[ubuntu/artful-proposed] python-django 1:1.10.7-2ubuntu1 (Accepted)
Steve Langasek
steve.langasek at ubuntu.com
Sun Jun 18 05:16:33 UTC 2017

python-django (1:1.10.7-2ubuntu1) artful; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/patches/pymysql-replacement.patch: Use pymysql as drop in
      replacement for MySQLdb.
    - debian/control: Drop python-mysqldb in favor of python-pymysql.
  * All other changes dropped, as they were backports of upstream fixes.

python-django (1:1.10.7-2) unstable; urgency=medium

  * Accept again migrations depending on initial migrations that
    can be fake applied. Closes: #863267
  * Add patch to fix DEP-8 test. Closes: #816435

python-django (1:1.10.7-1) unstable; urgency=medium

  * New upstream security release:

    - CVE-2017-7233: Open redirect and possible XSS attack via user-supplied
      numeric redirect URLs.

      Django relies on user input in some cases (e.g.
      django.contrib.auth.views.login() and i18n) to redirect the user to an
      "on success" URL. The security check for these redirects (namely
      django.utils.http.is_safe_url()) considered some numeric URLs (e.g.
      http:999999999) "safe" when they shouldn't be.

      Also, if a developer relies on is_safe_url() to provide safe redirect
      targets and puts such a URL into a link, they could suffer from an XSS
      attack. (Closes: #859515)

    - CVE-2017-7234: Open redirect vulnerability in django.views.static.serve().

      A maliciously crafted URL to a Django site using the
      django.views.static.serve() view could redirect to any other domain. The
      view no longer does any redirects as they don't provide any known,
      useful functionality.

      Note, however, that this view has always carried a warning that it is
      not hardened for production use and should be used only as a development
      aid. Thanks Phithon Gong for reporting this issue. (Closes: #859516)

python-django (1:1.10.6-1) unstable; urgency=medium

  * New upstream bugfix release:
    - Fixed ClearableFileInput’s “Clear” checkbox on model form fields where
      the model field has a default (#27805).
    - Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing rather
      than generating a bad request response (#27820).
    - Fixed a crash on Oracle and PostgreSQL when subtracting DurationField or
      IntegerField from DateField (#27828).
    - Fixed query expression date subtraction accuracy on PostgreSQL for
      differences larger than a month (#27856).
    - Fixed a GDALException raised by GDALClose on GDAL ≥ 2.0 (#27479).

python-django (1:1.10.5-1) unstable; urgency=medium

  * New upstream bugfix release.
    <https://www.djangoproject.com/weblog/2017/jan/04/bugfix-release/>
    - Drop 0003-Fix-test-suite-in-parallel-mode.patch; applied upstream.

python-django (1:1.10.3-2) unstable; urgency=medium

  * Add patch to fix tests running in parallel. Closes: #844139
  * Update copyright file (and drop new extra LICENSE.txt).
  * Adjust lintian overrides.

python-django (1:1.10.3-1) unstable; urgency=medium

  * New upstream release. (Closes: #844037)

python-django (1:1.10.1-1) unstable; urgency=medium

  * New upstream bugfix release.
    - Drop 07_fix-test-failures-due-to-translation-updates.diff; applied
      upstream.
  * Ensure that "django-admin startproject foo" using python3-django emits the
    correct shebang (Closes: #833275)

python-django (1:1.10-2) unstable; urgency=medium

  * Add patch from upstream to fix admin_utils test failures due to translation
    updates.

python-django (1:1.10-1) unstable; urgency=medium

  * New upstream release.
  * Drop debian/source/lintian-overrides now that #799861 is fixed in Lintian.

python-django (1:1.9.8-1) unstable; urgency=high

  * New upstream security release:
    https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
    - CVE-2016-6186: XSS in admin's add/change related popup

python-django (1:1.9.7-2) unstable; urgency=medium

  * Re-upload 1.9.7 to unstable with epoch.

python-django (1.10~beta1-1) unstable; urgency=medium

  [ Chris Lamb ]
  * New upstream beta release.
  * Drop fix-25761-add-traceback-attribute.patch; applied upstream.

  [ Raphaël Hertzog ]
  * Remove obsolete /etc/bash_completion.d/django_bash_completion on upgrade.
    Closes: #801744

python-django (1.9.7-1) unstable; urgency=medium

  [ Raphaël Hertzog ]
  * New upstream bugfix release.
  * Bump python-sphinx build dependency to >= 1.3. Closes: #824108
  * Drop build dependency on locales. C.UTF-8 that we currently use is part of
    libc-bin.

