Ubuntu
python-django package

lp:ubuntu/maverick-security/python-django

  1. Maverick (10.10)
  2. maverick-security
Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/maverick-security/python-django
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

33. By Jamie Strandboge

* SECURITY UPDATE: session manipulation when using django.contrib.sessions
  with memory-based sessions and caching
  - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
    for session instead of root namespace
  - CVE-2011-4136
* SECURITY UPDATE: potential denial of service and information disclosure in
  URLField
  - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
    default and use a timeout if available.
  - CVE-2011-4137, CVE-2011-4138
* SECURITY UPDATE: potential cache-poisoning via crafted Host header
  - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
    default when constructing full URLs
  - CVE-2011-4139
* debian/patches/01_disable_url_verify_regression_tests.diff: remove the
  test_correct_url_but_nonexisting_gives_404() test from the
  modeltests/validation/tests.py too. Not sure how it passed before, but
  this makes the CVE-2011-4137+4138.patch consistent with our other releases
  since the upstream fix for CVE-2011-4137+4138.patch removed this test too.
* More information on these issues can be found at:
  https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/

32. By Jamie Strandboge

* SECURITY UPDATE: flaw in CSRF handling (LP: #719031)
  - debian/patches/09_CVE-2011-0696.diff: apply full CSRF validation to all
    requests, regardless of apparent AJAX origin. This is technically
    backwards-incompatible, but the security risks have been judged to
    outweigh the compatibility concerns in this case. See the Django project
    notes for more information:
    http://www.djangoproject.com/weblog/2011/feb/08/security/
  - CVE-2011-0696
* SECURITY UPDATE: potential XSS in file field rendering
  - debian/patches/10_admin_widgets-to-unittest.diff: prepare testsuite for
    security fix tests
  - debian/patches/11_CVE-2011-0697.diff: properly escape URL in
    django/contrib/admin/widgets.py
  - CVE-2011-0697

31. By Jamie Strandboge

* SECURITY UPDATE: information leak in admin interface
  - debian/patches/07_security_admin_infoleak.diff: validate querystring
    lookup arguments either specify only fields on the model being viewed,
    or cross relations which have been explicitly whitelisted.
  - CVE-2010-4534
* SECURITY UPDATE:
  - debian/patches/08_security_pasword_reset_dos.diff: adjust
    base36_to_int() function in django.utils.http will now validate the
    length of its input; on input longer than 13 digits (sufficient to
    base36-encode any 64-bit integer), it will now raise ValueError.
    Additionally, the default URL patterns for django.contrib.auth will now
    enforce a maximum length on the relevant parameters.
  - CVE-2010-4535

30. By Jamie Strandboge

* SECURITY UPDATE: XSS in CSRF protections. New upstream release
  - CVE-2010-3082
* debian/patches/01_disable_url_verify_regression_tests.diff:
  - updated to disable another test that fails without internet connection
  - patch based on work by Kai Kasurinen and Krzysztof Klimonda
* debian/control: don't Build-Depends on locales-all, which doesn't exist
  in maverick

29. By lamby

New upstream bugfix release.

28. By lamby

New upstream stable release.

27. By James Westby

Fix django test client cookie handling.

26. By lamby

* Remove embedded "decimal" code copy and use system version instead. The
  "doctest" code copy cannot be removed as parts of Django depend on modified
  behaviour. (Closes: #555419)
* Fix FTBFS in November by applying patch from upstream bug #12125.
  (Closes: #555931)
* Fix FTBFS under Python 2.6.3 by applying patch from upstream bug #11993.
  (Closes: #555969)

25. By Krzysztof Klimonda

* Merge python-django 1.1.1-1 from debian unstable (LP: #447617)
  for security and bug fixes, all Ubuntu changes merged by Debian.
* Add to debian/patches:
  - 20_python2.6.3_regression.patch - backported upstream commit 11620
    to make Django work with Python 2.6.3 properly. (LP: #445639)

24. By Krzysztof Klimonda

* debian/patches/20_disable_url_verify_regression_tests.diff
  - Disable regression tests that require internet connection.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/natty/python-django
This branch contains Public information 
Everyone can see this information.

Subscribers