Hello community,
here is the log from the commit of package python-django.2992 for
openSUSE:12.3:Update checked in at 2014-09-16 14:21:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/python-django.2992 (Old)
and /work/SRC/openSUSE:12.3:Update/.python-django.2992.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-django.2992"
Changes:
--------
New Changes file:
--- /dev/null 2014-07-24 01:57:42.080040256 +0200
+++ /work/SRC/openSUSE:12.3:Update/.python-django.2992.new/python-django.changes 2014-09-16 14:21:52.000000000 +0200
@@ -0,0 +1,292 @@
+-------------------------------------------------------------------
+Mon Sep 8 14:27:15 UTC 2014 - [email protected]
+
+- Update to version 1.4.15
+ + Prevented reverse() from generating URLs pointing to other hosts
+ to prevent phishing attacks (bnc#893087, CVE-2014-0480)
+ + Removed O(n) algorithm when uploading duplicate file names
+ to fix file upload denial of service (bnc#893088, CVE-2014-0481)
+ + Modified RemoteUserMiddleware to logout on REMOTE_USE change
+ to prevent session hijacking (bnc#893089, CVE-2014-0482)
+ + Prevented data leakage in contrib.admin via query string manipulation
+ (bnc#893090, CVE-2014-0483)
+ + Fixed: Caches may incorrectly be allowed to store and serve private data
+ (bnc#877993, CVE-2014-1418)
+ + Fixed: Malformed redirect URLs from user input not correctly validated
+ (bnc#878641, CVE-2014-3730)
+ + Fixed queries that may return unexpected results on MySQL
+ due to typecasting (bnc#874956, CVE-2014-0474)
+ + Prevented leaking the CSRF token through caching
+ (bnc#874955, CVE-2014-0473)
+ + Fixed a remote code execution vulnerabilty in URL reversing
+ (bnc#874950, CVE-2014-0472)
+
+-------------------------------------------------------------------
+Tue Sep 17 15:26:40 UTC 2013 - [email protected]
+
+- Update to version 1.4.8 (bnc#840832, bnc#840832, CVE-2013-1443):
+ + Fixed denial-of-service via large passwords
+- Changes from version 1.4.7:
+ + Fixed directory traversal with ssi template tag
+- Changes from version 1.4.6:
+ + Fixed Cross-site scripting (XSS) in admin interface
+ + Fixed Possible XSS via is_safe_url
+
+-------------------------------------------------------------------
+Mon Jul 8 21:42:07 UTC 2013 - [email protected]
+
+- Update to 1.4.5:
+ - Security release.
+ - Fix bnc#807175 / bnc#787521 / CVE-2012-4520 / CVE-2013-0305 /
+ CVE-2013-0306 and CVE-2013-1665.
+
+-------------------------------------------------------------------
+Tue Dec 11 12:27:50 UTC 2012 - [email protected]
+
+- Update to 1.4.3:
+ - Security release:
+ - Host header poisoning
+ - Redirect poisoning
+ - Please check release notes for details:
+ https://www.djangoproject.com/weblog/2012/dec/10/security
+
+-------------------------------------------------------------------
+Sat Oct 20 13:41:10 UTC 2012 - [email protected]
+
+- Add a symlink from /usr/bin/django-admin.py to /usr/bin/django-admin
+
+-------------------------------------------------------------------
+Wed Oct 17 22:51:36 UTC 2012 - [email protected]
+
+- Update to 1.4.2:
+ - Security release:
+ - Host header poisoning
+ - Please check release notes for details:
+ https://www.djangoproject.com/weblog/2012/oct/17/security
+
+-------------------------------------------------------------------
+Mon Jul 30 21:38:31 UTC 2012 - [email protected]
+
+- Update to 1.4.1:
+ - Security release:
+ - Cross-site scripting in authentication views
+ - Denial-of-service in image validation
+ - Denial-of-service via get_image_dimensions()
+ - Please check release notes for details:
+ https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued
+
+-------------------------------------------------------------------
+Tue Jun 19 11:27:33 UTC 2012 - [email protected]
+
+- Add patch to support CSRF_COOKIE_HTTPONLY config
+
+-------------------------------------------------------------------
+Fri Mar 23 18:39:40 UTC 2012 - [email protected]
+
+- Update to 1.4:
+ - Please read the release notes
+ https://docs.djangoproject.com/en/dev/releases/1.4
+- Removed Patch2, it was merged on upstream,
+
+-------------------------------------------------------------------
+Thu Nov 24 12:30:40 UTC 2011 - [email protected]
+
+- Set license to SDPX style (BSD-3-Clause)
+- Package AUTHORS, LICENE and README files
+- No CFLAGS for noarch package
+- Drop runtime dependency on gettext-tools
+
+-------------------------------------------------------------------
+Sat Sep 10 12:05:07 UTC 2011 - [email protected]
+
+- Update to 1.3.1 to fix security issues, please read
+ https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued.
+
+-------------------------------------------------------------------
+Thu Mar 31 15:09:16 UTC 2011 - [email protected]
+
+- Fix build on SLES_9.
+
+-------------------------------------------------------------------
+Wed Mar 23 11:39:53 UTC 2011 - [email protected]
+
+- Update to 1.3 final;
+- Refresh patch empty-ip-2.diff.
+
+-------------------------------------------------------------------
+Fri Mar 18 03:45:45 UTC 2011 - [email protected]
+
+- Update to 1.3-rc1;
+- Regenerated spec file with py2pack;
+- No more need to fix wrong line endings;
+- Refresh patch empty-ip-2.diff with -p0.
+
+-------------------------------------------------------------------
+Thu Mar 3 09:32:52 UTC 2011 - [email protected]
+
+- Spec file cleanup:
+ * Removed empty lines, package authors from description
+ * Cleanup duplicates
+ * Corrected wrong file endings
+ * Added zero-length rpmlint filter
+- Added AUTHORS, LICENSE and doc files
+
+-------------------------------------------------------------------
+Wed Feb 9 03:37:29 UTC 2011 - [email protected]
+
+- Update to 1.2.5:
+ - This is a security update that fix:
+ - Flaw in CSRF handling;
+ - Potential XSS in file field rendering.
+
+-------------------------------------------------------------------
+Thu Dec 23 10:20:03 UTC 2010 - [email protected]
+
+- Update to 1.2.4:
+ - Information leakage in Django administrative interface;
+ - Denial-of-service attack in password-reset mechanism.
+- This is a mandatory security update.
+
+-------------------------------------------------------------------
+Sat Sep 11 11:46:41 UTC 2010 - [email protected]
+
+- Update to 1.2.3:
+ - The patch applied for the security issue covered in Django
+ 1.2.2 caused issues with non-ASCII responses using CSRF
+ tokens. This has been remedied;
+ - The patch also caused issues with some forms, most notably
+ the user-editing forms in the Django administrative interface.
+ This has been remedied.
+ - The packaging manifest did not contain the full list of
+ required files. This has been remedied.
+
+-------------------------------------------------------------------
+Thu Sep 9 01:06:43 UTC 2010 - [email protected]
+
+- Update to 1.2.2.
+- This is a ciritical security update fixing a default XSS bug!
+
+-------------------------------------------------------------------
+Fri Jul 9 11:27:26 UTC 2010 - [email protected]
+
+- Added patch to fix upstream bug 5622: Empty ipaddress raises an error
+
+-------------------------------------------------------------------
+Mon May 17 21:14:11 UTC 2010 - [email protected]
+
+- Update to 1.2.1.
+
+-------------------------------------------------------------------
+Mon May 17 18:35:20 UTC 2010 - [email protected]
+
+- Update to 1.2.
+
+-------------------------------------------------------------------
+Thu May 6 13:46:03 UTC 2010 - [email protected]
+
+- Update to 1.2-rc-1.
+
+-------------------------------------------------------------------
+Mon Apr 5 02:21:44 UTC 2010 - [email protected]
+
+- Spec file cleaned with spec-cleaner;
+- Minor manual adjusts on spec file.
+
+-------------------------------------------------------------------
+Thu Mar 18 17:47:12 UTC 2010 - [email protected]
+
++++ 95 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.3:Update/.python-django.2992.new/python-django.changes
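Review bot: "Modified RemoteUserMiddleware to logout on REMOTE_USE change" drops a letter; the header the middleware compares between requests is REMOTE_USER, so the CVE-2014-0482 line should read "REMOTE_USER change". Smaller slips in the same hunk: "vulnerabilty" in the CVE-2014-0472 line, "bnc#840832, bnc#840832" in the 1.4.8 entry (the same bug cited twice where a second reference was presumably intended), "ciritical" in the 1.2.2 entry, "LICENE" in the Nov 2011 entry, and "SDPX style" should be "SPDX style". These entries are what users read to confirm which CVEs and which header an update covers, so they are worth fixing before the update is released.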
New:
----
Django-1.2-completion-only-for-bash.patch
Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch
Django-1.4.15.tar.gz
python-django-rpmlintrc
python-django.changes
python-django.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-django.spec ++++++
#
# spec file for package python-django
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: python-django
Version: 1.4.15
Release: 0
Summary: A high-level Python Web framework
License: BSD-3-Clause
Group: Development/Languages/Python
Url: http://www.djangoproject.com
# https://www.djangoproject.com/download/1.4.15/tarball/
Source: Django-%{version}.tar.gz
Source1: python-django-rpmlintrc
# PATCH-FIX-UPSTREAM Django-1.2-completion-only-for-bash.patch
Patch1: Django-1.2-completion-only-for-bash.patch
# PATCH-FIX-UPSTREAM - see https://github.com/django/django/pull/150/files
Patch2: Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch
BuildRequires: python-devel
Requires: python-xml
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#Requires: gettext-tools
%if 0%{?suse_version}
%py_requires
%if 0%{?suse_version} > 1110
BuildArch: noarch
%endif
%endif
%{!?python_sitelib: %global python_sitelib %(python -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
%description
Django is a high-level Python Web framework that encourages rapid development
and clean, pragmatic design.
%prep
%setup -q -n Django-%{version}
%patch1
%patch2
%build
python setup.py build
%install
python setup.py install --prefix=%{_prefix} --root=%{buildroot}
install -D -m 0755 extras/django_bash_completion %{buildroot}%{_sysconfdir}/bash_completion.d/django_bash_completion.sh
ln -s %{_bindir}/django-admin.py %{buildroot}%{_bindir}/django-admin
%files
%defattr(-,root,root,-)
%doc AUTHORS LICENSE README
%{_bindir}/django-admin*
%{python_sitelib}/*
%{_sysconfdir}/bash_completion.d/django_bash_completion.sh
%changelog
++++++ Django-1.2-completion-only-for-bash.patch ++++++
Index: extras/django_bash_completion
===================================================================
--- extras/django_bash_completion.orig
+++ extras/django_bash_completion
@@ -31,6 +31,8 @@
#
# To uninstall, just remove the line from your .bash_profile and .bashrc.
+test -z "$BASH_VERSION" && return
+
_django_completion()
{
COMPREPLY=( $( COMP_WORDS="${COMP_WORDS[*]}" \
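Review bot: the spec comment for this patch says PATCH-FIX-UPSTREAM but, unlike Patch2, gives no upstream reference; either add the upstream commit or ticket URL to that comment or mark it as an openSUSE-local fix. The guard itself is right for a file that is sourced from bash_completion.d: `test -z "$BASH_VERSION" && return` leaves the file early in non-bash shells before the bash-only `_django_completion()` code that uses `COMPREPLY` and `COMP_WORDS`. A one-line comment above it saying that is why a `return` sits at file top level would spare the next maintainer from wondering.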
++++++ Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch ++++++
Index: django/conf/global_settings.py
===================================================================
--- django/conf/global_settings.py.orig
+++ django/conf/global_settings.py
@@ -535,6 +535,7 @@ CSRF_COOKIE_NAME = 'csrftoken'
CSRF_COOKIE_DOMAIN = None
CSRF_COOKIE_PATH = '/'
CSRF_COOKIE_SECURE = False
+CSRF_COOKIE_HTTPONLY = False
############
# MESSAGES #
Index: django/middleware/csrf.py
===================================================================
--- django/middleware/csrf.py.orig
+++ django/middleware/csrf.py
@@ -208,7 +208,8 @@ class CsrfViewMiddleware(object):
max_age = 60 * 60 * 24 * 7 * 52,
domain=settings.CSRF_COOKIE_DOMAIN,
path=settings.CSRF_COOKIE_PATH,
- secure=settings.CSRF_COOKIE_SECURE
+ secure=settings.CSRF_COOKIE_SECURE,
+ httponly=settings.CSRF_COOKIE_HTTPONLY
)
# Content varies with the CSRF cookie, so set the Vary header.
patch_vary_headers(response, ('Cookie',))
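Review bot: the practical consequence of this flag is documented nowhere in the patch. Once `httponly=settings.CSRF_COOKIE_HTTPONLY` is True, scripts on the page can no longer read the CSRF cookie, so any client-side code that copied the token out of that cookie to attach it to requests has to take the token from the rendered page instead; that deserves a sentence in the two docs hunks. The call itself mirrors `secure=settings.CSRF_COOKIE_SECURE`, and the trailing comma added to that line is needed and present.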
Index: docs/ref/contrib/csrf.txt
===================================================================
--- docs/ref/contrib/csrf.txt.orig
+++ docs/ref/contrib/csrf.txt
@@ -543,6 +543,17 @@ Whether to use a secure cookie for the C
the cookie will be marked as "secure," which means browsers may ensure that the
cookie is only sent under an HTTPS connection.
+CSRF_COOKIE_HTTPONLY
+------------------
+
+.. versionadded:: 1.5
+
+Default: ``False``
+
+Whether to use HttpOnly flag on the CSRF cookie. If this is set to
+``True``, client-side JavaScript will not to be able to access the
+session cookie.
+
CSRF_FAILURE_VIEW
-----------------
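Review bot: the new paragraph names the wrong cookie. It says JavaScript "will not to be able to access the session cookie", but this setting governs the CSRF cookie; the session cookie has its own SESSION_COOKIE_HTTPONLY. Suggested wording: "Whether to use the HttpOnly flag on the CSRF cookie. If this is set to ``True``, client-side JavaScript will not be able to access the CSRF cookie." Also the underline `------------------` is 18 characters under a 20-character title; Sphinx reports that as "Title underline too short", so use 20 hyphens, matching the title length the way the CSRF_FAILURE_VIEW heading below does.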
Index: docs/ref/settings.txt
===================================================================
--- docs/ref/settings.txt.orig
+++ docs/ref/settings.txt
@@ -362,6 +362,19 @@ Whether to use a secure cookie for the C
the cookie will be marked as "secure," which means browsers may ensure that the
cookie is only sent under an HTTPS connection.
+.. setting:: CSRF_COOKIE_HTTPONLY
+
+CSRF_COOKIE_HTTPONLY
+------------------
+
+.. versionadded:: 1.5
+
+Default: ``False``
+
+Whether to use HttpOnly flag on the CSRF cookie. If this is set to
+``True``, client-side JavaScript will not to be able to access the
+session cookie. See :setting:`SESSION_COOKIE_HTTPONLY`.
+
.. setting:: CSRF_FAILURE_VIEW
CSRF_FAILURE_VIEW
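Review bot: same two defects as in the docs/ref/contrib/csrf.txt hunk: "the session cookie" should be "the CSRF cookie" (and "will not to be able" should be "will not be able"), and the 18-hyphen underline is too short for the 20-character CSRF_COOKIE_HTTPONLY title. The `.. versionadded:: 1.5` marker is presumably upstream's value; in the 1.4.15 tree this package ships, it tells readers the setting does not exist in their version, so consider a packager note or dropping the marker in the backport. The `:setting:` cross-reference to SESSION_COOKIE_HTTPONLY is a good addition and would be worth carrying over to the contrib/csrf.txt copy as well.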
Index: tests/regressiontests/csrf_tests/tests.py
===================================================================
--- tests/regressiontests/csrf_tests/tests.py.orig
+++ tests/regressiontests/csrf_tests/tests.py
@@ -101,7 +101,8 @@ class CsrfViewMiddlewareTest(TestCase):
with self.settings(CSRF_COOKIE_NAME='myname',
CSRF_COOKIE_DOMAIN='.example.com',
CSRF_COOKIE_PATH='/test/',
- CSRF_COOKIE_SECURE=True):
+ CSRF_COOKIE_SECURE=True,
+ CSRF_COOKIE_HTTPONLY=True):
# token_view calls get_token() indirectly
CsrfViewMiddleware().process_view(req, token_view, (), {})
resp = token_view(req)
@@ -110,6 +111,7 @@ class CsrfViewMiddlewareTest(TestCase):
self.assertNotEqual(csrf_cookie, False)
self.assertEqual(csrf_cookie['domain'], '.example.com')
self.assertEqual(csrf_cookie['secure'], True)
+ self.assertEqual(csrf_cookie['httponly'], True)
self.assertEqual(csrf_cookie['path'], '/test/')
self.assertTrue('Cookie' in resp2.get('Vary',''))
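Review bot: only the enabled case is asserted. With `CSRF_COOKIE_HTTPONLY=True` the test checks `csrf_cookie['httponly']` is True, but nothing checks that the default leaves the flag off. A companion assertion under default settings that `csrf_cookie['httponly']` is falsy would catch a regression where the flag is set unconditionally, which is exactly the change that would silently break any client-side code reading the CSRF cookie.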
++++++ python-django-rpmlintrc ++++++
addFilter("file-not-in-%lang")
addFilter("zero-length")
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]