
Re: Wheezy update of python-django?



Brian May <bam@debian.org> writes:

> In any case I am looking at doing this now, will start off without
> git. If there is any demand I can move things across (including prior
> revisions) to git later.

Attached is my current patch. It only includes changes to
debian/*. Still needs more work. In particular, I think the
CVE-2016-2513.diff patch is needed; didn't apply it yet as one hunk
conflicts, will look into this now.

Need to double check that all the other patches really are not required.
-- 
Brian May <bam@debian.org>
diff -Nru python-django-1.4.5/debian/changelog python-django-1.4.22/debian/changelog
--- python-django-1.4.5/debian/changelog	2016-03-26 00:39:46.000000000 +1100
+++ python-django-1.4.22/debian/changelog	2016-08-01 07:59:10.000000000 +1000
@@ -1,3 +1,10 @@
+python-django (1.4.22-1) UNRELEASED; urgency=medium
+
+  * New upstream release
+  * Update wheezy to latest version in 1.4.x series.
+
+ -- Brian May <bam@debian.org>  Mon, 01 Aug 2016 07:58:39 +1000
+
 python-django (1.4.5-1+deb7u16) wheezy-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
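Review bot: The new changelog entry does not say what happens to the security patches. It lists only "New upstream release" and "Update wheezy to latest version in 1.4.x series", while the same patch drops 24 entries from debian/patches/series and comments out CVE-2016-2513.diff. Suggest naming the patches dropped as included upstream and the CVE fixes still carried locally, so the security history of the package stays readable from the changelog. The entry is also UNRELEASED with urgency=medium and version 1.4.22-1, where the entry directly below is 1.4.5-1+deb7u16 for wheezy-security with urgency=high; the target distribution, the urgency and a wheezy-specific version suffix need settling before upload.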
diff -Nru python-django-1.4.5/debian/patches/CVE-2016-2512.diff python-django-1.4.22/debian/patches/CVE-2016-2512.diff
--- python-django-1.4.5/debian/patches/CVE-2016-2512.diff	2016-03-26 00:39:46.000000000 +1100
+++ python-django-1.4.22/debian/patches/CVE-2016-2512.diff	2016-08-01 08:00:51.000000000 +1000
@@ -14,7 +14,7 @@
 
 --- a/django/utils/http.py
 +++ b/django/utils/http.py
-@@ -237,8 +237,12 @@ def is_safe_url(url, host=None):
+@@ -237,8 +237,12 @@
          url = url.strip()
      if not url:
          return False
@@ -31,7 +31,7 @@
      if url.startswith('///'):
 --- a/django/contrib/auth/tests/views.py
 +++ b/django/contrib/auth/tests/views.py
-@@ -312,7 +312,12 @@ class LoginTest(AuthViewsTestCase):
+@@ -312,7 +312,12 @@
                          'ftp://exampel.com',
                          '///example.com',
                          '//example.com',
@@ -45,7 +45,7 @@
  
              nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
                  'url': login_url,
-@@ -335,6 +340,7 @@ class LoginTest(AuthViewsTestCase):
+@@ -335,6 +340,7 @@
                           'https://testserver/',
                           'HTTPS://testserver/',
                           '//testserver/',
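Review bot: Style point on the three inner hunk headers of CVE-2016-2512.diff: the refresh removed the function and class context ("def is_safe_url(url, host=None):", "class LoginTest(AuthViewsTestCase):") and changed nothing else, so the only effect is a patch that is harder to review. Refreshing with diff's --show-c-function option (for example through QUILT_DIFF_OPTS) would keep that context and avoid this churn; the same applies to the headers in CVE-2016-2512-regression.diff.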
diff -Nru python-django-1.4.5/debian/patches/CVE-2016-2512-regression.diff python-django-1.4.22/debian/patches/CVE-2016-2512-regression.diff
--- python-django-1.4.5/debian/patches/CVE-2016-2512-regression.diff	2016-03-26 00:39:46.000000000 +1100
+++ python-django-1.4.22/debian/patches/CVE-2016-2512-regression.diff	2016-08-01 08:00:52.000000000 +1000
@@ -10,7 +10,7 @@
 
 --- a/django/utils/http.py
 +++ b/django/utils/http.py
-@@ -8,7 +8,7 @@ import unicodedata
+@@ -8,7 +8,7 @@
  from email.utils import formatdate
  
  from django.utils.datastructures import MultiValueDict
@@ -19,7 +19,7 @@
  from django.utils.functional import allow_lazy
  
  ETAG_MATCH = re.compile(r'(?:W/)?"((?:\\.|[^"])*)"')
-@@ -237,6 +237,10 @@ def is_safe_url(url, host=None):
+@@ -237,6 +237,10 @@
          url = url.strip()
      if not url:
          return False
@@ -38,7 +38,7 @@
  import sys
  
  from django.utils import http
-@@ -111,3 +113,12 @@ class TestUtilsHttp(unittest.TestCase):
+@@ -111,3 +113,12 @@
                       '//testserver/',
                       '/url%20with%20spaces/'):
              self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
diff -Nru python-django-1.4.5/debian/patches/series python-django-1.4.22/debian/patches/series
--- python-django-1.4.5/debian/patches/series	2016-03-26 00:39:46.000000000 +1100
+++ python-django-1.4.22/debian/patches/series	2016-08-01 19:39:36.000000000 +1000
@@ -1,32 +1,8 @@
 02_disable-sources-in-sphinxdoc.diff
 03_manpage.diff
 06_use_debian_geoip_database_as_default.diff
-is_safe_url-1.4.diff
 uri-fix.diff
-ssi-tag-1.4.diff
-password-dos.diff
-password-2.5-compat.diff
-reverse-execution-1.4.x.patch
-cache-csrf-1.4.x.patch
-mysql-typecast-1.4.x.diff
-2601.patch
-is_safe_url_1_4.diff
-drop_fix_ie_for_vary_1_4.diff
-FTBFS-exception-in-servers-tests-tear-down.patch
-admin-data-leak-1.4.diff
-file-upload-1.4.diff
-remote-user-1.4.diff
-reverse-1.4.diff
-CVE-2015-0219.diff
-CVE-2015-0219-fix.diff
-CVE-2015-0220.diff
-CVE-2015-0221.diff
-CVE-2015-0221-regression-fix.diff
-CVE-2015-2317.diff
-session-1.4.x.diff
-newlines-1.4.x.diff
-session-store-1.4.x.diff
 date-leak-1.4.x.diff
 CVE-2016-2512.diff
 CVE-2016-2512-regression.diff
-CVE-2016-2513.diff
+# CVE-2016-2513.diff
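Review bot: The last line of this hunk turns CVE-2016-2513.diff into a comment, so a package built from this tree no longer applies a fix that the previous series did apply. The covering mail says the patch is probably still needed and that one hunk conflicts; the entry should be rebased and re-enabled before this goes anywhere near an upload, and a "# TODO" comment stating the reason would make the disabled state harder to miss. Separately, 24 entries are removed here with no per-patch justification (is_safe_url-1.4.diff through session-store-1.4.x.diff, including the CVE-2015-0219, CVE-2015-0220, CVE-2015-0221 and CVE-2015-2317 patches). For each one, confirm the fix is present in the 1.4.22 source, for instance by checking that the old patch reverse-applies cleanly, and note the result in the changelog.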
diff -Nru python-django-1.4.5/debian/patches/uri-fix.diff python-django-1.4.22/debian/patches/uri-fix.diff
--- python-django-1.4.5/debian/patches/uri-fix.diff	2016-03-26 00:39:46.000000000 +1100
+++ python-django-1.4.22/debian/patches/uri-fix.diff	2016-08-01 08:00:47.000000000 +1000
@@ -4,9 +4,9 @@
 Subject: Use name that won't resolve in tests.
 --- a/tests/modeltests/validation/tests.py
 +++ b/tests/modeltests/validation/tests.py
-@@ -86,7 +86,7 @@
-         self.assertEqual(None, mtv.full_clean()) # This will fail if there's no Internet connection
+@@ -87,7 +87,7 @@
  
+     @verify_exists_urls(existing_urls=())
      def test_correct_https_url_but_nonexisting(self):
 -        mtv = ModelToValidate(number=10, name='Some Name', url_verify='https://www.example.com/')
 +        mtv = ModelToValidate(number=10, name='Some Name', url_verify='https://www.example.invalid/')
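Review bot: The refreshed context of this hunk now shows "@verify_exists_urls(existing_urls=())" on test_correct_https_url_but_nonexisting, and the line about failing without an Internet connection is gone from the context. If that decorator stubs out URL verification, the test no longer resolves the host and the switch from www.example.com to www.example.invalid may be redundant. Worth checking whether uri-fix.diff is still needed against 1.4.22 or can be dropped from the series along with the others.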
