Accepted python-django 2:3.2.7-2 (source) into experimental



Format: 1.8
Date: Thu, 09 Sep 2021 15:51:11 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.7-2
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 946937 947549 953102 968577 969367 983090 986447 988053 988136 989394 991098
Changes:
 python-django (2:3.2.7-2) experimental; urgency=medium
 .
   * Upload 3.2 branch to unstable.
 .
 python-django (2:3.2.7-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
 .
 python-django (2:3.2.6-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.2/releases/3.2.6/>
   * Bump Standards-Version to 4.5.1.
 .
 python-django (2:3.2.5-2) experimental; urgency=medium
 .
   * Don't symlink /usr/bin/django-admin to "django-admin.py"; ship the script
     generated by the entry_points system instead, otherwise we introduce a
     confusing "django-admin.py" deprecation message when using "django-admin".
     (Closes: #991098)
 .
 python-django (2:3.2.5-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-35042: Potential SQL injection via unsanitized
       QuerySet.order_by() input.
 .
       Unsanitized user input passed to QuerySet.order_by() could bypass
       intended column reference validation in path marked for deprecation
       resulting in a potential SQL injection even if a deprecation warning is
       emitted. As a mitigation, the strict column reference validation was
       restored for the duration of the deprecation period. This regression
       appeared in Django version 3.1 as a side effect of fixing another bug
       (#31426).
 .
     For more information, please see:
     <https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
 .
 python-django (2:3.2.4-1) experimental; urgency=medium
 .
   * New upstream security release. (Closes: #989394)
 .
     - CVE-2021-33203: Potential directory traversal via admindocs
 .
       Staff members could use the admindocs TemplateDetailView view to
       check the existence of arbitrary files. Additionally, if (and only
       if) the default admindocs templates have been customized by the
       developers to also expose the file contents, then not only the
       existence but also the file contents would have been exposed.
 .
       As a mitigation, path sanitation is now applied and only files
       within the template root directories can be loaded.
 .
       This issue has low severity, according to the Django security
       policy.
 .
       Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
       the CodeQL Python team for the report.
 .
     - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
       since validators accepted leading zeros in IPv4 addresses
 .
       URLValidator, validate_ipv4_address(), and
       validate_ipv46_address() didn't prohibit leading zeros in octal
       literals. If you used such values you could suffer from
       indeterminate SSRF, RFI, and LFI attacks.
 .
       validate_ipv4_address() and validate_ipv46_address() validators
       were not affected on Python 3.9.5+.
 .
       This issue has medium severity, according to the Django security
       policy.
 .
   * Bump Standards-Version to 4.5.1.
 .
 python-django (2:3.2.3-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://docs.djangoproject.com/en/3.2/releases/3.2.3/>
 .
 python-django (2:3.2.2-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-32052: Header injection possibility since URLValidator accepted
       newlines in input on Python 3.9.5+. (Closes: #988136)
     - Full release notes:
       <https://www.djangoproject.com/weblog/2021/may/06/security-releases/>
 .
 python-django (2:3.2.1-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-31542: Potential directory-traversal via uploaded files.
       (Closes: #988053)
     - Full release notes:
       <https://www.djangoproject.com/weblog/2021/may/04/security-releases/>
   * Refresh patches.
 .
 python-django (2:3.2-1) experimental; urgency=medium
 .
   * New upstream major release:
 .
     - Full release notes: <https://docs.djangoproject.com/en/3.2/releases/3.2/>
     - CVE-2021-28658: The MultiPartParser class allowed directory-traversal
       via uploaded files via maliciously crafted filenames. (Closes: #986447)
 .
 python-django (2:3.2~rc1-1) experimental; urgency=medium
 .
   * New upstream release candidate.
     <https://www.djangoproject.com/weblog/2021/mar/18/django-32-rc1/#s-id5>
   * Refresh patches.
 .
 python-django (2:3.2~beta1-1) experimental; urgency=medium
 .
   * New upstream beta release.
     <https://www.djangoproject.com/weblog/2021/feb/19/django-32-beta-1-released/>
   * Apply wrap-and-sort -sa.
 .
 python-django (2:3.2~alpha1-2) experimental; urgency=medium
 .
   * Apply security fix from upstream:
 .
     - CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
       cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
       added to backport some security fixes. A further security fix has been
       issued recently such that parse_qsl() no longer allows using ";" as a
       query parameter separator by default. (Closes: #983090)
 .
     <https://www.djangoproject.com/weblog/2021/feb/19/security-releases/>
 .
 python-django (2:3.2~alpha1-1) experimental; urgency=medium
 .
   * New upstream alpha release.
     <https://www.djangoproject.com/weblog/2021/jan/19/django-32-alpha-1-released/>
   * Refresh patches.
   * Drop no-upstream-changelog overrides; removed from Lintian.
 .
 python-django (2:3.1.5-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.1/releases/3.1.5/>
 .
 python-django (2:3.1.4-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.1/releases/3.1.4/>
   * Bump Standards-Version to 4.5.1.
 .
 python-django (2:3.1.3-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/stable/releases/3.1.3/>
 .
 python-django (2:3.1.2-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://www.djangoproject.com/weblog/2020/oct/01/django-bugfix-release-312/>
   * Update Maintainer field with new Debian Python Team contact address.
   * Update Vcs-* fields with new Debian Python Team Salsa layout.
 .
 python-django (2:3.1.1-1) experimental; urgency=medium
 .
   * New upstream security release to address CVE-2020-24583, CVE-2020-24584.
     (Closes: #969367)
     <https://www.djangoproject.com/weblog/2020/sep/01/security-releases/>
 .
 python-django (2:3.1-2) experimental; urgency=medium
 .
   * Set the PYTHONPATH in the autopkgtests in the same way that we do in
     debian/rules. (Closes: #968577)
 .
 python-django (2:3.1-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://docs.djangoproject.com/en/3.1/releases/3.1/>
 .
 python-django (2:3.1~rc1-1) experimental; urgency=medium
 .
   * New upstream release candidate release.
     <https://www.djangoproject.com/weblog/2020/jul/20/django-31-release-candidate-1-released/>
 .
 python-django (2:3.1~beta1-1) experimental; urgency=medium
 .
   * New upstream beta release.
     <https://www.djangoproject.com/weblog/2020/jun/15/django-31-beta-1-released/>
   * Refresh patches.
 .
 python-django (2:3.0.7-2) experimental; urgency=medium
 .
   * Fix a regression in the handling of CVE-2020-13596.
   * Refresh patches.
 .
 python-django (2:3.0.7-1) experimental; urgency=medium
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2020/jun/03/security-releases/>
 .
 python-django (2:3.0.6-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.0/releases/3.0.6/>
 .
 python-django (2:3.0.5-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://docs.djangoproject.com/en/3.0/releases/3.0.5/>
   * Refresh all patches.
 .
 python-django (2:3.0.4-1) experimental; urgency=medium
 .
   * New upstream security release. (Closes: #953102)
     <https://www.djangoproject.com/weblog/2020/mar/04/security-releases/>
   * Bump Standards-Version to 4.5.0.
   * Refresh debian/patches/0004-Use-locally-installed-documentation-sources.patch.
 .
 python-django (2:3.0.2-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://www.djangoproject.com/weblog/2020/jan/02/django-bugfix-release-302/>
   * Add python3-selenium to test-dependencies and to a runtime "Suggests".
     (Closes: #947549)
 .
 python-django (2:3.0.1-1) experimental; urgency=medium
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>
     (Closes: #946937)
 .
 python-django (2:3.0-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://www.djangoproject.com/weblog/2019/dec/02/django-3-released/>
 .
 python-django (2:3.0~rc1-1) experimental; urgency=medium
 .
   * New upstream release candidate release.
     <https://www.djangoproject.com/weblog/2019/nov/18/django-30-release-candidate-1-released/>
 .
 python-django (2:3.0~beta1-1) experimental; urgency=medium
 .
   * New upstream beta release.
     <https://www.djangoproject.com/weblog/2019/oct/14/django-30-beta-1-released/>
   * Bump Standards-Version to 4.4.1.
   * wrap-and-sort -sa.
 .
 python-django (2:3.0~alpha1-1) experimental; urgency=medium
 .
   * New upstream alpha release.
     <https://www.djangoproject.com/weblog/2019/sep/10/django-30-alpha-1-released/>
   * Refresh all patches.
   * Add asgiref to build and runtime dependencies.
   * Update debian/copyright.

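Added example, not part of the upload announcement and not Django's own code: the CVE-2021-33571 entry above calls the attacks "indeterminate" because a dotted quad with leading zeros can be read as decimal by one consumer and as octal by another. The sketch below shows both readings next to a strict check that rejects the ambiguous form; all function names and sample addresses are constructed for illustration.

```python
def strict_ipv4(text):
    """Return the octets of a plain decimal dotted quad, else raise ValueError."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected four dot-separated octets")
    octets = []
    for part in parts:
        if not (part.isascii() and part.isdigit()):
            raise ValueError(f"non-decimal octet: {part!r}")
        if len(part) > 1 and part[0] == "0":
            raise ValueError(f"leading zero in octet: {part!r}")
        if int(part) > 255:
            raise ValueError(f"octet out of range: {part!r}")
        octets.append(int(part))
    return tuple(octets)


def _lenient_octet(part, octal_aware):
    """Parse one octet the way a lenient consumer might; None if it cannot."""
    if not (part.isascii() and part.isdigit()):
        return None
    # C-style inet_aton() parsers treat a leading zero as an octal prefix.
    base = 8 if octal_aware and len(part) > 1 and part[0] == "0" else 10
    try:
        value = int(part, base)
    except ValueError:  # e.g. "09" is not valid octal
        return None
    return value if value <= 255 else None


def readings(text):
    """Return the address as read by a decimal-only and an octal-aware parser."""
    parts = text.split(".")
    result = {}
    for name, octal_aware in (("decimal", False), ("octal", True)):
        octets = [_lenient_octet(p, octal_aware) for p in parts]
        ok = len(parts) == 4 and None not in octets
        result[name] = ".".join(map(str, octets)) if ok else None
    return result


def is_ambiguous(text):
    """True when the two lenient readings disagree about the address."""
    both = readings(text)
    return both["decimal"] != both["octal"]


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("192.168.10.1", "192.168.010.1", "192.168.09.1"):
        print(sample, readings(sample), is_ambiguous(sample))
```

An allowlist or blocklist check applied to one reading while the connection is made with the other is the mismatch a strict validator removes.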