Merge python-django 1:1.11-1 from Debian unstable
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
MAAS | Invalid | Wishlist | Unassigned | |
OpenStack Dashboard (Horizon) | Fix Released | High | Unassigned | |
django-compat (Ubuntu) | Fix Released | Undecided | Nish Aravamudan | |
Artful | Fix Released | Undecided | Nish Aravamudan | |
python-django (Ubuntu) | Fix Released | Wishlist | Unassigned | |
Zesty | Won't Fix | Wishlist | Unassigned | |
Artful | Fix Released | Wishlist | Unassigned | |
Bug Description
Please merge python-django 1:1.11-1 (main) from Debian experimental (main)
python-django (1:1.11-1ubuntu1) artful; urgency=medium
* Merge from Debian unstable (LP: #1605278). Remaining changes:
- debian/
replacement for MySQLdb.
- debian/control: Drop python-mysqldb in favor of python-pymysql.
* Drop:
- SECURITY UPDATE: malicious redirect and possible XSS attack via
user-supplied redirect URLs containing basic auth
+ debian/
+ CVE-2016-2512
- SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251)
+ debian/
in django/
+ CVE-2016-2512
- SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251)
+ debian/
upstream fix.
+ CVE-2016-2512
[ Fixed upstream ]
- SECURITY UPDATE: user enumeration through timing difference on password
hasher work factor upgrade
+ debian/
+ CVE-2016-2513
[ Fixed upstream ]
- Backport b1afebf882db529
upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.)
LP #1528710
[ Fixed upstream ]
- Backport upstream fix for ipv6-formatted ipv4 addresses (LP #1611923)
[ Fixed upstream ]
- SECURITY UPDATE: XSS in admin's add/change related popup
+ debian/
+ CVE-2016-6186
[ Fixed upstream ]
- SECURITY UPDATE: CSRF protection bypass on a site with Google Analytics
+ debian/
+ CVE-2016-7401
[ Fixed upstream ]
- SECURITY UPDATE: user with hardcoded password created when running
tests on Oracle
+ debian/
+ CVE-2016-9013
[ Fixed upstream ]
- SECURITY UPDATE: DNS rebinding vulnerability when DEBUG=True
+ debian/
+ CVE-2016-9014
[ Fixed upstream ]
-- Nishanth Aravamudan <email address hidden> Fri, 05 May 2017 09:41:07 -0700
Changed in python-django (Ubuntu):
importance: Undecided → Wishlist
tags: added: upgrade-software-version
Changed in maas:
importance: Undecided → Wishlist
status: New → Triaged
milestone: none → next
Changed in python-django (Ubuntu Zesty):
assignee: nobody → Nish Aravamudan (nacc)
Changed in horizon:
milestone: ocata-1 → ocata-2
summary:
- Merge python-django 1:1.9.8-1 (main) from Debian unstable (main)
+ Merge python-django 1:1.10.3 from Debian unstable
Changed in python-django (Ubuntu Zesty):
status: New → In Progress
Changed in horizon:
milestone: ocata-2 → next
Changed in python-django (Ubuntu Zesty):
status: In Progress → Won't Fix
summary:
- Merge python-django 1:1.10.3 from Debian unstable
+ Merge python-django 1:1.11-1 from Debian unstable
Changed in python-django (Ubuntu Zesty):
assignee: Nish Aravamudan (nacc) → nobody
Changed in python-django (Ubuntu Artful):
status: Fix Committed → Fix Released
Changed in maas:
milestone: next → none
I think it makes sense for Ubuntu 16.10 to include Django 1.10 which will be released in a few weeks.
https://www.djangoproject.com/download/
I'm submitting this merge proposal now because, well, I already did the work. I updated Ubuntu's pymysql patch and diff so that Django will still work with python-mysqldb for anyone that wants to use that database driver instead of Ubuntu Server's preferred pymysql.