openSUSE-SU-2023:0077-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2023:0077-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2023:0077-1
Related
Published
2023-03-20T15:09:03Z
Modified
2023-03-20T15:09:03Z
Summary
Security update for python-Django
Details

This update for python-Django fixes the following issues:

  • CVE-2023-24580: Prevent DOS in file uploads. (boo#1208082)

update to 1.11.15

  • CVE-2018-14574: Fixed Open redirect possibility in CommonMiddleware (boo#1102680)
  • Fixed WKBWriter.write() and write_hex() for empty polygons on GEOS 3.6.1+
  • Fixed a regression in Django 1.10 that could result in large memory usage when making edits using ModelAdmin.list_editable
  • Fixed a regression in Django 1.11.12 where QuerySet.values() or values_list() after combining an annotated and unannotated queryset with union(), difference(), or intersection() crashed due to mismatching columns
  • Fixed crashes in django.contrib.admindocs when a view is a callable object, such as django.contrib.syndication.views.Feed
  • Fixed a regression in Django 1.11.8 where altering a field with a unique constraint may drop and rebuild more foreign keys than necessary
  • Fixed a regression in Django 1.11.8 where combining two annotated values_list() querysets with union(), difference(), or intersection() crashed due to mismatching columns
  • Fixed a regression in Django 1.11 where an empty choice could be initially selected for the SelectMultiple and CheckboxSelectMultiple widgets

    • Update to 1.11.11
  • Fixes CVE-2018-7536, CVE-2018-7537

    • Update to 1.11.10 LTS
  • Fixes CVE-2018-6188 boo#1077714, CVE-2017-7234, CVE-2017-7233, CVE-2017-12794

    • Change Requires: python-Pillow to python-imaging for compatibility with SLE-12 which provides PIL instead of Pillow.

    • Update to 1.9.9

    Bugfixes

  • Fixed invalid HTML in template postmortem on the debug page (#26938).
  • Fixed some GIS database function crashes on MySQL 5.7 (#26657).
    • Update to 1.9.8 Fix XSS in admin’s add/change related popup (boo#988420) Unsafe usage of JavaScript’s Element.innerHTML could result in XSS in the admin’s add/change related popup. Element.textContent is now used to prevent execution of the data. The debug view also used innerHTML. Although a security issue wasn’t identified there, out of an abundance of caution it’s also updated to use textContent. Bugfixes
  • Fixed missing varchar/textpatternops index on CharField and TextField respectively when using AddField on PostgreSQL (#26889).
  • Fixed makemessages crash on Python 2 with non-ASCII file names (#26897).
    • Update to 1.9.7 Bugfixes
  • Removed the need for the request context processor on the admin login page to fix a regression in 1.9 (#26558).
  • Fixed translation of password validators’ help_text in forms (#26544).
  • Fixed a regression causing the cached template loader to crash when using lazy template names (#26603).
  • Fixed on_commit callbacks execution order when callbacks make transactions (#26627).
  • Fixed HStoreField to raise a ValidationError instead of crashing on non-dictionary JSON input (#26672).
  • Fixed dbshell crash on PostgreSQL with an empty database name (#26698).
  • Fixed a regression in queries on a OneToOneField that has tofield and primarykey=True (#26667).

    • Update to 1.9.6 Bugfixes
  • Added support for relative path redirects to the test client and to SimpleTestCase.assertRedirects() because Django 1.9 no longer converts redirects to absolute URIs (#26428).
  • Fixed TimeField microseconds round-tripping on MySQL and SQLite (#26498).
  • Prevented makemigrations from generating infinite migrations for a model field that references a functools.partial (#26475).
  • Fixed a regression where SessionBase.pop() returned None rather than raising a KeyError for nonexistent values (#26520).
  • Fixed a regression causing the cached template loader to crash when using template names starting with a dash (#26536).
  • Restored conversion of an empty string to null when saving values of GenericIPAddressField on SQLite and MySQL (#26557).
  • Fixed a makemessages regression where temporary .py extensions were leaked in source file paths (#26341).

