lp:ubuntu/oneiric-security/python-django
- Get this branch: bzr branch lp:ubuntu/oneiric-security/python-django
Recent revisions
- 39. By Marc Deslauriers

  * SECURITY UPDATE: host header poisoning (LP: #1089337)
    - debian/patches/fix_get_host.patch: tighten host header validation in
      django/http/__init__.py, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: redirect poisoning (LP: #1089337)
    - debian/patches/fix_redirect_poisoning.patch: tighten validation in
      django/contrib/auth/views.py,
      django/contrib/comments/views/comments.py,
      django/contrib/comments/views/moderation.py,
      django/contrib/comments/views/utils.py, django/utils/http.py,
      django/views/i18n.py, add tests to
      tests/regressiontests/comment_tests/tests/comment_view_tests.py,
      tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
      tests/regressiontests/views/tests/i18n.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: host header poisoning (LP: #1130445)
    - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
      to django/conf/global_settings.py,
      django/conf/project_template/settings.py,
      django/http/__init__.py, django/test/utils.py, add docs to
      docs/ref/settings.txt, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - No CVE number
  * SECURITY UPDATE: XML attacks (LP: #1130445)
    - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
      and external entities/DTDs in
      django/core/serializers/xml_serializer.py, add tests to
      tests/regressiontests/serializers_regress/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-1664
    - CVE-2013-1665
  * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
    - debian/patches/CVE-2013-0305.patch: add permission checks to history
      view in django/contrib/admin/options.py, add tests to
      tests/regressiontests/admin_views/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0305
  * SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
    - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
      django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
      docs/topics/forms/modelforms.txt, add tests to
      tests/regressiontests/forms/tests/formsets.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0306

- 38. By Jamie Strandboge
  * Add additional tests for CVE-2012-4520
    - debian/patches/CVE-2012-4520-additional-tests.diff: add various poisoned
      host header test material
  * Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py
    - debian/patches/lp1080204.diff: Isolate poisoned_http_host tests from 500
    - https://code.djangoproject.com/ticket/19172
    - LP: #1080204

- 37. By Jamie Strandboge
  * SECURITY UPDATE: fix Host header poisoning
    - debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
      raise django.core.exceptions.SuspiciousOperation if Host headers contain
      potentially dangerous content.
    - CVE-2012-4520
    - LP: #1068486

- 36. By Marc Deslauriers
  [ Scott Kitterman ]
  * SECURITY UPDATE: multiple issues (LP: #1031733)
  * References CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
    https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
  * New upstream release to address three security issues:
    - Cross-site scripting in authentication views
    - Denial-of-service in image validation
    - Denial-of-service via get_image_dimensions()
  * Added debian/patches/security_http_redirects,
    security_image_uploading_two, and security_image_uploading cherry picked
    from upstream git

  [ Steve Beattie ]
  * added debian/patches/10_fix_testsuite_failure.patch: adjust
    test_week_view_allow_future to ensure the first week of the year is
    selected

  [ Marc Deslauriers ]
  * debian/patches/security_http_redirects: remove unrelated changes, add
    python 2.4 regression fix.

- 35. By Jamie Strandboge
  * SECURITY UPDATE: session manipulation when using django.contrib.sessions
    with memory-based sessions and caching
    - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
      for session instead of root namespace
    - CVE-2011-4136
  * SECURITY UPDATE: potential denial of service and information disclosure in
    URLField
    - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
      default and use a timeout if available. Also update to use a url opener
      that does not support local file access
    - CVE-2011-4137, CVE-2011-4138
  * SECURITY UPDATE: potential cache-poisoning via crafted Host header
    - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
      default when constructing full URLs
    - CVE-2011-4139
  * More information on these issues can be found at:
    https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/

- 34. By Barry Warsaw
  * 09_test_view_decorator_sleep.diff increases the sleep time to
    reduce race condition effects on build machines.
    https://code.djangoproject.com/ticket/16686 (LP: #829487)
  * Remove build-dep on locales-all which isn't in the Ubuntu archive.

- 33. By Piotr Ożarowski
  * Team upload.

  [ Chris Lamb ]
  * Don't remove "backup~" test file - upstream did ship it; we were just
    removing it with dh_clean.

  [ Piotr Ożarowski ]
  * Fix builds with non-default Python versions installed
  * Bump Standards-Version to 3.9.2 (no changes needed)

- 32. By Jamie Strandboge
  * Merge from Debian for security fixes (LP: #719031). Remaining changes:
    - debian/control: don't Build-Depends on locales-all, which doesn't exist
      in natty
  * Drop the following patches, now included upstream:
    - debian/patches/07_security_admin_infoleak.diff
    - debian/patches/08_security_pasword_reset_dos.diff

- 31. By Jamie Strandboge
  * SECURITY UPDATE: information leak in admin interface
    - debian/patches/07_security_admin_infoleak.diff: validate querystring
      lookup arguments either specify only fields on the model being viewed,
      or cross relations which have been explicitly whitelisted.
    - CVE-2010-XXXX
  * SECURITY UPDATE:
    - debian/patches/08_security_pasword_reset_dos.diff: adjust
      base36_to_int() function in django.utils.http will now validate the
      length of its input; on input longer than 13 digits (sufficient to
      base36-encode any 64-bit integer), it will now raise ValueError.
      Additionally, the default URL patterns for django.contrib.auth will now
      enforce a maximum length on the relevant parameters.
    - CVE-2010-XXXX

- 30. By Jamie Strandboge
  * SECURITY UPDATE: XSS in CSRF protections. New upstream release
    - CVE-2010-3082
  * debian/patches/01_disable_url_verify_regression_tests.diff:
    - updated to disable another test that fails without internet connection
    - patch based on work by Kai Kasurinen and Krzysztof Klimonda
  * debian/control: don't Build-Depends on locales-all, which doesn't exist
    in maverick
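The Host header fixes in revisions 39, 37 and 35 above all reduce to one check: accept a Host value only when it is syntactically a hostname and matches an explicit ALLOWED_HOSTS list, and ignore X-Forwarded-Host unless a proxy is deliberately trusted. The following is an added illustration written for this page, not Django's own get_host() or the code in the patches; the ALLOWED_HOSTS values, the header dict shape and the accepts_host() helper are constructed for the example.

```python
import re


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation (name taken
    from the changelog); raised when the Host header fails validation."""


# Constructed allow-list: an exact host plus a leading-dot subdomain wildcard.
ALLOWED_HOSTS = ["example.com", ".trusted.example.org"]

# Hostname or bracketed IPv6 literal, optional :port. Anything else (such as
# '@', '/', whitespace or NUL) is rejected before it can reach a redirect URL.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(:\d+)?$", re.IGNORECASE)


def is_allowed_host(hostname, allowed_hosts):
    """True if the lowercased hostname matches an entry in allowed_hosts.
    A pattern starting with '.' matches that domain and every subdomain."""
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if hostname == pattern[1:] or hostname.endswith(pattern):
                return True
        elif hostname == pattern:
            return True
    return False


def get_host(headers, allowed_hosts=ALLOWED_HOSTS):
    """Return the validated Host header from a dict of request headers.
    X-Forwarded-Host is deliberately ignored (the CVE-2011-4139 default);
    a proxy would have to be trusted explicitly before honouring it."""
    host = headers.get("Host", "")
    match = _HOST_RE.match(host)
    if not match:
        raise SuspiciousOperation("Invalid HTTP_HOST header: %r" % host)
    hostname = match.group(1).lower()
    if not is_allowed_host(hostname, allowed_hosts):
        raise SuspiciousOperation("Host %r not in ALLOWED_HOSTS" % host)
    return host


def accepts_host(host_value, allowed_hosts=ALLOWED_HOSTS):
    """Convenience wrapper: True if host_value would be accepted by get_host."""
    try:
        get_host({"Host": host_value}, allowed_hosts)
        return True
    except SuspiciousOperation:
        return False
```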
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp:ubuntu/precise/python-django