Please merge with 1.9.7-2 from Debian unstable
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-django (Ubuntu) | New | Undecided | Unassigned |
Bug Description
python-django (1:1.9.
  * Merge from Debian unstable. Remaining changes:
    - debian/
      replacement for MySQLdb.
    - debian/control: Drop python-mysqldb in favor of python-pymysql.
  * Drop:
    - SECURITY UPDATE: malicious redirect and possible XSS attack via
      user-supplied redirect URLs containing basic auth
      + debian/
      + CVE-2016-2512
      [ Fixed upstream ]
    - SECURITY UPDATE: user enumeration through timing difference on
      password hasher work factor upgrade
      + debian/
      + CVE-2016-2513
      [ Fixed upstream ]
    - SECURITY REGRESSION: is_safe_url() with non-unicode url
      (LP #1553251)
      + debian/
        unicode in django/
      + CVE-2016-2512
      [ Fixed upstream ]
    - Backport b1afebf882db529
      from upstream (1.8.10) to allow dashes in TLDs again (in the
      URL validator.) LP #1528710
      [ Fixed upstream ]
 -- Nishanth Aravamudan <email address hidden> Wed, 13 Jul 2016 17:16:48 -0700
I'm marking this a duplicate of bug 1605278 since this bug is a bit incomplete. (The other bug has a .debdiff.)