    • Update to 1.9.5

    • Update to 1.9.2 Security issue

  • User with 'change' but not 'add' permission can create objects for ModelAdmin's with save_as=True Backwards incompatible change
  • .py-tpl files rewritten in project/app templates Bugfixes
  • Fixed a regression in ConditionalGetMiddleware causing If-None-Match checks to always return HTTP 200 (#26024).
  • Fixed a regression that caused the 'user-tools' items to display on the admin's logout page (#26035).
  • Fixed a crash in the translations system when the current language has no translations (#26046).
  • Fixed a regression that caused the incorrect day to be selected when opening the admin calendar widget for timezones from GMT+0100 to GMT+1200 (#24980).
  • Fixed a regression in the admin's edit related model popup that caused an escaped value to be displayed in the select dropdown of the parent window (#25997).
  • Fixed a regression in 1.8.8 causing incorrect index handling in migrations on PostgreSQL when adding dbindex=True or unique=True to a CharField or TextField that already had the other specified, or when removing one of them from a field that had both, or when adding unique=True to a field already listed in uniquetogether (#26034).
  • Fixed a regression where defining a relation on an abstract model's field using a string model name without an app_label no longer resolved that reference to the abstract model's app if using that model in another application (#25858).
  • Fixed a crash when destroying an existing test database on MySQL or PostgreSQL (#26096).
  • Fixed CSRF cookie check on POST requests when USEXFORWARDED_PORT=True (#26094).
  • Fixed a QuerySet.order_by() crash when ordering by a relational field of a ManyToManyField through model (#26092).
  • Fixed a regression that caused an exception when making database queries on SQLite with more than 2000 parameters when DEBUG is True on distributions that increase the SQLITEMAXVARIABLE_NUMBER compile-time limit to over 2000, such as Debian (#26063).
  • Fixed a crash when using a reverse OneToOneField in ModelAdmin.readonly_fields (#26060).
  • Fixed a crash when calling the migrate command in a test case with the availableapps attribute pointing to an application with migrations disabled using the MIGRATIONMODULES setting (#26135).
  • Restored the ability for testing and debugging tools to determine the template from which a node came from, even during template inheritance or inclusion. Prior to Django 1.9, debugging tools could access the template origin from the node via Node.token.source[0]. This was an undocumented, private API. The origin is now available directly on each node using the Node.origin attribute (#25848).
  • Fixed a regression in Django 1.8.5 that broke copying a SimpleLazyObject with copy.copy() (#26122).
  • Always included geometry_field in the GeoJSON serializer output regardless of the fields parameter (#26138).
  • Fixed the contrib.gis map widgets when using USETHOUSANDSEPARATOR=True (#20415).
  • Made invalid forms display the initial of values of their disabled fields (#26129).

    • Update to 1.9.1 Bugfixes
  • Fixed BaseCache.getorset() with the DummyCache backend (#25840).
  • Fixed a regression in FormMixin causing forms to be validated twice (#25548, #26018).
  • Fixed a system check crash with nested ArrayFields (#25867).
  • Fixed a state bug when migrating a SeparateDatabaseAndState operation backwards (#25896).
  • Fixed a regression in CommonMiddleware causing If-None-Match checks to always return HTTP 200 (#25900).
  • Fixed missing varchar/textpatternops index on CharField and TextField respectively when using AlterField on PostgreSQL (#25412).
  • Fixed admin’s delete confirmation page’s summary counts of related objects (#25883).
  • Added from future import unicode_literals to the default apps.py created by startapp on Python 2 (#25909). Add this line to your own apps.py files created using Django 1.9 if you want your migrations to work on both Python 2 and Python 3.
  • Prevented QuerySet.delete() from crashing on MySQL when querying across relations.
  • Fixed evaluation of zero-length slices of QuerySet.values() (#25894).
  • ...
  • https://docs.djangoproject.com/en/1.9/releases/1.9.1/

