
yahoo-eng-team team mailing list archive

[Bug 1605278] Re: Merge python-django 1:1.11-1 from Debian unstable


** Changed in: python-django (Ubuntu Artful)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1605278

Title:
  Merge python-django 1:1.11-1 from Debian unstable

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in MAAS:
  Triaged
Status in django-compat package in Ubuntu:
  Fix Released
Status in python-django package in Ubuntu:
  Fix Released
Status in python-django source package in Zesty:
  Won't Fix
Status in django-compat source package in Artful:
  Fix Released
Status in python-django source package in Artful:
  Fix Released

Bug description:
  Please merge python-django 1:1.11-1 (main) from Debian experimental
  (main)

  python-django (1:1.11-1ubuntu1) artful; urgency=medium

    * Merge from Debian unstable (LP: #1605278). Remaining changes:
      - debian/patches/pymysql-replacement.patch: Use pymysql as drop in
        replacement for MySQLdb.
      - debian/control: Drop python-mysqldb in favor of python-pymysql.
    * Drop:
      - SECURITY UPDATE: malicious redirect and possible XSS attack via
        user-supplied redirect URLs containing basic auth
        + debian/patches/CVE-2016-2512.patch: prevent spoofing in
          django/utils/http.py, added test to tests/utils_tests/test_http.py.
        + CVE-2016-2512
      - SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251)
        + debian/patches/CVE-2016-2512-regression.patch: force url to unicode
          in django/utils/http.py, added test to
          tests/utils_tests/test_http.py.
        + CVE-2016-2512
      - SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251)
        + debian/patches/CVE-2016-2512-regression.patch: updated to final
          upstream fix.
        + CVE-2016-2512
      [ Fixed upstream ]
      - SECURITY UPDATE: user enumeration through timing difference on password
        hasher work factor upgrade
        + debian/patches/CVE-2016-2513.patch: fix timing in
          django/contrib/auth/hashers.py, added note to
          docs/topics/auth/passwords.txt, added tests to
          tests/auth_tests/test_hashers.py.
        + CVE-2016-2513
      [ Fixed upstream ]
      - Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from
        upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.)
        LP #1528710
      [ Fixed upstream ]
      - Backport upstream fix for ipv6-formatted ipv4 addresses (LP #1611923)
      [ Fixed upstream ]
      - SECURITY UPDATE: XSS in admin's add/change related popup
        + debian/patches/CVE-2016-6186.patch: change to text in
          django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js,
          django/views/debug.py, added to tests in tests/admin_views/admin.py,
          tests/admin_views/models.py, tests/admin_views/tests.py.
        + CVE-2016-6186
      [ Fixed upstream ]
      - SECURITY UPDATE: CSRF protection bypass on a site with Google Analytics
        + debian/patches/CVE-2016-7401.patch: simplify cookie parsing in
          django/http/cookie.py, add tests to tests/httpwrappers/tests.py,
          tests/requests/tests.py.
        + CVE-2016-7401
      [ Fixed upstream ]
      - SECURITY UPDATE: user with hardcoded password created when running
        tests on Oracle
        + debian/patches/CVE-2016-9013.patch: remove hardcoded password in
          django/db/backends/oracle/creation.py, added note to
          docs/ref/settings.txt.
        + CVE-2016-9013
      [ Fixed upstream ]
      - SECURITY UPDATE: DNS rebinding vulnerability when DEBUG=True
        + debian/patches/CVE-2016-9014.patch: properly check ALLOWED_HOSTS in
          django/http/request.py, updated docs/ref/settings.txt, added test to
          tests/requests/tests.py.
        + CVE-2016-9014
      [ Fixed upstream ]

   -- Nishanth Aravamudan <nish.aravamudan@xxxxxxxxxxxxx>  Fri, 05 May 2017 09:41:07 -0700

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1605278/+subscriptions
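The first dropped patch above (CVE-2016-2512) concerns the redirect-target check in django/utils/http.py, which normalised backslashes to slashes before inspecting the URL, so a target like http://mysite.example.com\@attacker.com was judged safe while a browser that reads the part before "@" as basic-auth credentials would land on attacker.com. The block below is an added example written for this page, not Django's own code: it reimplements the check in miniature, keeps the pre-fix behaviour beside the post-fix behaviour (validate the URL both as given and with backslashes replaced), and runs both against constructed inputs. The hostname mysite.example.com and the attacker.com target are illustrative assumptions.

```python
# Added example, not Django's own code: a minimal reproduction of the
# redirect-target check weakened by CVE-2016-2512 and of the upstream
# remedy (check the URL both with and without backslash normalisation).
import unicodedata
from urllib.parse import urlparse


def _is_safe_url(url, host):
    """Core check: relative URLs, or absolute http(s) URLs whose netloc equals host."""
    # Browsers treat three or more leading slashes as an absolute URL,
    # urlparse does not, so refuse them outright.
    if url.startswith("///"):
        return False
    info = urlparse(url)
    # A scheme without a netloc (http:///example.com, javascript:...) is refused.
    if not info.netloc and info.scheme:
        return False
    # Refuse URLs that start with a control character.
    if unicodedata.category(url[0])[0] == "C":
        return False
    return ((not info.netloc or info.netloc == host) and
            (not info.scheme or info.scheme in ("http", "https")))


def is_safe_url_vulnerable(url, host):
    """Pre-fix behaviour: backslashes are rewritten to slashes before the check.

    http://mysite.example.com\\@attacker.com becomes
    http://mysite.example.com/@attacker.com, whose netloc matches host, so the
    original (backslash) URL is judged safe and is what gets sent to the browser.
    """
    if url is not None:
        url = url.strip()
    if not url:
        return False
    return _is_safe_url(url.replace("\\", "/"), host)


def is_safe_url_fixed(url, host):
    """Post-fix behaviour: the URL must pass as given AND with backslashes normalised."""
    if url is not None:
        url = url.strip()
    if not url:
        return False
    return _is_safe_url(url, host) and _is_safe_url(url.replace("\\", "/"), host)


# Constructed test inputs (illustrative hostnames, not taken from the bug report).
HOST = "mysite.example.com"
SAMPLES = [
    "/accounts/profile/",                         # relative: safe
    "http://mysite.example.com/home",             # same host: safe
    "https://attacker.com/",                      # other host: unsafe
    "///attacker.com",                            # protocol-relative trick: unsafe
    "javascript:alert(1)",                        # non-http scheme: unsafe
    "http://mysite.example.com\\@attacker.com",   # basic-auth spoof: the CVE case
]


def compare(url, host=HOST):
    """Return (vulnerable_verdict, fixed_verdict) for one candidate redirect target."""
    return is_safe_url_vulnerable(url, host), is_safe_url_fixed(url, host)


if __name__ == "__main__":
    for sample in SAMPLES:
        before, after = compare(sample)
        print(f"{sample!r:48} pre-fix={before!s:5} post-fix={after}")
```

The only input on which the two verdicts differ is the backslash/basic-auth form; everything else the old check already handled. The same idea carries over to any redirect allow-list: validate the string you will actually emit in the Location header, not a normalised copy of it.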