I just uploaded a merge with 1:1.11-1 from experimental to the same PPA: https://launchpad.net/~nacc/+archive/ubuntu/lp1605278
Note that I chose 1.11 rather than the 1.10 in unstable because 1.11 is an LTS with support for a lot longer, which means (possibly) we don't need to merge again for 18.04 (or it will be a trivial upstream minor bump within the 1.11 series).

** Description changed:

- Please merge python-django 1:1.9.8-1 (main) from Debian unstable (main) + Please merge python-django 1:1.11-1 (main) from Debian experimental + (main) - Explanation of the Ubuntu delta and why it can be dropped: - * SECURITY UPDATE: XSS in admin's add/change related popup - - debian/patches/CVE-2016-6186.patch: change to text in - django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js, - django/views/debug.py, added to tests in tests/admin_views/admin.py, - tests/admin_views/models.py, tests/admin_views/tests.py. - - CVE-2016-6186 - * Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from - upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.) - LP: #1528710 - * Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from - upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.) - LP: #1528710 - * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251) - - debian/patches/CVE-2016-2512-regression.patch: updated to final - upstream fix. - - CVE-2016-2512 - * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251) - - debian/patches/CVE-2016-2512-regression.patch: force url to unicode - in django/utils/http.py, added test to - tests/utils_tests/test_http.py. - - CVE-2016-2512 - * SECURITY UPDATE: malicious redirect and possible XSS attack via - user-supplied redirect URLs containing basic auth - - debian/patches/CVE-2016-2512.patch: prevent spoofing in - django/utils/http.py, added test to tests/utils_tests/test_http.py. 
- - CVE-2016-2512 - * SECURITY UPDATE: user enumeration through timing difference on password - hasher work factor upgrade - - debian/patches/CVE-2016-2513.patch: fix timing in - django/contrib/auth/hashers.py, added note to - docs/topics/auth/passwords.txt, added tests to - tests/auth_tests/test_hashers.py. - - CVE-2016-2513 - * Merge from Debian unstable. Remaining changes: + python-django (1:1.11-1ubuntu1) artful; urgency=medium + + * Merge from Debian unstable (LP: #1605278). Remaining changes: - debian/patches/pymysql-replacement.patch: Use pymysql as drop in replacement for MySQLdb. - debian/control: Drop python-mysqldb in favor of python-pymysql. - * Dropped changes: - - debian/patches/99_skip_tests_due_python35.diff: no longer required, - python 3.5 is now officially supported in 1.8.6+. + * Drop: + - SECURITY UPDATE: malicious redirect and possible XSS attack via + user-supplied redirect URLs containing basic auth + + debian/patches/CVE-2016-2512.patch: prevent spoofing in + django/utils/http.py, added test to tests/utils_tests/test_http.py. + + CVE-2016-2512 + - SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251) + + debian/patches/CVE-2016-2512-regression.patch: force url to unicode + in django/utils/http.py, added test to + tests/utils_tests/test_http.py. + + CVE-2016-2512 + - SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251) + + debian/patches/CVE-2016-2512-regression.patch: updated to final + upstream fix. + + CVE-2016-2512 + [ Fixed upstream ] + - SECURITY UPDATE: user enumeration through timing difference on password + hasher work factor upgrade + + debian/patches/CVE-2016-2513.patch: fix timing in + django/contrib/auth/hashers.py, added note to + docs/topics/auth/passwords.txt, added tests to + tests/auth_tests/test_hashers.py. 
+ + CVE-2016-2513 + [ Fixed upstream ] + - Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from + upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.) + LP #1528710 + [ Fixed upstream ] + - Backport upstream fix for ipv6-formatted ipv4 addresses (LP #1611923) + [ Fixed upstream ] + - SECURITY UPDATE: XSS in admin's add/change related popup + + debian/patches/CVE-2016-6186.patch: change to text in + django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js, + django/views/debug.py, added to tests in tests/admin_views/admin.py, + tests/admin_views/models.py, tests/admin_views/tests.py. + + CVE-2016-6186 + [ Fixed upstream ] + - SECURITY UPDATE: CSRF protection bypass on a site with Google Analytics + + debian/patches/CVE-2016-7401.patch: simplify cookie parsing in + django/http/cookie.py, add tests to tests/httpwrappers/tests.py, + tests/requests/tests.py. + + CVE-2016-7401 + [ Fixed upstream ] + - SECURITY UPDATE: user with hardcoded password created when running + tests on Oracle + + debian/patches/CVE-2016-9013.patch: remove hardcoded password in + django/db/backends/oracle/creation.py, added note to + docs/ref/settings.txt. + + CVE-2016-9013 + [ Fixed upstream ] + - SECURITY UPDATE: DNS rebinding vulnerability when DEBUG=True + + debian/patches/CVE-2016-9014.patch: properly check ALLOWED_HOSTS in + django/http/request.py, updated docs/ref/settings.txt, added test to + tests/requests/tests.py. + + CVE-2016-9014 + [ Fixed upstream ] - All of that was applied in the new Debian version except for the - pymysql replacement. 
- - Changelog entries since current yakkety version 1.8.7-1ubuntu6: - - python-django (1:1.9.8-1) unstable; urgency=high - - * New upstream security release: - https://www.djangoproject.com/weblog/2016/jul/18/security-releases/ - - CVE-2016-6186: XSS in admin's add/change related popup - - -- Luke Faraone <lfara...@debian.org> Tue, 19 Jul 2016 14:15:24 +0000 - - python-django (1:1.9.7-2) unstable; urgency=medium - - * Re-upload 1.9.7 to unstable with epoch. - - -- Chris Lamb <la...@debian.org> Sun, 26 Jun 2016 09:58:19 +0200 - - python-django (1.10~beta1-1) unstable; urgency=medium - - [ Chris Lamb ] - * New upstream beta release. - * Drop fix-25761-add-traceback-attribute.patch; applied upstream. - - [ Raphaël Hertzog ] - * Remove obsolete /etc/bash_completion.d/django_bash_completion on upgrade. - Closes: #801744 - - -- Chris Lamb <la...@debian.org> Sat, 25 Jun 2016 19:17:49 +0200 - - python-django (1.9.7-1) unstable; urgency=medium - - [ Raphaël Hertzog ] - * New upstream bugfix release. - * Bump python-sphinx build dependency to >= 1.3. Closes: #824108 - * Drop build dependency on locales. C.UTF-8 that we currently use is part of - libc-bin. - - [ Chris Lamb ] - * Remove duplicated "of of" in python-django's README.Debian. - - -- Raphaël Hertzog <hert...@debian.org> Tue, 14 Jun 2016 00:05:22 - +0200 - - python-django (1.9.6-1) unstable; urgency=medium - - * New upstream bugfix release. - - -- Chris Lamb <la...@debian.org> Sat, 07 May 2016 07:01:17 +0100 - - python-django (1.9.5-2) unstable; urgency=medium - - * Drop the dir_to_symlink transition that was only really needed - for upgrades between versions 1.9~rc2 and 1.9.4. 
Closes: #821789 - - -- Raphaël Hertzog <hert...@debian.org> Wed, 20 Apr 2016 17:47:05 - +0200 - - python-django (1.9.5-1) unstable; urgency=medium - - * New upstream bugfix release: - https://docs.djangoproject.com/en/1.9/releases/1.9.5/ - * Fix the DEP-8 test suite (django-admin --with python3 failing - because ./manage.py does not have a good shebang). - * Update Standards-Version to 3.9.8. - * Add some lintian overrides. - * Tweak Vcs-Browser to use https. - * Drop obsolete parts of the copyright file. - - -- Raphaël Hertzog <hert...@debian.org> Wed, 06 Apr 2016 18:05:42 - +0200 - - python-django (1.9.4-1) unstable; urgency=high - - [ Luke Faraone ] - * New upstream security release: - https://www.djangoproject.com/weblog/2016/mar/01/security-releases/ - - CVE-2016-2512: Malicious redirect and possible XSS via user-supplied - redirect URLs containing basic auth - - CVE-2016-2513: User enumeration through timing difference on password - hasher work factor upgrade - Closes: #816434 - - [ Raphaël Hertzog ] - * Fix rules file to no longer mess with *_templates directories. They no - longer contain invalid .py files but only *-tpl template files that are - instantiated at runtime. - - -- Luke Faraone <lfara...@debian.org> Mon, 07 Mar 2016 17:09:54 +0000 - - python-django (1.9.2-1) unstable; urgency=medium - - * New upstream security release fixing: - - CVE-2016-2048: User with "change" but not "add" permission can create - objects for ModelAdmin objects with save_as=True - Closes: #813448 - - -- Raphaël Hertzog <hert...@debian.org> Tue, 02 Feb 2016 09:06:46 - +0100 - - python-django (1.9.1-1) unstable; urgency=medium - - * New upstream release. - - -- Chris Lamb <la...@debian.org> Mon, 04 Jan 2016 17:51:40 +0000 - - python-django (1.9-2) unstable; urgency=medium - - [ Chris Lamb ] - * Use dpkg-maintscript-helper's dir_to_symlink to correctly replace the - app_template and project_template symlinks added in 1.9~rc2-2. 
- (Closes: #807683) - - [ Raphaël Hertzog ] - * Add some DEP-8 tests testing "django-admin" and running the test suite - against the installed package. In both cases, we do it with python2 and - python3. - * Add python-tblib and python3-tblib to Build-Depends for the benefit of - the parallel testing feature of the test suite. - * Add "set -e" in the command line running the tests with all supported - versions so that it actually fails as soon as one version is failing - (and thus disallow later successes to shadow earlier failures). - - -- Raphaël Hertzog <hert...@debian.org> Wed, 30 Dec 2015 16:44:04 - +0100 - - python-django (1.9-1) unstable; urgency=medium - - * Upload to unstable - * Adjust uversionmangle in debian/watch to mangle "1.9rc2" scheme - (previously only "1.9-rc-2" would have matched). - - -- Chris Lamb <la...@debian.org> Thu, 03 Dec 2015 16:48:30 +0200 - - python-django (1.9~rc2-2) experimental; urgency=medium - - * Move {app,project}_template to python-django-common to prevent - byte-compilation (via pycompile) on installation, causing failure. They are - not valid Python files until variables have been interpolated. - - -- Chris Lamb <la...@debian.org> Thu, 26 Nov 2015 14:53:11 +0200 - - python-django (1.9~rc2-1) experimental; urgency=medium - - * New upstream release candidate. - * Add myself to Uploaders. - - -- Chris Lamb <la...@debian.org> Thu, 26 Nov 2015 10:14:15 +0200 - - python-django (1.8.7-2) unstable; urgency=high - - * Rely on C.UTF-8 to run the tests instead of building our locale ourselves. - * Add debian/patches/fix-25761-add-traceback-attribute.patch: - new patch to ensure exceptions registered in __cause__ attributes - have a __traceback__ attribute. Closes: #802677 - * Extend lintian overrides to cover more false positives of - source-is-missing. - * Cleanup debian/copyright for dropped/renamed files. - * Run tests for all supported Python versions. 
- - -- Raphaël Hertzog <hert...@debian.org> Wed, 25 Nov 2015 16:16:10 - +0100 + -- Nishanth Aravamudan <nish.aravamu...@canonical.com> Fri, 05 May + 2017 09:41:07 -0700

** Changed in: python-django (Ubuntu Zesty)
Assignee: Nish Aravamudan (nacc) => (unassigned)

https://bugs.launchpad.net/bugs/1605278
Title: Merge python-django 1:1.11-1 from Debian unstable
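Review bot: the first entry of the new changelog stanza reads "* Merge from Debian unstable (LP: #1605278)", but the description header it sits under was changed to "from Debian experimental", and the comment above states that 1:1.11-1 is the experimental version (1.10 is what unstable carries); the entry should say "Merge from Debian experimental (LP: #1605278)", and the bug title still says "from Debian unstable" as well. The "Drop:" list also carries two separate SECURITY REGRESSION entries for debian/patches/CVE-2016-2512-regression.patch ("force url to unicode" and "updated to final upstream fix"), inherited from the duplicated entries in the old description; a single entry for that patch under the "[ Fixed upstream ]" marker would be enough.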