yahoo-eng-team team mailing list archive
Message #67010
[Bug 1605278] Re: Merge python-django 1:1.11-1 from Debian unstable
** Changed in: python-django (Ubuntu Artful)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1605278
Title:
Merge python-django 1:1.11-1 from Debian unstable
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in MAAS:
Triaged
Status in django-compat package in Ubuntu:
Fix Released
Status in python-django package in Ubuntu:
Fix Released
Status in python-django source package in Zesty:
Won't Fix
Status in django-compat source package in Artful:
Fix Released
Status in python-django source package in Artful:
Fix Released
Bug description:
Please merge python-django 1:1.11-1 (main) from Debian experimental (main)
python-django (1:1.11-1ubuntu1) artful; urgency=medium

  * Merge from Debian unstable (LP: #1605278). Remaining changes:
    - debian/patches/pymysql-replacement.patch: Use pymysql as drop in
      replacement for MySQLdb.
    - debian/control: Drop python-mysqldb in favor of python-pymysql.
  * Drop:
    - SECURITY UPDATE: malicious redirect and possible XSS attack via
      user-supplied redirect URLs containing basic auth
      + debian/patches/CVE-2016-2512.patch: prevent spoofing in
        django/utils/http.py, added test to tests/utils_tests/test_http.py.
      + CVE-2016-2512
    - SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251)
      + debian/patches/CVE-2016-2512-regression.patch: force url to unicode
        in django/utils/http.py, added test to
        tests/utils_tests/test_http.py.
      + CVE-2016-2512
    - SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251)
      + debian/patches/CVE-2016-2512-regression.patch: updated to final
        upstream fix.
      + CVE-2016-2512
      [ Fixed upstream ]
    - SECURITY UPDATE: user enumeration through timing difference on password
      hasher work factor upgrade
      + debian/patches/CVE-2016-2513.patch: fix timing in
        django/contrib/auth/hashers.py, added note to
        docs/topics/auth/passwords.txt, added tests to
        tests/auth_tests/test_hashers.py.
      + CVE-2016-2513
      [ Fixed upstream ]
    - Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from
      upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.)
      LP #1528710
      [ Fixed upstream ]
    - Backport upstream fix for ipv6-formatted ipv4 addresses (LP #1611923)
      [ Fixed upstream ]
    - SECURITY UPDATE: XSS in admin's add/change related popup
      + debian/patches/CVE-2016-6186.patch: change to text in
        django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js,
        django/views/debug.py, added to tests in tests/admin_views/admin.py,
        tests/admin_views/models.py, tests/admin_views/tests.py.
      + CVE-2016-6186
      [ Fixed upstream ]
    - SECURITY UPDATE: CSRF protection bypass on a site with Google Analytics
      + debian/patches/CVE-2016-7401.patch: simplify cookie parsing in
        django/http/cookie.py, add tests to tests/httpwrappers/tests.py,
        tests/requests/tests.py.
      + CVE-2016-7401
      [ Fixed upstream ]
    - SECURITY UPDATE: user with hardcoded password created when running
      tests on Oracle
      + debian/patches/CVE-2016-9013.patch: remove hardcoded password in
        django/db/backends/oracle/creation.py, added note to
        docs/ref/settings.txt.
      + CVE-2016-9013
      [ Fixed upstream ]
    - SECURITY UPDATE: DNS rebinding vulnerability when DEBUG=True
      + debian/patches/CVE-2016-9014.patch: properly check ALLOWED_HOSTS in
        django/http/request.py, updated docs/ref/settings.txt, added test to
        tests/requests/tests.py.
      + CVE-2016-9014
      [ Fixed upstream ]

 -- Nishanth Aravamudan <nish.aravamudan@xxxxxxxxxxxxx>  Fri, 05 May 2017 09:41:07 -0700
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1605278/+subscriptions