[Python-modules-commits] [python-django] 01/01: Merge remote-tracking branch 'origin/debian/wheezy-lfaraone' into debian/wheezy
Raphaël Hertzog
hertzog at moszumanska.debian.org
Wed Jan 28 20:58:49 UTC 2015
This is an automated email from the git hooks/post-receive script.
hertzog pushed a commit to branch debian/wheezy
in repository python-django.
commit 3f5c481b72dac398ca22b6d44a0479f199f961c4
Merge: d87b702 b89ad8c
Author: Raphaël Hertzog <hertzog at debian.org>
Date: Wed Jan 28 21:48:59 2015 +0100
Merge remote-tracking branch 'origin/debian/wheezy-lfaraone' into debian/wheezy
Integrate the 1.4.5-1+deb7u8 upload of Luke Faraone that somehow got lost
in this branch.
Conflicts:
debian/changelog
debian/patches/series
debian/changelog | 13 +-
.../patches/02_disable-sources-in-sphinxdoc.diff | 2 +-
.../06_use_debian_geoip_database_as_default.diff | 8 +-
debian/patches/admin-data-leak-1.4.diff | 115 ++++++++++
debian/patches/cache-csrf-1.4.x.patch | 14 +-
debian/patches/drop_fix_ie_for_vary_1_4.diff | 12 +-
debian/patches/file-upload-1.4.diff | 247 +++++++++++++++++++++
debian/patches/is_safe_url-1.4.diff | 14 +-
debian/patches/is_safe_url_1_4.diff | 18 +-
debian/patches/mysql-typecast-1.4.x.diff | 30 +--
debian/patches/remote-user-1.4.diff | 88 ++++++++
debian/patches/reverse-1.4.diff | 41 ++++
debian/patches/reverse-execution-1.4.x.patch | 29 +--
debian/patches/series | 5 +-
debian/patches/ssi-tag-1.4.diff | 8 +-
15 files changed, 551 insertions(+), 93 deletions(-)
diff --cc debian/changelog
index 2c59f9d,38a8623..ab3f283
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,16 -1,13 +1,27 @@@
- python-django (1.4.5-1+deb7u8) stable-security; urgency=medium
++python-django (1.4.5-1+deb7u9) wheezy-security; urgency=high
+
+ * New upstream security release:
+ https://www.djangoproject.com/weblog/2015/jan/13/security/
+ - WSGI header spoofing via underscore/dash conflation (CVE-2015-0219)
+ - Possible XSS attack via user-supplied redirect URLs (CVE-2015-0220)
+ - Denial-of-service attack against django.views.static.serve
+ (CVE-2015-0221)
++ Closes: #775375
+ * Also include a fix for a regression introduced by the patch for
+ CVE-2015-0221: https://code.djangoproject.com/ticket/24158
+
+ -- Raphaël Hertzog <hertzog at debian.org> Wed, 28 Jan 2015 10:24:59 +0100
+
+ python-django (1.4.5-1+deb7u8) wheezy-security; urgency=high
+
+ * New upstream security release.
- - reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
- - file upload denial of service (CVE-2014-0481)
- - RemoteUserMiddleware session hijacking (CVE-2014-0482)
++ - reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
++ - file upload denial of service (CVE-2014-0481)
++ - RemoteUserMiddleware session hijacking (CVE-2014-0482)
+ - data leakage via querystring manipulation in admin (CVE-2014-0483)
+
+ -- Luke Faraone <lfaraone at debian.org> Wed, 20 Aug 2014 01:46:17 -0700
+
python-django (1.4.5-1+deb7u7) stable-security; urgency=high
* New upstream security release.
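Review bot: The top changelog entry is changed by the merge resolution itself. The `-` header `python-django (1.4.5-1+deb7u8) stable-security; urgency=medium` becomes the `++` header `python-django (1.4.5-1+deb7u9) wheezy-security; urgency=high`, and `++ Closes: #775375` is added. None of this is in either parent, and the commit message only says the lost deb7u8 upload is being integrated. Suggest stating the renumbering to deb7u9, the distribution and urgency change, and the new Closes line in the commit message, or moving them to a follow-up commit, so the change to the version that gets uploaded can be reviewed on its own. The three CVE-2014-0480/0481/0482 bullets are also rewritten as `++` lines with no visible text difference; if that is only an indentation fix, the CVE-2014-0483 bullet should get the same treatment so the entry stays consistent.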
diff --cc debian/patches/series
index 4d06f97,82f7f8a..48bd7ea
--- a/debian/patches/series
+++ b/debian/patches/series
@@@ -13,9 -13,7 +13,12 @@@ mysql-typecast-1.4.x.dif
is_safe_url_1_4.diff
drop_fix_ie_for_vary_1_4.diff
FTBFS-exception-in-servers-tests-tear-down.patch
+ admin-data-leak-1.4.diff
+ file-upload-1.4.diff
+ remote-user-1.4.diff
+ reverse-1.4.diff
+CVE-2015-0219.diff
+CVE-2015-0219-fix.diff
+CVE-2015-0220.diff
+CVE-2015-0221.diff
+CVE-2015-0221-regression-fix.diff
-
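Review bot: The four 2014 patches (admin-data-leak, file-upload, remote-user, reverse) now sit ahead of the five CVE-2015-* patches in the series. The diffstat for this merge lists no CVE-2015-*.diff file as touched, so those patches appear unchanged by the merge even though they now apply on top of a different base. Confirm the whole series still applies in order without fuzz or rejects (for example with quilt push -a) before upload, and refresh any patch that needs it. Separately, `CVE-2015-0219-fix.diff` is listed here, but the deb7u9 changelog entry only documents a follow-up fix for CVE-2015-0221; a changelog line for the CVE-2015-0219 follow-up would close that gap.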
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-django.git