-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 09 Sep 2021 17:49:23 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.7-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 946937 947549 953102 968577 969367 983090 986447 988053 988136 989394 991098
Changes:
 python-django (2:3.2.7-3) unstable; urgency=medium
 .
   * Actually upload 3.2 branch to unstable...
 .
 python-django (2:3.2.7-2) experimental; urgency=medium
 .
   * Upload 3.2 branch to unstable.
 .
 python-django (2:3.2.7-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
 .
 python-django (2:3.2.6-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.2/releases/3.2.6/>
   * Bump Standards-Version to 4.5.1.
 .
 python-django (2:3.2.5-2) experimental; urgency=medium
 .
   * Don't symlink /usr/bin/django-admin to "django-admin.py"; ship the script
     generated by the entry_points system instead, otherwise we introduce a
     confusing "django-admin.py" deprecation message when using "django-admin".
     (Closes: #991098)
 .
 python-django (2:3.2.5-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-35042: Potential SQL injection via unsanitized
       QuerySet.order_by() input.
 .
       Unsanitized user input passed to QuerySet.order_by() could bypass
       intended column reference validation in path marked for deprecation
       resulting in a potential SQL injection even if a deprecation warning is
       emitted. As a mitigation, the strict column reference validation was
       restored for the duration of the deprecation period. This regression
       appeared in Django version 3.1 as a side effect of fixing another bug
       (#31426).
 .
     For more information, please see:
 .
       <https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
 .
 python-django (2:3.2.4-1) experimental; urgency=medium
 .
   * New upstream security release. (Closes: #989394)
 .
     - CVE-2021-33203: Potential directory traversal via admindocs
 .
       Staff members could use the admindocs TemplateDetailView view to check
       the existence of arbitrary files. Additionally, if (and only if) the
       default admindocs templates have been customized by the developers to
       also expose the file contents, then not only the existence but also the
       file contents would have been exposed.
 .
       As a mitigation, path sanitation is now applied and only files within
       the template root directories can be loaded.
 .
       This issue has low severity, according to the Django security policy.
 .
       Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from the
       CodeQL Python team for the report.
 .
     - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since
       validators accepted leading zeros in IPv4 addresses
 .
       URLValidator, validate_ipv4_address(), and validate_ipv46_address()
       didn't prohibit leading zeros in octal literals. If you used such values
       you could suffer from indeterminate SSRF, RFI, and LFI attacks.
 .
       validate_ipv4_address() and validate_ipv46_address() validators were not
       affected on Python 3.9.5+.
 .
       This issue has medium severity, according to the Django security policy.
 .
   * Bump Standards-Version to 4.5.1.
 .
 python-django (2:3.2.3-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://docs.djangoproject.com/en/3.2/releases/3.2.3/>
 .
 python-django (2:3.2.2-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-32052: Header injection possibility since URLValidator accepted
       newlines in input on Python 3.9.5+. (Closes: #988136)
     - Full release notes:
       <https://www.djangoproject.com/weblog/2021/may/06/security-releases/>
 .
 python-django (2:3.2.1-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-31542: Potential directory-traversal via uploaded files.
       (Closes: #988053)
     - Full release notes:
       <https://www.djangoproject.com/weblog/2021/may/04/security-releases/>
   * Refresh patches.
 .
 python-django (2:3.2-1) experimental; urgency=medium
 .
   * New upstream major release:
 .
     - Full release notes:
       <https://docs.djangoproject.com/en/3.2/releases/3.2/>
     - CVE-2021-28658: The MultiPartParser class allowed directory-traversal
       via uploaded files via maliciously crafted filenames. (Closes: #986447)
 .
 python-django (2:3.2~rc1-1) experimental; urgency=medium
 .
   * New upstream release candidate.
     <https://www.djangoproject.com/weblog/2021/mar/18/django-32-rc1/#s-id5>
   * Refresh patches.
 .
 python-django (2:3.2~beta1-1) experimental; urgency=medium
 .
   * New upstream beta release.
     <https://www.djangoproject.com/weblog/2021/feb/19/django-32-beta-1-released/>
   * Apply wrap-and-sort -sa.
 .
 python-django (2:3.2~alpha1-2) experimental; urgency=medium
 .
   * Apply security fix from upstream:
 .
     - CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
       cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
       added to backport some security fixes. A further security fix has been
       issued recently such that parse_qsl() no longer allows using ";" as a
       query parameter separator by default. (Closes: #983090)
 .
     <https://www.djangoproject.com/weblog/2021/feb/19/security-releases/>
 .
 python-django (2:3.2~alpha1-1) experimental; urgency=medium
 .
   * New upstream alpha release.
     <https://www.djangoproject.com/weblog/2021/jan/19/django-32-alpha-1-released/>
   * Refresh patches.
   * Drop no-upstream-changelog overrides; removed from Lintian.
 .
 python-django (2:3.1.5-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.1/releases/3.1.5/>
 .
 python-django (2:3.1.4-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.1/releases/3.1.4/>
   * Bump Standards-Version to 4.5.1.
 .
 python-django (2:3.1.3-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/stable/releases/3.1.3/>
 .
 python-django (2:3.1.2-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://www.djangoproject.com/weblog/2020/oct/01/django-bugfix-release-312/>
   * Update Maintainer field with new Debian Python Team contact address.
   * Update Vcs-* fields with new Debian Python Team Salsa layout.
 .
 python-django (2:3.1.1-1) experimental; urgency=medium
 .
   * New upstream security release to address CVE-2020-24583, CVE-2020-24584.
     (Closes: #969367)
     <https://www.djangoproject.com/weblog/2020/sep/01/security-releases/>
 .
 python-django (2:3.1-2) experimental; urgency=medium
 .
   * Set the PYTHONPATH in the autopkgtests in the same way that we do in
     debian/rules. (Closes: #968577)
 .
 python-django (2:3.1-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://docs.djangoproject.com/en/3.1/releases/3.1/>
 .
 python-django (2:3.1~rc1-1) experimental; urgency=medium
 .
   * New upstream release candidate release.
     <https://www.djangoproject.com/weblog/2020/jul/20/django-31-release-candidate-1-released/>
 .
 python-django (2:3.1~beta1-1) experimental; urgency=medium
 .
   * New upstream beta release.
     <https://www.djangoproject.com/weblog/2020/jun/15/django-31-beta-1-released/>
   * Refresh patches.
 .
 python-django (2:3.0.7-2) experimental; urgency=medium
 .
   * Fix a regression in the handling of CVE-2020-13596.
   * Refresh patches.
 .
 python-django (2:3.0.7-1) experimental; urgency=medium
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2020/jun/03/security-releases/>
 .
 python-django (2:3.0.6-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/3.0/releases/3.0.6/>
 .
 python-django (2:3.0.5-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://docs.djangoproject.com/en/3.0/releases/3.0.5/>
   * Refresh all patches.
 .
 python-django (2:3.0.4-1) experimental; urgency=medium
 .
   * New upstream security release. (Closes: #953102)
     <https://www.djangoproject.com/weblog/2020/mar/04/security-releases/>
   * Bump Standards-Version to 4.5.0.
   * Refresh debian/patches/0004-Use-locally-installed-documentation-sources.patch.
 .
 python-django (2:3.0.2-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     <https://www.djangoproject.com/weblog/2020/jan/02/django-bugfix-release-302/>
   * Add python3-selenium to test-dependencies and to a runtime "Suggests".
     (Closes: #947549)
 .
 python-django (2:3.0.1-1) experimental; urgency=medium
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>
     (Closes: #946937)
 .
 python-django (2:3.0-1) experimental; urgency=medium
 .
   * New upstream release.
     <https://www.djangoproject.com/weblog/2019/dec/02/django-3-released/>
 .
 python-django (2:3.0~rc1-1) experimental; urgency=medium
 .
   * New upstream release candidate release.
     <https://www.djangoproject.com/weblog/2019/nov/18/django-30-release-candidate-1-released/>
 .
 python-django (2:3.0~beta1-1) experimental; urgency=medium
 .
   * New upstream beta release.
     <https://www.djangoproject.com/weblog/2019/oct/14/django-30-beta-1-released/>
   * Bump Standards-Version to 4.4.1.
   * wrap-and-sort -sa.
 .
 python-django (2:3.0~alpha1-1) experimental; urgency=medium
 .
   * New upstream alpha release.
     <https://www.djangoproject.com/weblog/2019/sep/10/django-30-alpha-1-released/>
   * Refresh all patches.
   * Add asgiref to build and runtime dependencies.
   * Update debian/copyright.
Checksums-Sha1:
 9a26a77fb93cb6f0671533abbdde0f175914034e 2802 python-django_3.2.7-3.dsc
 8388d972bf186caddab8bf34d1712f03d0e13b99 28068 python-django_3.2.7-3.debian.tar.xz
 0e6bcd45c73d50536a560c1f584c0bbc627463fb 7762 python-django_3.2.7-3_amd64.buildinfo
Checksums-Sha256:
 74396bf7ba6617bb491e6e1cc2fbed240275b98146e4b2ea311b98fff4b72516 2802 python-django_3.2.7-3.dsc
 27ce2509a39280089b7bb0acbd982dac49b64cd27af7fe6bf4373b4097ad84ae 28068 python-django_3.2.7-3.debian.tar.xz
 d343bb872d753ec942a68a7697f8444d4ad3c1a88f919ca627c20f269f492155 7762 python-django_3.2.7-3_amd64.buildinfo
Files:
 b1caa4ba2238b4c93ae5ab9d0e029be4 2802 python optional python-django_3.2.7-3.dsc
 99d22304b996b78b59bde7b21af07590 28068 python optional python-django_3.2.7-3.debian.tar.xz
 5b58f9ac31f0776ebb37dc07344a2d9b 7762 python optional python-django_3.2.7-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmE6Rm8ACgkQHpU+J9Qx
Hljtjg//RJmFdcxqeAuGj7dK55RBLbbeu5r68gO1CABZjuYkZQk7kSwk82mRxcgN
tN0AIfjCtSZ5QARktKZ8uWPepKE21AMKRbu4CFRPHHNnhYRp3j2ygePnNZgMz3fZ
0k41XNaCutPB1YnopNGkjDR3irEA1rxujzScDc3N3bhMeFXgmFIs0FZerO1K4rQg
TF+w3dvoaXe1tZaROq6BATSFQIPL2WZg+WfLT8uHHrTh3hdOKsHKAG/UJbpNsPVs
B5pk3fagGQdyWVvg0a9f6l+XfC4apfqozA7OcU+EAqNZ0JgiDPBtWo6P3p4T5ELo
zOg6j+AuzUo97xYw5fOS8jCSv5qKX10SU902jLA3vBpbAc4fGDitCUBvS8hCC7wQ
/d0kHTKieVs3gUONUPu5vjAJbAAhi7l48vkU8iWbVX6YVB8JnZ5be3fY78sCFLMz
FJKoqa5sgebHoUXpm754+sTlsH3qk4WP6Z9kFMY36QgCfy1hmLBN3hjio+eZc8Wa
ugcQ90ZPPWLa7CyDm3+bLwuQQmZjtl0hGnqCJopSf0wgiLpsJDVMKzAF28EBypsc
oA2MvJ+ewmLAhCcsZW6diq/lJO98GbtVQsxAVeR5hxzZGUqH72swrN0yncKGNsO9
MHNcagBCiQ5eJWxjZaL1U+qBFoevVOxcTqadiceLV+nv5jO+ttc=
=YeXV
-----END PGP SIGNATURE-----
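The CVE-2021-33571 entry in the 2:3.2.4-1 changelog above describes validators that accepted leading zeros in IPv4 octets, which matters because a string such as "0177.0.0.1" is read as 177.0.0.1 by a decimal parser and as 127.0.0.1 by an inet_aton-style parser that treats a 0-prefixed octet as octal. The following added example (written for this page; not Django's validator code and not part of the Debian package) shows a strict dotted-decimal check that rejects such input, plus a helper that makes the two conflicting readings visible. The sample addresses are constructed for the demonstration; the function names are this example's own.

```python
import re

# Constructed sample inputs (not taken from the changelog): canonical
# dotted-decimal addresses alongside forms that carry leading zeros,
# an out-of-range octet, and a trailing newline.
SAMPLE_ADDRESSES = [
    "192.168.1.10",
    "0.0.0.0",
    "010.1.1.1",
    "0177.0.0.1",
    "08.1.1.1",
    "256.1.1.1",
    "1.1.1.1\n",
]

# One octet: 0-255 in decimal with no leading zero ("0" itself is allowed).
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
_STRICT_IPV4 = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")


def is_strict_ipv4(value: str) -> bool:
    """True only for canonical dotted-decimal IPv4: four octets, each 0-255,
    no leading zeros.  fullmatch() is used instead of match() with '$' so a
    trailing newline cannot slip past the check."""
    return _STRICT_IPV4.fullmatch(value) is not None


def alternative_readings(value: str) -> dict:
    """Show how two common parser families would read the same string.

    'decimal' is the reading of a parser that ignores leading zeros; 'octal'
    is the reading of an inet_aton-style parser that treats a 0-prefixed
    octet as octal.  Either is None when that parser would reject the input.
    The readings differ exactly when the address is ambiguous, which is the
    indeterminacy the CVE-2021-33571 entry refers to."""
    parts = value.split(".")
    if len(parts) != 4 or not all(re.fullmatch(r"[0-9]+", p) for p in parts):
        return {"decimal": None, "octal": None, "ambiguous": False}

    decimal_octets = [int(p, 10) for p in parts]
    decimal = (
        ".".join(map(str, decimal_octets))
        if all(o <= 255 for o in decimal_octets)
        else None
    )

    try:
        octal_octets = [
            int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10) for p in parts
        ]
    except ValueError:  # e.g. "08": not a valid octal literal, parser rejects it
        octal_octets = None
    octal = (
        ".".join(map(str, octal_octets))
        if octal_octets is not None and all(o <= 255 for o in octal_octets)
        else None
    )

    ambiguous = decimal is not None and octal is not None and decimal != octal
    return {"decimal": decimal, "octal": octal, "ambiguous": ambiguous}


def validate(value: str) -> str:
    """Return 'accepted' for canonical input, otherwise a short reason."""
    if is_strict_ipv4(value):
        return "accepted"
    readings = alternative_readings(value)
    if readings["ambiguous"]:
        return f"rejected: ambiguous ({readings['decimal']} vs {readings['octal']})"
    return "rejected: not canonical dotted-decimal"


if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print(f"{addr!r:16} -> {validate(addr)}")
```

The strict check is the mitigation; alternative_readings() only exists to show why the check is needed. Rejecting rather than normalising is the safer choice, because the validator cannot know which parser the address will eventually reach (the DNS resolver, an HTTP client library, or the operating system's socket layer), and each of those may pick a different reading.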