-
python-django (1.1.1-2ubuntu1.17) lucid-security; urgency=medium
* SECURITY UPDATE: XSS attack via user-supplied redirect URLs
- debian/patches/CVE-2015-2317.patch: reject URLs that start with
control characters in django/utils/http.py.
- CVE-2015-2317
-- Marc Deslauriers <email address hidden> Fri, 20 Mar 2015 10:48:06 -0400
-
python-django (1.1.1-2ubuntu1.16) lucid-security; urgency=medium
* SECURITY REGRESSION: static serve failure (LP: #1417274)
- debian/patches/CVE-2015-0221-regression.patch: allow GZipMiddleware
to work with streaming responses in django/middleware/gzip.py,
django/utils/text.py, django/http/__init__.py, added tests to
tests/regressiontests/middleware/tests.py.
-- Marc Deslauriers <email address hidden> Wed, 04 Feb 2015 10:08:10 -0500
-
python-django (1.1.1-2ubuntu1.14) lucid-security; urgency=medium
* SECURITY UPDATE: WSGI header spoofing via underscore/dash conflation
- debian/patches/CVE-2015-0219.patch: strip headers with underscores in
django/core/servers/basehttp.py, added test to
tests/regressiontests/servers/tests.py.
- CVE-2015-0219
* SECURITY UPDATE: Mitigated possible XSS attack via user-supplied
redirect URLs
- debian/patches/CVE-2015-0220.patch: filter url in
django/utils/http.py.
- CVE-2015-0220
* SECURITY UPDATE: Denial-of-service attack against
django.views.static.serve
- debian/patches/CVE-2015-0221.patch: limit large files in
django/views/static.py, added test to
tests/regressiontests/views/media/long-line.txt,
tests/regressiontests/views/tests/static.py.
- CVE-2015-0221
-- Marc Deslauriers <email address hidden> Tue, 13 Jan 2015 08:14:45 -0500
-
python-django (1.1.1-2ubuntu1.13) lucid-security; urgency=medium
* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
- debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
URLs pointing to other hosts in django/core/urlresolvers.py, added
tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py.
- CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
- debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
django/core/files/storage.py, updated docs in
docs/howto/custom-file-storage.txt, added tests to
tests/modeltests/files/models.py,
tests/regressiontests/file_storage/tests.py, backport
get_random_string() to django/utils/crypto.py.
- CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
- debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
logout on REMOTE_USE change in django/contrib/auth/middleware.py,
added test to django/contrib/auth/tests/remote_user.py.
- CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
- debian/patches/CVE-2014-0483.patch: validate to_field in
django/contrib/admin/{options,exceptions}.py,
django/contrib/admin/views/main.py, added tests to
tests/regressiontests/admin_views/tests.py.
- debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
django/contrib/admin/options.py, added tests to
tests/regressiontests/admin_views/{models,tests}.py.
- debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
django/contrib/admin/options.py, added tests to
tests/regressiontests/admin_views/{models,tests}.py.
- CVE-2014-0483
* debian/patches/fix_invalid_link_ftbfs.patch: remove test causing FTBFS.
-- Marc Deslauriers <email address hidden> Wed, 10 Sep 2014 13:07:32 -0400
-
python-django (1.1.1-2ubuntu1.12) lucid-security; urgency=medium
* SECURITY UPDATE: cache coherency problems in old Internet Explorer
compatibility functions lead to loss of privacy and cache poisoning
attacks. (LP: #1317663)
- debian/patches/drop_fix_ie_for_vary_1_4.diff: remove fix_IE_for_vary()
and fix_IE_for_attach() functions so Cache-Control and Vary headers are
no longer modified. This may introduce some regressions for IE 6 and IE 7
users. Patch from upstream.
- CVE-2014-1418
-- Seth Arnold <email address hidden> Wed, 14 May 2014 11:24:15 -0700
-
python-django (1.1.1-2ubuntu1.11) lucid-security; urgency=medium
* SECURITY REGRESSION: security fix regression when a view is a partial
(LP: #1311433)
- debian/patches/CVE-2014-0472-regression.patch: create the lookup_str
from the original function whenever a partial is provided as an
argument to a url pattern in django/core/urlresolvers.py,
added tests to tests/regressiontests/urlpatterns_reverse/urls.py,
tests/regressiontests/urlpatterns_reverse/views.py.
- CVE-2014-0472
-- Marc Deslauriers <email address hidden> Tue, 22 Apr 2014 23:20:22 -0400
-
python-django (1.1.1-2ubuntu1.10) lucid-security; urgency=medium
* SECURITY UPDATE: unexpected code execution using reverse()
(LP: #1309779)
- debian/patches/CVE-2014-0472.patch: added filtering to
django/core/urlresolvers.py, added tests to
tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
tests/regressiontests/urlpatterns_reverse/tests.py,
tests/regressiontests/urlpatterns_reverse/urls.py,
tests/regressiontests/urlpatterns_reverse/views.py.
- CVE-2014-0472
* SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
(LP: #1309782)
- debian/patches/CVE-2014-0473.patch: don't cache responses with a
cookie in django/middleware/cache.py, backport has_vary_header() to
django/utils/cache.py.
