~ubuntu-branches/ubuntu/precise/python-django/precise-security : changes

~ubuntu-branches/ubuntu/precise/python-django/precise-security » Changes from revision 46

From Revision 46 to 27

Rev	Summary	Authors	Tags	Date
46	* SECURITY UPDATE: incorrect url validation in core.urlresol... * SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating URLs pointing to other hosts in django/core/urlresolvers.py, added tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py. - CVE-2014-0480 * SECURITY UPDATE: denial of service via file upload handling - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in django/core/files/storage.py, updated docs in docs/howto/custom-file-storage.txt, docs/ref/files/storage.txt, added tests to tests/modeltests/files/tests.py, tests/regressiontests/file_storage/tests.py, backport get_random_string() to django/utils/crypto.py. - CVE-2014-0481 * SECURITY UPDATE: web session hijack via REMOTE_USER header - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to logout on REMOTE_USE change in django/contrib/auth/middleware.py, added test to django/contrib/auth/tests/remote_user.py. - CVE-2014-0482 * SECURITY UPDATE: data leak in contrib.admin via query string manipulation - debian/patches/CVE-2014-0483.patch: validate to_field in django/contrib/admin/{options,exceptions}.py, django/contrib/admin/views/main.py, added tests to tests/regressiontests/admin_views/tests.py. - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in django/contrib/admin/options.py, added tests to tests/regressiontests/admin_views/{models,tests}.py. - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in django/contrib/admin/options.py, added tests to tests/regressiontests/admin_views/{models,tests}.py. - CVE-2014-0483	Marc Deslauriers	1.3.1-4ubuntu1.12	9 years ago
45	* SECURITY UPDATE: cache coherency problems in old Internet ... * SECURITY UPDATE: cache coherency problems in old Internet Explorer compatibility functions lead to loss of privacy and cache poisoning attacks. (LP: #1317663) - debian/patches/drop_fix_ie_for_vary_1_4.diff: remove fix_IE_for_vary() and fix_IE_for_attach() functions so Cache-Control and Vary headers are no longer modified. This may introduce some regressions for IE 6 and IE 7 users. Patch from upstream. - CVE-2014-1418 * SECURITY UPDATE: The validation for redirects did not correctly validate some malformed URLs, which are accepted by some browsers. This allows a user to be redirected to an unsafe URL unexpectedly. - debian/patches/is_safe_url_1_4.diff: Forbid URLs starting with '///', forbid URLs without a host but with a path. Patch from upstream.	Seth Arnold	1.3.1-4ubuntu1.11	9 years ago
44	* SECURITY REGRESSION: security fix regression when a view i... * SECURITY REGRESSION: security fix regression when a view is a partial (LP: #1311433) - debian/patches/CVE-2014-0472-regression.patch: create the lookup_str from the original function whenever a partial is provided as an argument to a url pattern in django/core/urlresolvers.py, added tests to tests/regressiontests/urlpatterns_reverse/urls.py, tests/regressiontests/urlpatterns_reverse/views.py. - CVE-2014-0472	Marc Deslauriers	1.3.1-4ubuntu1.10	9 years ago
43	* SECURITY UPDATE: unexpected code execution using reverse() * SECURITY UPDATE: unexpected code execution using reverse() (LP: #1309779) - debian/patches/CVE-2014-0472.patch: added filtering to django/core/urlresolvers.py, added tests to tests/regressiontests/urlpatterns_reverse/nonimported_module.py, tests/regressiontests/urlpatterns_reverse/tests.py, tests/regressiontests/urlpatterns_reverse/urls.py, tests/regressiontests/urlpatterns_reverse/views.py. - CVE-2014-0472 * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token (LP: #1309782) - debian/patches/CVE-2014-0473.patch: don't cache responses with a cookie in django/middleware/cache.py. - CVE-2014-0473 * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784) - debian/patches/CVE-2014-0474.patch: convert arguments to correct type in django/db/models/fields/__init__.py, updated docs in docs/howto/custom-model-fields.txt, docs/ref/databases.txt, docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to tests/regressiontests/model_fields/tests.py. - CVE-2014-0474	Marc Deslauriers	1.3.1-4ubuntu1.9	10 years ago