    • update to 1.9
  • https://docs.djangoproject.com/en/1.9/releases/1.9/
  • Performing actions after a transaction commit
  • Password validation
  • Permission mixins for class-based views
  • New styling for 'contrib.admin'
  • Running tests in parallel

    • update to 1.8.6:
  • https://docs.djangoproject.com/en/1.8/releases/1.8.5/
  • https://docs.djangoproject.com/en/1.8/releases/1.8.6/

    • add missing Requires for python-setuptools (boo#952198) /usr/bin/django-admin needs the pkg_resources framework from python-setuptools to run properly.

    • update to 1.8.4 (CVE-2015-5963):

  • https://docs.djangoproject.com/en/1.8/releases/1.8.4/

    • add keyring and verify source signature

    • update to 1.8.3:

  • https://docs.djangoproject.com/en/1.8/releases/1.8.3/ Various bugfixes/security fixes (CVE-2015-5145, boo#937524)

    • update to 1.8.2 (CVE-2015-3982):
  • https://docs.djangoproject.com/en/1.8/releases/1.8.2/
  • https://docs.djangoproject.com/en/1.8/releases/1.8.1/

    • Update to Django 1.8
  • 'Long-Term Support' (LTS) release New features:
  • Model._meta API
  • Multiple template engines
  • Security enhancements
  • New PostgreSQL specific functionality
  • New data types
  • Query Expressions, Conditional Expressions, and Database Functions
  • TestCase data setup Backwards incompatible changes:
  • Related object operations are run in a transaction
  • Assigning unsaved objects to relations raises an error
  • Management commands that only accept positional arguments
  • Custom test management command arguments through test runner
  • Model check ensures auto-generated column names are within limits specified by database
  • Query relation lookups now check object types
  • select_related() now checks given fields
  • Default EmailField.max_length increased to 254
  • (DROP) Support for PostgreSQL versions older than 9.0
  • (DROP) Support for MySQL versions older than 5.5
  • (DROP) Support for Oracle versions older than 11.1
  • Specific privileges used instead of roles for tests on Oracle
  • ...

    • Update to Django 1.7.7: Security issues:
  • Denial-of-service possibility with strip_tags()
  • Mitigated possible XSS attack via user-supplied redirect URLs Bugfixes:
  • Fixed renaming of classes in migrations where renaming a subclass would cause incorrect state to be recorded for objects that referenced the superclass (#24354).
  • Stopped writing migration files in dry run mode when merging migration conflicts. When makemigrations --merge is called with verbosity=3 the migration file is written to stdout (:ticket: 24427).

    • Update to Djano 1.7.6: Bugfixes
  • Mitigated an XSS attack via properties in 'ModelAdmin.readonly_fields'
  • Fixed crash when coercing 'ManyRelatedManager' to a string (#24352).
  • Fixed a bug that prevented migrations from adding a foreign key constraint when converting an existing field to a foreign key (#24447).

    • Update to Django 1.7.5: Bugfixes
  • Reverted a fix that prevented a migration crash when unapplying contrib.contenttypes's or contrib.auth's first migration (#24075) due to severe impact on the test performance (#24251) and problems in multi-database setups (#24298).
  • Fixed a regression that prevented custom fields inheriting from ManyToManyField from being recognized in migrations (#24236).
  • Fixed crash in contrib.sites migrations when a default database isn't used (#24332).
  • Added the ability to set the isolation level on PostgreSQL with psycopg2 >= 2.4.2 (#24318). It was advertised as a new feature in Django 1.6 but it didn't work in practice.
  • Formats for the Azerbaijani locale (az) have been added.