- CVE-2014-0473
* SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
- debian/patches/CVE-2014-0474.patch: convert arguments to correct
type in django/db/models/fields/__init__.py, added tests to
tests/regressiontests/model_fields/tests.py.
- CVE-2014-0474
-- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 11:21:00 -0400
-
python-django (1.1.1-2ubuntu1.9) lucid-security; urgency=low
* SECURITY UPDATE: denial of service via long passwords (LP: #1225784)
- debian/patches/CVE-2013-1443.patch: enforce a maximum password length
in django/contrib/auth/forms.py, django/contrib/auth/models.py,
django/contrib/auth/tests/basic.py.
- CVE-2013-1443
* SECURITY UPDATE: directory traversal with ssi template tag
- debian/patches/CVE-2013-4315.patch: properly check absolute path in
django/template/defaulttags.py,
tests/regressiontests/templates/tests.py,
tests/regressiontests/templates/templates/*.
- CVE-2013-4315
* SECURITY UPDATE: possible XSS via is_safe_url
- debian/patches/security-is_safe_url.patch: properly reject URLs which
specify a scheme other then HTTP or HTTPS.
- https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
- No CVE number
-- Marc Deslauriers <email address hidden> Fri, 20 Sep 2013 09:33:23 -0400
-
python-django (1.1.1-2ubuntu1.8) lucid-security; urgency=low
* SECURITY UPDATE: host header poisoning (LP: #1089337)
- debian/patches/fix_get_host.patch: tighten host header validation in
django/http/__init__.py, add tests to
tests/regressiontests/requests/tests.py.
- https://www.djangoproject.com/weblog/2012/dec/10/security/
- No CVE number
* SECURITY UPDATE: redirect poisoning (LP: #1089337)
- debian/patches/fix_redirect_poisoning.patch: tighten validation in
django/contrib/auth/views.py,
django/contrib/comments/views/comments.py,
django/contrib/comments/views/moderation.py,
django/contrib/comments/views/utils.py, django/utils/http.py,
django/views/i18n.py, add tests to
tests/regressiontests/comment_tests/tests/comment_view_tests.py,
tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
tests/regressiontests/views/tests/i18n.py.
- https://www.djangoproject.com/weblog/2012/dec/10/security/
- No CVE number
* SECURITY UPDATE: host header poisoning (LP: #1130445)
- debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
to django/conf/global_settings.py,
django/conf/project_template/settings.py,
django/http/__init__.py, django/test/utils.py, add docs to
docs/ref/settings.txt, add tests to
tests/regressiontests/requests/tests.py, backport required function
to django/utils/functional.py.
- https://www.djangoproject.com/weblog/2013/feb/19/security/
- No CVE number
* SECURITY UPDATE: XML attacks (LP: #1130445)
- debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
and external entities/DTDs in
django/core/serializers/xml_serializer.py, add tests to
tests/regressiontests/serializers_regress/tests.py.
- https://www.djangoproject.com/weblog/2013/feb/19/security/
- CVE-2013-1664
- CVE-2013-1665
* SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
- debian/patches/CVE-2013-0305.patch: add permission checks to history
view in django/contrib/admin/options.py, add tests to
tests/regressiontests/admin_views/tests.py.
- https://www.djangoproject.com/weblog/2013/feb/19/security/
- CVE-2013-0305
* SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
- debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt.
- https://www.djangoproject.com/weblog/2013/feb/19/security/
- CVE-2013-0306
-- Marc Deslauriers <email address hidden> Mon, 04 Mar 2013 14:08:31 -0500
-
python-django (1.1.1-2ubuntu1.7) lucid-security; urgency=low
* Add additional tests for CVE-2012-4520
- debian/patches/CVE-2012-4520-additional-tests.diff: add various poisoned
host header test material
* Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py
- debian/patches/lp1080204.diff: Isolate poisoned_http_host tests from 500
- https://code.djangoproject.com/ticket/19172
- LP: #1080204
-- Jamie Strandboge <email address hidden> Mon, 19 Nov 2012 15:20:21 -0600
-
python-django (1.1.1-2ubuntu1.6) lucid-security; urgency=low
* SECURITY UPDATE: fix Host header poisoning
- debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
raise django.core.exceptions.SuspiciousOperation if Host headers contain
potentially dangerous content.
- CVE-2012-4520
- LP: #1068486
-- Jamie Strandboge <email address hidden> Fri, 09 Nov 2012 16:16:26 -0600
-
python-django (1.1.1-2ubuntu1.5) lucid-security; urgency=low
* SECURITY UPDATE: Cross-site scripting in authentication views
(LP: #1031733)
- debian/patches/16_fix_cross_site_scripting_in_authentication.diff:
fix unsafe redirects indjango/http/__init__.py. Patch backported from
Debian Squeeze and fixed for python 2.4 compatibility.
- CVE-2012-3442
* SECURITY UPDATE: Denial-of-service in image validation (LP: #1031733)
- debian/patches/17_fix_dos_in_image_validation.diff: call verify()
immediately after the constructor in django/forms/fields.py.
