lp://staging/ubuntu/utopic-proposed/python-django
- Get this branch:
- bzr branch lp://staging/ubuntu/utopic-proposed/python-django
Recent revisions
- 60. By Luke Faraone
  * New upstream security release.
    - reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
    - file upload denial of service (CVE-2014-0481)
    - RemoteUserMiddleware session hijacking (CVE-2014-0482)
    - data leakage via querystring manipulation in admin (CVE-2014-0483)

  [ Brian May ]
  * Don't output stuff to stdout in django-admin. Closes: #757145

  [ Raphaël Hertzog ]
  * Update Vcs-* fields since the packaging repository moved to git.

- 59. By Brian May <email address hidden>
  Replace django-admin with script that can be run as python and shell.
  This means we can autodetect which python version to use when run as
  shell, while maintaining compatibility with processes that try to run it
  with a specific python version, e.g. see bugs #755341 and #755321.
- 57. By Raphaël Hertzog
  * New upstream security release.
    - Caches may be allowed to store and serve private data (CVE-2014-1418)
    - Malformed URLs from user input incorrectly validated
  * Drop partial_functions_reverse.patch (merged upstream).

- 56. By Seth Arnold
  * SECURITY UPDATE: cache coherency problems in old Internet Explorer
    compatibility functions lead to loss of privacy and cache poisoning
    attacks. (LP: #1317663)
    - debian/patches/drop_fix_ie_for_vary_1_6.diff: remove fix_IE_for_vary()
      and fix_IE_for_attach() functions so Cache-Control and Vary headers are
      no longer modified. This may introduce some regressions for IE 6 and IE 7
      users. Patch from upstream.
    - CVE-2014-1418
  * SECURITY UPDATE: The validation for redirects did not correctly validate
    some malformed URLs, which are accepted by some browsers. This allows a
    user to be redirected to an unsafe URL unexpectedly.
    - debian/patches/is_safe_url_1_6.diff: Forbid URLs starting with '///',
      forbid URLs without a host but with a path. Patch from upstream.

- 55. By Marc Deslauriers
  * SECURITY REGRESSION: security fix regression when a view is a partial
    (LP: #1311433)
    - debian/patches/CVE-2014-0472-regression.patch: create the lookup_str
      from the original function whenever a partial is provided as an
      argument to a url pattern in django/core/urlresolvers.py,
      added tests to tests/urlpatterns_reverse/urls.py,
      tests/urlpatterns_reverse/views.py.
    - CVE-2014-0472

- 54. By Marc Deslauriers
  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/urlpatterns_reverse/nonimported_module.py,
      tests/urlpatterns_reverse/tests.py,
      tests/urlpatterns_reverse/urls.py,
      tests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py, added tests to
      tests/cache/tests.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/model_fields/tests.py.
    - CVE-2014-0474

- 53. By Barry Warsaw
  * Team upload.
  * d/patches/ticket21869.diff: Cherry pick upstream fix for building
    documentation against Sphinx 1.2.1.

- 52. By Luke Faraone
  * New upstream version.
  * Fix broken encoding in translations attribution. (Closes: #729194)

- 51. By Luke Faraone
  * New upstream version. Closes: #557474, #724637.
  * python-django now also suggests the installation of ipython,
    bpython, python-django-doc, and libgdal1.
    Closes: #636511, #686333, #704203
  * Set package maintainer to Debian Python Modules Team.
  * Bump standards version to 3.9.5, no changes needed.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp://staging/ubuntu/utopic/python-django