** Description changed:

- Scheduled-For: 22.12
- Upstream: tbd
+ Upstream: 3.2.8
  Debian:   2:3.2.8-1    2:4.0~alpha1-1
  Ubuntu:   2:2.2.24-1ubuntu1
  
- 
  Debian new has 2:4.0~alpha1-1
- 
  
  ### New Debian Changes ###
  
  python-django (2:3.2.8-1) unstable; urgency=medium
  
-   * New upstream bugfix release.
-   * Drop a patch applied upstream.
-   * Bump Standards-Version to 4.6.0.
+   * New upstream bugfix release.
+   * Drop a patch applied upstream.
+   * Bump Standards-Version to 4.6.0.
  
-  -- Chris Lamb <la...@debian.org>  Tue, 05 Oct 2021 09:34:57 +0100
+  -- Chris Lamb <la...@debian.org>  Tue, 05 Oct 2021 09:34:57 +0100
  
  python-django (2:3.2.7-4) unstable; urgency=medium
  
-   * Skip a test that is fixed upstream (with a number of overlapping
+   * Skip a test that is fixed upstream (with a number of overlapping
  patches).
  
-  -- Chris Lamb <la...@debian.org>  Mon, 13 Sep 2021 09:03:27 +0100
+  -- Chris Lamb <la...@debian.org>  Mon, 13 Sep 2021 09:03:27 +0100
  
  python-django (2:3.2.7-3) unstable; urgency=medium
  
-   * Actually upload 3.2 branch to unstable...
+   * Actually upload 3.2 branch to unstable...
  
-  -- Chris Lamb <la...@debian.org>  Thu, 09 Sep 2021 17:49:23 +0100
+  -- Chris Lamb <la...@debian.org>  Thu, 09 Sep 2021 17:49:23 +0100
  
  python-django (2:3.2.7-2) experimental; urgency=medium
  
-   * Upload 3.2 branch to unstable.
+   * Upload 3.2 branch to unstable.
  
-  -- Chris Lamb <la...@debian.org>  Thu, 09 Sep 2021 15:51:11 +0100
+  -- Chris Lamb <la...@debian.org>  Thu, 09 Sep 2021 15:51:11 +0100
  
  python-django (2:3.2.7-1) experimental; urgency=medium
  
-   * New upstream bugfix release.
+   * New upstream bugfix release.
  
-  -- Chris Lamb <la...@debian.org>  Wed, 01 Sep 2021 10:46:07 +0100
+  -- Chris Lamb <la...@debian.org>  Wed, 01 Sep 2021 10:46:07 +0100
  
  python-django (2:3.2.6-1) experimental; urgency=medium
  
-   * New upstream bugfix release.
-     <https://docs.djangoproject.com/en/3.2/releases/3.2.6/>
-   * Bump Standards-Version to 4.5.1.
+   * New upstream bugfix release.
+     <https://docs.djangoproject.com/en/3.2/releases/3.2.6/>
+   * Bump Standards-Version to 4.5.1.
  
-  -- Chris Lamb <la...@debian.org>  Mon, 02 Aug 2021 09:16:21 +0100
+  -- Chris Lamb <la...@debian.org>  Mon, 02 Aug 2021 09:16:21 +0100
  
  python-django (2:3.2.5-2) experimental; urgency=medium
  
-   * Don't symlink /usr/bin/django-admin to 'django-admin.py'; ship the script
-     generated by the entry_points system instead, otherwise we introduce a
-     confusing 'django-admin.py' deprecation message when using 'django-admin'.
-     (Closes: #991098)
+   * Don't symlink /usr/bin/django-admin to 'django-admin.py'; ship the script
+     generated by the entry_points system instead, otherwise we introduce a
+     confusing 'django-admin.py' deprecation message when using 'django-admin'.
+     (Closes: #991098)
  
-  -- Chris Lamb <la...@debian.org>  Thu, 15 Jul 2021 13:54:57 +0100
+  -- Chris Lamb <la...@debian.org>  Thu, 15 Jul 2021 13:54:57 +0100
  
  python-django (2:3.2.5-1) experimental; urgency=medium
  
-   * New upstream security release:
+   * New upstream security release:
  
-     - CVE-2021-35042: Potential SQL injection via unsanitized
-       QuerySet.order_by() input.
+     - CVE-2021-35042: Potential SQL injection via unsanitized
+       QuerySet.order_by() input.
  
-       Unsanitized user input passed to QuerySet.order_by() could bypass
-       intended column reference validation in path marked for deprecation
-       resulting in a potential SQL injection even if a deprecation warning is
-       emitted. As a mitigation, the strict column reference validation was
-       restored for the duration of the deprecation period. This regression
-       appeared in Django version 3.1 as a side effect of fixing another bug
-       (#31426).
+       Unsanitized user input passed to QuerySet.order_by() could bypass
+       intended column reference validation in path marked for deprecation
+       resulting in a potential SQL injection even if a deprecation warning is
+       emitted. As a mitigation, the strict column reference validation was
+       restored for the duration of the deprecation period. This regression
+       appeared in Django version 3.1 as a side effect of fixing another bug
+       (#31426).
  
-     For more information, please see:
-     <https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
+     For more information, please see:
+     <https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
  
-  -- Chris Lamb <la...@debian.org>  Thu, 01 Jul 2021 10:56:07 +0100
+  -- Chris Lamb <la...@debian.org>  Thu, 01 Jul 2021 10:56:07 +0100
  
  python-django (2:3.2.4-1) experimental; urgency=medium
  
-   * New upstream security release. (Closes: #989394)
+   * New upstream security release. (Closes: #989394)
  
-     - CVE-2021-33203: Potential directory traversal via admindocs
+     - CVE-2021-33203: Potential directory traversal via admindocs
  
-       Staff members could use the admindocs TemplateDetailView view to
-       check the existence of arbitrary files. Additionally, if (and only
-       if) the default admindocs templates have been customized by the
-       developers to also expose the file contents, then not only the
-       existence but also the file contents would have been exposed.
+       Staff members could use the admindocs TemplateDetailView view to
+       check the existence of arbitrary files. Additionally, if (and only
+       if) the default admindocs templates have been customized by the
+       developers to also expose the file contents, then not only the
+       existence but also the file contents would have been exposed.
  
-       As a mitigation, path sanitation is now applied and only files
-       within the template root directories can be loaded.
+       As a mitigation, path sanitation is now applied and only files
+       within the template root directories can be loaded.
  
-       This issue has low severity, according to the Django security
-       policy.
+       This issue has low severity, according to the Django security
+       policy.
  
-       Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
-       the CodeQL Python team for the report.
+       Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
+       the CodeQL Python team for the report.
  
-     - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
-       since validators accepted leading zeros in IPv4 addresses
+     - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
+       since validators accepted leading zeros in IPv4 addresses
  
-       URLValidator, validate_ipv4_address(), and
-       validate_ipv46_address() didn't prohibit leading zeros in octal
-       literals. If you used such values you could suffer from
-       indeterminate SSRF, RFI, and LFI attacks.
+       URLValidator, validate_ipv4_address(), and
+       validate_ipv46_address() didn't prohibit leading zeros in octal
+       literals. If you used such values you could suffer from
+       indeterminate SSRF, RFI, and LFI attacks.
  
-       validate_ipv4_address() and validate_ipv46_address() validators
-       were not affected on Python 3.9.5+.
- 
+       validate_ipv4_address() and validate_ipv46_address() validators
+       were not affected on Python 3.9.5+.
  
  ### Old Ubuntu Delta ###
  
  python-django (2:2.2.24-1ubuntu1) impish; urgency=medium
  
-   * d/p/test_subparser_regression.patch: Fix test regression (LP:
+   * d/p/test_subparser_regression.patch: Fix test regression (LP:
  #1945993)
  
-  -- Athos Ribeiro <athos.ribe...@canonical.com>  Mon, 04 Oct 2021
+  -- Athos Ribeiro <athos.ribe...@canonical.com>  Mon, 04 Oct 2021
  10:56:57 -0300
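
Review bot: from "python-django (2:3.2.8-1)" down to the Old Ubuntu Delta, nearly every -/+ pair reads identically on both sides, so this revision is almost all whitespace churn and it buries the two substantive edits at the top: "Scheduled-For: 22.12" is removed and "Upstream: tbd" becomes "Upstream: 3.2.8". The removal of the Scheduled-For field is not explained anywhere in the visible text; a short comment on the bug saying why it was dropped, and keeping whitespace-only reflows out of description edits, would make the change auditable.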

** Description changed:

  Upstream: 3.2.8
  Debian:   2:3.2.8-1    2:4.0~alpha1-1
  Ubuntu:   2:2.2.24-1ubuntu1
  
- Debian new has 2:4.0~alpha1-1
+ Debian experimental has 2:4.0~alpha1-1
  
  ### New Debian Changes ###
  
  python-django (2:3.2.8-1) unstable; urgency=medium
  
    * New upstream bugfix release.
    * Drop a patch applied upstream.
    * Bump Standards-Version to 4.6.0.
  
   -- Chris Lamb <la...@debian.org>  Tue, 05 Oct 2021 09:34:57 +0100
  
  python-django (2:3.2.7-4) unstable; urgency=medium
  
    * Skip a test that is fixed upstream (with a number of overlapping
  patches).
  
   -- Chris Lamb <la...@debian.org>  Mon, 13 Sep 2021 09:03:27 +0100
  
  python-django (2:3.2.7-3) unstable; urgency=medium
  
    * Actually upload 3.2 branch to unstable...
  
   -- Chris Lamb <la...@debian.org>  Thu, 09 Sep 2021 17:49:23 +0100
  
  python-django (2:3.2.7-2) experimental; urgency=medium
  
    * Upload 3.2 branch to unstable.
  
   -- Chris Lamb <la...@debian.org>  Thu, 09 Sep 2021 15:51:11 +0100
  
  python-django (2:3.2.7-1) experimental; urgency=medium
  
    * New upstream bugfix release.
  
   -- Chris Lamb <la...@debian.org>  Wed, 01 Sep 2021 10:46:07 +0100
  
  python-django (2:3.2.6-1) experimental; urgency=medium
  
    * New upstream bugfix release.
      <https://docs.djangoproject.com/en/3.2/releases/3.2.6/>
    * Bump Standards-Version to 4.5.1.
  
   -- Chris Lamb <la...@debian.org>  Mon, 02 Aug 2021 09:16:21 +0100
  
  python-django (2:3.2.5-2) experimental; urgency=medium
  
    * Don't symlink /usr/bin/django-admin to 'django-admin.py'; ship the script
      generated by the entry_points system instead, otherwise we introduce a
      confusing 'django-admin.py' deprecation message when using 'django-admin'.
      (Closes: #991098)
  
   -- Chris Lamb <la...@debian.org>  Thu, 15 Jul 2021 13:54:57 +0100
  
  python-django (2:3.2.5-1) experimental; urgency=medium
  
    * New upstream security release:
  
      - CVE-2021-35042: Potential SQL injection via unsanitized
        QuerySet.order_by() input.
  
        Unsanitized user input passed to QuerySet.order_by() could bypass
        intended column reference validation in path marked for deprecation
        resulting in a potential SQL injection even if a deprecation warning is
        emitted. As a mitigation, the strict column reference validation was
        restored for the duration of the deprecation period. This regression
        appeared in Django version 3.1 as a side effect of fixing another bug
        (#31426).
  
      For more information, please see:
      <https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
  
   -- Chris Lamb <la...@debian.org>  Thu, 01 Jul 2021 10:56:07 +0100
  
  python-django (2:3.2.4-1) experimental; urgency=medium
  
    * New upstream security release. (Closes: #989394)
  
      - CVE-2021-33203: Potential directory traversal via admindocs
  
        Staff members could use the admindocs TemplateDetailView view to
        check the existence of arbitrary files. Additionally, if (and only
        if) the default admindocs templates have been customized by the
        developers to also expose the file contents, then not only the
        existence but also the file contents would have been exposed.
  
        As a mitigation, path sanitation is now applied and only files
        within the template root directories can be loaded.
  
        This issue has low severity, according to the Django security
        policy.
  
        Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
        the CodeQL Python team for the report.
  
      - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
        since validators accepted leading zeros in IPv4 addresses
  
        URLValidator, validate_ipv4_address(), and
        validate_ipv46_address() didn't prohibit leading zeros in octal
        literals. If you used such values you could suffer from
        indeterminate SSRF, RFI, and LFI attacks.
  
        validate_ipv4_address() and validate_ipv46_address() validators
        were not affected on Python 3.9.5+.
  
  ### Old Ubuntu Delta ###
  
  python-django (2:2.2.24-1ubuntu1) impish; urgency=medium
  
    * d/p/test_subparser_regression.patch: Fix test regression (LP:
  #1945993)
  
   -- Athos Ribeiro <athos.ribe...@canonical.com>  Mon, 04 Oct 2021
  10:56:57 -0300
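
Review bot: the reworded line "Debian experimental has 2:4.0~alpha1-1" is clearer, but the header line "Debian:   2:3.2.8-1    2:4.0~alpha1-1" still lists both versions without saying which suite each belongs to. Labelling them (unstable and experimental) and stating that 2:3.2.8-1 is the merge target would remove the ambiguity. The Old Ubuntu Delta section also lists d/p/test_subparser_regression.patch without saying whether it is to be carried forward or dropped in the merge; the description should record that decision.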

** Changed in: python-django (Ubuntu)
    Milestone: None => ubuntu-21.11

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1946890

Title:
  Merge python-django from Debian unstable for 22.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-django/+bug/1946890/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
