lp:debian/squeeze/python-django

Created by James Westby and last modified
Get this branch:
bzr branch lp:debian/squeeze/python-django

Branch information

Owner:
Ubuntu branches
Status:
Development

Recent revisions

25. By Salvatore Bonaccorso

* Non-maintainer upload by the Security Team.
* Add CVE-2014-1418.patch patch.
  CVE-2014-1418: Caches may be allowed to store and serve private data.
* Add CVE-2014-3730.patch patch.
  CVE-2014-3730: Malformed URLs from user input incorrectly validated.

24. By Luke Faraone

* Stable security upload:
  https://www.djangoproject.com/weblog/2013/sep/15/security/
  - Denial-of-service via large passwords. CVE-2013-1443
  Closes: #723043

23. By Raphaël Hertzog

* Stable security upload:
  https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
  Fixes: CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
* Apply/backport the 3 security patches:
  - debian/patches/16_fix_cross_site_scripting_in_authentication.diff
  - debian/patches/17_fix_dos_in_image_validation.diff
  - debian/patches/18_fix_dos_via_get_image_dimensions.diff
  Closes: #683364

22. By Raphaël Hertzog

* Stable security upload:
  https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
* Apply/backport the 3 security patches:
  - debian/patches/13_fix_safety_issue_with_session_data.diff
  - debian/patches/14_fix_dos_with_urlfield.diff
  - debian/patches/15_fix_spoofing_issue_with_x_forwarded_host.diff
  Closes: #641405

21. By lamby

* Resolve two vulnerabilities:

  - Flaw in CSRF handling

    Django includes a cross-site request forgery protection mechanism, which
    makes use of a token inserted into outgoing forms. Middleware then checks
    for the token's presence on form submission, and validates it.

    Previously, however, Django's CSRF protection made an exception for AJAX
    requests, on the following basis:

    1. Many AJAX toolkits add an 'X-Requested-With' header when using
       XMLHttpRequest.

    2. Browsers have strict same-origin policies regarding XMLHttpRequest.

    3. In the context of a browser, the only way that a custom header of this
       nature can be added is with XMLHttpRequest.

    Therefore, for ease of use, Django did not apply CSRF checks to requests
    that appeared to be AJAX on the basis of the X-Requested-With header. The
    Ruby on Rails web framework had a similar exemption.

    Recently, engineers at Google made members of the Ruby on Rails
    development team aware of a combination of browser plugins and redirects
    which can allow an attacker to provide custom HTTP headers on a request
    to any website. This can allow a forged request to appear to be an AJAX
    request, thereby defeating CSRF protection which trusts the same-origin
    nature of AJAX requests.

    Michael Koziarski of the Rails team brought this to the Django
    developers' attention, and we were able to produce a proof-of-concept
    demonstrating the same vulnerability in Django's CSRF handling.

    To remedy this, Django will now apply full CSRF validation to all
    requests, regardless of apparent AJAX origin. This is technically
    backwards-incompatible, but the security risks have been judged to
    outweigh the compatibility concerns in this case.

    Extended notes on how to accommodate this change will be added to the
    Django homepage in following days.

  - Potential XSS in file field rendering

    Django's form system includes form fields and widgets for performing file
    uploads; in many cases, the name of the file currently stored in the
    field is displayed. In the process of rendering, the filename is
    displayed without being escaped.

    In many cases this does not result in a cross-site-scripting
    vulnerability, as file-storage backends can and are encouraged to (and
    the default backends provided with Django do) sanitize the supplied
    filename according to their requirements. However, the risk of a
    vulnerability appearing in a backend which does not sanitize, or which
    performs insufficient sanitization, is such that Django will now
    automatically escape filenames in form rendering.

  Thanks to James Bennett.
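The two fixes in the entry above, as an added example that is not Django's code or this package's patches: a stripped-down model of the CSRF middleware check with the X-Requested-With exemption and without it, and of a file widget that renders the stored filename unescaped and then escaped. The Request class, the cookie and form field names, the widget markup and the sample inputs are constructed for illustration.

```python
"""Minimal models of the two issues in the changelog entry (illustrative,
not Django's implementation).

1. CSRF middleware: the old behaviour skipped token validation for requests
   carrying X-Requested-With: XMLHttpRequest; the fixed behaviour validates
   the token on every state-changing request regardless of that header.
2. File field rendering: the old widget interpolated the stored filename
   unescaped; the fixed one HTML-escapes it first.
"""
import hmac
import html
from dataclasses import dataclass, field

# Methods the CSRF check never applies to (they must not change state).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    """Hypothetical request object: method, cookies, POST data, headers."""
    method: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def _token_ok(request):
    """Compare the token in the CSRF cookie with the one posted in the form.
    Names are assumed; compare_digest avoids timing leaks."""
    cookie_token = request.cookies.get("csrftoken", "")
    form_token = request.post.get("csrfmiddlewaretoken", "")
    return bool(cookie_token) and hmac.compare_digest(cookie_token, form_token)


def csrf_check_vulnerable(request):
    """Pre-fix logic: anything that looks like AJAX bypasses the token check,
    so an attacker who can inject the header (plugin + redirect) forges at will."""
    if request.method in SAFE_METHODS:
        return True
    if request.headers.get("X-Requested-With") == "XMLHttpRequest":
        return True  # the exemption described in the changelog
    return _token_ok(request)


def csrf_check_fixed(request):
    """Post-fix logic: the header is irrelevant; only a valid token passes."""
    if request.method in SAFE_METHODS:
        return True
    return _token_ok(request)


def render_file_widget_vulnerable(filename):
    """Pre-fix rendering: filename interpolated raw into HTML."""
    return 'Currently: <a href="/media/%s">%s</a>' % (filename, filename)


def render_file_widget_fixed(filename):
    """Post-fix rendering: filename HTML-escaped (quotes included, since it
    also lands inside an attribute)."""
    safe = html.escape(filename, quote=True)
    return 'Currently: <a href="/media/%s">%s</a>' % (safe, safe)


if __name__ == "__main__":
    # Constructed forged request: POST with no token but the AJAX header.
    forged = Request("POST", headers={"X-Requested-With": "XMLHttpRequest"})
    print("vulnerable check accepts forged request:", csrf_check_vulnerable(forged))
    print("fixed check accepts forged request:     ", csrf_check_fixed(forged))

    # Constructed filename from a storage backend that did not sanitize.
    evil_name = '"><script>alert(1)</script>'
    print(render_file_widget_vulnerable(evil_name))
    print(render_file_widget_fixed(evil_name))
```

Running it shows the forged POST passing the old check and failing the new one, and the script tag surviving in the first widget output but arriving as `&lt;script&gt;` in the second; a legitimate AJAX request that does carry the cookie and form token still passes the fixed check, which is why the change was judged acceptable despite being backwards-incompatible.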

20. By Raphaël Hertzog

* Squeeze upload with security fixes only:
  http://www.djangoproject.com/weblog/2010/dec/22/security/
* Add patches 08_fix_info_leakage.diff and 09_fix_dos_password_reset.diff
  taken from upstream SVN repository. They did not apply cleanly, I had to
  drop a test.

19. By Evgeni Golov

* Team upload.
* Disable model tests that require an internet connection.
  Closes: #601070
* Include python.mk conditionally as explained in its header.
  Helps backports to Lenny which has no python.mk.
  Closes: #601608

18. By Raphaël Hertzog

[ Krzysztof Klimonda ]
* New upstream release. Closes: #596893 LP: #636482
* Fixes both an XSS vulnerability introduced in 1.2 series and
  the regressions caused by 1.2.2 release. Closes: #596205
* debian/control:
  - depend on language packs for en_US.utf8 locales required for unit tests.
* debian/rules:
  - re-enable build time tests.
  - set LC_ALL to en_US.utf8 for test suite.
* debian/patches/series:
  - two new patches: 05_fix_regression_tests.diff and
    06_fix_regression_tests.diff backported from 1.2.x branch to fix
    test suite failures.

[ Raphaël Hertzog ]
* Update Standards-Version to 3.9.1.
* Drop "--with quilt" and quilt build-dependency since the package is
  already using source format "3.0 (quilt)".

17. By lamby

New upstream bugfix release.

16. By lamby

New upstream stable release.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
This branch contains Public information 
Everyone can see this information.
