[Python-modules-commits] [python-django] 01/10: Merge branch 'debian/jessie' into debian/jessie-updates

Raphaël Hertzog hertzog at moszumanska.debian.org
Mon Jul 25 07:57:02 UTC 2016


This is an automated email from the git hooks/post-receive script.

hertzog pushed a commit to branch debian/jessie-updates
in repository python-django.

commit a6c7a9499cf0967587dec5bb99db7225beaa38fa
Merge: fbf92fb 4eee5af
Author: Raphaël Hertzog <hertzog at debian.org>
Date:   Mon Jul 25 09:13:25 2016 +0200

    Merge branch 'debian/jessie' into debian/jessie-updates

 debian/.git-dpm                                    |   2 +-
 debian/changelog                                   |  21 ++
 debian/control                                     |   1 +
 .../patches/02_disable-sources-in-sphinxdoc.diff   |   4 +-
 debian/patches/03_manpage.diff                     |   9 +-
 .../06_use_debian_geoip_database_as_default.diff   |  16 +-
 debian/patches/CVE-2016-2512-regression.diff       |  50 +++
 debian/patches/CVE-2016-2512.diff                  |  61 ++++
 debian/patches/CVE-2016-2513.diff                  | 387 +++++++++++++++++++++
 debian/patches/CVE-2016-6186.diff                  |  65 ++++
 debian/patches/series                              |   4 +
 django/contrib/auth/hashers.py                     |  77 ++--
 django/contrib/auth/tests/test_hashers.py          |  60 ++++
 django/utils/http.py                               |  13 +-
 django/views/debug.py                              |   4 +-
 docs/topics/auth/passwords.txt                     | 113 ++++++
 tests/admin_views/admin.py                         |   3 +-
 tests/admin_views/models.py                        |   4 +
 tests/utils_tests/test_http.py                     |  25 ++
 19 files changed, 875 insertions(+), 44 deletions(-)

diff --cc debian/.git-dpm
index 31bbdae,d035d29..27d87b4
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@@ -1,11 -1,11 +1,11 @@@
  # see git-dpm(1) from git-dpm package
 -NONE
 -eda2ca849c2c951862ec28a3b04deed0325ee598
 -7a41006b464c23d415485ebd4284c1957e5e47e2
 -7a41006b464c23d415485ebd4284c1957e5e47e2
 -python-django_1.7.7.orig.tar.gz
 -614cc9f8e1af6630c54300f6bdd88e7b783614c3
 -7603286
 +e4cd95fc1d5322f9bff209890b71f57ee9d36e62
- e4cd95fc1d5322f9bff209890b71f57ee9d36e62
++a471ae74d0b79b8896dc5411f40840ffa1737dc6
 +2d07f4b16101fcc8973128c4e4920b41f87175ee
 +2d07f4b16101fcc8973128c4e4920b41f87175ee
 +python-django_1.7.11.orig.tar.gz
 +f9abaf7eacec73bc1c5e6080e2778a7174ebf9d4
 +7586798
  debianTag="debian/%e%v"
  patchedTag="patched/%e%v"
  upstreamTag="upstream/%e%u"
diff --cc debian/changelog
index db546b1,2335048..c3ddbbe
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,14 -1,24 +1,35 @@@
 +python-django (1.7.11-1) jessie; urgency=medium
 +
 +  * New upstream release incorporating former security updates and
 +    multiple bugfixes. Detailed changes documented here:
 +    - https://docs.djangoproject.com/en/1.7/releases/1.7.8/
 +    - https://docs.djangoproject.com/en/1.7/releases/1.7.9/
 +    - https://docs.djangoproject.com/en/1.7/releases/1.7.10/
 +    - https://docs.djangoproject.com/en/1.7/releases/1.7.11/
 +
 + -- Raphaël Hertzog <hertzog at debian.org>  Fri, 11 Dec 2015 10:44:42 +0100
 +
+ python-django (1.7.7-1+deb8u5) jessie-security; urgency=high
+ 
+   * SECURITY UPDATE:
+     - CVE-2016-6186: XSS in admin's add/change related popup
+ 
+  -- Luke Faraone <lfaraone at debian.org>  Sat, 16 Jul 2016 16:58:24 +0000
+ 
+ python-django (1.7.7-1+deb8u4) jessie-security; urgency=high
+ 
+   * Non-maintainer upload by the Security Team.
+   * CVE-2016-2512: Prevented spoofing is_safe_url() with basic auth.
+     Malicious redirect and possible XSS attack via user-supplied redirect
+     URLs containing basic auth. (Closes: #816434)
+   * is_safe_url() crashes with a byestring URL on Python 2.
+     Fixes a regression introduced by the original fix for CVE-2016-2512.
+   * CVE-2016-2513: Fixed user enumeration timing attack during login
+     (Closes: #816434)
+   * Add Build-Depends on python-mock and python3-mock
+ 
+  -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 12 Mar 2016 17:13:01 +0100
+ 
  python-django (1.7.7-1+deb8u3) jessie-security; urgency=high
  
    * SECURITY UPDATE:
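
Review bot: The merged changelog gets no new top stanza: the newest entry is still python-django (1.7.11-1), dated 11 Dec 2015, sitting above 1.7.7-1+deb8u5 (16 Jul 2016) and 1.7.7-1+deb8u4 (12 Mar 2016). As merged, no version in the jessie-updates line is recorded as the first to carry the CVE-2016-2512, CVE-2016-2513 and CVE-2016-6186 fixes. Unless a later commit in this 10-part series does it, add a stanza above 1.7.11-1 that names the three CVEs. Separately, "byestring" in the +deb8u4 stanza should read "bytestring".
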
diff --cc debian/patches/02_disable-sources-in-sphinxdoc.diff
index 4c9a225,0e00a13..1de2dd1
--- a/debian/patches/02_disable-sources-in-sphinxdoc.diff
+++ b/debian/patches/02_disable-sources-in-sphinxdoc.diff
@@@ -7,19 -3,13 +7,21 @@@ Subject: Disable creation of _sources d
   are not really useful in a binary package.
   .
   This is a Debian specific patch.
++
  Forwarded: not-needed
+ Author: Raphaël Hertzog <hertzog at debian.org>
  Origin: vendor
  
 +Patch-Name: 02_disable-sources-in-sphinxdoc.diff
 +---
 + docs/conf.py | 5 ++++-
 + 1 file changed, 4 insertions(+), 1 deletion(-)
 +
 +diff --git a/docs/conf.py b/docs/conf.py
 +index 6df8dd8..90e4d69 100644
  --- a/docs/conf.py
  +++ b/docs/conf.py
- @@ -200,7 +200,10 @@ html_additional_pages = {}
+ @@ -196,7 +196,10 @@ html_additional_pages = {}
   #html_split_index = False
   
   # If true, links to the reST sources are added to the pages.
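
Review bot: The embedded hunk header is resolved to the jessie side (@@ -196,7 +196,10 @@), while the diff --git and index 6df8dd8..90e4d69 lines just above it are kept from the jessie-updates side, whose header was @@ -200,7 +200,10 @@. The resulting patch mixes two states of docs/conf.py and relies on the context being found at an offset. Keep the -200 header that matches the retained index line, or refresh the patch against the 1.7.11 tree.
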
diff --cc debian/patches/03_manpage.diff
index 938edd8,b44b0a2..098f767
--- a/debian/patches/03_manpage.diff
+++ b/debian/patches/03_manpage.diff
@@@ -8,16 -3,10 +8,11 @@@ Subject: Update manual page to refer t
   django-admin.py as that's the name used by the Debian package.
   .
   This is a Debian specific patch.
++
  Forwarded: not-needed
+ Author: Brett Parker <iDunno at sommitrealweird.co.uk>
  Origin: vendor
  
- Patch-Name: 03_manpage.diff
- ---
-  docs/man/django-admin.1 | 6 +++---
-  1 file changed, 3 insertions(+), 3 deletions(-)
- 
- diff --git a/docs/man/django-admin.1 b/docs/man/django-admin.1
- index c9932ac..bdb6438 100644
  --- a/docs/man/django-admin.1
  +++ b/docs/man/django-admin.1
  @@ -1,8 +1,8 @@
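
Review bot: This resolution removes the Patch-Name: 03_manpage.diff line along with the ---, diffstat, diff --git and index lines, yet 02_disable-sources-in-sphinxdoc.diff keeps that same block in the merged result. 06_use_debian_geoip_database_as_default.diff in the next hunk is resolved the same way as this one. Resolve all three patch headers consistently, preferably by keeping the Patch-Name block that the jessie-updates side already had while still adding the Author field.
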
diff --cc debian/patches/06_use_debian_geoip_database_as_default.diff
index ebfdd84,bfe3690..2ab652a
--- a/debian/patches/06_use_debian_geoip_database_as_default.diff
+++ b/debian/patches/06_use_debian_geoip_database_as_default.diff
@@@ -7,16 -3,10 +7,11 @@@ Subject: Use Debian GeoIP database pat
   file. Avoids the need to declare them in each project.
   .
   This is a Debian specific patch.
++
  Bug-Debian: http://bugs.debian.org/645094
  Forwarded: not-needed
+ Author: Tapio Rantala <tapio.rantala at iki.fi>
  
- Patch-Name: 06_use_debian_geoip_database_as_default.diff
- ---
-  django/contrib/gis/geoip/base.py | 19 ++++++++++---------
-  1 file changed, 10 insertions(+), 9 deletions(-)
- 
- diff --git a/django/contrib/gis/geoip/base.py b/django/contrib/gis/geoip/base.py
- index 9295030..0b05f43 100644
  --- a/django/contrib/gis/geoip/base.py
  +++ b/django/contrib/gis/geoip/base.py
  @@ -67,7 +67,8 @@ class GeoIP(object):
diff --cc debian/patches/series
index c73a668,6f8416f..35c5250
--- a/debian/patches/series
+++ b/debian/patches/series
@@@ -1,3 -1,11 +1,7 @@@
  02_disable-sources-in-sphinxdoc.diff
  03_manpage.diff
  06_use_debian_geoip_database_as_default.diff
 -newlines-1.7.x.diff
 -session-1.7.x.diff
 -session-store-1.7.x.diff
 -date-leak-1.7.diff
+ CVE-2016-2512.diff
+ CVE-2016-2512-regression.diff
+ CVE-2016-2513.diff
+ CVE-2016-6186.diff
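
Review bot: The four CVE-*.diff entries added at the end of the series come from the 1.7.7-1+deb8u4 and +deb8u5 uploads and are now stacked on the 1.7.11 tree, with nothing in this change showing they were refreshed for it. Before upload, confirm each applies without fuzz in series order (CVE-2016-2512-regression.diff directly after CVE-2016-2512.diff, as listed) and that the tests the diffstat shows being added in django/contrib/auth/tests/test_hashers.py and tests/utils_tests/test_http.py pass against 1.7.11.
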

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-django.git