    • Update to Django 1.7.4: Bugfixes
  • Fixed a migration crash when unapplying contrib.contenttypes’s or contrib.auth’s first migration (:ticket:24075).
  • Made the migration's RenameModel operation rename ManyToManyField tables (:ticket:24135).
  • Fixed a migration crash on MySQL when migrating from a OneToOneField to a ForeignKey (:ticket:24163).
  • Prevented the static.serve view from producing ResourceWarning\s in certain circumstances (security fix regression, :ticket:24193).
  • Fixed schema check for ManyToManyField to look for internal type instead of checking class instance, so you can write custom m2m-like fields with the same behavior. (:ticket:24104).

    • Update to Django 1.7.3: Security fixes:
  • WSGI header spoofing via underscore/dash conflation.
  • Mitigated possible XSS attack via user-supplied redirect URLs.
  • Denial-of-service attack against django.views.static.serve.
  • Database denial-of-service with ModelMultipleChoiceField. Bug fixes:
  • The default iteration count for the PBKDF2 password hasher has been increased by 25%. This part of the normal major release process was inadvertently omitted in 1.7. This backwards compatible change will not affect users who have subclassed django.contrib.auth.hashers.PBKDF2PasswordHasher to change the default value.
  • Fixed a crash in the CSRF middleware when handling non-ASCII referer header (#23815).
  • Fixed a crash in the django.contrib.auth.redirecttologin view when passing a reverse_lazy() result on Python 3 (#24097).
  • Added correct formats for Greek (el) (#23967).
  • Fixed a migration crash when unapplying a migration where multiple operations interact with the same model (#24110).

    • South has been merged in main Django; provide and obsolete it

    • Update to Django 1.7.2:

