Created by Ubuntu Package Importer on 2011-12-09 and last modified on 2012-09-10
Get this branch:
bzr branch lp:ubuntu/natty-security/python-django

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

34. By Marc Deslauriers on 2012-09-06

* SECURITY UPDATE: Cross-site scripting in authentication views
  (LP: #1031733)
  - debian/patches/16_fix_cross_site_scripting_in_authentication.diff:
    fix unsafe redirects in django/http/__init__.py, add test case to
    tests/regressiontests/httpwrappers/tests.py. Patch backport taken
    from Debian Squeeze and fixed for python 2.4 compatibility.
  - CVE-2012-3442
* SECURITY UPDATE: Denial-of-service in image validation (LP: #1031733)
  - debian/patches/17_fix_dos_in_image_validation.diff: call verify()
    immediately after the constructor in django/forms/fields.py.
  - CVE-2012-3443
* SECURITY UPDATE: Denial-of-service via get_image_dimensions()
  (LP: #1031733)
  - debian/patches/18_fix_dos_via_get_image_dimensions.diff: don't limit
    chunk size in django/core/files/images.py.
  - CVE-2012-3444

33. By Jamie Strandboge on 2011-12-07

* SECURITY UPDATE: session manipulation when using django.contrib.sessions
  with memory-based sessions and caching
  - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
    for session instead of root namespace
  - CVE-2011-4136
* SECURITY UPDATE: potential denial of service and information disclosure in
  - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
    default and use a timeout if available.
  - CVE-2011-4137, CVE-2011-4138
* SECURITY UPDATE: potential cache-poisoning via crafted Host header
  - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
    default when constructing full URLs
  - CVE-2011-4139
* More information on these issues can be found at:

32. By Jamie Strandboge on 2011-02-17

* Merge from Debian for security fixes (LP: #719031). Remaining changes:
  - debian/control: don't Build-Depends on locales-all, which doesn't exist
    in natty
* Drop the following patches, now included upstream:
  - debian/patches/07_security_admin_infoleak.diff
  - debian/patches/08_security_pasword_reset_dos.diff

31. By Jamie Strandboge on 2011-01-03

* SECURITY UPDATE: information leak in admin interface
  - debian/patches/07_security_admin_infoleak.diff: validate that querystring
    lookup arguments either specify only fields on the model being viewed,
    or cross relations which have been explicitly whitelisted.
  - CVE-2010-XXXX
  - debian/patches/08_security_pasword_reset_dos.diff: the
    base36_to_int() function in django.utils.http will now validate the
    length of its input; on input longer than 13 digits (sufficient to
    base36-encode any 64-bit integer), it will now raise ValueError.
    Additionally, the default URL patterns for django.contrib.auth will now
    enforce a maximum length on the relevant parameters.
  - CVE-2010-XXXX
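The length check described in the entry above, written out as an added example (this is not Django's code or the patch itself; the function name and the 13-digit limit come from the entry, the encoder and the self-check helpers are assumptions for illustration):

```python
# Added example: a base36 decoder with the input-length check that the
# changelog entry above describes. Not Django's own code; base36_to_int
# and the 13-digit limit are from the entry, the rest is illustrative.

MAX_BASE36_DIGITS = 13  # 36**13 > 2**64, so every 64-bit integer fits


def base36_to_int(s):
    """Decode a base-36 string, refusing oversized input.

    Without the length check, int(s, 36) builds an arbitrarily large
    integer from whatever string the request supplies; bounding the
    length bounds the work done before any further validation.
    """
    if len(s) > MAX_BASE36_DIGITS:
        raise ValueError("Base36 input too large")
    return int(s, 36)


def int_to_base36(i):
    """Encode a non-negative integer as a lowercase base-36 string."""
    if i < 0:
        raise ValueError("Negative base36 conversion input.")
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    if i == 0:
        return "0"
    out = []
    while i:
        i, rem = divmod(i, 36)
        out.append(digits[rem])
    return "".join(reversed(out))


def rejects(s):
    """True if base36_to_int refuses the input s with ValueError."""
    try:
        base36_to_int(s)
    except ValueError:
        return True
    return False


def limit_covers_64_bit_ids():
    """Confirm the entry's claim: 13 base-36 digits hold any 64-bit integer."""
    largest = int_to_base36(2 ** 64 - 1)
    return 36 ** MAX_BASE36_DIGITS > 2 ** 64 and len(largest) <= MAX_BASE36_DIGITS
```

Note that int(s, 36) also accepts a leading sign and surrounding whitespace, so a caller that wants only canonical tokens should additionally restrict the alphabet to lowercase alphanumerics.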

30. By Jamie Strandboge on 2010-10-12

* SECURITY UPDATE: XSS in CSRF protections. New upstream release
  - CVE-2010-3082
* debian/patches/01_disable_url_verify_regression_tests.diff:
  - updated to disable another test that fails without internet connection
  - patch based on work by Kai Kasurinen and Krzysztof Klimonda
* debian/control: don't Build-Depends on locales-all, which doesn't exist
  in maverick

29. By lamby on 2010-05-24

New upstream bugfix release.

28. By lamby on 2010-05-21

New upstream stable release.

27. By James Westby on 2010-01-31

Fix django test client cookie handling.

26. By lamby on 2009-12-01

* Remove embedded "decimal" code copy and use system version instead. The
  "doctest" code copy cannot be removed as parts of Django depend on modified
  behaviour. (Closes: #555419)
* Fix FTBFS in November by applying patch from upstream bug #12125.
  (Closes: #555931)
* Fix FTBFS under Python 2.6.3 by applying patch from upstream bug #11993.
  (Closes: #555969)

25. By Krzysztof Klimonda on 2009-10-12

* Merge python-django 1.1.1-1 from debian unstable (LP: #447617)
  for security and bug fixes, all Ubuntu changes merged by Debian.
* Add to debian/patches:
  - 20_python2.6.3_regression.patch - backported upstream commit 11620
    to make Django work with Python 2.6.3 properly. (LP: #445639)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)