42	* SECURITY UPDATE: denial of service via long passwords (LP:... * SECURITY UPDATE: denial of service via long passwords (LP: #1225784) - debian/patches/CVE-2013-1443.patch: enforce a maximum password length in django/contrib/auth/forms.py, django/contrib/auth/models.py, django/contrib/auth/tests/basic.py. - CVE-2013-1443 * SECURITY UPDATE: directory traversal with ssi template tag - debian/patches/CVE-2013-4315.patch: properly check absolute path in django/template/defaulttags.py, tests/regressiontests/templates/tests.py. - CVE-2013-4315 * SECURITY UPDATE: possible XSS via is_safe_url - debian/patches/security-is_safe_url.patch: properly reject URLs which specify a scheme other then HTTP or HTTPS. - https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/ - No CVE number	Marc Deslauriers	1.3.1-4ubuntu1.8	10 years ago
41	* SECURITY UPDATE: host header poisoning (LP: #1089337) * SECURITY UPDATE: host header poisoning (LP: #1089337) - debian/patches/fix_get_host.patch: tighten host header validation in django/http/__init__.py, add tests to tests/regressiontests/requests/tests.py. - https://www.djangoproject.com/weblog/2012/dec/10/security/ - No CVE number * SECURITY UPDATE: redirect poisoning (LP: #1089337) - debian/patches/fix_redirect_poisoning.patch: tighten validation in django/contrib/auth/views.py, django/contrib/comments/views/comments.py, django/contrib/comments/views/moderation.py, django/contrib/comments/views/utils.py, django/utils/http.py, django/views/i18n.py, add tests to tests/regressiontests/comment_tests/tests/comment_view_tests.py, tests/regressiontests/comment_tests/tests/moderation_view_tests.py, tests/regressiontests/views/tests/i18n.py. - https://www.djangoproject.com/weblog/2012/dec/10/security/ - No CVE number * SECURITY UPDATE: host header poisoning (LP: #1130445) - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting to django/conf/global_settings.py, django/conf/project_template/settings.py, django/http/__init__.py, django/test/utils.py, add docs to docs/ref/settings.txt, add tests to tests/regressiontests/requests/tests.py. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - No CVE number * SECURITY UPDATE: XML attacks (LP: #1130445) - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion, and external entities/DTDs in django/core/serializers/xml_serializer.py, add tests to tests/regressiontests/serializers_regress/tests.py. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - CVE-2013-1664 - CVE-2013-1665 * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445) - debian/patches/CVE-2013-0305.patch: add permission checks to history view in django/contrib/admin/options.py, add tests to tests/regressiontests/admin_views/tests.py. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - CVE-2013-0305 * SECURITY UPDATE: Formset denial-of-service (LP: #1130445) - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt, docs/topics/forms/modelforms.txt, add tests to tests/regressiontests/forms/tests/formsets.py. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - CVE-2013-0306	Marc Deslauriers	1.3.1-4ubuntu1.6	11 years ago
40	* Add additional tests for CVE-2012-4520 * Add additional tests for CVE-2012-4520 - debian/patches/CVE-2012-4520-additional-tests.diff: add various poisoned host header test material * Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py - debian/patches/lp1080204.diff: Isolate poisoned_http_host tests from 500 - https://code.djangoproject.com/ticket/19172 - LP: #1080204	Jamie Strandboge	1.3.1-4ubuntu1.4	11 years ago
39	* SECURITY UPDATE: fix Host header poisoning * SECURITY UPDATE: fix Host header poisoning - debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to raise django.core.exceptions.SuspiciousOperation if Host headers contain potentially dangerous content. Patch thanks to Mackenzie Morgan. - CVE-2012-4520 - LP: #1068486	Jamie Strandboge	1.3.1-4ubuntu1.3	11 years ago
38	[ Scott Kitterman ] [ Scott Kitterman ] * SECURITY UPDATE: multiple issues (LP: #1031733) * References CVE-2012-3442 CVE-2012-3443 CVE-2012-3444 https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/ * New upstream release to address three security issues: - Cross-site scripting in authentication views - Denial-of-service in image validation - Denial-of-service via get_image_dimensions() * Added debian/patches/security_http_redirects, security_image_uploading_two, and security_image_uploading cherry picked from upstream git [ Marc Deslauriers ] * debian/patches/security_http_redirects: remove unrelated changes, add python 2.4 regression fix.	Marc Deslauriers	1.3.1-4ubuntu1.2	11 years ago