  • Fixed migration’s renaming of auto-created many-to-many tables when changing Meta.db_table (#23630).
  • Fixed a migration crash when adding an explicit id field to a model on SQLite (#23702).
  • Added a warning for duplicate models when a module is reloaded. Previously a RuntimeError was raised every time two models clashed in the app registry. (#23621).
  • Prevented flush from loading initial data for migrated apps (#23699).
  • Fixed a makemessages regression in 1.7.1 when STATIC_ROOT has the default None value (#23717).
  • Added GeoDjango compatibility with mysqlclient database driver.
  • Fixed MySQL 5.6+ crash with GeometryFields in migrations (#23719).
  • Fixed a migration crash when removing a field that is referenced in AlterIndexTogether or AlterUniqueTogether (#23614).
  • Updated the first day of the week in the Ukrainian locale to Monday.
  • Added support for transactional spatial metadata initialization on SpatiaLite 4.1+ (#23152).
  • Fixed a migration crash that prevented changing a nullable field with a default to non-nullable with the same default (#23738).
  • Fixed a migration crash when adding GeometryFields with blank=True on PostGIS (#23731).
  • Allowed usage of DateTimeField() as Transform.output_field (#23420).
  • Fixed a migration serializing bug involving float('nan') and float('inf') (#23770).
  • Fixed a regression where custom form fields having a queryset attribute but no limitchoicesto could not be used in a ModelForm (#23795).
  • Fixed a custom field type validation error with MySQL backend when db_type returned None (#23761).
  • Fixed a migration crash when a field is renamed that is part of an index_together (#23859).
  • Fixed squashmigrations to respect the --no-optimize parameter (#23799).
  • Made RenameModel reversible (#22248)
  • Avoided unnecessary rollbacks of migrations from other apps when migrating backwards (#23410).
  • Fixed a rare query error when using deeply nested subqueries (#23605).
  • Fixed a crash in migrations when deleting a field that is part of a index/unique_together constraint (#23794).
  • Fixed django.core.files.File.repr() when the file’s name contains Unicode characters (#23888).
  • Added missing context to the admin’s delete_selected view that prevented custom site header, etc. from appearing (#23898).
  • Fixed a regression with dynamically generated inlines and allowed field references in the admin (#23754).
  • Fixed an infinite loop bug for certain cyclic migration dependencies, and made the error message for cyclic dependencies much more helpful.
  • Added missing index_together handling for SQLite (#23880).
  • Fixed a crash when RunSQL SQL content was collected by the schema editor, typically when using sqlmigrate (#23909).
  • Fixed a regression in contrib.admin add/change views which caused some ModelAdmin methods to receive the incorrect obj value (#23934).
  • Fixed runserver crash when socket error message contained Unicode characters (#23946).
  • Fixed serialization of type when adding a deconstruct() method (#23950).
  • Prevented the SessionAuthenticationMiddleware from setting a 'Vary: Cookie' header on all responses (#23939).
  • Fixed a crash when adding blank=True to TextField() on MySQL (#23920).
  • Fixed index creation by the migration infrastructure, particularly when dealing with PostgreSQL specific {text|varchar}patternops indexes (#23954).
  • Fixed bug in makemigrations that created broken migration files when dealing with multiple table inheritance and inheriting from more than one model (#23956).
  • Fixed a crash when a MultiValueField has invalid data (#23674).
  • Fixed a crash in the admin when using “Save as new” and also deleting a related inline (#23857).
  • Always converted relatedname to text (unicode), since that is required on Python 3 for interpolation. Removed conversion of relatedname to text in migration deconstruction (#23455 and #23982).
  • Enlarged the sizes of tablespaces which are created by default for testing on Oracle (the main tablespace was increased from 200M to 300M and the temporary tablespace from 100M to 150M). This was required to accommodate growth in Django’s own test suite (#23969).
  • Fixed timesince filter translations in Korean (#23989).
  • Fixed the SQLite SchemaEditor to properly add defaults in the absence of a user specified default. For example, a CharField with blank=True didn’t set existing rows to an empty string which resulted in a crash when adding the NOT NULL constraint (#23987).
  • makemigrations no longer prompts for a default value when adding TextField() or CharField() without a default (#23405).
  • Fixed a migration crash when adding orderwithrespect_to to a table with existing rows (#23983).
  • Restored the pre_migrate signal if all apps have migrations (#23975).
  • Made admin system checks run for custom AdminSites (#23497).
  • Ensured the app registry is fully populated when unpickling models. When an external script (like a queueing infrastructure) reloads pickled models, it could crash with an AppRegistryNotReady exception (#24007).
  • Added quoting to field indexes in the SQL generated by migrations to prevent a crash when the index name requires it (##24015).
  • Added datetime.time support to migrations questioner (#23998).
  • Fixed admindocs crash on apps installed as eggs (#23525).
  • Changed migrations autodetector to generate an AlterModelOptions operation instead of DeleteModel and CreateModel operations when changing Meta.managed. This prevents data loss when changing managed from False to True and vice versa (#24037).
  • Enabled the sqlsequencereset command on apps with migrations (#24054).
  • Added tablespace SQL to apps with migrations (#24051).
  • Corrected contrib.sites default site creation in a multiple database setup (#24000).
  • Restored support for objects that aren’t str or bytes in markforescaping() on Python 3.
  • Supported strings escaped by third-party libraries with the html convention in the template engine (#23831).
  • Prevented extraneous DROP DEFAULT SQL in migrations (#23581).
  • Restored the ability to use more than five levels of subqueries (#23758).
  • Fixed crash when ValidationError is initialized with a ValidationError that is initialized with a dictionary (#24008).
  • Prevented a crash on apps without migrations when running migrate --list (#23366).

