-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 09 Sep 2021 15:51:11 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.7-2
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 946937 947549 953102 968577 969367 983090 986447 988053 988136 989394 991098
Changes:
 python-django (2:3.2.7-2) experimental; urgency=medium
 .
   * Upload 3.2 branch to unstable.
 .
 python-django (2:3.2.7-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
 .
 python-django (2:3.2.6-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.2/releases/3.2.6/>
   * Bump Standards-Version to 4.5.1.
 .
 python-django (2:3.2.5-2) experimental; urgency=medium
 .
   * Don't symlink /usr/bin/django-admin to "django-admin.py"; ship the script
     generated by the entry_points system instead, otherwise we introduce a
     confusing "django-admin.py" deprecation message when using "django-admin".
     (Closes: #991098)
 .
 python-django (2:3.2.5-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-35042: Potential SQL injection via unsanitized
       QuerySet.order_by() input.
 .
       Unsanitized user input passed to QuerySet.order_by() could bypass
       intended column reference validation in path marked for deprecation
       resulting in a potential SQL injection even if a deprecation warning is
       emitted. As a mitigation, the strict column reference validation was
       restored for the duration of the deprecation period. This regression
       appeared in Django version 3.1 as a side effect of fixing another bug
       (#31426).
 .
       For more information, please see:
       <https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
 .
 python-django (2:3.2.4-1) experimental; urgency=medium
 .
   * New upstream security release. (Closes: #989394)
 .
     - CVE-2021-33203: Potential directory traversal via admindocs
 .
       Staff members could use the admindocs TemplateDetailView view to check
       the existence of arbitrary files. Additionally, if (and only if) the
       default admindocs templates have been customized by the developers to
       also expose the file contents, then not only the existence but also the
       file contents would have been exposed.
 .
       As a mitigation, path sanitation is now applied and only files within
       the template root directories can be loaded.
 .
       This issue has low severity, according to the Django security policy.
 .
       Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from the
       CodeQL Python team for the report.
 .
     - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since
       validators accepted leading zeros in IPv4 addresses
 .
       URLValidator, validate_ipv4_address(), and validate_ipv46_address()
       didn't prohibit leading zeros in octal literals. If you used such values
       you could suffer from indeterminate SSRF, RFI, and LFI attacks.
 .
       validate_ipv4_address() and validate_ipv46_address() validators were not
       affected on Python 3.9.5+.
 .
       This issue has medium severity, according to the Django security policy.
 .
   * Bump Standards-Version to 4.5.1.
 .
 python-django (2:3.2.3-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://docs.djangoproject.com/en/3.2/releases/3.2.3/>
 .
 python-django (2:3.2.2-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-32052: Header injection possibility since URLValidator
       accepted newlines in input on Python 3.9.5+. (Closes: #988136)
     - Full release notes:
       <https://www.djangoproject.com/weblog/2021/may/06/security-releases/>
 .
 python-django (2:3.2.1-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-31542: Potential directory-traversal via uploaded files.
       (Closes: #988053)
     - Full release notes:
       <https://www.djangoproject.com/weblog/2021/may/04/security-releases/>
   * Refresh patches.
 .
 python-django (2:3.2-1) experimental; urgency=medium
 .
   * New upstream major release:
 .
     - Full release notes:
       <https://docs.djangoproject.com/en/3.2/releases/3.2/>
     - CVE-2021-28658: The MultiPartParser class allowed directory-traversal
       via uploaded files via maliciously crafted filenames. (Closes: #986447)
 .
 python-django (2:3.2~rc1-1) experimental; urgency=medium
 .
   * New upstream release candidate.
     <https://www.djangoproject.com/weblog/2021/mar/18/django-32-rc1/#s-id5>
   * Refresh patches.
 .
 python-django (2:3.2~beta1-1) experimental; urgency=medium
 .
   * New upstream beta release.
     <https://www.djangoproject.com/weblog/2021/feb/19/django-32-beta-1-released/>
   * Apply wrap-and-sort -sa.
 .
 python-django (2:3.2~alpha1-2) experimental; urgency=medium
 .
   * Apply security fix from upstream:
 .
     - CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
       cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
       added to backport some security fixes. A further security fix has been
       issued recently such that parse_qsl() no longer allows using ";" as a
       query parameter separator by default. (Closes: #983090)
 .
       <https://www.djangoproject.com/weblog/2021/feb/19/security-releases/>
 .
 python-django (2:3.2~alpha1-1) experimental; urgency=medium
 .
