lp://staging/ubuntu/utopic-proposed/python-django

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp://staging/ubuntu/utopic-proposed/python-django
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

60. By Luke Faraone

* New upstream security release.
  - reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
  - file upload denial of service (CVE-2014-0481)
  - RemoteUserMiddleware session hijacking (CVE-2014-0482)
  - data leakage via querystring manipulation in admin (CVE-2014-0483)

[ Brian May ]
* Don't output stuff to stdout in django-admin. Closes: #757145

[ Raphaël Hertzog ]
* Update Vcs-* fields since the packaging repository moved to git.

59. By Brian May <email address hidden>

Replace django-admin with script that can be run as python and shell.

This means we can autodetect which python version to use when run as
shell, while maintaining compatability with processes that try to run it
with a specific python version.

e.g. See bugs #755341 and #755321.

58. By Brian May <email address hidden>

python3-django package. Closes: #736878.

57. By Raphaël Hertzog

* New upstream security release.
 - Caches may be allowed to store and serve private data (CVE-2014-1418)
 - Malformed URLs from user input incorrectly validated
* Drop partial_functions_reverse.patch (merged upstream).

56. By Seth Arnold

* SECURITY UPDATE: cache coherency problems in old Internet Explorer
  compatibility functions lead to loss of privacy and cache poisoning
  attacks. (LP: #1317663)
  - debian/patches/drop_fix_ie_for_vary_1_6.diff: remove fix_IE_for_vary()
    and fix_IE_for_attach() functions so Cache-Control and Vary headers are
    no longer modified. This may introduce some regressions for IE 6 and IE 7
    users. Patch from upstream.
  - CVE-2014-1418
* SECURITY UPDATE: The validation for redirects did not correctly validate
  some malformed URLs, which are accepted by some browsers. This allows a
  user to be redirected to an unsafe URL unexpectedly.
  - debian/patches/is_safe_url_1_6.diff: Forbid URLs starting with '///',
    forbid URLs without a host but with a path. Patch from upstream.

55. By Marc Deslauriers

* SECURITY REGRESSION: security fix regression when a view is a partial
  (LP: #1311433)
  - debian/patches/CVE-2014-0472-regression.patch: create the lookup_str
    from the original function whenever a partial is provided as an
    argument to a url pattern in django/core/urlresolvers.py,
    added tests to tests/urlpatterns_reverse/urls.py,
    tests/urlpatterns_reverse/views.py.
  - CVE-2014-0472

54. By Marc Deslauriers

* SECURITY UPDATE: unexpected code execution using reverse()
  (LP: #1309779)
  - debian/patches/CVE-2014-0472.patch: added filtering to
    django/core/urlresolvers.py, added tests to
    tests/urlpatterns_reverse/nonimported_module.py,
    tests/urlpatterns_reverse/tests.py,
    tests/urlpatterns_reverse/urls.py,
    tests/urlpatterns_reverse/views.py.
  - CVE-2014-0472
* SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
  (LP: #1309782)
  - debian/patches/CVE-2014-0473.patch: don't cache responses with a
    cookie in django/middleware/cache.py, added tests to
    tests/cache/tests.py.
  - CVE-2014-0473
* SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
  - debian/patches/CVE-2014-0474.patch: convert arguments to correct
    type in django/db/models/fields/__init__.py, updated docs in
    docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
    docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
    tests/model_fields/tests.py.
  - CVE-2014-0474

53. By Barry Warsaw

* Team upload.
* d/patches/ticket21869.diff: Cherry pick upstream fix for building
  documentation against Sphinx 1.2.1.

52. By Luke Faraone

* New upstream version.
* Fix broken encoding in translations attribution. (Closes: #729194)

51. By Luke Faraone

* New upstream version. Closes: #557474, #724637.
* python-django now also suggests the installation of ipython,
  bpython, python-django-doc, and libgdal1.
  Closes: #636511, #686333, #704203
* Set package maintainer to Debian Python Modules Team.
* Bump standards version to 3.9.5, no changes needed.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp://staging/ubuntu/utopic/python-django
This branch contains Public information 
Everyone can see this information.

Subscribers