    • Update to Django 1.7.1
  • Allowed related many-to-many fields to be referenced in the admin (#23604).
  • Added a more helpful error message if you try to migrate an app without first creating the contenttypes table (#22411).
  • Modified migrations dependency algorithm to avoid possible infinite recursion.
  • Fixed a UnicodeDecodeError when the flush error message contained Unicode characters (#22882).
  • Reinstated missing CHECK SQL clauses which were omitted on some backends when not using migrations (#23416).
  • Fixed serialization of type objects in migrations (#22951).
  • Allowed inline and hidden references to admin fields (#23431).
  • The @deconstructible decorator now fails with a ValueError if the decorated object cannot automatically be imported (#23418).
  • Fixed a typo in an inlineformset_factory() error message that caused a crash (#23451).
  • Restored the ability to use ABSOLUTEURLOVERRIDES with the 'auth.User' model (#11775). As a side effect, the setting now adds a getabsoluteurl() method to any model that appears in ABSOLUTEURLOVERRIDES but doesn’t define getabsoluteurl().
  • Avoided masking some ImportError exceptions during application loading (#22920).
  • Empty indextogether or uniquetogether model options no longer results in infinite migrations (#23452).
  • Fixed crash in contrib.sitemaps if lastmod returned a date rather than a datetime (#23403).
  • Allowed migrations to work with app_labels that have the same last part (e.g. django.contrib.auth and vendor.auth) (#23483).
  • Restored the ability to deepcopy F objects (#23492).
  • Formats for Welsh (cy) and several Chinese locales (zhCN, zhHans, zhHant and zhTW) have been added. Formats for Macedonian have been fixed (trailing dot removed, #23532).
  • Added quoting of constraint names in the SQL generated by migrations to prevent crash with uppercase characters in the name (#23065).
  • Fixed renaming of models with a self-referential many-to-many field (ManyToManyField('self')) (#23503).
  • Added the getextra(), getmaxnum(), and getmin_num() hooks to GenericInlineModelAdmin (#23539).
  • Made migrations.RunSQL no longer require percent sign escaping. This is now consistent with cursor.execute() (#23426).
  • Made the SERIALIZE entry in the TEST dictionary usable (#23421).
  • Fixed bug in migrations that prevented foreign key constraints to unmanaged models with a custom primary key (#23415).
  • Added SchemaEditor for MySQL GIS backend so that spatial indexes will be created for apps with migrations (#23538).
  • Added SchemaEditor for Oracle GIS backend so that spatial metadata and indexes will be created for apps with migrations (#23537).
  • Coerced the related_name model field option to unicode during migration generation to generate migrations that work with both Python 2 and 3 (#23455).
  • Fixed MigrationWriter to handle builtin types without imports (#23560).
  • Fixed deepcopy on ErrorList (#23594).
  • Made the admindocs view to browse view details check if the view specified in the URL exists in the URLconf. Previously it was possible to import arbitrary packages from the Python path. This was not considered a security issue because admindocs is only accessible to staff users (#23601).
  • Fixed UnicodeDecodeError crash in AdminEmailHandler with non-ASCII characters in the request (#23593).
  • Fixed missing getorcreate and updateorcreate on related managers causing IntegrityError (#23611).
  • Made urlsafebase64decode() return the proper type (byte string) on Python 3 (#23333).
  • makemigrations can now serialize timezone-aware values (#23365).
  • Added a prompt to the migrations questioner when removing the null constraint from a field to prevent an IntegrityError on existing NULL rows (#23609).
  • Fixed generic relations in ModelAdmin.list_filter (#23616).
  • Restored RFC compliance for the SMTP backend on Python 3 (#23063).
  • Fixed a crash while parsing cookies containing invalid content (#23638).
  • The system check framework now raises error models.E020 when the class method Model.check() is unreachable (#23615).
  • Made the Oracle test database creation drop the test user in the event of an unclean exit of a previous test run (#23649).
  • Fixed makemigrations to detect changes to Meta.db_table (#23629).
  • Fixed a regression when feeding the Django test client with an empty data string (#21740).
  • Fixed a regression in makemessages where static files were unexpectedly ignored (#23583).