37	* Merge with Debian. Remaining changes: * Merge with Debian. Remaining changes: - 09_test_view_decorator_sleep.diff increases the sleep time to reduce race condition effects on build machines. https://code.djangoproject.com/ticket/16686 (LP: #829487) * debian/patches/{psycopg2_creation.diff,compat-psycopg2-plus2.4.2.diff}: - New patches, resolve compatibility with psycopg2 > 2.4.1, patches based on upstream submissions, rebasing courtesy of Dave Pifke. - LP: #905837	Dave Walker (Daviey)	1.3.1-4ubuntu1	12 years ago
36	* Merge with Debian. Remaining changes: * Merge with Debian. Remaining changes: - 09_test_view_decorator_sleep.diff increases the sleep time to reduce race condition effects on build machines. https://code.djangoproject.com/ticket/16686 (LP: #829487)	Barry Warsaw	1.3.1-1ubuntu1	12 years ago
35	* New upstream release. It includes security updates describ... * New upstream release. It includes security updates described here: https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/ Closes: #641405 * Update 01_disable_url_verify_regression_tests.diff and merge 07_disable_url_verify_model_tests.diff into it. * Update patch headers to conform to DEP-3. * Apply patch from Steve Langasek to dynamically build the UTF-8 locale required by the test-suite instead of build-depending on locales-all. Closes: #630421 * Use "dh --with sphinxdoc" to clean up the Sphinx generated documentation and avoid the embedded-javascript-library lintian warning. Build-Depends on python-sphinx >= 1.0.7+dfsg-1 for this and also add ${sphinxdoc:Depends} to python-django-doc Depends field. * Cleanup build-dependencies now that even oldstable has python 2.5. * Switch to dh_python2 as python helper tool. Drop legacy files debian/pyversions and debian/pycompat. * New patch 02_disable-sources-in-sphinxdoc.diff to not generate the _sources directory that we used to remove manually within the rules file. But must be kept disabled until #641710 is fixed. * Properly support DEB_BUILD_OPTIONS=nocheck despite the override of dh_auto_test.	Raphaël Hertzog	1.3.1-1	12 years ago
34	* 09_test_view_decorator_sleep.diff increases the sleep time... * 09_test_view_decorator_sleep.diff increases the sleep time to reduce race condition effects on build machines. https://code.djangoproject.com/ticket/16686 (LP: #829487) * Remove build-dep on locales-all which isn't in the Ubuntu archive.	Barry Warsaw	1.3-2ubuntu1	12 years ago
33	* Team upload. * Team upload. [ Chris Lamb ] * Don't remove "backup~" test file - upstream did ship it; we were just removing it with dh_clean. [ Piotr Ożarowski ] * Fix builds with non-default Python versions installed * Bump Standards-Version to 3.9.2 (no changes needed)	Piotr Ożarowski	1.3-2	12 years ago
32	* Merge from Debian for security fixes (LP: #719031). Remain... * Merge from Debian for security fixes (LP: #719031). Remaining changes: - debian/control: don't Build-Depends on locales-all, which doesn't exist in natty * Drop the following patches, now included upstream: - debian/patches/07_security_admin_infoleak.diff - debian/patches/08_security_pasword_reset_dos.diff	Jamie Strandboge	1.2.5-1ubuntu1	13 years ago
31	* SECURITY UPDATE: information leak in admin interface * SECURITY UPDATE: information leak in admin interface - debian/patches/07_security_admin_infoleak.diff: validate querystring lookup arguments either specify only fields on the model being viewed, or cross relations which have been explicitly whitelisted. - CVE-2010-XXXX * SECURITY UPDATE: - debian/patches/08_security_pasword_reset_dos.diff: adjust base36_to_int() function in django.utils.http will now validate the length of its input; on input longer than 13 digits (sufficient to base36-encode any 64-bit integer), it will now raise ValueError. Additionally, the default URL patterns for django.contrib.auth will now enforce a maximum length on the relevant parameters. - CVE-2010-XXXX	Jamie Strandboge	1.2.3-1ubuntu0.2.11.04.1	13 years ago
30	* SECURITY UPDATE: XSS in CSRF protections. New upstream rel... * SECURITY UPDATE: XSS in CSRF protections. New upstream release - CVE-2010-3082 * debian/patches/01_disable_url_verify_regression_tests.diff: - updated to disable another test that fails without internet connection - patch based on work by Kai Kasurinen and Krzysztof Klimonda * debian/control: don't Build-Depends on locales-all, which doesn't exist in maverick	Jamie Strandboge	1.2.3-1ubuntu0.1	13 years ago
29	New upstream bugfix release. New upstream bugfix release.	Chris Lamb	1.2.1-1	13 years ago
28	New upstream stable release. New upstream stable release.	Chris Lamb	1.2-1	13 years ago
27	Fix django test client cookie handling. Fix django test client cookie handling.	James Westby	1.1.1-2ubuntu1	14 years ago

Older »