[Python-modules-team] Bug#977487: pyvows: please make the build reproducible
Source: pyvows
Version: 3.0.0-2
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: buildpath
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

Hi,

Whilst working on the Reproducible Builds effort [0] we noticed that pyvows could not be built reproducibly.

This is because it did not generate the manpage correctly — it contained a traceback with the error (which included the absolute build path).

Patch attached that sets PYTHONPATH correctly.

[0] https://reproducible-builds.org/

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk

___
Python-modules-team mailing list
Python-modules-team@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
[Python-modules-team] Bug#885326: flask-peewee: please make the build reproducible
Chris Lamb wrote:

> [..]

Gentle ping on this?

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk
[Python-modules-team] Bug#885326: flask-peewee: please make the build reproducible
Chris Lamb wrote:

> Would you consider applying this patch and uploading?

Friendly ping on this? Seems like there hasn't been any update on this bug in 991 days now (!).

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk
[Python-modules-team] Bug#838713: python-xlib: please make the build reproducible
Chris Lamb wrote:

> [..]

Gentle ping on this?

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk
[Python-modules-team] Bug#944782: python-sybil: please make the build reproducible
Chris Lamb wrote:

> Would you consider applying this patch and uploading?

Friendly ping on this? Seems like there hasn't been any update on this bug in 287 days now (!).

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk
[Python-modules-team] Bug#943674: flask: please make the build reproducible
Chris Lamb wrote:

> Would you consider applying this patch and uploading?

Friendly ping on this? Seems like there hasn't been any update on this bug in 305 days now (!).

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk
[Python-modules-team] Bug#969367: python-django: CVE-2020-24583 CVE-2020-24584
Package: python-django
Version: 1:1.10.7-2+deb9u9
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

CVE-2020-24583
CVE-2020-24584

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-24583
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24583
[1] https://security-tracker.debian.org/tracker/CVE-2020-24584
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24584
[2] https://www.djangoproject.com/weblog/2020/sep/01/security-releases/

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk
[Python-modules-team] Bug#965362: numpydoc: please make the build reproducible
Source: numpydoc
Version: 1.1.0-1
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

Hi,

Whilst working on the Reproducible Builds effort [0] we noticed that numpydoc could not be built reproducibly.

This is because it includes a junit-results.xml and .coverage file from the test run. (The latter file should have been detected by the package-contains-python-coverage-file Lintian tag FYI.)

Patch attached.

[0] https://reproducible-builds.org/

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk

a/debian/rules 2020-07-20 11:14:23.254979286 +0100 --- b/debian/rules 2020-07-20 11:20:45.409510366 +0100 @@ -12,3 +12,8 @@ %: dh $@ --with python3 --buildsystem=pybuild + +override_dh_auto_install: + dh_auto_install + find debian -name .coverage -delete + find debian -name junit-results.xml -delete
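Review bot: The two `find debian -name ... -delete` calls in the new override_dh_auto_install search the whole debian/ directory and match any file type, so they are broader than the installed package tree they are meant to clean. Consider pointing find at the install destination (for example debian/<package>) and adding `-type f`, and add a short comment in debian/rules saying that these files come from the test run, so the reason for the override is recorded next to it.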
[Python-modules-team] Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
Hi Sébastien,

> They look fine, please upload to security-master.

Done.

Regards,

--
Chris Lamb
la...@debian.org chris-lamb.co.uk
[Python-modules-team] Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
Chris Lamb wrote:

> The full debdiffs are attached. Can you especially check the
> versioning scheme and distribution fields for me? I often get this
> wrong and end up confusing myself. Really appreciated.

They are now attached.

Regards,

--
Chris Lamb
la...@debian.org chris-lamb.co.uk

diff --git a/debian/changelog b/debian/changelog index a84d1b261..f18eaf3ed 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,20 @@ +python-django (1:1.10.7-2+deb9u9) stretch-security; urgency=high + + * CVE-2020-13254: Potential a data leakage via malformed memcached keys. + +In cases where a memcached backend does not perform key validation, passing +malformed cache keys could result in a key collision, and potential data +leakage. In order to avoid this vulnerability, key validation is added to +the memcached cache backends. + + * CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget. + +Query parameters to the admin ForeignKeyRawIdWidget were not properly URL +encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures +query parameters are correctly URL encoded. + + -- Chris Lamb Sat, 13 Jun 2020 15:47:14 +0100 + python-django (1:1.10.7-2+deb9u8) stretch-security; urgency=high * CVE-2020-7471: Prevent a Potential SQL injection via StringAgg(delimiter). diff --git a/debian/patches/0027-CVE-2020-13254.patch b/debian/patches/0027-CVE-2020-13254.patch new file mode 100644 index 0..e2e03f982 --- /dev/null +++ b/debian/patches/0027-CVE-2020-13254.patch 
@@ -0,0 +1,177 @@ +From: Chris Lamb +Date: Sat, 13 Jun 2020 15:31:18 +0100 +Subject: CVE-2020-13254 + +--- + django/core/cache/__init__.py | 4 ++-- + django/core/cache/backends/base.py | 33 + + django/core/cache/backends/memcached.py | 24 ++-- + 3 files changed, 45 insertions(+), 16 deletions(-) + +diff --git a/django/core/cache/__init__.py b/django/core/cache/__init__.py +index 26897ff..dc377a9 100644 +--- a/django/core/cache/__init__.py b/django/core/cache/__init__.py +@@ -17,13 +17,13 @@ from threading import local + from django.conf import settings + from django.core import signals + from django.core.cache.backends.base import ( +-BaseCache, CacheKeyWarning, InvalidCacheBackendError, ++BaseCache, CacheKeyWarning, InvalidCacheBackendError, InvalidCacheKey, + ) + from django.utils.module_loading import import_string + + __all__ = [ + 'cache', 'DEFAULT_CACHE_ALIAS', 'InvalidCacheBackendError', +-'CacheKeyWarning', 'BaseCache', ++'CacheKeyWarning', 'BaseCache', 'InvalidCacheKey', + ] + + DEFAULT_CACHE_ALIAS = 'default' +diff --git a/django/core/cache/backends/base.py b/django/core/cache/backends/base.py +index a07a34e..688ffb8 100644 +--- a/django/core/cache/backends/base.py b/django/core/cache/backends/base.py +@@ -24,6 +24,10 @@ DEFAULT_TIMEOUT = object() + MEMCACHE_MAX_KEY_LENGTH = 250 + + ++class InvalidCacheKey(ValueError): ++pass ++ ++ + def default_key_func(key, key_prefix, version): + """ + Default function to generate keys. +@@ -233,18 +237,8 @@ class BaseCache(object): + backend. This encourages (but does not force) writing backend-portable + cache code. 
+ """ +-if len(key) > MEMCACHE_MAX_KEY_LENGTH: +-warnings.warn( +-'Cache key will cause errors if used with memcached: %r ' +-'(longer than %s)' % (key, MEMCACHE_MAX_KEY_LENGTH), CacheKeyWarning +-) +-for char in key: +-if ord(char) < 33 or ord(char) == 127: +-warnings.warn( +-'Cache key contains characters that will cause errors if ' +-'used with memcached: %r' % key, CacheKeyWarning +-) +-break ++for warning in memcache_key_warnings(key): ++warnings.warn(warning, CacheKeyWarning) + + def incr_version(self, key, delta=1, version=None): + """Adds delta to the cache version for the supplied key. Returns the +@@ -270,3 +264,18 @@ class BaseCache(object): + def close(self, **kwargs): + """Close the cache connection""" + pass ++ ++ ++def memcache_key_warnings(key): ++if len(key) > MEMCACHE_MAX_KEY_LENGTH: ++yield ( ++'Cache key will cause errors if used with memcached: %r ' ++'(longer than %s)' % (key, MEMCACHE_MAX_KEY_LENGTH) ++) ++for char in key: ++if ord(char) < 33 or ord(char) == 127: ++yield ( ++'Cache key contains characters that will cause errors if ' ++'used with memcached: %r' % key, ++) ++break +diff --git a/django/core/cache/backends/memcached.py b/django/core/cache/backends/memcached.py
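Review bot: In the new memcache_key_warnings() added to django/core/cache/backends/base.py, the second yield ends with `'used with memcached: %r' % key,` inside the parentheses, and that trailing comma makes it yield a one-element tuple instead of a string, unlike the first yield for over-long keys. The loop `for warning in memcache_key_warnings(key): warnings.warn(warning, CacheKeyWarning)` in BaseCache, and any other caller that expects a message string, will receive a tuple for keys containing invalid characters; drop the comma after `% key` so both branches yield plain strings. Separately, the debian/changelog hunk reads "Potential a data leakage", where "Potential data leakage" looks intended.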
[Python-modules-team] Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
Chris Lamb wrote:

> I will wait a few days to see what upstream says. I will also have to
> re-release for jessie LTS, alas.

Okay, this is now fixed in the following versions (without and with the regression fix):

Distribution   Upload with regression   Upload with regression fixed
jessie         1.7.11-1+deb8u9          1.7.11-1+deb8u10
stretch        n/a                      1:1.10.7-2+deb9u9 (pending)
buster         n/a                      1:1.11.29-1~deb10u1 (pending)
unstable       2:2.2.13-1               2:2.2.13-2
experimental   2:3.0.7-1                2:3.0.7-2

The two pending uploads (ie. needing your approval) to upload are:

  python-django (1:1.10.7-2+deb9u9) stretch-security; urgency=high

    * CVE-2020-13254: Potential a data leakage via malformed memcached keys.

      In cases where a memcached backend does not perform key validation, passing
      malformed cache keys could result in a key collision, and potential data
      leakage. In order to avoid this vulnerability, key validation is added to
      the memcached cache backends.

    * CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget.

      Query parameters to the admin ForeignKeyRawIdWidget were not properly URL
      encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures
      query parameters are correctly URL encoded.

   -- Chris Lamb Sat, 13 Jun 2020 15:47:14 +0100

and

  python-django (1:1.11.29-1~deb10u1) buster-security; urgency=high

    * New upstream security release (postponed from March 2020):

      - CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS
        functions and aggregates on Oracle

      Note that Django 1.11.x left upstream's extended security support on April
      1st 2020. For more information, please see:

        https://www.djangoproject.com/download/

    * This upload also fixes the following security issues:

      - CVE-2020-13254: Potential a data leakage via malformed memcached keys.

        In cases where a memcached backend does not perform key validation,
        passing malformed cache keys could result in a key collision, and
        potential data leakage. In order to avoid this vulnerability, key
        validation is added to the memcached cache backends.

      - CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget.

        Query parameters to the admin ForeignKeyRawIdWidget were not properly
        URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now
        ensures query parameters are correctly URL encoded.

   -- Chris Lamb Sun, 14 Jun 2020 12:15:26 +0100

The full debdiffs are attached. Can you especially check the versioning scheme and distribution fields for me? I often get this wrong and end up confusing myself. Really appreciated.

Regards,

--
Chris Lamb
la...@debian.org chris-lamb.co.uk
[Python-modules-team] Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
Hi Sébastien,

> > Security team, would you like an update for stretch and/or buster to
> > address these issues? It's fixed in sid, experimental as well as
> > jessie LTS. Bullseye is just pending migration time AFAICT.
[…]
> yes, that'd be fine. Is there any chance you could also piggyback the
> fix for CVE-2020-9402 (marked "postponed") on top of the ones for
> CVE-2020-13254 and CVE-2020-13596?

Sure. For buster, I recommend we take the latest security upstream stable release to fix CVE-2020-9402, but for stretch we will need to backport all three.

However, I just independently discovered a regression in the latest change for CVE-2020-13254:

  https://code.djangoproject.com/ticket/31654#comment:14

I will wait a few days to see what upstream says. I will also have to re-release for jessie LTS, alas.

Regards,

--
Chris Lamb
la...@debian.org chris-lamb.co.uk
[Python-modules-team] Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
Hi,

> python-django: CVE-2020-13254 CVE-2020-13596

Security team, would you like an update for stretch and/or buster to address these issues? It's fixed in sid, experimental as well as jessie LTS. Bullseye is just pending migration time AFAICT.

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk
[Python-modules-team] Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
Package: python-django
Version: 1.7.11-1+deb8u3
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

CVE-2020-13254[0]:
| An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before
| 3.0.7. In cases where a memcached backend does not perform key
| validation, passing malformed cache keys could result in a key
| collision, and potential data leakage.

CVE-2020-13596[1]:
| An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before
| 3.0.7. Query parameters generated by the Django admin
| ForeignKeyRawIdWidget were not properly URL encoded, leading to a
| possibility of an XSS attack.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13254
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13254
[1] https://security-tracker.debian.org/tracker/CVE-2020-13596
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13596

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk
[Python-modules-team] Bug#961242: python-django-crispy-forms: Not compatible with Django 3.x
Source: python-django-crispy-forms
Version: 1.7.2-2
Severity: normal
User: python-modules-t...@lists.alioth.debian.org
Usertags: django-3.x
Control: affects -1 django-filter

Dear maintainer,

The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully.

For more information, see:

  http://bugs.debian.org/960890

Please use the above bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs.

Whilst python-django-crispy-forms itself builds from source, it causes other packages (eg. django-filter) to FTBFS. Here is the FTBFS from django-filter:

  […]
  --
  Traceback (most recent call last):
    File "/home/lamby/temp/cdt.20200517001459.aCZ5FBFbhk.ags.lamby-debian-experimental.python3-django-filters/django-filter-2.1.0/tests/test_views.py", line 56, in test_view_with_model_no_filterset
      self.assertContains(response, b)
    File "/usr/lib/python3/dist-packages/django/test/testcases.py", line 454, in assertContains
      self.assertTrue(real_count != 0, msg_prefix + "Couldn't find %s in response" % text_repr)
  AssertionError: False is not true : Couldn't find 'Enders Game' in response
  ==
  FAIL: test_view (tests.test_views.GenericFunctionalViewTests)
  --
  Traceback (most recent call last):
    File "/home/lamby/temp/cdt.20200517001459.aCZ5FBFbhk.ags.lamby-debian-experimental.python3-django-filters/django-filter-2.1.0/tests/test_views.py", line 146, in test_view
      self.assertContains(response, b)
    File "/usr/lib/python3/dist-packages/django/test/testcases.py", line 454, in assertContains
      self.assertTrue(real_count != 0, msg_prefix + "Couldn't find %s in response" % text_repr)
  AssertionError: False is not true : Couldn't find 'Enders Game' in response
  --
  Ran 487 tests in 0.688s
  FAILED (failures=5, errors=1, skipped=14, expected failures=3)
  Destroying test database for alias 'default'...
  System check identified no issues (0 silenced).
  E: pybuild pybuild:352: test: plugin custom failed with: exit code=1: python3.8 ./runtests.py
  dh_auto_test: error: pybuild --test -i python{version} -p 3.8 --system=custom "--test-args={interpreter} ./runtests.py" returned exit code 13
  make[1]: *** [debian/rules:21: override_dh_auto_test] Error 25
  make[1]: Leaving directory '/home/lamby/temp/cdt.20200517001459.aCZ5FBFbhk.ags.lamby-debian-experimental.python3-django-filters/django-filter-2.1.0'
  make: *** [debian/rules:7: build] Error 2
  dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
  […]

The full build log is attached.

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk

django-filter.2.1.0-1.unstable.amd64.log.txt.gz
Description: Binary data
[Python-modules-team] Bug#961239: python-django-registration: Not compatible with Django 3.x
Source: python-django-registration
Version: 2.2-3
Severity: normal
User: python-modules-t...@lists.alioth.debian.org
Usertags: django-3.x
Control: affects -1 mini-buildd

Dear maintainer,

The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully.

For more information, see:

  http://bugs.debian.org/960890

Please use the above bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs.

Whilst python-django-registration itself builds from source, it causes other packages (eg. mini-buildd) to FTBFS. Here is the FTBFS from mini-buildd:

  […]
    File "/home/lamby/temp/cdt.20200517004829.Xc0msV8pPb.ags.lamby-debian-experimental.python3-mini-buildd/mini-buildd-1.1.31/src/mini_buildd/django_settings.py", line 168, in pseudo_configure
      django.setup()
    File "/usr/lib/python3/dist-packages/django/__init__.py", line 24, in setup
      apps.populate(settings.INSTALLED_APPS)
    File "/usr/lib/python3/dist-packages/django/apps/registry.py", line 114, in populate
      app_config.import_models()
    File "/usr/lib/python3/dist-packages/django/apps/config.py", line 211, in import_models
      self.models_module = import_module(models_module_name)
    File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module
      return _bootstrap._gcd_import(name[level:], package, level)
    File "", line 1014, in _gcd_import
    File "", line 991, in _find_and_load
    File "", line 975, in _find_and_load_unlocked
    File "", line 671, in _load_unlocked
    File "", line 783, in exec_module
    File "", line 219, in _call_with_frames_removed
    File "/usr/lib/python3/dist-packages/registration/models.py", line 23, in
      from django.utils.encoding import python_2_unicode_compatible
  ImportError: cannot import name 'python_2_unicode_compatible' from 'django.utils.encoding' (/usr/lib/python3/dist-packages/django/utils/encoding.py)
  make[1]: *** [debian/rules:21: override_dh_auto_build] Error 2
  make[1]: Leaving directory '/home/lamby/temp/cdt.20200517004829.Xc0msV8pPb.ags.lamby-debian-experimental.python3-mini-buildd/mini-buildd-1.1.31'
  make: *** [debian/rules:4: build] Error 2
  dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
  […]

The full build log is attached.

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk

mini-buildd.1.1.31.experimental.amd64.log.txt.gz
Description: Binary data
[Python-modules-team] Bug#961177: django-simple-captcha: Not compatible with Django 3.x
Source: django-simple-captcha
Version: 0.5.6-2
Severity: normal
User: python-modules-t...@lists.alioth.debian.org
Usertags: django-3.x
Control: affects -1 plinth

Dear maintainer,

The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully.

For more information, see:

  http://bugs.debian.org/960890

Please use the above bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs.

Whilst django-simple-captcha itself builds from source, it causes other packages (eg. plinth) to FTBFS. Here is the FTBFS from plinth:

  […]
      raise ex[1].with_traceback(ex[2])
    File "/usr/lib/python3/dist-packages/pluggy/callers.py", line 187, in _multicall
      res = hook_impl.function(*args)
    File "/usr/lib/python3/dist-packages/pytest_django/plugin.py", line 335, in pytest_load_initial_conftests
      _setup_django()
    File "/usr/lib/python3/dist-packages/pytest_django/plugin.py", line 223, in _setup_django
      django.setup()
    File "/usr/lib/python3/dist-packages/django/__init__.py", line 24, in setup
      apps.populate(settings.INSTALLED_APPS)
    File "/usr/lib/python3/dist-packages/django/apps/registry.py", line 114, in populate
      app_config.import_models()
    File "/usr/lib/python3/dist-packages/django/apps/config.py", line 211, in import_models
      self.models_module = import_module(models_module_name)
    File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module
      return _bootstrap._gcd_import(name[level:], package, level)
    File "", line 1014, in _gcd_import
    File "", line 991, in _find_and_load
    File "", line 975, in _find_and_load_unlocked
    File "", line 671, in _load_unlocked
    File "", line 783, in exec_module
    File "", line 219, in _call_with_frames_removed
    File "/usr/lib/python3/dist-packages/captcha/models.py", line 4, in
      from django.utils.encoding import python_2_unicode_compatible
  ImportError: cannot import name 'python_2_unicode_compatible' from 'django.utils.encoding' (/usr/lib/python3/dist-packages/django/utils/encoding.py)
  E: pybuild pybuild:352: test: plugin custom failed with: exit code=1: python3.8 setup.py test
  dh_auto_test: error: pybuild --test --test-pytest -i python{version} -p 3.8 returned exit code 13
  make[1]: *** [debian/rules:15: override_dh_auto_test] Error 25
  make[1]: Leaving directory '/home/lamby/temp/cdt.20200516235112.uZ6Wnbr4DL.ags.lamby-debian-experimental.freedombox/plinth-20.8'
  make: *** [debian/rules:7: binary] Error 2
  dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
  […]

The full build log is attached.

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk

plinth.20.8.unstable.amd64.log.txt.gz
Description: Binary data
[Python-modules-team] Bug#961175: django-haystack: Not compatible with Django 3.x
Source: django-haystack
Version: 2.8.1-3
Severity: normal
User: python-modules-t...@lists.alioth.debian.org
Usertags: django-3.x
Control: affects -1 celery-haystack hyperkitty

Dear maintainer,

The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully.

For more information, see:

  http://bugs.debian.org/960890

Please use the above bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs.

Whilst django-haystack itself builds from source, it causes other packages (eg. celery-haystack and hyperkitty) to FTBFS. Here is the FTBFS from celery-haystack:

  […]
      management.execute_from_command_line()
    File "/usr/lib/python3/dist-packages/django/core/management/__init__.py", line 401, in execute_from_command_line
      utility.execute()
    File "/usr/lib/python3/dist-packages/django/core/management/__init__.py", line 377, in execute
      django.setup()
    File "/usr/lib/python3/dist-packages/django/__init__.py", line 24, in setup
      apps.populate(settings.INSTALLED_APPS)
    File "/usr/lib/python3/dist-packages/django/apps/registry.py", line 91, in populate
      app_config = AppConfig.create(entry)
    File "/usr/lib/python3/dist-packages/django/apps/config.py", line 90, in create
      module = import_module(entry)
    File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module
      return _bootstrap._gcd_import(name[level:], package, level)
    File "", line 1014, in _gcd_import
    File "", line 991, in _find_and_load
    File "", line 975, in _find_and_load_unlocked
    File "", line 671, in _load_unlocked
    File "", line 783, in exec_module
    File "", line 219, in _call_with_frames_removed
    File "/usr/lib/python3/dist-packages/haystack/__init__.py", line 11, in
      from haystack.utils import loading
    File "/usr/lib/python3/dist-packages/haystack/utils/__init__.py", line 9, in
      from django.utils import six
  ImportError: cannot import name 'six' from 'django.utils' (/usr/lib/python3/dist-packages/django/utils/__init__.py)
  E: pybuild pybuild:352: test: plugin custom failed with: exit code=1: PYTHONPATH=. HAYSTACK=v2 python3 /usr/bin/django-admin test --settings=celery_haystack.test_settings
  dh_auto_test: error: pybuild --test -i python{version} -p 3.8 returned exit code 13
  make[1]: *** [debian/rules:12: override_dh_auto_test] Error 25
  make[1]: Leaving directory '/home/lamby/temp/cdt.20200517000807.BbMTSL1dzK.ags.lamby-debian-experimental.python3-django-celery-haystack/celery-haystack-0.10'
  make: *** [debian/rules:9: build] Error 2
  dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
  […]

The full build log is attached.

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk

celery-haystack.0.10-4.unstable.amd64.log.txt.gz
Description: Binary data
[Python-modules-team] Bug#961171: djangorestframework: FTBFS with Django 3.x
Source: djangorestframework
Version: 3.10.2-1
Severity: normal
User: python-modules-t...@lists.alioth.debian.org
Usertags: django-3.x

Dear maintainer,

The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully.

Unfortunately, djangorestframework fails to build. Please see:

  http://bugs.debian.org/960890

... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs.

  […]
  === short test summary info
  FAILED tests/test_relations.py::TestHyperlinkedRelatedField::test_hyperlinked_related_lookup_does_not_exist
  FAILED tests/test_relations.py::TestHyperlinkedRelatedField::test_hyperlinked_related_lookup_exists
  FAILED tests/test_relations.py::TestHyperlinkedRelatedField::test_hyperlinked_related_lookup_url_encoded_exists
  FAILED tests/test_relations.py::TestHyperlinkedRelatedField::test_hyperlinked_related_queryset_type_error
  FAILED tests/test_relations.py::TestHyperlinkedRelatedField::test_hyperlinked_related_queryset_value_error
  = 5 failed, 1325 passed, warnings in 7.46 seconds =
  E: pybuild pybuild:352: test: plugin custom failed with: exit code=1: python3.8 /home/lamby/temp/cdt.20200517003318.3S5eajbRWG.ags.lamby-debian-experimental.python3-djangorestframework/djangorestframework-3.10.2/runtests.py --nolint
  dh_auto_test: error: pybuild --test --test-pytest -i python{version} -p 3.8 returned exit code 13
  make[1]: *** [debian/rules:43: override_dh_auto_test] Error 25
  make[1]: Leaving directory '/home/lamby/temp/cdt.20200517003318.3S5eajbRWG.ags.lamby-debian-experimental.python3-djangorestframework/djangorestframework-3.10.2'
  make: *** [debian/rules:8: build] Error 2
  dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
  […]

The full build log is attached.

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk

djangorestframework.3.10.2-1.unstable.amd64.log.txt.gz
Description: Binary data
[Python-modules-team] Bug#961170: python-django-tagging: FTBFS with Django 3.x
Source: python-django-tagging Version: 1:0.4.5-3 Severity: normal User: python-modules-t...@lists.alioth.debian.org Usertags: django-3.x Dear maintainer, The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully. Unfortunately, python-django-tagging fails to build. Please see: http://bugs.debian.org/960890 ... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs. […] done ——— Running tests with python3.8 ——— Traceback (most recent call last): File "/usr/bin/django-admin", line 5, in management.execute_from_command_line() File "/usr/lib/python3/dist-packages/django/core/management/__init__.py", line 401, in execute_from_command_line utility.execute() File "/usr/lib/python3/dist-packages/django/core/management/__init__.py", line 377, in execute django.setup() File "/usr/lib/python3/dist-packages/django/__init__.py", line 24, in setup apps.populate(settings.INSTALLED_APPS) File "/usr/lib/python3/dist-packages/django/apps/registry.py", line 114, in populate app_config.import_models() File "/usr/lib/python3/dist-packages/django/apps/config.py", line 211, in import_models self.models_module = import_module(models_module_name) File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1014, in _gcd_import File "", line 991, in _find_and_load File "", line 975, in _find_and_load_unlocked File "", line 671, in _load_unlocked File "", line 783, in exec_module File "", line 219, in _call_with_frames_removed File "/home/lamby/temp/cdt.20200517004013.fXft1ZZRIE.ags.lamby-debian-experimental.python3-django-tagging/python-django-tagging-0.4.5/tagging/models.py", line 7, in from django.utils.encoding import 
python_2_unicode_compatible ImportError: cannot import name 'python_2_unicode_compatible' from 'django.utils.encoding' (/usr/lib/python3/dist-packages/django/utils/encoding.py) make[1]: *** [debian/rules:11: override_dh_auto_test] Error 1 make[1]: Leaving directory '/home/lamby/temp/cdt.20200517004013.fXft1ZZRIE.ags.lamby-debian-experimental.python3-django-tagging/python-django-tagging-0.4.5' make: *** [debian/rules:6: build] Error 2 dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2 […] The full build log is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- python-django-tagging.1:0.4.5-3.unstable.amd64.log.txt.gz Description: Binary data
[Python-modules-team] Bug#961167: python-django-imagekit: FTBFS with Django 3.x
Source: python-django-imagekit Version: 4.0.2-3 Severity: normal User: python-modules-t...@lists.alioth.debian.org Usertags: django-3.x Dear maintainer, The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully. Unfortunately, python-django-imagekit fails to build. Please see: http://bugs.debian.org/960890 ... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs. […] File "/usr/lib/python3/dist-packages/django/db/models/sql/compiler.py", line 1390, in execute_sql for sql, params in self.as_sql(): File "/usr/lib/python3/dist-packages/django/db/models/sql/compiler.py", line 1333, in as_sql value_rows = [ File "/usr/lib/python3/dist-packages/django/db/models/sql/compiler.py", line 1334, in [self.prepare_value(field, self.pre_save_val(field, obj)) for field in fields] File "/usr/lib/python3/dist-packages/django/db/models/sql/compiler.py", line 1334, in [self.prepare_value(field, self.pre_save_val(field, obj)) for field in fields] File "/usr/lib/python3/dist-packages/django/db/models/sql/compiler.py", line 1285, in pre_save_val return field.pre_save(obj, add=True) File "/usr/lib/python3/dist-packages/django/db/models/fields/files.py", line 288, in pre_save file.save(file.name, file.file, save=False) File "/usr/lib/python3/dist-packages/django/db/models/fields/files.py", line 87, in save self.name = self.storage.save(name, content, max_length=self.field.max_length) File "/usr/lib/python3/dist-packages/django/core/files/storage.py", line 51, in save name = self.get_available_name(name, max_length=max_length) File "/usr/lib/python3/dist-packages/django/core/files/storage.py", line 93, in get_available_name raise SuspiciousFileOperation( django.core.exceptions.SuspiciousFileOperation: Storage can 
not find an available filename for "/home/lamby/temp/cdt.20200517002106.mF5dDFrQ5J.ags.lamby-debian-experimental.python3-django-imagekit/python-django-imagekit-4.0.2/tests/media/reference_ejJn4Ty.png". Please make sure that the corresponding file field allows sufficient "max_length". -- Ran 37 tests in 0.232s FAILED (errors=2) Destroying test database for alias 'default'... nosetests tests -s --cover-tests --cover-html --cover-package=imagekit --cover-html-dir=/home/lamby/temp/cdt.20200517002106.mF5dDFrQ5J.ags.lamby-debian-experimental.python3-django-imagekit/python-django-imagekit-4.0.2/tests/cover --verbosity=1 E: pybuild pybuild:352: test: plugin distutils failed with: exit code=2: python3.8 setup.py test dh_auto_test: error: pybuild --test -i python{version} -p 3.8 returned exit code 13 make: *** [debian/rules:9: binary] Error 25 dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2 […] The full build log is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- python-django-imagekit.4.0.2-3.unstable.amd64.log.txt.gz Description: Binary data
[Python-modules-team] Bug#961166: python-django-extensions: FTBFS with Django 3.x
Source: python-django-extensions Version: 2.2.1-1 Severity: normal User: python-modules-t...@lists.alioth.debian.org Usertags: django-3.x Dear maintainer, The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully. Unfortunately, python-django-extensions fails to build. Please see: http://bugs.debian.org/960890 ... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs. […] django.setup() File "/usr/lib/python3/dist-packages/django/__init__.py", line 24, in setup apps.populate(settings.INSTALLED_APPS) File "/usr/lib/python3/dist-packages/django/apps/registry.py", line 122, in populate app_config.ready() File "/usr/lib/python3/dist-packages/django/contrib/admin/apps.py", line 24, in ready self.module.autodiscover() File "/usr/lib/python3/dist-packages/django/contrib/admin/__init__.py", line 26, in autodiscover autodiscover_modules('admin', register_to=site) File "/usr/lib/python3/dist-packages/django/utils/module_loading.py", line 47, in autodiscover_modules import_module('%s.%s' % (app_config.name, module_to_search)) File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1014, in _gcd_import File "", line 991, in _find_and_load File "", line 975, in _find_and_load_unlocked File "", line 671, in _load_unlocked File "", line 783, in exec_module File "", line 219, in _call_with_frames_removed File "/home/lamby/temp/cdt.20200517001318.QUh0NKOOtV.ags.lamby-debian-experimental.python3-django-extensions/python-django-extensions-2.2.1/django_extensions/admin/__init__.py", line 21, in from django_extensions.admin.widgets import ForeignKeySearchInput File 
"/home/lamby/temp/cdt.20200517001318.QUh0NKOOtV.ags.lamby-debian-experimental.python3-django-extensions/python-django-extensions-2.2.1/django_extensions/admin/widgets.py", line 7, in from django.contrib.admin.templatetags.admin_static import static ModuleNotFoundError: No module named 'django.contrib.admin.templatetags.admin_static' E: pybuild pybuild:352: test: plugin custom failed with: exit code=1: python3.8 -m pytest --ds=tests.testapp.settings --cov=django_extensions django_extensions dh_auto_test: error: pybuild --test --test-pytest -i python{version} -p 3.8 --system=custom "--test-args={interpreter} -m pytest --ds=tests.testapp.settings --cov=django_extensions django_extensions" returned exit code 13 make[1]: *** [debian/rules:12: override_dh_auto_test] Error 25 make[1]: Leaving directory '/home/lamby/temp/cdt.20200517001318.QUh0NKOOtV.ags.lamby-debian-experimental.python3-django-extensions/python-django-extensions-2.2.1' make: *** [debian/rules:6: build] Error 2 dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2 […] The full build log is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- python-django-extensions.2.2.1-1.unstable.amd64.log.txt.gz Description: Binary data
[Python-modules-team] Bug#961168: python-django-mptt: FTBFS with Django 3.x
Source: python-django-mptt Version: 0.10.0-1 Severity: normal User: python-modules-t...@lists.alioth.debian.org Usertags: django-3.x Dear maintainer, The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully. Unfortunately, python-django-mptt fails to build. Please see: http://bugs.debian.org/960890 ... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs. […] ** File "/home/lamby/temp/cdt.20200517002530.a3OpEH3j9P.ags.lamby-debian-experimental.python3-django-mptt/python-django-mptt-0.10.0/tests/myapp/doctests.txt", line 1139, in doctests.txt Failed example: print_tree_details(OrderedInsertion.objects.all()) Expected: 6 - 1 0 1 6 5 6 1 1 2 3 4 6 1 1 4 5 2 - 2 0 1 2 3 - 3 0 1 4 1 3 3 1 2 3 Got: 2 - 1 0 1 2 3 - 2 0 1 6 4 6 2 1 2 3 5 6 2 1 4 5 6 - 3 0 1 2 1 3 3 0 3 4 ** 1 items had failures: 4 of 547 in doctests.txt ***Test Failed*** 4 failures. E: pybuild pybuild:352: test: plugin custom failed with: exit code=1: python3.8 /usr/bin/django-admin test --settings=settings --verbosity 2 --traceback myapp dh_auto_test: error: pybuild --test -i python{version} -p 3.8 --system=custom "--test-args={interpreter} /usr/bin/django-admin test --settings=settings --verbosity 2 --traceback myapp" returned exit code 13 make[1]: *** [debian/rules:13: override_dh_auto_test] Error 25 make[1]: Leaving directory '/home/lamby/temp/cdt.20200517002530.a3OpEH3j9P.ags.lamby-debian-experimental.python3-django-mptt/python-django-mptt-0.10.0' make: *** [debian/rules:6: build] Error 2 dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2 […] The full build log is attached. Regards, -- ,''`. : :' : Chris Lamb `. 
`'` la...@debian.org / chris-lamb.co.uk `- python-django-mptt.0.10.0-1.unstable.amd64.log.txt.gz Description: Binary data
[Python-modules-team] Bug#961169: python-django-navtag: FTBFS with Django 3.x
Source: python-django-navtag Version: 2.1.3-2 Severity: normal User: python-modules-t...@lists.alioth.debian.org Usertags: django-3.x Dear maintainer, The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully. Unfortunately, python-django-navtag fails to build. Please see: http://bugs.debian.org/960890 ... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs. […] dh_auto_test -- --system=custom --test-args="{interpreter} /usr/bin/django-admin test django_navtag.tests" I: pybuild base:217: python3.8 /usr/bin/django-admin test django_navtag.tests E == ERROR: django_navtag.tests.test_navtag (unittest.loader._FailedTest) -- ImportError: Failed to import test module: django_navtag.tests.test_navtag Traceback (most recent call last): File "/usr/lib/python3.8/unittest/loader.py", line 436, in _find_test_path module = self._get_module_from_name(name) File "/usr/lib/python3.8/unittest/loader.py", line 377, in _get_module_from_name __import__(name) File "/home/lamby/temp/cdt.20200517002556.DquEm9jhp8.ags.lamby-debian-experimental.python3-django-navtag/python-django-navtag-2.1.3/django_navtag/tests/test_navtag.py", line 5, in from django_navtag.templatetags.navtag import NavNode File "/home/lamby/temp/cdt.20200517002556.DquEm9jhp8.ags.lamby-debian-experimental.python3-django-navtag/python-django-navtag-2.1.3/django_navtag/templatetags/navtag.py", line 2, in from django.utils import six, safestring ImportError: cannot import name 'six' from 'django.utils' (/usr/lib/python3/dist-packages/django/utils/__init__.py) -- Ran 1 test in 0.000s FAILED (errors=1) System check identified no issues (0 silenced). 
E: pybuild pybuild:352: test: plugin custom failed with: exit code=1: python3.8 /usr/bin/django-admin test django_navtag.tests dh_auto_test: error: pybuild --test -i python{version} -p 3.8 --system=custom "--test-args={interpreter} /usr/bin/django-admin test django_navtag.tests" returned exit code 13 make[1]: *** [debian/rules:12: override_dh_auto_test] Error 25 make[1]: Leaving directory '/home/lamby/temp/cdt.20200517002556.DquEm9jhp8.ags.lamby-debian-experimental.python3-django-navtag/python-django-navtag-2.1.3' make: *** [debian/rules:9: build] Error 2 dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2 […] The full build log is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- python-django-navtag.2.1.3-2.unstable.amd64.log.txt.gz Description: Binary data
[Python-modules-team] Bug#961165: libthumbor: FTBFS with Django 3.x
Source: libthumbor Version: 1.3.3-2 Severity: normal User: python-modules-t...@lists.alioth.debian.org Usertags: django-3.x Dear maintainer, The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully. Unfortunately, libthumbor fails to build. Please see: http://bugs.debian.org/960890 ... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs. […] pieces.append(str(getattr(self, piece)())) File "/usr/lib/python3/dist-packages/django/utils/dateformat.py", line 287, in r return self.format('D, j M Y H:i:s O') File "/usr/lib/python3/dist-packages/django/utils/dateformat.py", line 38, in format pieces.append(str(getattr(self, piece)())) File "/usr/lib/python3/dist-packages/django/utils/functional.py", line 124, in __text_cast return func(*self.__args, **self.__kw) File "/usr/lib/python3/dist-packages/django/utils/translation/__init__.py", line 92, in gettext return _trans.gettext(message) File "/usr/lib/python3/dist-packages/django/utils/translation/trans_real.py", line 354, in gettext _default = _default or translation(settings.LANGUAGE_CODE) File "/usr/lib/python3/dist-packages/django/utils/translation/trans_real.py", line 267, in translation _translations[language] = DjangoTranslation(language) File "/usr/lib/python3/dist-packages/django/utils/translation/trans_real.py", line 154, in __init__ self._add_installed_apps_translations() File "/usr/lib/python3/dist-packages/django/utils/translation/trans_real.py", line 195, in _add_installed_apps_translations raise AppRegistryNotReady( django.core.exceptions.AppRegistryNotReady: The translation infrastructure cannot be initialized before the apps registry is ready. Check that you don't make non-lazy gettext calls at import time. 
>> begin captured logging << django.db.backends: DEBUG: (0.000) SAVEPOINT "s139755412752192_x10"; args=None - >> end captured logging << - -- Ran 79 tests in 0.283s FAILED (errors=10) E: pybuild pybuild:352: test: plugin distutils failed with: exit code=1: cd /home/lamby/temp/cdt.20200517004702.Bpm1EcYkwZ.ags.lamby-debian-experimental.python3-libthumbor/libthumbor-1.3.3/.pybuild/cpython3_3.8_libthumbor/build; python3.8 -m nose -v tests dh_auto_test: error: pybuild --test -i python{version} -p 3.8 returned exit code 13 make: *** [debian/rules:6: build] Error 25 dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2 […] The full build log is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- libthumbor.1.3.3-2.unstable.amd64.log.txt.gz Description: Binary data
[Python-modules-team] Bug#961164: django-oauth-toolkit: FTBFS with Django 3.x
Source: django-oauth-toolkit Version: 1.3.2-1 Severity: normal User: python-modules-t...@lists.alioth.debian.org Usertags: django-3.x Dear maintainer, The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully. Unfortunately, django-oauth-toolkit fails to build. Please see: http://bugs.debian.org/960890 ... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs. […] File "/usr/lib/python3/dist-packages/django/template/defaulttags.py", line 1023, in find_library raise TemplateSyntaxError( django.template.exceptions.TemplateSyntaxError: 'staticfiles' is not a registered tag library. Must be one of: admin_list admin_modify admin_urls cache i18n l10n log static tz […] The full build log is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- django-oauth-toolkit.1.3.2-1.unstable.amd64.log.txt.gz Description: Binary data
[Python-modules-team] Bug#961163: django-modeltranslation: FTBFS with Django 3.x
Source: django-modeltranslation Version: 0.13.3-0.1 Severity: normal User: python-modules-t...@lists.alioth.debian.org Usertags: django-3.x Dear maintainer, The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully. Unfortunately, django-modeltranslation fails to build. Please see: http://bugs.debian.org/960890 ... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs. […] debian/rules override_dh_auto_test make[1]: Entering directory '/home/lamby/temp/cdt.20200517002452.CQB2y6IUfr.ags.lamby-debian-experimental.python3-django-modeltranslation/django-modeltranslation-0.13.3' PYBUILD_SYSTEM=custom \ PYBUILD_TEST_ARGS="{interpreter} ./runtests.py" \ dh_auto_test I: pybuild base:217: python3.8 ./runtests.py Traceback (most recent call last): File "./runtests.py", line 62, in runtests(*args) File "./runtests.py", line 50, in runtests django.setup() File "/usr/lib/python3/dist-packages/django/__init__.py", line 24, in setup apps.populate(settings.INSTALLED_APPS) File "/usr/lib/python3/dist-packages/django/apps/registry.py", line 122, in populate app_config.ready() File "/home/lamby/temp/cdt.20200517002452.CQB2y6IUfr.ags.lamby-debian-experimental.python3-django-modeltranslation/django-modeltranslation-0.13.3/modeltranslation/apps.py", line 11, in ready handle_translation_registrations() File "/home/lamby/temp/cdt.20200517002452.CQB2y6IUfr.ags.lamby-debian-experimental.python3-django-modeltranslation/django-modeltranslation-0.13.3/modeltranslation/models.py", line 75, in handle_translation_registrations autodiscover() File "/home/lamby/temp/cdt.20200517002452.CQB2y6IUfr.ags.lamby-debian-experimental.python3-django-modeltranslation/django-modeltranslation-0.13.3/modeltranslation/models.py", line 
14, in autodiscover from modeltranslation.translator import translator File "/home/lamby/temp/cdt.20200517002452.CQB2y6IUfr.ags.lamby-debian-experimental.python3-django-modeltranslation/django-modeltranslation-0.13.3/modeltranslation/translator.py", line 5, in from django.utils.six import with_metaclass ModuleNotFoundError: No module named 'django.utils.six' E: pybuild pybuild:352: test: plugin custom failed with: exit code=1: python3.8 ./runtests.py dh_auto_test: error: pybuild --test -i python{version} -p 3.8 returned exit code 13 make[1]: *** [debian/rules:13: override_dh_auto_test] Error 25 make[1]: Leaving directory '/home/lamby/temp/cdt.20200517002452.CQB2y6IUfr.ags.lamby-debian-experimental.python3-django-modeltranslation/django-modeltranslation-0.13.3' make: *** [debian/rules:6: build] Error 2 dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2 […] The full build log is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- django-modeltranslation.0.13.3-0.1.unstable.amd64.log.txt.gz Description: Binary data
[Python-modules-team] Bug#961162: django-fsm: FTBFS with Django 3.x
Source: django-fsm Version: 2.6.1-2 Severity: normal User: python-modules-t...@lists.alioth.debian.org Usertags: django-3.x Dear maintainer, The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully. Unfortunately, django-fsm fails to build. Please see: http://bugs.debian.org/960890 ... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs. […] Traceback (most recent call last): File "tests/manage.py", line 14, in execute_from_command_line(sys.argv) File "/usr/lib/python3/dist-packages/django/core/management/__init__.py", line 401, in execute_from_command_line utility.execute() File "/usr/lib/python3/dist-packages/django/core/management/__init__.py", line 377, in execute django.setup() File "/usr/lib/python3/dist-packages/django/__init__.py", line 24, in setup apps.populate(settings.INSTALLED_APPS) File "/usr/lib/python3/dist-packages/django/apps/registry.py", line 91, in populate app_config = AppConfig.create(entry) File "/usr/lib/python3/dist-packages/django/apps/config.py", line 90, in create module = import_module(entry) File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1014, in _gcd_import File "", line 991, in _find_and_load File "", line 975, in _find_and_load_unlocked File "", line 671, in _load_unlocked File "", line 783, in exec_module File "", line 219, in _call_with_frames_removed File "/home/lamby/temp/cdt.20200517001623.iiYoFCQhhs.ags.lamby-debian-experimental.python3-django-fsm/django-fsm-2.6.1/django_fsm/__init__.py", line 11, in from django.utils.functional import curry ImportError: cannot import name 'curry' from 'django.utils.functional' 
(/usr/lib/python3/dist-packages/django/utils/functional.py) E: pybuild pybuild:352: test: plugin custom failed with: exit code=1: python3.8 tests/manage.py dh_auto_test: error: pybuild --test -i python{version} -p 3.8 returned exit code 13 make[1]: *** [debian/rules:13: override_dh_auto_test] Error 25 make[1]: Leaving directory '/home/lamby/temp/cdt.20200517001623.iiYoFCQhhs.ags.lamby-debian-experimental.python3-django-fsm/django-fsm-2.6.1' make: *** [debian/rules:10: build] Error 2 dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2 […] The full build log is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- django-fsm.2.6.1-2.unstable.amd64.log.txt.gz Description: Binary data
[Python-modules-team] Bug#961160: django-model-utils: FTBFS with Django 3.x
Source: django-model-utils Version: 3.1.1-2 Severity: normal User: python-modules-t...@lists.alioth.debian.org Usertags: django-3.x Dear maintainer, The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully. Unfortunately, django-model-utils fails to build. Please see: http://bugs.debian.org/960890 ... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs. […] res = hook_impl.function(*args) File "/usr/lib/python3/dist-packages/pytest_django/plugin.py", line 335, in pytest_load_initial_conftests _setup_django() File "/usr/lib/python3/dist-packages/pytest_django/plugin.py", line 223, in _setup_django django.setup() File "/usr/lib/python3/dist-packages/django/__init__.py", line 24, in setup apps.populate(settings.INSTALLED_APPS) File "/usr/lib/python3/dist-packages/django/apps/registry.py", line 114, in populate app_config.import_models() File "/usr/lib/python3/dist-packages/django/apps/config.py", line 211, in import_models self.models_module = import_module(models_module_name) File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1014, in _gcd_import File "", line 991, in _find_and_load File "", line 975, in _find_and_load_unlocked File "", line 671, in _load_unlocked File "", line 783, in exec_module File "", line 219, in _call_with_frames_removed File "/home/lamby/temp/cdt.20200517002516.AVX64zAwRd.ags.lamby-debian-experimental.python3-django-model-utils/django-model-utils-3.1.1/model_utils/models.py", line 13, in from model_utils.managers import QueryManager, SoftDeletableManager File 
"/home/lamby/temp/cdt.20200517002516.AVX64zAwRd.ags.lamby-debian-experimental.python3-django-model-utils/django-model-utils-3.1.1/model_utils/managers.py", line 14, in from django.utils.six import string_types ModuleNotFoundError: No module named 'django.utils.six' E: pybuild pybuild:352: test: plugin custom failed with: exit code=1: python3.8 -m pytest -k 'not deferred' dh_auto_test: error: pybuild --test --test-pytest -i python{version} -p 3.8 --system=custom "--test-args={interpreter} -m pytest -k 'not deferred'" returned exit code 13 make[1]: *** [debian/rules:12: override_dh_auto_test] Error 25 make[1]: Leaving directory '/home/lamby/temp/cdt.20200517002516.AVX64zAwRd.ags.lamby-debian-experimental.python3-django-model-utils/django-model-utils-3.1.1' make: *** [debian/rules:7: build] Error 2 dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2 […] The full build log is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- django-model-utils.3.1.1-2.unstable.amd64.log.txt.gz Description: Binary data
[Python-modules-team] Bug#941072: kivy: please make the build reproducible
Hi Scott, > Looks like the attached patch is empty. Trying again... Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `- --- a/debian/patches/reproducible-build.patch 1970-01-01 01:00:00.0 +0100 --- b/debian/patches/reproducible-build.patch 2020-05-19 22:15:44.568617176 +0100 @@ -0,0 +1,26 @@ +Description: Make the build reproducible +Author: Chris Lamb +Last-Update: 2020-05-19 + +--- kivy-1.10.1.orig/setup.py kivy-1.10.1/setup.py +@@ -17,6 +17,7 @@ from os import walk, environ + from distutils.version import LooseVersion + from distutils.sysconfig import get_python_inc + from collections import OrderedDict ++import time + from time import sleep + from subprocess import check_output, CalledProcessError + from datetime import datetime +@@ -46,7 +47,10 @@ def get_description(): + + def get_version(filename='kivy/version.py'): + VERSION = kivy.__version__ +-DATE = datetime.utcnow().strftime('%Y%m%d') ++DATE = time.strftime( ++"%Y%m%d", ++time.gmtime(int(os.environ.get('SOURCE_DATE_EPOCH', time.time( ++) + try: + GIT_REVISION = check_output( + ['git', 'rev-parse', 'HEAD'] --- a/debian/patches/series 1970-01-01 01:00:00.0 +0100 --- b/debian/patches/series 2020-05-19 22:15:37.368528337 +0100 @@ -0,0 +1 @@ +reproducible-build.patch ___ Python-modules-team mailing list Python-modules-team@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
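Review bot: In the get_version() hunk of the embedded setup.py patch, the new DATE expression calls os.environ.get('SOURCE_DATE_EPOCH', ...), but the only os import visible in the first hunk's context is "from os import walk, environ", so unless setup.py also has a plain "import os" elsewhere this line raises NameError during the build. Using the name that is already imported, environ.get('SOURCE_DATE_EPOCH', time.time()), removes that dependency. The closing parentheses of the time.strftime(...) call also do not balance in the text as shown here, so the attached file is worth checking against what was actually tested.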
[Python-modules-team] Bug#961078: python-django-jsonfield: FTBFS with Django 3.x
Source: python-django-jsonfield Version: 1.1.0-2 Severity: normal User: python-modules-t...@lists.alioth.debian.org Usertags: django-3.x Dear maintainer, The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully. Unfortunately, python-django-jsonfield fails to build. Please see: http://bugs.debian.org/960890 ... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs. […] dh_auto_test -- --system=custom --test-args="{interpreter} debian/run_tests.py" I: pybuild base:217: python3.8 debian/run_tests.py Traceback (most recent call last): File "debian/run_tests.py", line 23, in django.setup() File "/usr/lib/python3/dist-packages/django/__init__.py", line 24, in setup apps.populate(settings.INSTALLED_APPS) File "/usr/lib/python3/dist-packages/django/apps/registry.py", line 91, in populate app_config = AppConfig.create(entry) File "/usr/lib/python3/dist-packages/django/apps/config.py", line 90, in create module = import_module(entry) File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1014, in _gcd_import File "", line 991, in _find_and_load File "", line 975, in _find_and_load_unlocked File "", line 671, in _load_unlocked File "", line 783, in exec_module File "", line 219, in _call_with_frames_removed File "/home/lamby/temp/cdt.20200517002210.n7i3i8p1o1.ags.lamby-debian-experimental.python3-django-jsonfield/python-django-jsonfield-1.1.0/jsonfield/__init__.py", line 3, in from .fields import JSONField File "/home/lamby/temp/cdt.20200517002210.n7i3i8p1o1.ags.lamby-debian-experimental.python3-django-jsonfield/python-django-jsonfield-1.1.0/jsonfield/fields.py", line 10, in from django.utils import six 
ImportError: cannot import name 'six' from 'django.utils' (/usr/lib/python3/dist-packages/django/utils/__init__.py) E: pybuild pybuild:352: test: plugin custom failed with: exit code=1: python3.8 debian/run_tests.py dh_auto_test: error: pybuild --test -i python{version} -p 3.8 --system=custom "--test-args={interpreter} debian/run_tests.py" returned exit code 13 make[1]: *** [debian/rules:10: override_dh_auto_test] Error 25 make[1]: Leaving directory '/home/lamby/temp/cdt.20200517002210.n7i3i8p1o1.ags.lamby-debian-experimental.python3-django-jsonfield/python-django-jsonfield-1.1.0' make: *** [debian/rules:6: build] Error 2 dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2 […] The full build log is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- python-django-jsonfield.1.1.0-2.unstable.amd64.log.txt.gz Description: Binary data
[Python-modules-team] Bug#961079: python-django-contact-form: FTBFS with Django 3.x
Source: python-django-contact-form Version: 1.4.2-3 Severity: normal User: python-modules-t...@lists.alioth.debian.org Usertags: django-3.x Dear maintainer, The version of Django experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully. Unfortunately, python-django-contact-form fails to build. Please see: http://bugs.debian.org/960890 ... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs. […] == ERROR: contact_form.tests.test_forms (unittest.loader._FailedTest) -- ImportError: Failed to import test module: contact_form.tests.test_forms Traceback (most recent call last): File "/usr/lib/python3.8/unittest/loader.py", line 436, in _find_test_path module = self._get_module_from_name(name) File "/usr/lib/python3.8/unittest/loader.py", line 377, in _get_module_from_name __import__(name) File "/home/lamby/temp/cdt.20200517000949.P3c9Eukd7z.ags.lamby-debian-experimental.python3-django-contact-form/python-django-contact-form-1.4.2/contact_form/tests/test_forms.py", line 7, in from django.utils.six import text_type ModuleNotFoundError: No module named 'django.utils.six' […] The full build log is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- python-django-contact-form.1.4.2-3.unstable.amd64.log.txt.gz Description: Binary data
[Python-modules-team] Bug#961072: django-pipeline: FTBFS with Django 3.x
Source: django-pipeline
Version: 1.6.14-3
Severity: normal
User: python-modules-t...@lists.alioth.debian.org
Usertags: django-3.x

Dear maintainer,

The version of Django in experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully.

Unfortunately, django-pipeline fails to build. Please see:

  http://bugs.debian.org/960890

... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs.

[…]

  File "/home/lamby/temp/cdt.20200517002930.qfTgNFYgSV.ags.lamby-debian-experimental.python3-django-pipeline/django-pipeline-1.6.14/tests/tests/__init__.py", line 10, in
    from .test_collector import *
  File "/home/lamby/temp/cdt.20200517002930.qfTgNFYgSV.ags.lamby-debian-experimental.python3-django-pipeline/django-pipeline-1.6.14/tests/tests/test_collector.py", line 9, in
    from pipeline.collector import default_collector
  File "/home/lamby/temp/cdt.20200517002930.qfTgNFYgSV.ags.lamby-debian-experimental.python3-django-pipeline/django-pipeline-1.6.14/pipeline/collector.py", line 10, in
    from django.utils import six
ImportError: cannot import name 'six' from 'django.utils' (/usr/lib/python3/dist-packages/django/utils/__init__.py)
make[1]: *** [debian/rules:25: override_dh_auto_test] Error 1

[…]

The full build log is attached.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

django-pipeline.1.6.14-3.unstable.amd64.log.txt.gz
Description: Binary data

[Python-modules-team] Bug#961069: python-django-csp: FTBFS with Django 3.x
Source: python-django-csp
Version: 3.5-2
Severity: normal
User: python-modules-t...@lists.alioth.debian.org
Usertags: django-3.x

Dear maintainer,

The version of Django in experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully.

Unfortunately, python-django-csp fails to build. Please see:

  http://bugs.debian.org/960890

... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs.

[…]

    from csp.middleware import CSPMiddleware
csp/middleware.py:8: in
    from django.utils.six.moves import http_client
ModuleNotFoundError: No module named 'django.utils.six'

[…]

The full build log is attached.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

python-django-csp.3.5-2.unstable.amd64.log.txt.gz
Description: Binary data

[Python-modules-team] Bug#961068: django-cors-headers: FTBFS with Django 3.x
Source: django-cors-headers
Version: 2.2.0-2
Severity: normal
User: python-modules-t...@lists.alioth.debian.org
Usertags: django-3.x

Dear maintainer,

The version of Django in experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully.

Unfortunately, django-cors-headers fails to build. Please see:

  http://bugs.debian.org/960890

... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs.

[…]

  File "/home/lamby/temp/cdt.20200517001005.hCPuKuLGMF.ags.lamby-debian-experimental.python3-django-cors-headers/django-cors-headers-2.2.0/corsheaders/__init__.py", line 1, in
    from .checks import check_settings # noqa: F401
  File "/home/lamby/temp/cdt.20200517001005.hCPuKuLGMF.ags.lamby-debian-experimental.python3-django-cors-headers/django-cors-headers-2.2.0/corsheaders/checks.py", line 8, in
    from django.utils import six
ImportError: cannot import name 'six' from 'django.utils' (/usr/lib/python3/dist-packages/django/utils/__init__.py)
E: pybuild pybuild:352: test: plugin custom failed with: exit code=1: python3.8 /home/lamby/temp/cdt.20200517001005.hCPuKuLGMF.ags.lamby-debian-experimental.python3-django-cors-headers/django-cors-headers-2.2.0/runtests.py
dh_auto_test: error: pybuild --test --test-pytest -i python{version} -p 3.8 returned exit code 13
make[1]: *** [debian/rules:8: override_dh_auto_test] Error 25
make[1]: Leaving directory '/home/lamby/temp/cdt.20200517001005.hCPuKuLGMF.ags.lamby-debian-experimental.python3-django-cors-headers/django-cors-headers-2.2.0'
make: *** [debian/rules:5: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2

[…]

The full build log is attached.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

django-cors-headers.2.2.0-2.unstable.amd64.log.txt.gz
Description: Binary data

[Python-modules-team] Bug#961066: django-simple-captcha: FTBFS with Django 3.x
Source: django-simple-captcha
Version: 0.5.6-2
Severity: normal
User: python-modules-t...@lists.alioth.debian.org
Usertags: django-3.x

Dear maintainer,

The version of Django in experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully.

Unfortunately, django-simple-captcha fails to build. Please see:

  http://bugs.debian.org/960890

... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs.

[…]

  File "/home/lamby/temp/cdt.20200517000701.TQD1OjvFwP.ags.lamby-debian-experimental.python3-django-captcha/django-simple-captcha-0.5.6/captcha/models.py", line 4, in
    from django.utils.encoding import python_2_unicode_compatible
ImportError: cannot import name 'python_2_unicode_compatible' from 'django.utils.encoding' (/usr/lib/python3/dist-packages/django/utils/encoding.py)

[…]

The full build log is attached.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

django-simple-captcha.0.5.6-2.unstable.amd64.log.txt.gz
Description: Binary data

[Python-modules-team] Bug#961067: django-cas-server: FTBFS with Django 3.x
Source: django-cas-server
Version: 1.1.0-1
Severity: normal
User: python-modules-t...@lists.alioth.debian.org
Usertags: django-3.x

Dear maintainer,

The version of Django in experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully.

Unfortunately, django-cas-server fails to build. Please see:

  http://bugs.debian.org/960890

... for more information. Please use this bug report for queries or questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs.

[…]

  File "/home/lamby/temp/cdt.20200517000724.7gVoqaidEn.ags.lamby-debian-experimental.python3-django-cas-server/django-cas-server-1.1.0/cas_server/models.py", line 20, in
    from django.utils.encoding import python_2_unicode_compatible
ImportError: cannot import name 'python_2_unicode_compatible' from 'django.utils.encoding' (/usr/lib/python3/dist-packages/django/utils/encoding.py)

[…]

The full build log is attached.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

django-cas-server.1.1.0-1.unstable.amd64.log.txt.gz
Description: Binary data

[Python-modules-team] Bug#961065: sorl-thumbnail: FTBFS with Django 3.x
Source: sorl-thumbnail
Version: 12.5.0-2
Severity: normal
User: python-modules-t...@lists.alioth.debian.org
Usertags: django-3.x
Tags: fbtfs

Dear maintainer,

The version of Django in experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully.

However, sorl-thumbnail fails to build. Please see:

  http://bugs.debian.org/960890

... for more information. Please do use this bug report for all queries/questions regarding Django 3.x that are not specific to this particular package in order to reduce duplicated work across all of the bugs.

[…]

  File "«builddir»/sorl-thumbnail-12.5.0/sorl/thumbnail/models.py", line 2, in
    from django.utils.encoding import python_2_unicode_compatible
ImportError: cannot import name 'python_2_unicode_compatible' from 'django.utils.encoding' (/usr/lib/python3/dist-packages/django/utils/encoding.py)

[…]

The full build log is attached.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

sorl-thumbnail.12.5.0-2.unstable.amd64.log.txt.gz
Description: Binary data

[Python-modules-team] Bug#960890: python-django: New upstream 3.x release
Hi Raphael,

> > This is a bug to track the progress of uploading Django 3.x to
> > unstable.
>
> Hum, this is a long term goal right? Because the next LTS in 3.x
> is 3.2 and upstream has not yet released 3.1 and we will get 3.2
> only in 2021 AFAIK.

Yes, this is a long-term goal. However, it would be nice for people to be able to elect to install 3.x from experimental, as well as to get started on the various small updates on the many leaf packages.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-

[Python-modules-team] Bug#960890: python-django: New upstream 3.x release
Package: python-django
Version: 2:2.2.12-1
Severity: wishlist
User: python-modules-t...@lists.alioth.debian.org
Usertags: django-3.x

Hi,

This is a bug to track the progress of uploading Django 3.x to unstable. There are a number of breaking changes (mostly removing deprecated features) so this cannot simply be uploaded as it will break too many packages.

The version in experimental is currently 3.0.6-1. I have built the 153 reverse-dependencies in unstable against this version and 114 of these build & pass their testsuite successfully.

However the following packages fail. My next step is to investigate and file bugs against them if relevant. I intend to usertag them so that they will appear here:

  https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=django-3.x;users=python-modules-t...@lists.alioth.debian.org

I cannot blindly file these bugs as some of them might FTBFS in any case. Worse, some of them are due to other packages, eg. src:celery-haystack and src:hyperkitty FTBFS due to haystack. I will try and catch most of these, but I am only human so please do reassign and mark them as "affects".

§

Brian May
   django-filter

Debian Mailman Team
   hyperkitty

Debian OpenStack
   horizon
   ironic-ui
   manila-ui
   mistral-dashboard
   murano-dashboard
   octavia-dashboard
   python-django-pyscss
   sahara-dashboard
   senlin-dashboard
   trove-dashboard
   zaqar-ui

Debian Python Modules Team
   celery-haystack
   django-auth-ldap
   django-cas-server
   django-cors-headers
   django-dirtyfields
   django-fsm
   django-model-utils
   django-modeltranslation
   django-oauth-toolkit
   django-pipeline
   django-simple-captcha
   djangorestframework
   libthumbor
   python-django-contact-form
   python-django-csp
   python-django-extensions
   python-django-imagekit
   python-django-jsonfield
   python-django-modelcluster
   python-django-mptt
   python-django-navtag
   python-django-storages
   python-django-tagging
   sorl-thumbnail

FreedomBox packaging team
   plinth

Michal Čihař
   django-taggit

Stephan Sürken
   mini-buildd

§

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

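The import failures quoted in the individual FTBFS reports can be found in a source tree before a build is attempted. The following is an added example, not part of the original thread or of any package's code: it uses Python's ast module to flag the imports these logs show failing under Django 3.0.6, and marks those already wrapped in a try/except fallback. The sample source and the name find_removed_imports are constructed for illustration.

```python
import ast

# Import targets that the build logs in these reports show failing under
# Django 3.0.6. Only names that appear in the thread are listed.
REMOVED_MODULE = "django.utils.six"
REMOVED_NAMES = {
    ("django.utils", "six"),
    ("django.utils.encoding", "python_2_unicode_compatible"),
}
IMPORT_ERRORS = {"ImportError", "ModuleNotFoundError", "Exception", "BaseException"}


def _is_removed_module(name):
    return name == REMOVED_MODULE or name.startswith(REMOVED_MODULE + ".")


def _catches_import_error(handler):
    """True if an except clause would swallow a failed import."""
    if handler.type is None:  # bare "except:"
        return True
    types = handler.type.elts if isinstance(handler.type, ast.Tuple) else [handler.type]
    return any(isinstance(t, ast.Name) and t.id in IMPORT_ERRORS for t in types)


class _Scanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []
        self._guard_depth = 0

    def visit_Try(self, node):
        # Only the "try" body is protected by the handlers, so the guard is
        # dropped again before the handlers, else and finally parts are visited.
        guarded = any(_catches_import_error(h) for h in node.handlers)
        self._guard_depth += guarded
        for child in node.body:
            self.visit(child)
        self._guard_depth -= guarded
        for child in node.handlers + node.orelse + node.finalbody:
            self.visit(child)

    def _record(self, node, text):
        self.findings.append((node.lineno, text, self._guard_depth > 0))

    def visit_ImportFrom(self, node):
        if node.level or not node.module:  # relative import, not Django's
            return
        if _is_removed_module(node.module):
            names = ", ".join(alias.name for alias in node.names)
            self._record(node, f"from {node.module} import {names}")
            return
        for alias in node.names:
            if (node.module, alias.name) in REMOVED_NAMES:
                self._record(node, f"from {node.module} import {alias.name}")

    def visit_Import(self, node):
        for alias in node.names:
            if _is_removed_module(alias.name):
                self._record(node, f"import {alias.name}")


def find_removed_imports(source, filename="<constructed>"):
    """Return sorted (line, import text, guarded) tuples for one source file."""
    scanner = _Scanner()
    scanner.visit(ast.parse(source, filename))
    return sorted(scanner.findings)


# Constructed sample modelled on the import lines quoted in the build logs.
SAMPLE = '''\
from django.db import models
from django.utils import six
from django.utils.six.moves import http_client
from django.utils.encoding import force_str, python_2_unicode_compatible
try:
    from django.utils.six import text_type
except ImportError:
    text_type = str
'''

if __name__ == "__main__":
    for lineno, text, guarded in find_removed_imports(SAMPLE):
        status = "guarded by try/except" if guarded else "will fail at import time"
        print(f"line {lineno}: {text} ({status})")
```

Unguarded findings correspond to the ImportError and ModuleNotFoundError tracebacks in the reports; guarded ones still deserve a look, since the fallback branch is what will run under Django 3.x.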
[Python-modules-team] Bug#958848: [Pkg-privacy-maintainers] Bug#958848: pytest (build-)depends on pypy-funcsigs which the maintainer would like to get rid of.
Hi Peter,

> vanguards on the other hand is an application which I assume relies on
> pytest for its testsuite.
>
> So I guess the question is whether it is worth keeping this pile of
> pypy modules around to support the testsuite of one application?

I believe the following patch to src:vanguards can be used to use the Python 3.x testsuite instead:

--- a/debian/control +++ b/debian/control @@ -8,8 +8,9 @@ Build-Depends: debhelper (>= 11), dh-python, pypy, pypy-setuptools, + python3-pytest , + python3-stem , pypy-stem (>= 1.6.0-3.1), - pypy-pytest, pypy-ipaddress Standards-Version: 4.1.5 Vcs-Browser: https://salsa.debian.org/pkg-privacy-team/vanguards --- a/debian/rules +++ b/debian/rules @@ -5,3 +5,6 @@ override_dh_installsystemd: dh_installsystemd --no-enable --no-start + +override_dh_auto_test: + dh_auto_test -- --system=custom --test-args='cd {build_dir}; python3 -m pytest $(CURDIR)/tests'

… but I'm not sure the "python3" in the dh_auto_test line is right. "{interpreter}" there is replaced with pypy). This also assumes that running PyPy at runtime will have identical behaviour as Python 3.x.

Enjoy...

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-

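Review bot: In the debian/rules hunk the override hardcodes `python3 -m pytest`, while the debian/control hunk keeps pypy, pypy-setuptools, pypy-stem and pypy-ipaddress in Build-Depends, so the tests would run under a different interpreter from the one the package is built for. If that is intended, a comment above override_dh_auto_test should say so; it is also worth checking whether python3-stem needs the same (>= 1.6.0-3.1) constraint that pypy-stem carries.
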
[Python-modules-team] Bug#953950: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie (security) is broken
Chris Lamb wrote:

> I will take charge of fixing this in jessie with the utmost urgency.

I have just uploaded 14.0.2-3+deb8u2 and DLA-2145-2 will be announced after sending this email.

Thank you again for raising this issue.

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-

[Python-modules-team] Bug#953950: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie (security) is broken
Hi all,

> Please, can you […] revert this patch and re-publish the working (but
> security flawed) 14.0.2-3 twisted version ?

I will take charge of fixing this in jessie with the utmost urgency.

Thank you for raising this issue.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-

[Python-modules-team] Bug#952555: azure-uamqp-python: please make the build reproducible
Hi Luca,

> I've set reproducible=+fixfilepath as suggested on
> https://reproducible-builds.org/docs/build-path/ and it seems to fix
> the issue. I'll upload shortly.

Neat. Not at all a request that you revert this but there is some irony in that the note on tests.reproducible-builds.org says:

  If/when this is accepted, this issue should be fixed for all packages and you should not need to fix it specifically in your package.

(I am not sure of the next action with respect to getting this all the way into the Debian toolchain, but just an entirely-general comment that it would be a shame that individual maintainers need to add/test the introduction of +fixfilepath everywhere.)

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-

[Python-modules-team] Bug#950138: pikepdf: please make the build reproducible
forwarded 950138 https://github.com/pikepdf/pikepdf/pull/76
thanks

I've forwarded this upstream here:

  https://github.com/pikepdf/pikepdf/pull/76

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

[Python-modules-team] Bug#950138: pikepdf: please make the build reproducible
Source: pikepdf
Version: 1.10.0+dfsg-1
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: randomness filesystem
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

Hi,

Whilst working on the Reproducible Builds effort [0] we noticed that pikepdf could not be built reproducibly.

This was due to two reasons:

a) The documentation included tutorial/walkthrough-like output like so: … where the 0x7F04BAC72B90 part is non-deterministic and thus varies between builds.

b) The .cpp input files were compiled/linked in an order that was determined by their layout on the filesystem which is, at least in UNIX systems, non-deterministic.

Patch attached that addresses both these issues.

[0] https://reproducible-builds.org/

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

--- a/debian/patches/reproducible-build.patch 1970-01-01 01:00:00.0 +0100 --- b/debian/patches/reproducible-build.patch 2020-01-29 11:33:20.626556034 +0100 @@ -0,0 +1,37 @@ +Description: Make the build reproducible +Author: Chris Lamb +Last-Update: 2020-01-29 + +--- pikepdf-1.10.0+dfsg.orig/docs/topics/images.rst pikepdf-1.10.0+dfsg/docs/topics/images.rst +@@ -36,7 +36,7 @@ dictionaries. + + In [1]: pdfimage = PdfImage(rawimage) + +-In [1]: pdfimage ++In [1]: type(pdfimage) + + In Jupyter (or IPython with a suitable backend) the image will be + displayed. +@@ -84,7 +84,7 @@ You can also retrieve the image as a Pil + + .. ipython:: + +-In [1]: pdfimage.as_pil_image() ++In [1]: type(pdfimage.as_pil_image()) + + Another way to view the image is using Pillow's ``Image.show()`` method. + +--- pikepdf-1.10.0+dfsg.orig/setup.py pikepdf-1.10.0+dfsg/setup.py +@@ -42,8 +42,8 @@ if 'bsd' in sys.platform: + ext_modules = [ + Extension( + 'pikepdf._qpdf', +-glob('src/qpdf/*.cpp'), +-depends=glob('src/qpdf/*.h'), ++sorted(glob('src/qpdf/*.cpp')), ++depends=sorted(glob('src/qpdf/*.h')), + include_dirs=[ + # Path to pybind11 headers + get_pybind_include(), 
--- a/debian/patches/series 2020-01-29 11:09:31.619837542 +0100 --- b/debian/patches/series 2020-01-29 11:19:45.147172680 +0100 @@ -3,3 +3,4 @@ disable-test_docinfo_problems.patch drop-pybind11-from-setup.py.patch disable-test_icc_extract.patch +reproducible-build.patch

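Review bot: In the docs/topics/images.rst hunks, changing `In [1]: pdfimage` to `In [1]: type(pdfimage)` removes the varying address but leaves the following context sentence, "In Jupyter (or IPython with a suitable backend) the image will be displayed", describing an expression that now evaluates to a type rather than an image. The same applies to `type(pdfimage.as_pil_image())`; the surrounding prose should be adjusted with the change, or the cell's output suppressed instead of changing the expression. The `sorted(glob(...))` change in the setup.py hunk looks right for both the sources and the `depends=` list.
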
[Python-modules-team] Bug#948279: python-gmusicapi: please make the build reproducible
Source: python-gmusicapi
Version: 12.1.1-1
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: buildpath
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

Hi,

Whilst working on the Reproducible Builds effort [0] we noticed that python-gmusicapi could not be built reproducibly.

This is because the documentation embedded the build user's home directory (via the XDG config directory).

Patch attached.

[0] https://reproducible-builds.org/

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

--- a/debian/patches/0001-reproducible-build.patch 1970-01-01 01:00:00.0 +0100 --- b/debian/patches/0001-reproducible-build.patch 2020-01-06 11:17:34.809013127 + 
@@ -0,0 +1,44 @@ +Description: Make the build reproducible +Author: Chris Lamb +Last-Update: 2020-01-06 + +--- python-gmusicapi-12.1.1.orig/gmusicapi/clients/mobileclient.py python-gmusicapi-12.1.1/gmusicapi/clients/mobileclient.py +@@ -150,7 +150,7 @@ class Mobileclient(_OAuthClient): + + return True + +-def oauth_login(self, device_id, oauth_credentials=OAUTH_FILEPATH, locale='en_US'): ++def oauth_login(self, device_id, oauth_credentials=None, locale='en_US'): + """Authenticates the mobileclient with pre-existing OAuth credentials. + Returns ``True`` on success, ``False`` on failure. + +@@ -178,6 +178,8 @@ class Mobileclient(_OAuthClient): + used to localize certain responses. This must be a locale supported + by Android. Defaults to ``'en_US'``. + """ ++if oauth_credentials is None: ++oauth_credentials = OAUTH_FILEPATH + self._authtype = 'oauth' + session_login = partial(self._oauth_login, oauth_credentials) + return self._login(session_login, device_id, locale) +--- python-gmusicapi-12.1.1.orig/gmusicapi/clients/musicmanager.py python-gmusicapi-12.1.1/gmusicapi/clients/musicmanager.py +@@ -52,7 +52,7 @@ class Musicmanager(_OAuthClient): +validate, +verify_ssl) + +-def login(self, oauth_credentials=OAUTH_FILEPATH, ++def login(self, oauth_credentials=None, + uploader_id=None, uploader_name=None): + """Authenticates the Music Manager using OAuth. + Returns ``True`` on success, ``False`` on failure. +@@ -103,6 +103,8 @@ class Musicmanager(_OAuthClient): + have been limits on deauthorizing devices in the past, so it's smart not to register + more devices than necessary. + """ ++if oauth_credentals is None: ++oauth_credentials = OAUTH_FILEPATH + + return (self._oauth_login(oauth_credentials) and + self._perform_upauth(uploader_id, uploader_name)) --- a/debian/patches/series 1970-01-01 01:00:00.0 +0100 --- b/debian/patches/series 2020-01-06 10:57:46.725512965 + 
@@ -0,0 +1 @@ +0001-reproducible-build.patch

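Review bot: In the musicmanager.py hunk the added check reads `if oauth_credentals is None:`, which misspells the parameter `oauth_credentials`; that name is undefined inside login(), so the call would raise NameError instead of falling back to OAUTH_FILEPATH. It should match the mobileclient.py hunk, `if oauth_credentials is None:`. Since both signatures now default to None, the docstrings should also state that None means OAUTH_FILEPATH.
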
Re: [Python-modules-team] Bug#943509: python-django: FTBFS due to failed tests: failures=7, skipped=891, expected failures=4
Hi László,

> File "/<>/tests/admin_inlines/tests.py", line 1, in
> from selenium.common.exceptions import NoSuchElementException
> ModuleNotFoundError: No module named 'selenium'
>
> Are you going to upload it fixed to Sid?

Thanks for uploading sqlite. This exception was already fixed in #947549…

> Happy New Year!

… you too. :)

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-

Re: [Python-modules-team] Bug#943509: python-django: FTBFS due to failed tests: failures=7, skipped=891, expected failures=4
Hi Paul,

> @python-django maintainers what does this mean for the functionality of
> python-django in bullseye? Is it "only" the test that fails and can that
> thus be temporarily disabled?

I would be amenable to disabling the test in python-django if a response or fix in sqlite3 is not forthcoming within a few days.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-

[Python-modules-team] Bug#946937: python-django: CVE-2019-19844: Potential account hijack via password reset form
Package: python-django
Version: 1:1.10.7-2+deb9u6
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2019-19844[0][1]: Potential account hijack via password reset form

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19844
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844
[1] https://www.djangoproject.com/weblog/2019/dec/18/security-releases/

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

[Python-modules-team] Bug#946011: python-django: CVE-2019-19118
Dear Salvatore,

> > Security team, would you like an upload for stable?
>
> As far as I can see this issue has been introduced around 2.1 where the
> search support for view permissions and a read-only admin support was
> added.

[…]

Upon further inspection that is my reading too. I was being overly-cautious in assuming that it was vulnerable without doing any checking first, thus leading to this noise (for which I apologise).

I have updated data/dla-needed.txt and data/CVE/list to match.

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-

[Python-modules-team] Bug#946011: python-django: CVE-2019-19118
Chris Lamb wrote:

> Package: python-django
> Version: 1.7.11-1+deb8u7

[…]

> CVE-2019-19118[0]:
> | Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
> | editing. A Django model admin displaying inline related models, where
> | the user has view-only permissions to a parent model but edit
> | permissions to the inline model, would be presented with an editing
> | UI, allowing POST requests, for updating the inline model. Directly
> | editing the view-only parent model was not possible, but the parent
> | model's save() method was called, triggering potential side effects,
> | and causing pre and post-save signal handlers to be invoked. (To
> | resolve this, the Django admin is adjusted to require edit permissions
> | on the parent model in order for inline models to be editable.)

Security team, would you like an upload for stable?

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-

[Python-modules-team] Bug#946011: python-django: CVE-2019-19118
Package: python-django
Version: 1.7.11-1+deb8u7
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2019-19118[0]:
| Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
| editing. A Django model admin displaying inline related models, where
| the user has view-only permissions to a parent model but edit
| permissions to the inline model, would be presented with an editing
| UI, allowing POST requests, for updating the inline model. Directly
| editing the view-only parent model was not possible, but the parent
| model's save() method was called, triggering potential side effects,
| and causing pre and post-save signal handlers to be invoked. (To
| resolve this, the Django admin is adjusted to require edit permissions
| on the parent model in order for inline models to be editable.)

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19118
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19118

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

[Python-modules-team] Bug#944782: python-sybil: please make the build reproducible
forwarded 944782 https://github.com/cjw296/sybil/pull/18
thanks

I've forwarded this upstream here:

  https://github.com/cjw296/sybil/pull/18

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

[Python-modules-team] Bug#944782: python-sybil: please make the build reproducible
Source: python-sybil
Version: 1.2.0-1
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: timestamps
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

Hi,

Whilst working on the Reproducible Builds effort [0] we noticed that python-sybil could not be built reproducibly.

This is because it used the current build year in the documentation. Patch attached that uses SOURCE_DATE_EPOCH [1] instead.

[0] https://reproducible-builds.org/
[1] https://reproducible-builds.org/specs/source-date-epoch/

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

--- a/debian/patches/0002-Reproducible-build.patch 1970-01-01 01:00:00.0 +0100 --- b/debian/patches/0002-Reproducible-build.patch 2019-11-15 10:31:54.016310434 + @@ -0,0 +1,23 @@ +Description: Make the build reproducible +Author: Chris Lamb +Last-Update: 2019-11-15 + +--- python-sybil-1.2.0.orig/docs/conf.py python-sybil-1.2.0/docs/conf.py +@@ -1,5 +1,5 @@ + # -*- coding: utf-8 -*- +-import os, pkg_resources, datetime, sys ++import os, pkg_resources, datetime, sys, time + + on_rtd = os.environ.get('READTHEDOCS', None) == 'True' + +@@ -28,7 +28,8 @@ extensions = [ + source_suffix = '.rst' + master_doc = 'index' + project = 'sybil' +-copyright = '2017 - %s Chris Withers' % datetime.datetime.now().year ++build_date = datetime.datetime.utcfromtimestamp(int(os.environ.get('SOURCE_DATE_EPOCH', time.time( ++copyright = '2017 - %s Chris Withers' % build_date.year + version = release = pkg_resources.get_distribution(project).version + exclude_patterns = [ + 'description.rst', --- a/debian/patches/series 2019-11-15 10:29:22.334203532 + --- b/debian/patches/series 2019-11-15 10:31:52.264279198 + @@ -1 +1,2 @@ 0001-Use-local-intersphinx-files.patch +0002-Reproducible-build.patch

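Review bot: In the docs/conf.py hunk the added `build_date = ...` line ends at `time.time(` as it appears here, leaving the calls to time.time, os.environ.get, int and utcfromtimestamp unclosed; the patch as applied needs all four closing parentheses or conf.py will not parse. The fallback to time.time() when SOURCE_DATE_EPOCH is unset keeps the old behaviour for ordinary builds, which is worth a one-line comment next to build_date.
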
[Python-modules-team] Bug#943320: python3-pluggy: missing dependency on python3-importlib-metadata
Package: python3-pluggy
Version: 0.13.0-1
Severity: serious
X-Debbugs-CC: rb-gene...@lists.reproducible-builds.org

Hi,

The python3-pluggy binary package appears to be missing a dependency on python3-importlib-metadata:

I: pybuild base:217: cd /tmp/buildd/diffoscope-127/.pybuild/cpython3_3.7/build; python3.7 -m pytest -vv -r sxX -l --cov=diffoscope --cov-report=term-missing --cov-report=html
Traceback (most recent call last):
  File "/usr/lib/python3.7/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib/python3.7/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3/dist-packages/pytest.py", line 8, in
    from _pytest.assertion import register_assert_rewrite
  File "/usr/lib/python3/dist-packages/_pytest/assertion/__init__.py", line 13, in
    from _pytest.assertion import rewrite
  File "/usr/lib/python3/dist-packages/_pytest/assertion/rewrite.py", line 24, in
    from _pytest.assertion import util
  File "/usr/lib/python3/dist-packages/_pytest/assertion/util.py", line 11, in
    import _pytest._code
  File "/usr/lib/python3/dist-packages/_pytest/_code/__init__.py", line 7, in
    from .code import Code # noqa
  File "/usr/lib/python3/dist-packages/_pytest/_code/code.py", line 15, in
    import pluggy
  File "/usr/lib/python3/dist-packages/pluggy/__init__.py", line 16, in
    from .manager import PluginManager, PluginValidationError
  File "/usr/lib/python3/dist-packages/pluggy/manager.py", line 11, in
    import importlib_metadata
ModuleNotFoundError: No module named 'importlib_metadata'

This appears to be a regression from 0.12.0-1 (which has this dependency).

Discovered when trying to release diffoscope on behalf of the Reproducible Builds[0] effort hence the X-Debbugs-CC, but likely affects other packages.

[0] https://reproducible-builds.org/

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

[Python-modules-team] Bug#942342: traitlets: please make the output reproducible
Chris Lamb wrote: > Patch attached. Let's try that again: --- a/traitlets/traitlets.py +++ b/traitlets/traitlets.py @@ -2366,6 +2366,10 @@ class Set(List): """ super(Set, self).__init__(trait, default_value, minlen, maxlen, **kwargs) +def make_dynamic_default(self): +# Ensure default value is sorted for a reproducible build +return sorted(super(Set, self).make_dynamic_default()) + class Tuple(Container): """An instance of a Python tuple.""" Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
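Review bot: The new `make_dynamic_default()` in the `Set` hunk returns `sorted(...)`, which is always a list, so whatever the parent method returns, callers of this override now get a list, and under Python 3 the call raises TypeError when the default holds elements that cannot be ordered against each other. Sorting only at the point where the "Default:" help string is rendered would give the same reproducible output without touching the trait's default value; if the override stays, a test with a mixed-type default would document the intended behaviour. As quoted here the added `def` has also lost its indentation, so check that it lands inside `class Set` in the applied version.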
[Python-modules-team] Bug#942342: traitlets: please make the output reproducible
forwarded 942342 https://github.com/ipython/traitlets/pull/535 thanks I've forwarded this upstream here: https://github.com/ipython/traitlets/pull/535 Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
[Python-modules-team] Bug#942342: traitlets: please make the output reproducible
Source: traitlets Version: 4.3.3-1 Severity: wishlist Tags: patch User: reproducible-bui...@lists.alioth.debian.org Usertags: randomness toolchian X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org Hi, Whilst working on the Reproducible Builds effort [0] we noticed that traitlets generates non-reproducible output which is affecting the reproducibility of other packages. For example, in nbconvert: -Default: […] {'image/jpeg', 'image/svg+xml', 'ap plication/pdf', +Default: {'image/svg+xml', 'application/pdf', (From https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/nbconvert.html on 20191014) This is due to it not iterating over a Set traitlet type in a deterministic ordering when generating the "Default:" human-readable string. Patch attached. [0] https://reproducible-builds.org/ Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
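Added example, not part of the original report and not traitlets code: it renders a "Default:" line from a set of strings in several interpreter runs that differ only in PYTHONHASHSEED, once straight from set iteration and once from a sorted copy. The helper names and the last three MIME types are assumptions made for the illustration.

```python
import os
import subprocess
import sys

# Constructed sample: the first three values appear in the nbconvert diff
# quoted in the report; the other three are made up to enlarge the set.
MIME_TYPES = [
    "image/jpeg", "image/svg+xml", "application/pdf",
    "image/png", "text/html", "text/latex",
]

# Child program run in a fresh interpreter. String hashing is seeded per
# process, so set iteration order has to be observed across processes.
CHILD = """
import sys
mode, values = sys.argv[1], set(sys.argv[2:])
shown = sorted(values) if mode == "sorted" else list(values)
print("Default: " + ", ".join(shown))
"""


def render_default(seed, mode):
    """Render the help line in a child interpreter with a fixed hash seed."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    result = subprocess.run(
        [sys.executable, "-c", CHILD, mode, *MIME_TYPES],
        env=env, capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def distinct_renderings(mode, seeds=range(1, 13)):
    """Set of different help lines seen across the given hash seeds."""
    return {render_default(seed, mode) for seed in seeds}


if __name__ == "__main__":
    for mode in ("unsorted", "sorted"):
        lines = distinct_renderings(mode)
        print("%s: %d distinct rendering(s)" % (mode, len(lines)))
        for line in sorted(lines):
            print("   ", line)
```

A build that embeds the unsorted line in generated documentation differs from run to run; the sorted line is identical for every seed.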
[Python-modules-team] Bug#941072: kivy: please make the build reproducible
Source: kivy Version: 1.10.1-1 Severity: wishlist Tags: patch User: reproducible-bui...@lists.alioth.debian.org Usertags: timestamps X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org Hi, Whilst working on the Reproducible Builds effort [0] we noticed that kivy could not be built reproducibly. This is because it generated a version.py file that contains the current build date. A patch is attached that uses SOURCE_DATE_EPOCH [1]. [0] https://reproducible-builds.org/ [1] https://reproducible-builds.org/specs/source-date-epoch/ Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
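Added example, not the attached patch and not kivy's code: one way a build step can stamp a generated version.py from SOURCE_DATE_EPOCH, falling back to the clock only when the variable is unset and rejecting malformed values. The function names, the `__build_date__` field and the date format are assumptions for the illustration.

```python
import os
import re
import time
from datetime import datetime, timezone


def build_timestamp(environ=None):
    """Seconds since the epoch to stamp into build output.

    Uses SOURCE_DATE_EPOCH when it is set; only an unset variable falls
    back to the current time. A malformed value is an error rather than a
    silent fallback, so a broken environment cannot reintroduce "now".
    """
    environ = os.environ if environ is None else environ
    raw = environ.get("SOURCE_DATE_EPOCH")
    if raw is None:
        return int(time.time())
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("SOURCE_DATE_EPOCH is not a decimal integer: %r" % raw)
    return int(raw)


def render_version_py(version, environ=None):
    """Text of a generated version.py (hypothetical layout)."""
    # Format in UTC so the builder's local timezone cannot change the date.
    stamp = datetime.fromtimestamp(build_timestamp(environ), tz=timezone.utc)
    return "__version__ = %r\n__build_date__ = %r\n" % (
        version, stamp.strftime("%Y%m%d"))


if __name__ == "__main__":
    # Constructed value: 2019-11-15 00:00:00 UTC.
    print(render_version_py("1.10.1", {"SOURCE_DATE_EPOCH": "1573776000"}))
```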
[Python-modules-team] Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time
Hi Paul, > How is progress here? I failed to spot recent activity, but I may have > missed it. I'm not sure you've missed anything, at least from me -- I've not found it possible to prioritise time on this, alas. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
[Python-modules-team] Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
Chris Lamb wrote: > > > +python-django (1:1.11.23-1~deb10u1) buster-security; urgency=high > > > > Thanks, these both look good; please upload to security-master. > > Both uploaded to security-master. There is now a 1.11.24 (ie. 1:1.11.24-1~deb10u1) upstream: https://docs.djangoproject.com/en/2.2/releases/1.11.24/ Shall I go ahead and upload or was .23 already accepted? Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
[Python-modules-team] Bug#937704: Bug#937704: python-django: Python2 removal in sid/bullseye
Hi Scott, > It's still there as cruft: […] > Once those binaries are gone we'll pick it up with the arch all decrufting. Ah, thanks for explaining. It seems a little bit of a waste of Doku's energy to file unactionable bug reports. :) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
[Python-modules-team] Bug#937704: python-django: Python2 removal in sid/bullseye
tags 937704 + moreinfo thanks Hi Matthias, > Package: src:python-django > Version: 2:2.2.4-1 This appears to be a false-positive: python-django (2:2.2.3-2) unstable; urgency=medium * Upload (Python 3.x-only) branch to unstable after the release of Debian "buster". * Update debian/gbp.conf to refer to debian/sid after merge. -- Chris Lamb Sun, 07 Jul 2019 11:59:04 -0300 [..] python-django (1:2.0~alpha1-2) experimental; urgency=medium New upstream alpha release of Django 2.0. <https://docs.djangoproject.com/en/dev/releases/2.0/> * Drop Python 2.x support: - Remove python-django and python-django-common binary packages and splitting logic. [..] -- Chris Lamb Tue, 26 Sep 2017 18:01:30 +0100 Can you point out what I'm missing here? Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
[Python-modules-team] Bug#935394: python3-django breaks python3-mysqldb (<<1.3.13), but only python3-mysqldb 1.3.10 is available
reassign 935394 python3-mysqldb affects 935394 + python3-django thanks Hi Jakob, > python3-django is marked as Breaks: python3-mysqldb (<< 1.3.13), but the > latest and greatest version available in sid is python3-mysqldb 1.3.10. > This renders e.g. graphite-web uninstallable as that depends on both > python3-django and python3-mysqldb. The Breaks for python3-mysqldb cannot be lowered at least without also violating (and also patching out) an explicit check in the upstream code with unknown results. I bet there's some nasty and silent data-corrupting bug we might be exposing by doing that, knowing MySQL... Therefore I think the best solution would be to upload a new version of python3-mysqldb. I'm taking the liberty of reassigning (with a "reverse" affects for visibility) here in lieu of asking you to file a separate bug. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
[Python-modules-team] Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
Hi Sébastien, > > +python-django (1:1.10.7-2+deb9u5) stretch-security; urgency=high > > [...] > > +python-django (1:1.11.23-1~deb10u1) buster-security; urgency=high > > Thanks, these both look good; please upload to security-master. Both uploaded to security-master. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
[Python-modules-team] Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
Hi Salvatore, > Although I'm late for the game ;-). You can use both > 1:1.11.23-1~deb10u1 or 1:1.11.23-0+deb10u1. It is a matter of what you > want the express. > > 1:1.11.23-1~deb10u1 ... is mainly a rebuild of 1:1.11.23-1 with > maybe some additional changes. Examples for this one are e.g. the > openjdk packages. > > 1:1.11.23-0+deb10u1 means ... I import 1:1.11.23 on top of the > existing packaging but released for a lower suite than sid. This in > the theoretical case there would have been a 1:1.11.23-1 in the upper > suite it is 1:1.11.23-0+deb10u1 < 1:1.11.23-1. If you want examples > for this one for instance ghostscript, mariadb, ... Thank you for the explicit explanation. I had intuited and inferred this from the previous conversation so I went with 1:1.11.23-1~deb10u1 for my most-recent [rebuild] version of the debdiff. (… although it's not a "re"-build of anything; 1.11.23 won't be in any other suite… :p) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
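Added example, not part of the original message and not dpkg's own code: a Python rendering of the Debian version-comparison rules, applied to the version strings discussed in this thread to show why both `-1~deb10u1` and `-0+deb10u1` sort below a later `-1` upload while `-1+deb10u1` sorts above it. The function names are assumptions, and ASCII version strings are assumed.

```python
import re
from functools import cmp_to_key


def split_version(version):
    """Return (epoch, upstream, revision) for a Debian version string."""
    epoch, sep, rest = version.partition(":")
    if not sep:                       # no epoch given: it defaults to 0
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:                       # no hyphen: no Debian revision
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def _char_order(ch):
    """Sort weight of one non-digit character."""
    if ch == "~":
        return -1                     # before everything, even end of string
    if ch.isalpha():
        return ord(ch)                # letters sort before other characters
    return ord(ch) + 256              # '+', '.', '-', ':' sort after letters


def _cmp(a, b):
    return (a > b) - (a < b)


def _compare_fragment(a, b):
    """Compare two upstream-version strings or two revision strings."""
    while a or b:
        # 1. Leading non-digit run, character by character. A missing
        #    character weighs 0, which is why '~' (-1) sorts before it.
        na = re.match(r"[^0-9]*", a).group()
        nb = re.match(r"[^0-9]*", b).group()
        for i in range(max(len(na), len(nb))):
            oa = _char_order(na[i]) if i < len(na) else 0
            ob = _char_order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return _cmp(oa, ob)
        a, b = a[len(na):], b[len(nb):]
        # 2. Leading digit run, compared as numbers; an empty run is 0.
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return _cmp(int(da or 0), int(db or 0))
        a, b = a[len(da):], b[len(db):]
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to or after b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return (_cmp(ea, eb) or _compare_fragment(ua, ub)
            or _compare_fragment(ra, rb))


def sort_versions(versions):
    return sorted(versions, key=cmp_to_key(compare_versions))


# Version strings taken from the messages on this page.
THREAD_VERSIONS = [
    "1:1.11.23-1", "1:1.11.23-1~deb10u1", "1:1.11.23-0+deb10u1",
    "1:1.11.22-1+deb10u1", "1:1.11.22-1~deb10u1", "1:1.11.22-1",
]

if __name__ == "__main__":
    for version in sort_versions(THREAD_VERSIONS):
        print(version)
```

On a Debian system the same comparisons can be cross-checked with `dpkg --compare-versions`.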
[Python-modules-team] Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
Hi Moritz et al., > > > > > > Security team (added to CC), would you be interested in uploads for > > > > > > buster (currently 1:1.11.22-1~deb10u1) and stretch (currently > > > > > > 1:1.10.7-2+deb9u5)? > > […] > > > I just realised that there's a 1.11.23 (thanks Salvatore!), given that > > > we agreed to follow 1.11.x in buster, shouldn't we rather use that one? > > > > D'oh, that makes more sense. Okay, I can prepare a debdiff for that -- > > however, can you just confirm the version we should use? > > 1:1.11.23-1~deb10u1? > > Looks good! Updated debdiff attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-diff --git a/Django.egg-info/PKG-INFO b/Django.egg-info/PKG-INFO index 75a27527c..f6cdde7db 100644 --- a/Django.egg-info/PKG-INFO +++ b/Django.egg-info/PKG-INFO @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: Django -Version: 1.11.22 +Version: 1.11.23 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Home-page: https://www.djangoproject.com/ Author: Django Software Foundation diff --git a/Django.egg-info/SOURCES.txt b/Django.egg-info/SOURCES.txt index 4343c1389..f31a9c2f9 100644 --- a/Django.egg-info/SOURCES.txt +++ b/Django.egg-info/SOURCES.txt @@ -3550,6 +3550,7 @@ docs/releases/1.11.2.txt docs/releases/1.11.20.txt docs/releases/1.11.21.txt docs/releases/1.11.22.txt +docs/releases/1.11.23.txt docs/releases/1.11.3.txt docs/releases/1.11.4.txt docs/releases/1.11.5.txt diff --git a/PKG-INFO b/PKG-INFO index 75a27527c..f6cdde7db 100644 --- a/PKG-INFO +++ b/PKG-INFO @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: Django -Version: 1.11.22 +Version: 1.11.23 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Home-page: https://www.djangoproject.com/ Author: Django Software Foundation diff --git a/debian/changelog b/debian/changelog index b048bd0ec..cf382c3cf 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,59 @@ +python-django (1:1.11.23-1~deb10u1) buster-security; urgency=high + + * New upstream security release. +<https://www.djangoproject.com/weblog/2019/aug/01/security-releases/> + +- CVE-2019-14232: Denial-of-service possibility in + django.utils.text.Truncator + + If django.utils.text.Truncator's chars() and words() methods were passed + the html=True argument, they were extremely slow to evaluate certain + inputs due to a catastrophic backtracking vulnerability in a regular + expression. The chars() and words() methods are used to implement the + truncatechars_html and truncatewords_html template filters, which were + thus vulnerable. + + The regular expressions used by Truncator have been simplified in order + to avoid potential backtracking issues. As a consequence, trailing + punctuation may now at times be included in the truncated output. + +- CVE-2019-14233: Denial-of-service possibility in strip_tags() + + Due to the behavior of the underlying HTMLParser, + django.utils.html.strip_tags() would be extremely slow to evaluate + certain inputs containing large sequences of nested incomplete HTML + entities. The strip_tags() method is used to implement the corresponding + striptags template filter, which was thus also vulnerable. + + strip_tags() now avoids recursive calls to HTMLParser when progress + removing tags, but necessarily incomplete HTML entities, stops being + made. + + Remember that absolutely NO guarantee is provided about the results of + strip_tags() being HTML safe. So NEVER mark safe the result of a + strip_tags() call without escaping it first, for example with + django.utils.html.escape(). 
+ +- CVE-2019-14234: SQL injection possibility in key and index lookups for + JSONField/HStoreField + + Key and index lookups for django.contrib.postgres.fields.JSONField and + key lookups for django.contrib.postgres.fields.HStoreField were subject + to SQL injection, using a suitably crafted dictionary, with dictionary + expansion, as the **kwargs passed to QuerySet.filter(). + +- CVE-2019-14235: Potential memory exhaustion in + django.utils.encoding.uri_to_iri() + + If passed certain inputs, django.utils.encoding.uri_to_iri could lead to + significant memory usage due to excessive recursion when + re-percent-encoding invalid UTF-8 octet sequences. + + uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8 + octet sequences. + + -- Chris Lamb Thu, 08 Aug 2019 16:00:04 +0100 + python-django (1:1.11.22-1~deb10u1) buster-security; urgency=high * No-change update for buster-security. diff --git a/django/__init__.py b/django/__init__.py index 90ca62a28..c622e303
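Review bot: The new `1:1.11.23-1~deb10u1` entry in the debian/changelog hunk lists the four CVEs but has no `(Closes: #934026)` on its `* New upstream security release.` line, so the changelog does not tie the upload to the bug this debdiff was prepared for; add it to that line. The `Django.egg-info/PKG-INFO`, `SOURCES.txt` and `PKG-INFO` hunks only carry the 1.11.22 to 1.11.23 version bump and need no change.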
[Python-modules-team] Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
Hi Moritz, > > > > I mention it specifically as I'm not 100% confident this is correct > > > > and Lintian somewhat-correctly complained about a "missing" version > > > > (to wit, 1:1.11.22-1 it's technically missing). […] > Got it. From my PoV Lintian should probably just waive that check > unless the target distro for the upload is "unstable". I took a different approach (to mirror similar existing logic) here: https://salsa.debian.org/lintian/lintian/commit/bcded0a16c1094ae55afdd65caca7f598e3be7fc Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
[Python-modules-team] Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
Hi Moritz, > > > > Security team (added to CC), would you be interested in uploads for > > > > buster (currently 1:1.11.22-1~deb10u1) and stretch (currently > > > > 1:1.10.7-2+deb9u5)? […] > I just realised that there's a 1.11.23 (thanks Salvatore!), given that > we agreed to follow 1.11.x in buster, shouldn't we rather use that one? D'oh, that makes more sense. Okay, I can prepare a debdiff for that -- however, can you just confirm the version we should use? 1:1.11.23-1~deb10u1? Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
[Python-modules-team] Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
Moritz Muehlenhoff wrote: > > I mention it specifically as I'm not 100% confident this is correct > > and Lintian somewhat-correctly complained about a "missing" version > > (to wit, 1:1.11.22-1 it's technically missing). > > Where does Lintian parse the data about existing releases? How does it > know that 1:1.11.22-1 is missing? debian/changelog. Lintian, as a strict rule, does not query external sources. (I should probably clarify; missing *sequential* releases.) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
[Python-modules-team] Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
Hi Sébastien, > > Security team (added to CC), would you be interested in uploads for > > buster (currently 1:1.11.22-1~deb10u1) and stretch (currently > > 1:1.10.7-2+deb9u5)? […] > yes, thank you. Can you email us debdiffs ? I'll then take care of the > review and DSAs. I've attached these and the testsuites (etc.) are all green on my test machines. Note that the previous changelog entry in buster was: python-django (1:1.11.22-1~deb10u1) buster-security; urgency=high * No-change update for buster-security. * Update debian/gbp.conf for new debian/buster branch. -- Chris Lamb Wed, 03 Jul 2019 15:18:13 -0300 … and that I've tentatively versioned the updated version to address these new CVEs as 1:1.11.22-1+deb10u1 (ie. with a plus, not a tilde). I mention it specifically as I'm not 100% confident this is correct and Lintian somewhat-correctly complained about a "missing" version (to wit, 1:1.11.22-1 it's technically missing). Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-diff --git a/debian/changelog b/debian/changelog index fa89c8b21..47e10adb4 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,59 @@ +python-django (1:1.10.7-2+deb9u5) stretch-security; urgency=high + + * Backport four security patches from upstream. (Closes: #934026) +<https://www.djangoproject.com/weblog/2019/aug/01/security-releases/> + +- CVE-2019-14232: Denial-of-service possibility in + django.utils.text.Truncator + + If django.utils.text.Truncator's chars() and words() methods were passed + the html=True argument, they were extremely slow to evaluate certain + inputs due to a catastrophic backtracking vulnerability in a regular + expression. The chars() and words() methods are used to implement the + truncatechars_html and truncatewords_html template filters, which were + thus vulnerable. + + The regular expressions used by Truncator have been simplified in order + to avoid potential backtracking issues. As a consequence, trailing + punctuation may now at times be included in the truncated output. + +- CVE-2019-14233: Denial-of-service possibility in strip_tags() + + Due to the behavior of the underlying HTMLParser, + django.utils.html.strip_tags() would be extremely slow to evaluate + certain inputs containing large sequences of nested incomplete HTML + entities. The strip_tags() method is used to implement the corresponding + striptags template filter, which was thus also vulnerable. + + strip_tags() now avoids recursive calls to HTMLParser when progress + removing tags, but necessarily incomplete HTML entities, stops being + made. + + Remember that absolutely NO guarantee is provided about the results of + strip_tags() being HTML safe. So NEVER mark safe the result of a + strip_tags() call without escaping it first, for example with + django.utils.html.escape(). 
+ +- CVE-2019-14234: SQL injection possibility in key and index lookups for + JSONField/HStoreField + + Key and index lookups for django.contrib.postgres.fields.JSONField and + key lookups for django.contrib.postgres.fields.HStoreField were subject + to SQL injection, using a suitably crafted dictionary, with dictionary + expansion, as the **kwargs passed to QuerySet.filter(). + +- CVE-2019-14235: Potential memory exhaustion in + django.utils.encoding.uri_to_iri() + + If passed certain inputs, django.utils.encoding.uri_to_iri could lead to + significant memory usage due to excessive recursion when + re-percent-encoding invalid UTF-8 octet sequences. + + uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8 + octet sequences. + + -- Chris Lamb Thu, 08 Aug 2019 10:42:49 +0100 + python-django (1:1.10.7-2+deb9u4) stretch-security; urgency=high * CVE-2019-3498: Prevent a content-spoofing vulnerability in the default diff --git a/debian/patches/0019-CVE-2019-14232.patch b/debian/patches/0019-CVE-2019-14232.patch new file mode 100644 index 0..3bccb924e --- /dev/null +++ b/debian/patches/0019-CVE-2019-14232.patch @@ -0,0 +1,89 @@ +From: Chris Lamb +Date: Thu, 8 Aug 2019 10:30:35 +0100 +Subject: CVE-2019-14232 + +Backported from +<https://github.com/django/django/commit/42a66e969023c00536256469f0e8b8a099ef109d> +--- + django/utils/text.py | 4 ++-- + .../filter_tests/test_truncatewords_html.py| 4 ++-- + tests/utils_tests/test_text.py | 23 ++ + 3 files changed, 23 insertions(+), 8 deletions(-) + +diff --git a/django/utils/text.py b/django/utils/text.py +index 5e4dd3d..a69cf7a 100644 +--- a/django/utils/text.py b/django/utils/text.py +@@ -24,8 +24,8 @@ def capfirst(x): + capfirst = keep_lazy_text(capfirst) + + # Set up
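Review bot: The new debian/changelog entry is versioned `1:1.10.7-2+deb9u5` and sits directly above `1:1.10.7-2+deb9u4`, yet the request quoted in the covering mail names `1:1.10.7-2+deb9u5` as the version currently in stretch; if that version has already been uploaded this entry needs to be `+deb9u6`, and if it has not, the covering mail should say so. The same check applies to the new file name `0019-CVE-2019-14232.patch`, whose number should follow the last patch actually present in the stretch series.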
[Python-modules-team] Bug#934120: python-bleach: please make the build reproducible
forwarded 934120 https://github.com/mozilla/bleach/pull/465 thanks I've forwarded this upstream here: https://github.com/mozilla/bleach/pull/465 Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
[Python-modules-team] Bug#934120: python-bleach: please make the build reproducible
Source: python-bleach Version: 3.1.0-1 Severity: wishlist Tags: patch User: reproducible-bui...@lists.alioth.debian.org Usertags: randomness X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org Hi, Whilst working on the Reproducible Builds effort [0] we noticed that python-bleach could not be built reproducibly. This is because the documentation included default arguments that were (originally) generated from a "frozenset" type, which is iterated over at runtime in a nondeterministic order. Patch attached. [0] https://reproducible-builds.org/ Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- --- a/debian/patches/0003-reproducible_build.patch 1970-01-01 01:00:00.0 +0100 --- b/debian/patches/0003-reproducible_build.patch 2019-08-07 09:24:23.478886645 +0100 @@ -0,0 +1,15 @@ +Description: Make the build reproducible +Author: Chris Lamb +Last-Update: 2019-08-07 + +--- python-bleach-3.1.0.orig/bleach/linkifier.py python-bleach-3.1.0/bleach/linkifier.py +@@ -49,7 +49,7 @@ def build_url_re(tlds=TLDS, protocols=ht + (?:[/?][^\s\{{\}}\|\\\^\[\]`<>"]*)? + # /path/zz (excluding "unsafe" chars from RFC 1738, + # except for # and ~, which happen in practice) +-""".format('|'.join(protocols), '|'.join(tlds)), ++""".format('|'.join(sorted(protocols)), '|'.join(sorted(tlds))), + re.IGNORECASE | re.VERBOSE | re.UNICODE) + + --- a/debian/patches/series 2019-08-07 09:15:44.021885792 +0100 --- b/debian/patches/series 2019-08-07 09:24:21.370708546 +0100 @@ -1,2 +1,3 @@ 0001-remove-privacy-breach.patch 0002-no_vendored_html5lib.patch +0003-reproducible_build.patch
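Review bot: `sorted(tlds)` and `sorted(protocols)` in the `build_url_re()` hunk change the order of the regex alternation, and alternation is tried left to right, so an ascending sort puts a shorter entry ahead of any longer entry it is a prefix of (`co` before `com`) and can change what the compiled pattern matches. Please confirm that neither the default `TLDS` order nor a caller-supplied list relies on longer entries coming first; if either does, `sorted(..., reverse=True)` keeps the output deterministic while preserving longest-first matching. A linkify test on a `.com` URL would catch a regression here.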
[Python-modules-team] Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
[Adding t...@security.debian.org to CC] Chris Lamb wrote: > The following vulnerabilities were published for python-django. > > CVE-2019-14232[0]: > CVE-2019-14233[1]: > CVE-2019-14234[2]: > CVE-2019-14235[3]: I have just fixed this in sid and will fix this in jessie LTS shortly. Security team (added to CC), would you be interested in uploads for buster (currently 1:1.11.22-1~deb10u1) and stretch (currently 1:1.10.7-2+deb9u5)? Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
[Python-modules-team] Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
Package: python-django Version: 1.7.11-1+deb8u6 X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerabilities were published for python-django. CVE-2019-14232[0]: | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before | 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's | chars() and words() methods were passed the html=True argument, they | were extremely slow to evaluate certain inputs due to a catastrophic | backtracking vulnerability in a regular expression. The chars() and | words() methods are used to implement the truncatechars_html and | truncatewords_html template filters, which were thus vulnerable. CVE-2019-14233[1]: | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before | 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying | HTMLParser, django.utils.html.strip_tags would be extremely slow to | evaluate certain inputs containing large sequences of nested | incomplete HTML entities. CVE-2019-14234[2]: SQL injection possibility in key and index lookups for JSONField/HStoreField CVE-2019-14235[3]: | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before | 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, | django.utils.encoding.uri_to_iri could lead to significant memory | usage due to a recursion when repercent-encoding invalid UTF-8 octet | sequences. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. 
For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-14232 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232 [1] https://security-tracker.debian.org/tracker/CVE-2019-14233 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14233 [2] https://security-tracker.debian.org/tracker/CVE-2019-14234 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14234 [3] https://security-tracker.debian.org/tracker/CVE-2019-14235 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14235 Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
[Python-modules-team] Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time
Hi Paul et al., > > Thanks again for your patience and understanding here, Paul. So, it looks like: django-compat django-hijack django-ratelimit django-testscenarios grr python-aws-xray-sdk python-carrot python-django-bootstrap-form python-oauth2client python-semantic-version … still Build-Depend or Build-Depend-Indep on python-django. (Zigo, did you neglect python-oauth2client and python-semantic-version in your mass uploads recently?) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
[Python-modules-team] Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time
Dear Paul, > I try to always assume good faith :), so it's close to what I suspected > to be the case. … and to take this a level deeper, I also assumed you would assume good faith as well. :) I guess I was being explicit as a way of clumsily segueing into my "frenzy of post-Buster release motivation" excuse. > Either the [..] best way forward is to upload a > 2:2.2.3+really1:1.11.22-1 package [..] or trust that it can wait > until the time we allow for this transition. Indeed. Unfortunately, I have an instinctive gut reaction against the former so I'm afraid I will have to disappoint you once again in this area by falling back to the latter approach against your preference. > for the latter approach it's crucial to inform your reverse (test) > dependencies Do you have a convenient script that will generate a list of these? I can generate a list of regular reverse-dependencies but I fear I would be missing the test ones. Or: if someone could furnish me with such a list I will happily file the bugs in question. Thanks again for your patience and understanding here, Paul. Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
[Python-modules-team] Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time
Hi Paul, > it will take time before it does, as python-django can not migrate > before reverse dependencies are fixed or removed. The latter isn't very > nice for your reverse dependencies if you didn't give them proper > heads-up. The former isn't nice for the python-django users of testing. Mmm and I see that now. As in, please be assured that I didn't override those feelings out of a lack of care or concern for the reverse dependencies and their maintainers; it merely didn't really occur to me, perhaps in a frenzy of post-Buster release motivation. What do you suggest going forward regarding this CVE, at least? Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
[Python-modules-team] Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time
tags 932960 + moreinfo thanks Hi Paul, > PS: I failed to spot bugs against (some of) those packages communicating > the removal, I think that would be nice for those maintainers. This might have been justifiably and fairly missed as it was discussed quite some time, possibly years, ago. Not your fault, possibly ours… However, as Brian mentions we do really have no option but to use the 2.x branch of Django these days and, unfortunately, this means that Python 2.x support is accordingly dropped. The packages you list may thus need to be updated or removed. (I'm afraid I haven't looked into the specifics...) > Your package is trying to fix a CVE Can you elaborate? I'm a little distracted by DebConf stuff but I can't seem to grok what you mean here specifically. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
[Python-modules-team] Bug#929927: Bug#931316: python-django: CVE-2019-12308: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
Hi Moritz, > > Security team (added to CC), would you like an upload for stable? > > Please do, if we do a DSA, let's also include the fixes for CVE-2019-6975 > and CVE-2019-12308 which were previously postponed due to low impact, ack? Sure thing; my proposed diff is attached. It builds for me (with all tests passing) in a stretch chroot. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-diff --git a/debian/changelog b/debian/changelog index fa89c8b21..5bb1d6625 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +python-django (1:1.10.7-2+deb9u5) stretch-security; urgency=high + + * CVE-2019-6975: Fix memory exhaustion in utils.numberformat.format. +(Closes: #922027) + * CVE-2019-12308: Prevent a XSS vulnerability in the Django admin via the +AdminURLFieldWidget. (Closes: #929927) + * CVE-2019-12781: Prevent incorrect HTTPS detection with reverse-proxies +connecting via HTTPS. (Closes: #931316) + + -- Chris Lamb Tue, 02 Jul 2019 23:07:21 -0300 + python-django (1:1.10.7-2+deb9u4) stretch-security; urgency=high * CVE-2019-3498: Prevent a content-spoofing vulnerability in the default diff --git a/debian/patches/0018-CVE-2019-6975.patch b/debian/patches/0018-CVE-2019-6975.patch new file mode 100644 index 0..39c2f864c --- /dev/null +++ b/debian/patches/0018-CVE-2019-6975.patch 
@@ -0,0 +1,69 @@ +From: Carlton Gibson +Date: Mon, 11 Feb 2019 11:15:45 +0100 +Subject: Fixed CVE-2019-6975 -- Fixed memory exhaustion in + utils.numberformat.format(). + +Thanks Sjoerd Job Postmus for the report and initial patch. +Thanks Michael Manfre, Tim Graham, and Florian Apolloner for review. + +Backport of 402c0caa851e265410fbcaa55318f22d2bf22ee2 from master. +--- + django/utils/numberformat.py | 15 ++- + tests/utils_tests/test_numberformat.py | 18 ++ + 2 files changed, 32 insertions(+), 1 deletion(-) + +diff --git a/django/utils/numberformat.py b/django/utils/numberformat.py +index 6667d82..8b4d228 100644 +--- a/django/utils/numberformat.py b/django/utils/numberformat.py +@@ -27,7 +27,20 @@ def format(number, decimal_sep, decimal_pos=None, grouping=0, thousand_sep='', + # sign + sign = '' + if isinstance(number, Decimal): +-str_number = '{:f}'.format(number) ++# Format values with more than 200 digits (an arbitrary cutoff) using ++# scientific notation to avoid high memory usage in {:f}'.format(). ++_, digits, exponent = number.as_tuple() ++if abs(exponent) + len(digits) > 200: ++number = '{:e}'.format(number) ++coefficient, exponent = number.split('e') ++# Format the coefficient. 
++coefficient = format( ++coefficient, decimal_sep, decimal_pos, grouping, ++thousand_sep, force_grouping, ++) ++return '{}e{}'.format(coefficient, exponent) ++else: ++str_number = '{:f}'.format(number) + else: + str_number = six.text_type(number) + if str_number[0] == '-': +diff --git a/tests/utils_tests/test_numberformat.py b/tests/utils_tests/test_numberformat.py +index 3dd1b06..769406c 100644 +--- a/tests/utils_tests/test_numberformat.py b/tests/utils_tests/test_numberformat.py +@@ -60,6 +60,24 @@ class TestNumberFormat(TestCase): + self.assertEqual(nformat(Decimal('1234'), '.', grouping=2, thousand_sep=',', force_grouping=True), '12,34') + self.assertEqual(nformat(Decimal('-1234.33'), '.', decimal_pos=1), '-1234.3') + self.assertEqual(nformat(Decimal('0.0001'), '.', decimal_pos=8), '0.0001') ++# Very large & small numbers. ++tests = [ ++('9e', None, '9e+'), ++('9e', 3, '9.000e+'), ++('9e201', None, '9e+201'), ++('9e200', None, '9e+200'), ++('1.2345e999', 2, '1.23e+999'), ++('9e-999', None, '9e-999'), ++('1e-7', 8, '0.0010'), ++('1e-8', 8, '0.0001'), ++('1e-9', 8, '0.'), ++('1e-10', 8, '0.'), ++('1e-11', 8, '0.'), ++('1' + ('0' * 300), 3, '1.000e+300'), ++('0.{}1234'.format('0' * 299), 3, '1.234e-300'), ++] ++for value, decimal_pos, expected_value in tests: ++self.assertEqual(nformat(Decimal(value), '.', decimal_pos), expected_value) + + def test_decimal_subclass(self): + class EuroDecimal(Decimal): diff --git a/debian/patches/0019-CVE-2019-12308.patch b/debian/patches/0019-CVE-2019-12308.patch new file mode 100644 index 0..d3e73f45d --- /dev/null +++ b/debian/patches/0019-CVE-2019-12308.patch @@ -0,0 +1,77 @@ +From: Chris Lamb +Date: Tue, 2 Jul 2019 22:47:00 -0300 +Subject: CVE-2019-12308 + +Backported from https://github.com/django/django/commit/c238701859a52d584f
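Review bot: In the django/utils/numberformat.py hunk, the new early `return '{}e{}'.format(coefficient, exponent)` means any Decimal with `abs(exponent) + len(digits) > 200` now comes back in scientific notation rather than fixed-point, while the debian/changelog entry only says "Fix memory exhaustion". Please mention the output change there, since callers that format such values will render differently after the security upload. Two smaller points in the same hunk: the cutoff 200 would read better as a named module-level constant than as an inline literal, and the added comment has an unbalanced quote in `{:f}'.format()`.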
[Python-modules-team] Bug#931316: python-django: CVE-2019-12308: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
[Adding t...@security.debian.org, to CC]

Hi Salvatore,

> Control: found -1 2:2.2.1-1
> Control: found -1 1:1.10.7-2+deb9u4
> Control: found -1 1:1.10.7-1

I've uploaded fixes to experimental, unstable and to jessie LTS.

Security team (added to CC), would you like an upload for stable?

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
[Python-modules-team] Bug#929927: python-django: CVE-2019-12308: AdminURLFieldWidget XSS
[Adding lfara...@debian.org to CC]

Salvatore Bonaccorso wrote:

> CVE-2019-12308[0]:
> AdminURLFieldWidget XSS
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-12308
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308
> [1] https://www.djangoproject.com/weblog/2019/jun/03/security-releases/

Luke, do you still plan to take this as discussed during the embargo? I might have some bandwidth the next day or so if not, but let me know.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
[Python-modules-team] Bug#897489: python-whoosh: FTBFS: dh_auto_test: pybuild --test --test-pytest -i python{version} -p 3.6 returned exit code 13
Hi Ivo,

> > Fixing this bug and reuploading now... :)
>
> Thanks for the upload. However, you included the changes from -2. Could you
> revert the debhelper compat bump?

Sure, it was already committed prior to the freeze IIRC. Uploaded as -4, including all the changes since the -1 in buster.

(For completeness, the reason why -1 did not hit the archive is due to a pristine-tar issue; I reverted and recreated the entry on the pristine-tar branch and it regenerates correctly at build time, avoiding the REJECT when the file was "different in the archive").

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
[Python-modules-team] Bug#897489: python-whoosh: FTBFS: dh_auto_test: pybuild --test --test-pytest -i python{version} -p 3.6 returned exit code 13
[adding 897...@bugs.debian.org to CC]

Hi Ivo,

> > I think you are confusing me with someone else here? :)
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897489#14
> https://salsa.debian.org/python-team/modules/python-whoosh/commit/d6b04361fc0a16b836de410acd2e15a1ca225969
>
> Am I missing something?

No, I just have a terrible memory and/or didn't read what you wrote more carefully before replying. Fixing this bug and reuploading now... :)

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
[Python-modules-team] Bug#897489: python-whoosh: FTBFS: dh_auto_test: pybuild --test --test-pytest -i python{version} -p 3.6 returned exit code 13
Hi Ivo,

> The 2.7.4+git6-g9134ad92-2 upload you mentioned in this bug

I think you are confusing me with someone else here? :)

[…]

> Would you consider uploading a new version disabling this test for now, to fix
> the FTBFS for buster?

Potentially. It's not really "my" package, though; any objection from the rest of the DPMT?

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
[Python-modules-team] Bug#924784: python-django: FTBFS on i386: OverflowError: timestamp out of range for platform time_t
forwarded 924784 https://code.djangoproject.com/ticket/30264#ticket
thanks

I've forwarded this upstream here:

https://code.djangoproject.com/ticket/30264#ticket

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
[Python-modules-team] Bug#922027: python-django: Django security release
Hi Moritz,

> > Security team, may I upload this to stretch-security? Diff attached.
>
> This doesn't warrant a DSA, let's postpone this until more severe comes up.

Noted. Can you update data/CVE/list?

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
[Python-modules-team] Bug#897489: python-whoosh: FTBFS: dh_auto_test: pybuild --test --test-pytest -i python{version} -p 3.6 returned exit code 13
Chris Lamb wrote:

> Locally I cannot reproduce.

Ah, I can now; it's a non-determinism issue in the NFA.minimize routine itself:

  dfa.__dict__ = {'initial': 1, 'transitions': {1: {'a': 3, 'b': 2}, 3: {'a': 1}, 2: {'b': 1}}, 'defaults': {}, 'final_states': {1}, 'outlabels': {}}
  good.__dict__ = {'initial': 1, 'transitions': {1: {'a': 3, 'b': 2}, 2: {'b': 1}, 3: {'a': 1}}, 'defaults': {}, 'final_states': {1}, 'outlabels': {}}

The __eq__ method could potentially be patched to find them equivalent "anyway" but I'm not sure that is right at all.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
[Python-modules-team] Bug#897489: python-whoosh: FTBFS: dh_auto_test: pybuild --test --test-pytest -i python{version} -p 3.6 returned exit code 13
Lucas Nussbaum wrote:

> > === FAILURES
> > ===
> > __ test_minimize_dfa
> > ___
> > Traceback (most recent call last):
> > File
> > "/<>/python-whoosh-2.7.4+git6-g9134ad92/.pybuild/cpython3_3.6_whoosh/build/tests/test_automata.py",
> > line 355, in test_minimize_dfa
> > assert dfa == good
> > AssertionError: assert
> > ==

On https://tests.reproducible-builds.org/debian/rb-pkg/unstable/i386/python-whoosh.html we see:

  === FAILURES ===
  test_timelimit
  Traceback (most recent call last):
    File "/build/1st/python-whoosh-2.7.4+git6-g9134ad92/.pybuild/cpython2_2.7_whoosh/build/tests/test_collector.py", line 70, in test_timelimit
      s.search_with_collector(sq, col)
    File "/usr/lib/python2.7/dist-packages/_pytest/python_api.py", line 715, in __exit__
      self.excinfo.__init__(tp)
    File "/usr/lib/python2.7/dist-packages/_pytest/_code/code.py", line 415, in __init__
      self._excinfo = tup
    File "whoosh/collectors.py", line 1075, in _was_signaled
      raise TimeLimit
  TimeLimit

Locally I cannot reproduce.

Note that I just uploaded 2.7.4+git6-g9134ad92-2 to fix a number of smaller issues, including a rather dodgy Git repo setup.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
[Python-modules-team] Bug#922027: python-django: Django security release
Chris Lamb wrote:

> [Adding t...@security.debian.org to CC]
>
> > retitle 922027 CVE-2019-6975: Memory exhaustion in
> > django.utils.numberformat.format()
> > severity 922027 grave
> > found 922027 1:1.10.7-2+deb9u3
> > tags 922027 + security
> > thanks
>
> Security team, may I upload this to stretch-security? Diff attached.

Gentle ping on this? :)

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
[Python-modules-team] Bug#922027: python-django: Django security release
[Adding t...@security.debian.org to CC] Chris Lamb wrote: > retitle 922027 CVE-2019-6975: Memory exhaustion in > django.utils.numberformat.format() > severity 922027 grave > found 922027 1:1.10.7-2+deb9u3 > tags 922027 + security > thanks Security team, may I upload this to stretch-security? Diff attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `- diff --git a/debian/changelog b/debian/changelog index fa89c8b21..55d1fc21b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +python-django (1:1.10.7-2+deb9u5) stretch-security; urgency=high + + * CVE-2019-6975: Fix memory exhaustion in utils.numberformat.format(). +(Closes: #922027) + + -- Chris Lamb Mon, 11 Feb 2019 15:01:30 +0100 + python-django (1:1.10.7-2+deb9u4) stretch-security; urgency=high * CVE-2019-3498: Prevent a content-spoofing vulnerability in the default diff --git a/debian/patches/0019-CVE-2019-6795.patch b/debian/patches/0019-CVE-2019-6795.patch new file mode 100644 index 0..39c2f864c --- /dev/null +++ b/debian/patches/0019-CVE-2019-6795.patch 
@@ -0,0 +1,69 @@ +From: Carlton Gibson +Date: Mon, 11 Feb 2019 11:15:45 +0100 +Subject: Fixed CVE-2019-6975 -- Fixed memory exhaustion in + utils.numberformat.format(). + +Thanks Sjoerd Job Postmus for the report and initial patch. +Thanks Michael Manfre, Tim Graham, and Florian Apolloner for review. + +Backport of 402c0caa851e265410fbcaa55318f22d2bf22ee2 from master. +--- + django/utils/numberformat.py | 15 ++- + tests/utils_tests/test_numberformat.py | 18 ++ + 2 files changed, 32 insertions(+), 1 deletion(-) + +diff --git a/django/utils/numberformat.py b/django/utils/numberformat.py +index 6667d82..8b4d228 100644 +--- a/django/utils/numberformat.py b/django/utils/numberformat.py +@@ -27,7 +27,20 @@ def format(number, decimal_sep, decimal_pos=None, grouping=0, thousand_sep='', + # sign + sign = '' + if isinstance(number, Decimal): +-str_number = '{:f}'.format(number) ++# Format values with more than 200 digits (an arbitrary cutoff) using ++# scientific notation to avoid high memory usage in {:f}'.format(). ++_, digits, exponent = number.as_tuple() ++if abs(exponent) + len(digits) > 200: ++number = '{:e}'.format(number) ++coefficient, exponent = number.split('e') ++# Format the coefficient. 
++coefficient = format( ++coefficient, decimal_sep, decimal_pos, grouping, ++thousand_sep, force_grouping, ++) ++return '{}e{}'.format(coefficient, exponent) ++else: ++str_number = '{:f}'.format(number) + else: + str_number = six.text_type(number) + if str_number[0] == '-': +diff --git a/tests/utils_tests/test_numberformat.py b/tests/utils_tests/test_numberformat.py +index 3dd1b06..769406c 100644 +--- a/tests/utils_tests/test_numberformat.py b/tests/utils_tests/test_numberformat.py +@@ -60,6 +60,24 @@ class TestNumberFormat(TestCase): + self.assertEqual(nformat(Decimal('1234'), '.', grouping=2, thousand_sep=',', force_grouping=True), '12,34') + self.assertEqual(nformat(Decimal('-1234.33'), '.', decimal_pos=1), '-1234.3') + self.assertEqual(nformat(Decimal('0.0001'), '.', decimal_pos=8), '0.0001') ++# Very large & small numbers. ++tests = [ ++('9e', None, '9e+'), ++('9e', 3, '9.000e+'), ++('9e201', None, '9e+201'), ++('9e200', None, '9e+200'), ++('1.2345e999', 2, '1.23e+999'), ++('9e-999', None, '9e-999'), ++('1e-7', 8, '0.0010'), ++('1e-8', 8, '0.0001'), ++('1e-9', 8, '0.'), ++('1e-10', 8, '0.'), ++('1e-11', 8, '0.'), ++('1' + ('0' * 300), 3, '1.000e+300'), ++('0.{}1234'.format('0' * 299), 3, '1.234e-300'), ++] ++for value, decimal_pos, expected_value in tests: ++self.assertEqual(nformat(Decimal(value), '.', decimal_pos), expected_value) + + def test_decimal_subclass(self): + class EuroDecimal(Decimal): diff --git a/debian/patches/series b/debian/patches/series index 5bda383eb..ad6685673 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -9,3 +9,4 @@ fix-test-middleware-classes-headers.patch 0016-CVE-2017-12794.patch 0006-Default-to-supporting-Spatialite-4.2.patch 0017-CVE-2019-3498.patch +0018-CVE-2019-6975.patch ___ Python-modules-team mailing list Python-modules-team@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
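Review bot: The new patch file is created as debian/patches/0019-CVE-2019-6795.patch, but the debian/patches/series hunk adds `0018-CVE-2019-6975.patch`, so series names a file that this diff does not create. Both the sequence number (0019 vs 0018) and the CVE digits (6795 vs 6975) differ, and the changelog entry and the patch's own Subject line use CVE-2019-6975. Rename the new file to 0018-CVE-2019-6975.patch so that it matches the series entry and follows 0017-CVE-2019-3498.patch.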
[Python-modules-team] Bug#922027: python-django: Django security release
retitle 922027 CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
severity 922027 grave
found 922027 1:1.10.7-2+deb9u3
tags 922027 + security
thanks

Hi,

Noted that upstream might re-release. Will hold off for the time being:

https://code.djangoproject.com/ticket/30175#comment:4

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
[Python-modules-team] Bug#921513: sphinx: please make the build reproducible
forwarded 921513 https://github.com/sphinx-doc/sphinx/pull/6028
thanks

I've forwarded this upstream here:

https://github.com/sphinx-doc/sphinx/pull/6028

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
[Python-modules-team] Bug#921513: sphinx: please make the build reproducible
Source: sphinx Version: 1.8.3-2 Severity: wishlist Tags: patch User: reproducible-bui...@lists.alioth.debian.org Usertags: buildpath toolchain X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org Hi, Whilst working on the Reproducible Builds effort [0], we noticed that sphinx could generate output that is not reproducible. In particular, the graphviz extension module would construct filenames based on, inter alia, the contents of the `options` dictionary. As this contained the absolute build path of the source file embedded in the `docname` variable this meant that builds of documentation were not independent of where on a filesystem they were built from. Example filenames might be: - html/_images/graphviz-9e71e0f9ba91d0842b51211b676ec4adb7e7afb8.png + html/_images/graphviz-6241bbfd7ac6bd4e2ad9af451ab0dfb8719988d2.png We fix this by limiting how much of the `docname` variable ends up in the final constructed filename; I assume there is a good reason for including the `options` dictionary in the first place, otherwise we could simply omit it. [0] https://reproducible-builds.org (Patch attached.) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `- diff --git a/sphinx/ext/graphviz.py b/sphinx/ext/graphviz.py index c9b1541..820a693 100644 --- a/sphinx/ext/graphviz.py +++ b/sphinx/ext/graphviz.py 
@@ -216,7 +216,9 @@ def render_dot(self, code, options, format, prefix='graphviz'): # type: (nodes.NodeVisitor, unicode, Dict, unicode, unicode) -> Tuple[unicode, unicode] """Render graphviz code into a PNG or PDF output file.""" graphviz_dot = options.get('graphviz_dot', self.builder.config.graphviz_dot) -hashkey = (code + str(options) + str(graphviz_dot) + +options_for_hash = options.copy() +options_for_hash = path.basename(options_for_hash.pop('docname', '')) +hashkey = (code + str(options_for_hash) + str(graphviz_dot) + str(self.builder.config.graphviz_dot_args)).encode('utf-8') fname = '%s-%s.%s' % (prefix, sha1(hashkey).hexdigest(), format) ___ Python-modules-team mailing list Python-modules-team@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
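Review bot: In render_dot, the second added line rebinds `options_for_hash` to the string returned by `path.basename(...)`, which throws away the dict copied on the line above it. As a result `str(options_for_hash)` contributes only the docname basename to `hashkey`, and every other entry in `options` no longer affects the filename, although the report says the intent is only to limit how much of `docname` ends up in it. Suggest assigning into the copy instead, for example `options_for_hash['docname'] = path.basename(options_for_hash['docname'])` guarded by `if 'docname' in options_for_hash`, so that two graphs with the same code but different options still get distinct output files.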
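The build-path dependence described in the report above, modelled as an added example (it is not code from the original message or from Sphinx). `make_fname` mirrors the hash-key construction visible in the hunk; the option values, the build paths, the `layout_hint` key and the `normalised_options` helper are constructed for illustration.

```python
import hashlib
from os import path

# Assumed stand-ins for self.builder.config.graphviz_dot / graphviz_dot_args.
GRAPHVIZ_DOT = "dot"
GRAPHVIZ_DOT_ARGS = []

# Constructed sample inputs: same document built under two different paths,
# plus a variant that differs only in a made-up option ("layout_hint").
CODE = "digraph G { a -> b; }"
BUILD_1ST = {"docname": "/build/1st/sphinx/doc/index", "layout_hint": "wide"}
BUILD_2ND = {"docname": "/build/2nd/sphinx/doc/index", "layout_hint": "wide"}
OTHER_OPTS = {"docname": "/build/1st/sphinx/doc/index", "layout_hint": "narrow"}


def make_fname(code, hashed_options, options, prefix="graphviz", fmt="png"):
    """Build the output filename the way the hashkey lines in the hunk do."""
    graphviz_dot = options.get("graphviz_dot", GRAPHVIZ_DOT)
    hashkey = (code + str(hashed_options) + str(graphviz_dot) +
               str(GRAPHVIZ_DOT_ARGS)).encode("utf-8")
    return "%s-%s.%s" % (prefix, hashlib.sha1(hashkey).hexdigest(), fmt)


def fname_unpatched(code, options):
    # The whole options dict, absolute docname included, feeds the hash.
    return make_fname(code, options, options)


def fname_as_posted(code, options):
    # Same two statements as the posted hunk: the copy is rebound to a str,
    # so only the docname basename is hashed.
    options_for_hash = options.copy()
    options_for_hash = path.basename(options_for_hash.pop("docname", ""))
    return make_fname(code, options_for_hash, options)


def normalised_options(options):
    """Hypothetical helper: keep every option, strip only the directory."""
    result = dict(options)
    if "docname" in result:
        result["docname"] = path.basename(result["docname"])
    return result


def fname_normalised(code, options):
    return make_fname(code, normalised_options(options), options)


if __name__ == "__main__":
    for label, func in (("unpatched", fname_unpatched),
                        ("as posted", fname_as_posted),
                        ("normalised", fname_normalised)):
        print(label)
        for opts in (BUILD_1ST, BUILD_2ND, OTHER_OPTS):
            print("  ", func(CODE, opts))
```

Running it prints three filenames per variant: only the unpatched variant changes with the build directory, and only the normalised variant stays path-independent while still separating the two option sets.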
Re: [Python-modules-team] Comments regarding python-css-parser_1.0.4-1_amd64.changes
Nicholas,

> Alternatively, would you like me to ask upstream to document their
> copyright holders?

That sounds far better than trying to guess at-length at their intentions and will result in a better longer-term outcome.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
[Python-modules-team] Bug#920030: ships headers in /usr/include/python3.7/
Hi,

> your package ships the header file(s):

FYI this will be explicitly detected and reported on in lintian 2.5.123 in the package-contains-python-header-in-incorrect-directory tag.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
[Python-modules-team] Bug#918671: python-shade: Incomplete debian/copyright?
Source: python-shade
Version: 1.30.0-1
Severity: serious
Justification: Policy 12.5
X-Debbugs-CC: Clint Byrum , ftpmas...@debian.org

Hi,

I just ACCEPTed python-shade from NEW but noticed it was missing attribution in debian/copyright for at least OVH, IBM, Red Hat.

This is in no way exhaustive so please check over the entire package carefully and address these on your next upload.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
[Python-modules-team] Bug#918230: python-django: CVE-2019-3498: Content spoofing possibility in the default 404 page
Hi Salvatore,

> > Updated patch attached.
>
> Thanks, looks good to me. Please go ahead with the upload to
> security-master.

Sure thing, uploading:

  Successfully uploaded python-django_1.10.7-2+deb9u4.dsc to ssh.security.upload.debian.org for security-master.
  Successfully uploaded python-django_1.10.7.orig.tar.gz to ssh.security.upload.debian.org for security-master.
  Successfully uploaded python-django_1.10.7-2+deb9u4.debian.tar.xz to ssh.security.upload.debian.org for security-master.
  Successfully uploaded python-django-common_1.10.7-2+deb9u4_all.deb to ssh.security.upload.debian.org for security-master.
  Successfully uploaded python-django-doc_1.10.7-2+deb9u4_all.deb to ssh.security.upload.debian.org for security-master.
  Successfully uploaded python-django_1.10.7-2+deb9u4_all.deb to ssh.security.upload.debian.org for security-master.
  Successfully uploaded python-django_1.10.7-2+deb9u4_amd64.buildinfo to ssh.security.upload.debian.org for security-master.
  Successfully uploaded python3-django_1.10.7-2+deb9u4_all.deb to ssh.security.upload.debian.org for security-master.
  Successfully uploaded python-django_1.10.7-2+deb9u4_amd64.changes to ssh.security.upload.debian.org for security-master.

> Thank you for your work on this update,

No problem.

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
[Python-modules-team] Bug#918230: python-django: CVE-2019-3498: Content spoofing possibility in the default 404 page
Hi Salvatore, > With the 0017-CVE-2019-3498.patch patch there is something strange. > While it touches correctly the files django/views/defaults.py and the > tests, it touches and modifies files in debian/*, other patches and > series file. Thanks for your review. I went through my shell's history and unpicked what happened; whilst I had created and tested a regular patch file at debian/patches/CVE-2019-3498.patch I wanted to store everything in DPMT's Git repository and, as part of that, accidentally used git commit --whilst on the magic git-pq(1) branch and thus included all of these nonsense changes. Updated patch attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- diff --git a/debian/changelog b/debian/changelog index b1c56f7c5..fa89c8b21 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +python-django (1:1.10.7-2+deb9u4) stretch-security; urgency=high + + * CVE-2019-3498: Prevent a content-spoofing vulnerability in the default +404 page. (Closes: #918230) + + -- Chris Lamb Sun, 06 Jan 2019 09:35:11 +0100 + python-django (1:1.10.7-2+deb9u3) stretch; urgency=medium * Default to supporting Spatialite >= 4.2. (Closes: #910240) diff --git a/debian/patches/0017-CVE-2019-3498.patch b/debian/patches/0017-CVE-2019-3498.patch new file mode 100644 index 0..588db30a8 --- /dev/null +++ b/debian/patches/0017-CVE-2019-3498.patch 
@@ -0,0 +1,95 @@ +From: Tom Hacohen +Date: Fri, 4 Jan 2019 02:21:55 + +Subject: Fixed #30070, + CVE-2019-3498 -- Fixed content spoofing possiblity in the default 404 page. + +Co-Authored-By: Tim Graham +Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master. +--- + django/views/defaults.py | 8 +--- + tests/handlers/tests.py | 12 + 2 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/django/views/defaults.py b/django/views/defaults.py +index 348837e..5ec9ac8 100644 +--- a/django/views/defaults.py b/django/views/defaults.py +@@ -2,6 +2,7 @@ from django import http + from django.template import Context, Engine, TemplateDoesNotExist, loader + from django.utils import six + from django.utils.encoding import force_text ++from django.utils.http import urlquote + from django.views.decorators.csrf import requires_csrf_token + + ERROR_404_TEMPLATE_NAME = '404.html' +@@ -21,7 +22,8 @@ def page_not_found(request, exception, template_name=ERROR_404_TEMPLATE_NAME): + Templates: :template:`404.html` + Context: + request_path +-The path of the requested URL (e.g., '/app/pages/bad_page/') ++The path of the requested URL (e.g., '/app/pages/bad_page/'). It's ++quoted to prevent a content injection attack. 
+ exception + The message from the exception which triggered the 404 (if one was + supplied), or the exception class name +@@ -37,7 +39,7 @@ def page_not_found(request, exception, template_name=ERROR_404_TEMPLATE_NAME): + if isinstance(message, six.text_type): + exception_repr = message + context = { +-'request_path': request.path, ++'request_path': urlquote(request.path), + 'exception': exception_repr, + } + try: +@@ -50,7 +52,7 @@ def page_not_found(request, exception, template_name=ERROR_404_TEMPLATE_NAME): + raise + template = Engine().from_string( + 'Not Found' +-'The requested URL {{ request_path }} was not found on this server.') ++'The requested resource was not found on this server.') + body = template.render(Context(context)) + content_type = 'text/html' + return http.HttpResponseNotFound(body, content_type=content_type) +diff --git a/tests/handlers/tests.py b/tests/handlers/tests.py +index 9f01cb2..50a3488 100644 +--- a/tests/handlers/tests.py b/tests/handlers/tests.py +@@ -2,6 +2,7 @@ + + from __future__ import unicode_literals + ++import sys + import unittest + + from django.core.exceptions import ImproperlyConfigured +@@ -19,6 +20,8 @@ try: + except ImportError: # Python < 3.5 + HTTPStatus = None + ++PY37 = sys.version_info >= (3, 7, 0) ++ + + class HandlerTests(SimpleTestCase): + +@@ -180,16 +183,17 @@ class HandlerRequestTests(SimpleTestCase): + + def test_invalid_urls(self): + response = self.client.get('~%A9helloworld') +-self.assertContains(response, '~%A9helloworld', status_code=404) ++self.assertEqual(response.status_code, 404) ++self.assertEqual(response.context['request_path'], '/~%25A9helloworld' if PY37 else '/%7E%25A9helloworld') + + response = self.client.get('d%aao%aaw%aan%aal%aao%aaa%aad%aa/') +-self.assertContains(response, 'd%AAo%AAw%AAn%AAl%AAo%AAa%AAd%AA', status_code=404) ++self.assertEqual(response.context['request_path'], '/d%25AAo%25AAw%25AAn%25AAl%25AAo%25AAa%25AAd%25AA')
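Review bot: In test_invalid_urls (tests/handlers/tests.py), the second request loses its status check: the removed `assertContains(response, 'd%AAo%AAw%AAn%AAl%AAo%AAa%AAd%AA', status_code=404)` is replaced only by an assertion on `response.context['request_path']`, whereas the first request gained an explicit `self.assertEqual(response.status_code, 404)`. Add the same status assertion after the `d%aao%aaw%aan...` request so the test still fails if that path stops returning 404. Separately, in django/views/defaults.py the `request_path` context value is now `urlquote(request.path)`; the docstring records this, but the debian/changelog entry does not mention that custom 404.html templates displaying that variable will now show the percent-encoded path.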