    • Update to Django 1.7
  • A new built-in database migration system. Notes on upgrading from South (a popular third*party application providing migration functionality) are also available.
  • A refactored concept of Django applications. Django applications are no longer tied to the existence of a models files, and can now specify both configuration data and code to be executed as Django starts up.
  • Improvements to the model Field API to support migrations and, in the future, to enable easy addition of composite-key support to Django's ORM.
  • Improvements for custom Manager and QuerySet classes, allowing reverse relationship traversal to specify the Manager to use, and creation of a Manager from a custom QuerySet class.
  • An extensible system check framework which can assist developers in detecting and diagnosing errors. Please refer to the release notes for all details and migration instructions: https://docs.djangoproject.com/en/1.7/releases/1.7/

    • Added python-setuptools as a BuildRequires.
    • Fixed Source URL from Django Project site.
    • Reordered sources.
    • Fixed deduplication to avoid wrong mtimes in pyc files.

    • Rename rpmlintrc to %{name}-rpmlintrc. Follow the packaging guidelines.

    • Update to version 1.6.5, sercurity and important changes:

  • Unexpected code execution using reverse()
  • Caching of anonymous pages could reveal CSRF token
  • MySQL typecasting
  • selectforupdate() requires a transaction
  • Issue: Caches may incorrectly be allowed to store and serve private data
  • Issue: Malformed redirect URLs from user input not correctly validated

    • Fix update-alternatives

    • Update to version 1.6.2:

  • Prevented the base geometry object of a prepared geometry to be garbage collected, which could lead to crash Django (#21662).
  • Fixed a crash when executing the changepassword command when the user object representation contained non-ASCII characters (#21627).
  • The collectstatic command will raise an error rather than default to using the current working directory if STATIC_ROOT is not set. Combined with the --clear option, the previous behavior could wipe anything below the current working directory (#21581).
  • Fixed mail encoding on Python 3.3.3+ (#21093).
  • Fixed an issue where when settings.DATABASES['default']['AUTOCOMMIT'] = False, the connection wasn’t in autocommit mode but Django pretended it was.
  • Fixed a regression in multiple-table inheritance exclude() queries (#21787).
  • Added missing items to django.utils.timezone.all (#21880).
  • Fixed a field misalignment issue with select_related() and model inheritance (#21413).
  • Fixed join promotion for negated AND conditions (#21748).
  • Oracle database introspection now works with boolean and float fields (#19884).
  • Fixed an issue where lazy objects weren’t actually marked as safe when passed through mark_safe() and could end up being double-escaped (#21882).

    • Update to version 1.6.1:
  • Most bug fixes are minor; you can find a complete list in the Django 1.6.1 release notes.

    • Update-alternatives also for bash-completion

    • Only ghost /etc/alternatives on 12.3 or newer

    • Require python-Pillow for image-related functionality

    • Package was renamed from python-django
    • Drop Django-1.2-completion-only-for-bash.patch: Useless

    • Update to version 1.6:

  • Please read the release notes https://docs.djangoproject.com/en/1.6/releases/1.6

    • Removed Patch2 as it is no needed anymore: Django-1.4-CSRFCOOKIEHTTPONLY-support.patch

    • Update to version 1.5.4:

  • Fixed denial-of-service via large passwords
    • Changes from version 1.5.3:
  • Fixed directory traversal with ssi template tag

    • Update to 1.5.2:
  • Security release, please check release notes for details: https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued

    • Update to 1.5.1:
    • Memory leak fix, please read release announcement at https://www.djangoproject.com/weblog/2013/mar/28/django-151.