   * New upstream alpha release.
     <https://www.djangoproject.com/weblog/2021/jan/19/django-32-alpha-1-released/>
   * Refresh patches.
   * Drop no-upstream-changelog overrides; removed from Lintian.
 .
 python-django (2:3.1.5-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.1/releases/3.1.5/>
 .
 python-django (2:3.1.4-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.1/releases/3.1.4/>
   * Bump Standards-Version to 4.5.1.
 .
 python-django (2:3.1.3-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/stable/releases/3.1.3/>
 .
 python-django (2:3.1.2-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://www.djangoproject.com/weblog/2020/oct/01/django-bugfix-release-312/>
   * Update Maintainer field with new Debian Python Team contact address.
   * Update Vcs-* fields with new Debian Python Team Salsa layout.
 .
 python-django (2:3.1.1-1) experimental; urgency=medium
 .
   * New upstream security release to address CVE-2020-24583, CVE-2020-24584.
     (Closes: #969367)
     <https://www.djangoproject.com/weblog/2020/sep/01/security-releases/>
 .
 python-django (2:3.1-2) experimental; urgency=medium
 .
   * Set the PYTHONPATH in the autopkgtests in the same way that we do in
     debian/rules. (Closes: #968577)
 .
 python-django (2:3.1-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://docs.djangoproject.com/en/3.1/releases/3.1/>
 .
 python-django (2:3.1~rc1-1) experimental; urgency=medium
 .
   * New upstream release candidate release.
     <https://www.djangoproject.com/weblog/2020/jul/20/django-31-release-candidate-1-released/>
 .
 python-django (2:3.1~beta1-1) experimental; urgency=medium
 .
   * New upstream beta release.
     <https://www.djangoproject.com/weblog/2020/jun/15/django-31-beta-1-released/>
   * Refresh patches.
 .
 python-django (2:3.0.7-2) experimental; urgency=medium
 .
   * Fix a regression in the handling of CVE-2020-13596.
   * Refresh patches.
 .
 python-django (2:3.0.7-1) experimental; urgency=medium
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2020/jun/03/security-releases/>
 .
 python-django (2:3.0.6-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.0/releases/3.0.6/>
 .
 python-django (2:3.0.5-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://docs.djangoproject.com/en/3.0/releases/3.0.5/>
   * Refresh all patches.
 .
 python-django (2:3.0.4-1) experimental; urgency=medium
 .
   * New upstream security release. (Closes: #953102)
     <https://www.djangoproject.com/weblog/2020/mar/04/security-releases/>
   * Bump Standards-Version to 4.5.0.
   * Refresh debian/patches/0004-Use-locally-installed-documentation-sources.patch.
 .
 python-django (2:3.0.2-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://www.djangoproject.com/weblog/2020/jan/02/django-bugfix-release-302/>
   * Add python3-selenium to test-dependencies and to a runtime "Suggests".
     (Closes: #947549)
 .
 python-django (2:3.0.1-1) experimental; urgency=medium
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>
     (Closes: #946937)
 .
 python-django (2:3.0-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://www.djangoproject.com/weblog/2019/dec/02/django-3-released/>
 .
 python-django (2:3.0~rc1-1) experimental; urgency=medium
 .
   * New upstream release candidate release.
     <https://www.djangoproject.com/weblog/2019/nov/18/django-30-release-candidate-1-released/>
 .
 python-django (2:3.0~beta1-1) experimental; urgency=medium
 .
   * New upstream beta release.
     <https://www.djangoproject.com/weblog/2019/oct/14/django-30-beta-1-released/>
   * Bump Standards-Version to 4.4.1.
   * wrap-and-sort -sa.
 .
 python-django (2:3.0~alpha1-1) experimental; urgency=medium
 .
   * New upstream alpha release.
     <https://www.djangoproject.com/weblog/2019/sep/10/django-30-alpha-1-released/>
   * Refresh all patches.
   * Add asgiref to build and runtime dependencies.
   * Update debian/copyright.
Files:
 8418b1b080a3cde8f96395cbdfc99d6b 2802 python optional python-django_3.2.7-2.dsc
 3007c061a36db85bdf918f2e3b8d1ed3 28044 python optional python-django_3.2.7-2.debian.tar.xz
 4482bb767f09b1f270a152a18dc97967 7762 python optional python-django_3.2.7-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----