lp:ubuntu/oneiric-security/python-django

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/oneiric-security/python-django

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Mature

Recent revisions

39. By Marc Deslauriers

* SECURITY UPDATE: host header poisoning (LP: #1089337)
  - debian/patches/fix_get_host.patch: tighten host header validation in
    django/http/__init__.py, add tests to
    tests/regressiontests/requests/tests.py.
  - https://www.djangoproject.com/weblog/2012/dec/10/security/
  - No CVE number
* SECURITY UPDATE: redirect poisoning (LP: #1089337)
  - debian/patches/fix_redirect_poisoning.patch: tighten validation in
    django/contrib/auth/views.py,
    django/contrib/comments/views/comments.py,
    django/contrib/comments/views/moderation.py,
    django/contrib/comments/views/utils.py, django/utils/http.py,
    django/views/i18n.py, add tests to
    tests/regressiontests/comment_tests/tests/comment_view_tests.py,
    tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
    tests/regressiontests/views/tests/i18n.py.
  - https://www.djangoproject.com/weblog/2012/dec/10/security/
  - No CVE number
* SECURITY UPDATE: host header poisoning (LP: #1130445)
  - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
    to django/conf/global_settings.py,
    django/conf/project_template/settings.py,
    django/http/__init__.py, django/test/utils.py, add docs to
    docs/ref/settings.txt, add tests to
    tests/regressiontests/requests/tests.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - No CVE number
* SECURITY UPDATE: XML attacks (LP: #1130445)
  - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
    and external entities/DTDs in
    django/core/serializers/xml_serializer.py, add tests to
    tests/regressiontests/serializers_regress/tests.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - CVE-2013-1664
  - CVE-2013-1665
* SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
  - debian/patches/CVE-2013-0305.patch: add permission checks to history
    view in django/contrib/admin/options.py, add tests to
    tests/regressiontests/admin_views/tests.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - CVE-2013-0305
* SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
  - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
    django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
    docs/topics/forms/modelforms.txt, add tests to
    tests/regressiontests/forms/tests/formsets.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - CVE-2013-0306

38. By Jamie Strandboge

* Add additional tests for CVE-2012-4520
  - debian/patches/CVE-2012-4520-additional-tests.diff: add various poisoned
    host header test material
* Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py
  - debian/patches/lp1080204.diff: Isolate poisoned_http_host tests from 500
  - https://code.djangoproject.com/ticket/19172
  - LP: #1080204

37. By Jamie Strandboge

* SECURITY UPDATE: fix Host header poisoning
  - debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
    raise django.core.exceptions.SuspiciousOperation if Host headers contain
    potentially dangerous content.
  - CVE-2012-4520
  - LP: #1068486

36. By Marc Deslauriers

[ Scott Kitterman ]
* SECURITY UPDATE: multiple issues (LP: #1031733)
* References CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
  https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
* New upstream release to address three security issues:
  - Cross-site scripting in authentication views
  - Denial-of-service in image validation
  - Denial-of-service via get_image_dimensions()
* Added debian/patches/security_http_redirects,
  security_image_uploading_two, and security_image_uploading cherry picked
  from upstream git

[ Steve Beattie ]
* added debian/patches/10_fix_testsuite_failure.patch: adjust
  test_week_view_allow_future to ensure the first week of the year is
  selected

[ Marc Deslauriers ]
* debian/patches/security_http_redirects: remove unrelated changes, add
  python 2.4 regression fix.

35. By Jamie Strandboge

* SECURITY UPDATE: session manipulation when using django.contrib.sessions
  with memory-based sessions and caching
  - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
    for session instead of root namespace
  - CVE-2011-4136
* SECURITY UPDATE: potential denial of service and information disclosure in
  URLField
  - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
    default and use a timeout if available. Also update to use a url opener
    that does not support local file access
  - CVE-2011-4137, CVE-2011-4138
* SECURITY UPDATE: potential cache-poisoning via crafted Host header
  - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
    default when constructing full URLs
  - CVE-2011-4139
* More information on these issues can be found at:
  https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/

34. By Barry Warsaw

* 09_test_view_decorator_sleep.diff increases the sleep time to
  reduce race condition effects on build machines.
  https://code.djangoproject.com/ticket/16686 (LP: #829487)
* Remove build-dep on locales-all which isn't in the Ubuntu archive.

33. By Piotr Ożarowski

* Team upload.

[ Chris Lamb ]
* Don't remove "backup~" test file - upstream did ship it; we were just
  removing it with dh_clean.

[ Piotr Ożarowski ]
* Fix builds with non-default Python versions installed
* Bump Standards-Version to 3.9.2 (no changes needed)

32. By Jamie Strandboge

* Merge from Debian for security fixes (LP: #719031). Remaining changes:
  - debian/control: don't Build-Depends on locales-all, which doesn't exist
    in natty
* Drop the following patches, now included upstream:
  - debian/patches/07_security_admin_infoleak.diff
  - debian/patches/08_security_pasword_reset_dos.diff

31. By Jamie Strandboge

* SECURITY UPDATE: information leak in admin interface
  - debian/patches/07_security_admin_infoleak.diff: validate that querystring
    lookup arguments either specify only fields on the model being viewed,
    or cross relations which have been explicitly whitelisted.
  - CVE-2010-XXXX
* SECURITY UPDATE:
  - debian/patches/08_security_pasword_reset_dos.diff: adjust
    base36_to_int() function in django.utils.http to validate the
    length of its input; on input longer than 13 digits (sufficient to
    base36-encode any 64-bit integer), it will now raise ValueError.
    Additionally, the default URL patterns for django.contrib.auth will now
    enforce a maximum length on the relevant parameters.
  - CVE-2010-XXXX

30. By Jamie Strandboge

* SECURITY UPDATE: XSS in CSRF protections. New upstream release
  - CVE-2010-3082
* debian/patches/01_disable_url_verify_regression_tests.diff:
  - updated to disable another test that fails without internet connection
  - patch based on work by Kai Kasurinen and Krzysztof Klimonda
* debian/control: don't Build-Depends on locales-all, which doesn't exist
  in maverick

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/precise/python-django
This branch contains Public information 
Everyone can see this information.