    • Update to 1.5:

  • Please read the release notes https://docs.djangoproject.com/en/1.5/releases/1.5

    • Update to 1.4.3:
  • Security release:
    • Host header poisoning
    • Redirect poisoning
  • Please check release notes for details: https://www.djangoproject.com/weblog/2012/dec/10/security

    • Add a symlink from /usr/bin/django-admin.py to /usr/bin/django-admin

    • Update to 1.4.2:

  • Security release:
    • Host header poisoning
  • Please check release notes for details: https://www.djangoproject.com/weblog/2012/oct/17/security

    • Update to 1.4.1:
  • Security release:
    • Cross-site scripting in authentication views
    • Denial-of-service in image validation
    • Denial-of-service via getimagedimensions()
  • Please check release notes for details: https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued

    • Add patch to support CSRFCOOKIEHTTPONLY config

    • Update to 1.4:

  • Please read the release notes https://docs.djangoproject.com/en/dev/releases/1.4

    • Removed Patch2, it was merged on upstream,

    • Set license to SDPX style (BSD-3-Clause)

    • Package AUTHORS, LICENE and README files
    • No CFLAGS for noarch package
    • Drop runtime dependency on gettext-tools

    • Update to 1.3.1 to fix security issues, please read https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued.

    • Fix build on SLES_9.

    • Update to 1.3 final;

    • Refresh patch empty-ip-2.diff.

    • Update to 1.3-rc1;

    • Regenerated spec file with py2pack;
    • No more need to fix wrong line endings;
    • Refresh patch empty-ip-2.diff with -p0.

    • Spec file cleanup:

  • Removed empty lines, package authors from description
  • Cleanup duplicates
  • Corrected wrong file endings
  • Added zero-length rpmlint filter

    • Added AUTHORS, LICENSE and doc files

    • Update to 1.2.5:

  • This is a security update that fix:

    • Flaw in CSRF handling;
    • Potential XSS in file field rendering.

    • Update to 1.2.4:

  • Information leakage in Django administrative interface;
  • Denial-of-service attack in password-reset mechanism.

    • This is a mandatory security update.

    • Update to 1.2.3:

  • The patch applied for the security issue covered in Django 1.2.2 caused issues with non-ASCII responses using CSRF tokens. This has been remedied;
  • The patch also caused issues with some forms, most notably the user-editing forms in the Django administrative interface. This has been remedied.
  • The packaging manifest did not contain the full list of required files. This has been remedied.

    • Update to 1.2.2.
    • This is a ciritical security update fixing a default XSS bug!

    • Added patch to fix upstream bug 5622: Empty ipaddress raises an error

    • Update to 1.2.1.

    • Update to 1.2.

    • Update to 1.2-rc-1.

    • Spec file cleaned with spec-cleaner;

    • Minor manual adjusts on spec file.

    • Moved autocomplete file path from /etc/profile.d to /etc/bash_completion.d. Then it works with konsole too.

    • Update to 1.2-beta-1;

    • Using -q option on prep section of spec file;
    • Using INSTALLED_FILES instead of declaring files;
    • Removed dummy changelog section of spec file;
    • Update completion bash patch.

    • Update to 1.1.1 due to security issue described at http://www.djangoproject.com/weblog/2009/oct/09/security/

    • Removed old tarball file (Django-1.1.tar.bz2).

    • Fix python version check.

    • Don't require python-sqlite2 for python >= 2.6.

    • Build as noarch on factory.

    • don't run bash completion on shells other than bash. Avoiding error messages produced at login when using other shells.

    • Added bash auto-complete to openSUSE.

    • update to version 1.1

    • add python-django-rpmlintrc to quiet rpmlint complaints about -lang

    • add python-xml to the Requires (./manage.py syncdb crashes otherwise)

    • update to version 1.0

    • Fix build on SLES9

    • update to version 1.0 final

    • update to version 0.96.2

    • The way simplejson is included in this package is not useful to other packages. Removed from provides

    • verion 0.96.1 fixes D.o.S attack in the i18n module

    • update to version 0.96 see http://www.djangoproject.com/documentation/releasenotes0.96 for details

      • this package provides python-simplejson too.
References

Affected packages

SUSE:Package Hub 12 SP1 / python-Django

Package

Name
python-Django
Purl
pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2012%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.11.15-2.1

Ecosystem specific

{
    "binaries": [
        {
            "python-Django": "1.11.15-2.1"
        }
    ]
}