
Accepted python-django 2:3.2.7-3 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 09 Sep 2021 17:49:23 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.7-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 946937 947549 953102 968577 969367 983090 986447 988053 988136 989394 991098
Changes:
 python-django (2:3.2.7-3) unstable; urgency=medium
 .
   * Actually upload 3.2 branch to unstable...
 .
 python-django (2:3.2.7-2) experimental; urgency=medium
 .
   * Upload 3.2 branch to unstable.
 .
 python-django (2:3.2.7-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
 .
 python-django (2:3.2.6-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.2/releases/3.2.6/>
   * Bump Standards-Version to 4.5.1.
 .
 python-django (2:3.2.5-2) experimental; urgency=medium
 .
   * Don't symlink /usr/bin/django-admin to "django-admin.py"; ship the script
     generated by the entry_points system instead, otherwise we introduce a
     confusing "django-admin.py" deprecation message when using "django-admin".
     (Closes: #991098)
 .
 python-django (2:3.2.5-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-35042: Potential SQL injection via unsanitized
       QuerySet.order_by() input.
 .
       Unsanitized user input passed to QuerySet.order_by() could bypass
       intended column reference validation in path marked for deprecation
       resulting in a potential SQL injection even if a deprecation warning is
       emitted. As a mitigation, the strict column reference validation was
       restored for the duration of the deprecation period. This regression
       appeared in Django version 3.1 as a side effect of fixing another bug
       (#31426).
 .
     For more information, please see:
     <https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
 .
 python-django (2:3.2.4-1) experimental; urgency=medium
 .
   * New upstream security release. (Closes: #989394)
 .
     - CVE-2021-33203: Potential directory traversal via admindocs
 .
       Staff members could use the admindocs TemplateDetailView view to
       check the existence of arbitrary files. Additionally, if (and only
       if) the default admindocs templates have been customized by the
       developers to also expose the file contents, then not only the
       existence but also the file contents would have been exposed.
 .
       As a mitigation, path sanitation is now applied and only files
       within the template root directories can be loaded.
 .
       This issue has low severity, according to the Django security
       policy.
 .
       Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
       the CodeQL Python team for the report.
 .
     - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
       since validators accepted leading zeros in IPv4 addresses
 .
       URLValidator, validate_ipv4_address(), and
       validate_ipv46_address() didn't prohibit leading zeros in octal
       literals. If you used such values you could suffer from
       indeterminate SSRF, RFI, and LFI attacks.
 .
       validate_ipv4_address() and validate_ipv46_address() validators
       were not affected on Python 3.9.5+.
 .
       This issue has medium severity, according to the Django security
       policy.
 .
   * Bump Standards-Version to 4.5.1.
 .
 python-django (2:3.2.3-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://docs.djangoproject.com/en/3.2/releases/3.2.3/>
 .
 python-django (2:3.2.2-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-32052: Header injection possibility since URLValidator accepted
       newlines in input on Python 3.9.5+. (Closes: #988136)
     - Full release notes:
       <https://www.djangoproject.com/weblog/2021/may/06/security-releases/>
 .
 python-django (2:3.2.1-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-31542: Potential directory-traversal via uploaded files.
       (Closes: #988053)
     - Full release notes:
       <https://www.djangoproject.com/weblog/2021/may/04/security-releases/>
   * Refresh patches.
 .
 python-django (2:3.2-1) experimental; urgency=medium
 .
   * New upstream major release:
 .
     - Full release notes: <https://docs.djangoproject.com/en/3.2/releases/3.2/>
     - CVE-2021-28658: The MultiPartParser class allowed directory-traversal
       via uploaded files via maliciously crafted filenames. (Closes: #986447)
 .
 python-django (2:3.2~rc1-1) experimental; urgency=medium
 .
   * New upstream release candidate.
     <https://www.djangoproject.com/weblog/2021/mar/18/django-32-rc1/#s-id5>
   * Refresh patches.
 .
 python-django (2:3.2~beta1-1) experimental; urgency=medium
 .
   * New upstream beta release.
     <https://www.djangoproject.com/weblog/2021/feb/19/django-32-beta-1-released/>
   * Apply wrap-and-sort -sa.
 .
 python-django (2:3.2~alpha1-2) experimental; urgency=medium
 .
   * Apply security fix from upstream:
 .
     - CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
       cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
       added to backport some security fixes. A further security fix has been
       issued recently such that parse_qsl() no longer allows using ";" as a
       query parameter separator by default. (Closes: #983090)
 .
     <https://www.djangoproject.com/weblog/2021/feb/19/security-releases/>
 .
 python-django (2:3.2~alpha1-1) experimental; urgency=medium
 .
   * New upstream alpha release.
     <https://www.djangoproject.com/weblog/2021/jan/19/django-32-alpha-1-released/>
   * Refresh patches.
   * Drop no-upstream-changelog overrides; removed from Lintian.
 .
 python-django (2:3.1.5-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.1/releases/3.1.5/>
 .
 python-django (2:3.1.4-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.1/releases/3.1.4/>
   * Bump Standards-Version to 4.5.1.
 .
 python-django (2:3.1.3-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/stable/releases/3.1.3/>
 .
 python-django (2:3.1.2-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://www.djangoproject.com/weblog/2020/oct/01/django-bugfix-release-312/>
   * Update Maintainer field with new Debian Python Team contact address.
   * Update Vcs-* fields with new Debian Python Team Salsa layout.
 .
 python-django (2:3.1.1-1) experimental; urgency=medium
 .
   * New upstream security release to address CVE-2020-24583, CVE-2020-24584.
     (Closes: #969367)
     <https://www.djangoproject.com/weblog/2020/sep/01/security-releases/>
 .
 python-django (2:3.1-2) experimental; urgency=medium
 .
   * Set the PYTHONPATH in the autopkgtests in the same way that we do in
     debian/rules. (Closes: #968577)
 .
 python-django (2:3.1-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://docs.djangoproject.com/en/3.1/releases/3.1/>
 .
 python-django (2:3.1~rc1-1) experimental; urgency=medium
 .
   * New upstream release candidate release.
     <https://www.djangoproject.com/weblog/2020/jul/20/django-31-release-candidate-1-released/>
 .
 python-django (2:3.1~beta1-1) experimental; urgency=medium
 .
   * New upstream beta release.
     <https://www.djangoproject.com/weblog/2020/jun/15/django-31-beta-1-released/>
   * Refresh patches.
 .
 python-django (2:3.0.7-2) experimental; urgency=medium
 .
   * Fix a regression in the handling of CVE-2020-13596.
   * Refresh patches.
 .
 python-django (2:3.0.7-1) experimental; urgency=medium
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2020/jun/03/security-releases/>
 .
 python-django (2:3.0.6-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.0/releases/3.0.6/>
 .
 python-django (2:3.0.5-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://docs.djangoproject.com/en/3.0/releases/3.0.5/>
   * Refresh all patches.
 .
 python-django (2:3.0.4-1) experimental; urgency=medium
 .
   * New upstream security release. (Closes: #953102)
     <https://www.djangoproject.com/weblog/2020/mar/04/security-releases/>
   * Bump Standards-Version to 4.5.0.
   * Refresh debian/patches/0004-Use-locally-installed-documentation-sources.patch.
 .
 python-django (2:3.0.2-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://www.djangoproject.com/weblog/2020/jan/02/django-bugfix-release-302/>
   * Add python3-selenium to test-dependencies and to a runtime "Suggests".
     (Closes: #947549)
 .
 python-django (2:3.0.1-1) experimental; urgency=medium
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>
     (Closes: #946937)
 .
 python-django (2:3.0-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://www.djangoproject.com/weblog/2019/dec/02/django-3-released/>
 .
 python-django (2:3.0~rc1-1) experimental; urgency=medium
 .
   * New upstream release candidate release.
     <https://www.djangoproject.com/weblog/2019/nov/18/django-30-release-candidate-1-released/>
 .
 python-django (2:3.0~beta1-1) experimental; urgency=medium
 .
   * New upstream beta release.
     <https://www.djangoproject.com/weblog/2019/oct/14/django-30-beta-1-released/>
   * Bump Standards-Version to 4.4.1.
   * wrap-and-sort -sa.
 .
 python-django (2:3.0~alpha1-1) experimental; urgency=medium
 .
   * New upstream alpha release.
     <https://www.djangoproject.com/weblog/2019/sep/10/django-30-alpha-1-released/>
   * Refresh all patches.
   * Add asgiref to build and runtime dependencies.
   * Update debian/copyright.
Checksums-Sha1:
 9a26a77fb93cb6f0671533abbdde0f175914034e 2802 python-django_3.2.7-3.dsc
 8388d972bf186caddab8bf34d1712f03d0e13b99 28068 python-django_3.2.7-3.debian.tar.xz
 0e6bcd45c73d50536a560c1f584c0bbc627463fb 7762 python-django_3.2.7-3_amd64.buildinfo
Checksums-Sha256:
 74396bf7ba6617bb491e6e1cc2fbed240275b98146e4b2ea311b98fff4b72516 2802 python-django_3.2.7-3.dsc
 27ce2509a39280089b7bb0acbd982dac49b64cd27af7fe6bf4373b4097ad84ae 28068 python-django_3.2.7-3.debian.tar.xz
 d343bb872d753ec942a68a7697f8444d4ad3c1a88f919ca627c20f269f492155 7762 python-django_3.2.7-3_amd64.buildinfo
Files:
 b1caa4ba2238b4c93ae5ab9d0e029be4 2802 python optional python-django_3.2.7-3.dsc
 99d22304b996b78b59bde7b21af07590 28068 python optional python-django_3.2.7-3.debian.tar.xz
 5b58f9ac31f0776ebb37dc07344a2d9b 7762 python optional python-django_3.2.7-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
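
Added example, not part of the signed announcement above and not Django's own code: why the leading zeros described under CVE-2021-33571 make an address ambiguous, and a strict check that rejects them. All function names and sample addresses are constructed for illustration; octal_reading() is a simplified model of inet_aton-style parsing (no hex, no short forms).

```python
import re

# One canonical decimal octet: "0", or digits with no leading zero.
_CANONICAL_OCTET = re.compile(r"(?:0|[1-9][0-9]{0,2})\Z")


def strict_ipv4(text):
    """Return the four octets, or raise ValueError unless text is canonical
    dotted-decimal (no leading zeros, no trailing junk, each octet 0..255)."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected four dot-separated octets")
    octets = []
    for part in parts:
        if not _CANONICAL_OCTET.match(part) or int(part) > 255:
            raise ValueError(f"non-canonical octet: {part!r}")
        octets.append(int(part))
    return tuple(octets)


def decimal_reading(text):
    """How a lenient validator reads it: zeros are padding, base 10."""
    return tuple(int(part, 10) for part in text.split("."))


def octal_reading(text):
    """How inet_aton-style parsers read it: a leading 0 selects base 8.
    Digits 8 or 9 after a leading 0 raise ValueError."""
    def octet(part):
        if len(part) > 1 and part.startswith("0"):
            return int(part, 8)
        return int(part, 10)
    return tuple(octet(part) for part in text.split("."))


def is_ambiguous(text):
    """True when the two readings name different hosts, i.e. the component
    that validated the address and the one that connects may disagree."""
    return decimal_reading(text) != octal_reading(text)


# Constructed sample inputs.
SAMPLES = ["192.0.2.10", "0177.0.0.1", "010.0.0.1"]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(addr, decimal_reading(addr), octal_reading(addr), is_ambiguous(addr))
```

An allow- or deny-list decision made on one reading does not hold for the other, which is why rejecting the input outright is the safe behaviour.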

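Added example, not part of the announcement and not Django's own code: the parser disagreement behind the "parameter cloaking" issue described under CVE-2021-23336, with a check that reports which parameters two parsers would see differently. The helper names, the last-value-wins lookup and the sample query strings are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus


def legacy_pairs(query):
    """Behaviour before the fix: both "&" and ";" separate fields."""
    pairs = []
    for field in re.split(r"[&;]", query):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def current_pairs(query):
    """Behaviour after the fix: only "&" separates fields."""
    return parse_qsl(query, keep_blank_values=True, separator="&")


def effective(pairs):
    """Assumed lookup semantics: the last value given for a name wins."""
    return dict(pairs)


def parser_differential(query):
    """Names whose effective value differs between the two parsers, i.e.
    what a cache and an application would disagree on if one split on ";"
    and the other did not."""
    old = effective(legacy_pairs(query))
    new = effective(current_pairs(query))
    return sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))


# Constructed sample queries.
CLOAKED = "page=1&utm_content=x;page=2"
PLAIN = "page=1&sort=name"

if __name__ == "__main__":
    for q in (CLOAKED, PLAIN):
        print(q, legacy_pairs(q), current_pairs(q), parser_differential(q))
```

A non-empty result from parser_differential() marks a request worth logging when components in the request path do not share one query-string parser.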
