_for_vary_1_6.diff: remove fix_IE_for_vary()
    and fix_IE_for_attach() functions so Cache-Control and Vary headers are
    no longer modified. This may introduce some regressions for IE 6 and IE 7
    users. Patch from upstream.
  - CVE-2014-1418
* SECURITY UPDATE: The validation for redirects did not correctly validate
  some malformed URLs, which are accepted by some browsers. This allows a
  user to be redirected to an unsafe URL unexpectedly.
  - debian/patches/is_safe_url_1_6.diff: Forbid URLs starting with '///',
    forbid URLs without a host but with a path. Patch from upstream.
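The redirect entry above names two malformed shapes that urlparse() and browsers disagree about: a target starting with '///' and a target with a scheme but no host. The check below is an added example written for this page, not Django's is_safe_url(); the function names and the list of sample targets are this example's own, and the host value is constructed. It rejects both shapes explicitly before falling back to the ordinary "relative path or same-host http(s)" rule.

```python
from urllib.parse import urlparse


def is_safe_redirect(url, host):
    """Return True only for a same-site redirect target: a relative path, or an
    http(s) URL whose netloc is exactly `host`. The two malformed shapes named in
    the entry above are rejected explicitly, because urlparse() and browsers
    disagree about what their host is."""
    if not url:
        return False
    # Some browsers treat a backslash like a slash; normalise before parsing so
    # '\\evil.example' cannot slip past the checks below as a relative path.
    url = url.replace("\\", "/")
    # '///evil.example': urlparse() yields an empty netloc and a path of
    # '/evil.example', but browsers resolve it as scheme-relative to evil.example.
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    # 'http:///evil.example' (or 'javascript:...'): a scheme with no host; the text
    # after the slashes is a path for urlparse() and a hostname for some browsers.
    if parts.scheme and not parts.netloc:
        return False
    if parts.netloc and parts.netloc != host:
        return False
    return parts.scheme in ("", "http", "https")


def classify(candidates, host):
    """Apply the check to a list of constructed redirect targets; returns a dict."""
    return {url: is_safe_redirect(url, host) for url in candidates}


if __name__ == "__main__":
    # Constructed inputs: the kind of `?next=` values an attacker would try.
    samples = ["/accounts/profile/", "https://example.com/next", "//evil.example",
               "///evil.example", "http:///evil.example", "\\\\evil.example",
               "javascript:alert(1)", ""]
    for url, ok in classify(samples, "example.com").items():
        print(f"{'safe  ' if ok else 'unsafe'}  {url!r}")
```

Without the '///' test, urlparse() reports an empty netloc for '///evil.example' and the generic rule would accept it as a relative path; without the scheme-without-host test, 'http:///evil.example' is accepted for the same reason.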

55. By Marc Deslauriers

* SECURITY REGRESSION: security fix regression when a view is a partial
  (LP: #1311433)
  - debian/patches/CVE-2014-0472-regression.patch: create the lookup_str
    from the original function whenever a partial is provided as an
    argument to a url pattern in django/core/urlresolvers.py,
    added tests to tests/urlpatterns_reverse/urls.py,
    tests/urlpatterns_reverse/views.py.
  - CVE-2014-0472

54. By Marc Deslauriers

* SECURITY UPDATE: unexpected code execution using reverse()
  (LP: #1309779)
  - debian/patches/CVE-2014-0472.patch: added filtering to
    django/core/urlresolvers.py, added tests to
    tests/urlpatterns_reverse/nonimported_module.py,
    tests/urlpatterns_reverse/tests.py,
    tests/urlpatterns_reverse/urls.py,
    tests/urlpatterns_reverse/views.py.
  - CVE-2014-0472
* SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
  (LP: #1309782)
  - debian/patches/CVE-2014-0473.patch: don't cache responses with a
    cookie in django/middleware/cache.py, added tests to
    tests/cache/tests.py.
  - CVE-2014-0473
* SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
  - debian/patches/CVE-2014-0474.patch: convert arguments to correct
    type in django/db/models/fields/__init__.py, updated docs in
    docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
    docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
    tests/model_fields/tests.py.
  - CVE-2014-0474
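The CVE-2014-0473 entry above says the cache middleware was changed to not cache responses that carry a cookie. The following is an added illustration, not Django's UpdateCacheMiddleware: the PageCache class, the two policy functions and the login_form() handler are this example's own, and the two-visitor scenario is constructed. It runs the same anonymous page through a full-page cache under each policy and shows that, with the old policy, the second visitor receives the first visitor's CSRF token.

```python
# Added illustration (not Django's cache middleware): why a page cache must not
# store a response that sets a cookie, per the CVE-2014-0473 entry above.
import secrets


class Response:
    def __init__(self, body, headers):
        self.body = body
        self.headers = headers


def login_form():
    """Handler for an anonymous page that embeds a per-visitor CSRF token in the
    form and also sets it as a cookie (the double-submit pattern)."""
    token = secrets.token_hex(16)
    body = f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">'
    return Response(body, {"Set-Cookie": f"csrftoken={token}",
                           "Content-Type": "text/html"})


def store_everything(response):
    """Pre-fix policy: any successful response is cached, cookies included."""
    return True


def skip_cookie_setters(response):
    """Post-fix policy: a response that sets a cookie is per-visitor; never cache it."""
    return "Set-Cookie" not in response.headers


class PageCache:
    """Full-page cache keyed on path, consulted before the handler runs."""

    def __init__(self, policy):
        self.policy = policy
        self.store = {}

    def fetch(self, path, handler):
        if path in self.store:
            return self.store[path]
        response = handler()
        if self.policy(response):
            self.store[path] = response
        return response


def csrf_tokens_seen(policy):
    """Two anonymous visitors request the same page; return the token each one
    received in its Set-Cookie header (constructed scenario)."""
    cache = PageCache(policy)
    first = cache.fetch("/login/", login_form)
    second = cache.fetch("/login/", login_form)

    def cookie_value(response):
        return response.headers["Set-Cookie"].split("=", 1)[1]

    return cookie_value(first), cookie_value(second)


if __name__ == "__main__":
    a, b = csrf_tokens_seen(store_everything)
    print("pre-fix policy:  shared token" if a == b else "pre-fix policy:  distinct tokens")
    a, b = csrf_tokens_seen(skip_cookie_setters)
    print("post-fix policy: shared token" if a == b else "post-fix policy: distinct tokens")
```

A shared token is what makes the cached page dangerous: anyone who fetched the cached copy knows the token the other visitor's browser now holds.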

53. By Barry Warsaw

* Team upload.
* d/patches/ticket21869.diff: Cherry pick upstream fix for building
  documentation against Sphinx 1.2.1.

52. By Luke Faraone

* New upstream version.
* Fix broken encoding in translations attribution. (Closes: #729194)

51. By Luke Faraone

* New upstream version. Closes: #557474, #724637.
* python-django now also suggests the installation of ipython,
  bpython, python-django-doc, and libgdal1.
  Closes: #636511, #686333, #704203
* Set package maintainer to Debian Python Modules Team.
* Bump standards version to 3.9.5, no changes needed.

50. By Adam Conrad

Pull patch from git to isolate a DB test in testsuite (LP: #1231923)

49. By Luke Faraone

* New upstream security release. Fixes CVE-2013-1443. Closes: #723043.
  https://www.djangoproject.com/weblog/2013/sep/15/security/
  - Denial-of-service via large passwords. CVE-2013-1443

48. By Raphaël Hertzog

* New upstream security release. Fixes CVE-2013-4315. Closes: #722605
  https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
  - Directory traversal with ssi template tag
* Update doc-base file to drop some removed directory in the HTML doc.
* Update Standards-Version to 3.9.4.
* Bump debhelper compat level to 9.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp://staging/ubuntu/utopic/python-django