- CVE-2012-3443
* SECURITY UPDATE: Denial-of-service via get_image_dimensions()
(LP: #1031733)
- debian/patches/18_fix_dos_via_get_image_dimensions.diff: don't limit
chunk size in django/core/files/images.py.
- CVE-2012-3444
-- Marc Deslauriers <email address hidden> Thu, 06 Sep 2012 09:56:37 -0400
-
python-django (1.1.1-2ubuntu1.4) lucid-security; urgency=low
* SECURITY UPDATE: session manipulation when using django.contrib.sessions
with memory-based sessions and caching
- debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
for session instead of root namespace
- CVE-2011-4136
* SECURITY UPDATE: potential denial of service and information disclosure in
URLField
- debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
default and use a timeout if available.
- CVE-2011-4137, CVE-2011-4138
* SECURITY UPDATE: potential cache-poisoning via crafted Host header
- debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
default when constructing full URLs
- CVE-2011-4139
* More information on these issues can be found at:
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
-- Jamie Strandboge <email address hidden> Wed, 07 Dec 2011 16:02:57 -0600
-
python-django (1.1.1-2ubuntu1.3) lucid-security; urgency=low
* SECURITY UPDATE: flaw in CSRF handling (LP: #719031)
- debian/patches/10_CVE-2011-0696.diff: apply full CSRF validation to all
requests, regardless of apparent AJAX origin. This is technically
backwards-incompatible, but the security risks have been judged to
outweigh the compatibility concerns in this case. See the Django project
notes for more information:
http://www.djangoproject.com/weblog/2011/feb/08/security/
- CVE-2011-0696
* SECURITY UPDATE: potential XSS in file field rendering
- debian/patches/11_CVE-2011-0697.diff: properly escape URL in
django/contrib/admin/widgets.py
- CVE-2011-0697
-- Jamie Strandboge <email address hidden> Tue, 15 Feb 2011 17:11:08 -0600
-
python-django (1.1.1-2ubuntu1.2) lucid-security; urgency=low
* SECURITY UPDATE: information leak in admin interface
- debian/patches/08_security_admin_infoleak.diff: validate querystring
lookup arguments either specify only fields on the model being viewed,
or cross relations which have been explicitly whitelisted.
- CVE-2010-4534
* SECURITY UPDATE:
- debian/patches/09_security_pasword_reset_dos.diff: adjust
base36_to_int() function in django.utils.http will now validate the
length of its input; on input longer than 13 digits (sufficient to
base36-encode any 64-bit integer), it will now raise ValueError.
Additionally, the default URL patterns for django.contrib.auth will now
enforce a maximum length on the relevant parameters.
- CVE-2010-4535
-- Jamie Strandboge <email address hidden> Mon, 03 Jan 2011 11:31:57 -0600
-
python-django (1.1.1-2ubuntu1.1) lucid-proposed; urgency=low
* Take fix from http://code.djangoproject.com/ticket/10976 in order to fix
the django.contrib.auth tests when the project provides its own auth
templates. (LP: #650473)
-- James Westby <email address hidden> Tue, 28 Sep 2010 14:05:47 -0400
-
python-django (1.1.1-2ubuntu1) lucid; urgency=low
* Fix django test client cookie handling (LP: #513719)
-- Elliot Murphy <email address hidden> Fri, 29 Jan 2010 13:01:27 -0500
-
python-django (1.1.1-2) unstable; urgency=low
* Remove embedded "decimal" code copy and use system version instead. The
"doctest" code copy cannot be removed as parts of Django depend on modified
behaviour. (Closes: #555419)
* Fix FTBFS in November by applying patch from upstream bug #12125.
(Closes: #555931)
* Fix FTBFS under Python 2.6.3 by applying patch from upstream bug #11993.
(Closes: #555969)
-- Bhavani Shankar <email address hidden> Wed, 20 Jan 2010 02:27:30 +0000
-
python-django (1.1.1-1ubuntu1) karmic; urgency=low
* Merge python-django 1.1.1-1 from debian unstable (LP: #447617)
for security and bug fixes, all Ubuntu changes merged by Debian.
* Add to debian/patches:
- 20_python2.6.3_regression.patch - backported upstream commit 11620
to make Django work with Python 2.6.3 properly. (LP: #445639)
python-django (1.1.1-1) unstable; urgency=high
* New upstream security release - fixes pathological regular expression
backtracking performance in URL and email fields which can be used as part
of a denial of service attack.
* Set Maintainer: to myself with thanks to Brett Parker.
* Bump versioned build dependency on quilt to help backporters.
(Closes: #547955)
python-django (1.1-4) unstable; urgency=low
* Sourceful upload to drop dependency on Python 2.4.
python-django (1.1-3) unstable; urgency=low
* Disable regression tests that require an internet connection. Patch by
Krzysztof Klimonda <email address hidden>. (Closes: #542996)
* Bump Standards-Version to 3.8.3.
-- Krzysztof Klimonda <email address hidden> Mon, 12 Oct 2009 19:22:16 +0200