  [ Chris Lamb ]
  * Remove duplicated "of of" in python-django's README.Debian.

python-django (1.9.6-1) unstable; urgency=medium

  * New upstream bugfix release.

python-django (1.9.5-2) unstable; urgency=medium

  * Drop the dir_to_symlink transition that was only really needed
    for upgrades between versions 1.9~rc2 and 1.9.4. Closes: #821789

python-django (1.9.5-1) unstable; urgency=medium

  * New upstream bugfix release:
    https://docs.djangoproject.com/en/1.9/releases/1.9.5/
  * Fix the DEP-8 test suite (django-admin --with python3 failing
    because ./manage.py does not have a good shebang).
  * Update Standards-Version to 3.9.8.
  * Add some lintian overrides.
  * Tweak Vcs-Browser to use https.
  * Drop obsolete parts of the copyright file.

python-django (1.9.4-1) unstable; urgency=high

  [ Luke Faraone ]
  * New upstream security release:
    https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
    - CVE-2016-2512: Malicious redirect and possible XSS via user-supplied
      redirect URLs containing basic auth
    - CVE-2016-2513: User enumeration through timing difference on password
      hasher work factor upgrade
    Closes: #816434

  [ Raphaël Hertzog ]
  * Fix rules file to no longer mess with *_templates directories. They no
    longer contain invalid .py files but only *-tpl template files that are
    instantiated at runtime.

python-django (1.9.2-1) unstable; urgency=medium

  * New upstream security release fixing:
    - CVE-2016-2048: User with "change" but not "add" permission can create
      objects for ModelAdmin objects with save_as=True
    Closes: #813448

python-django (1.9.1-1) unstable; urgency=medium

  * New upstream release.

python-django (1.9-2) unstable; urgency=medium

  [ Chris Lamb ]
  * Use dpkg-maintscript-helper's dir_to_symlink to correctly replace the
    app_template and project_template symlinks added in 1.9~rc2-2.
    (Closes: #807683)

  [ Raphaël Hertzog ]
  * Add some DEP-8 tests testing "django-admin" and running the test suite
    against the installed package. In both cases, we do it with python2 and
    python3.
  * Add python-tblib and python3-tblib to Build-Depends for the benefit of
    the parallel testing feature of the test suite.
  * Add "set -e" in the command line running the tests with all supported
    versions so that it actually fails as soon as one version is failing
    (and thus disallow later successes to shadow earlier failures).

python-django (1.9-1) unstable; urgency=medium

  * Upload to unstable
  * Adjust uversionmangle in debian/watch to mangle "1.9rc2" scheme
    (previously only "1.9-rc-2" would have matched).

python-django (1.9~rc2-2) experimental; urgency=medium

  * Move {app,project}_template to python-django-common to prevent
    byte-compilation (via pycompile) on installation, causing failure. They are
    not valid Python files until variables have been interpolated.

python-django (1.9~rc2-1) experimental; urgency=medium

  * New upstream release candidate.
  * Add myself to Uploaders.

python-django (1.8.7-2) unstable; urgency=high

  * Rely on C.UTF-8 to run the tests instead of building our locale ourselves.
  * Add debian/patches/fix-25761-add-traceback-attribute.patch:
    new patch to ensure exceptions registered in __cause__ attributes
    have a __traceback__ attribute. Closes: #802677
  * Extend lintian overrides to cover more false positives of
    source-is-missing.
  * Cleanup debian/copyright for dropped/renamed files.
  * Run tests for all supported Python versions.

Date: Sat, 17 Jun 2017 21:55:34 -0700
Changed-By: Steve Langasek <steve.langasek at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/python-django/1:1.10.7-2ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 17 Jun 2017 21:55:34 -0700
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source
Version: 1:1.10.7-2ubuntu1
Distribution: artful
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Steve Langasek <steve.langasek at ubuntu.com>
Description:
python-django - High-level Python web development framework (Python 2 version)
python-django-common - High-level Python web development framework (common)
python-django-doc - High-level Python web development framework (documentation)
python3-django - High-level Python web development framework (Python 3 version)
Closes: 801744 802677 807683 813448 816434 816435 821789 824108 833275 844037 844139 859515 859516 863267
Original-Maintainer: Debian Python Modules Team <python-modules-team at lists.alioth.debian.org>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----