[Bug 1605278] Re: Merge python-django 1:1.11-1 from Debian unstable
** Changed in: python-django (Ubuntu Artful) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to python-django in Ubuntu. https://bugs.launchpad.net/bugs/1605278 Title: Merge python-django 1:1.11-1 from Debian unstable To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1605278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1605278] Re: Merge python-django 1:1.11-1 from Debian unstable
err, *Just uploaded! -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to python-django in Ubuntu. https://bugs.launchpad.net/bugs/1605278 Title: Merge python-django 1:1.11-1 from Debian unstable To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1605278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1605278] Re: Merge python-django 1:1.11-1 from Debian unstable
@robcreswell, thanks! Just upload django-compat 1.0.14-0ubuntu1 to artful-proposed, which should allow python-django 1.11 to migrate. ** No longer affects: django-compat (Ubuntu Zesty) ** Changed in: django-compat (Ubuntu Artful) Status: New => Fix Committed ** Changed in: django-compat (Ubuntu Artful) Assignee: (unassigned) => Nish Aravamudan (nacc) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to python-django in Ubuntu. https://bugs.launchpad.net/bugs/1605278 Title: Merge python-django 1:1.11-1 from Debian unstable To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1605278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1605278] Re: Merge python-django 1:1.11-1 from Debian unstable
** Also affects: django-compat (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to python-django in Ubuntu. https://bugs.launchpad.net/bugs/1605278 Title: Merge python-django 1:1.11-1 from Debian unstable To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1605278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1605278] Re: Merge python-django 1:1.11-1 from Debian unstable
@danilo, that's done now, right? I'm going to be unblocking (hopefully) python-django from a-p today, by uupdating' django-compat to be 1.11 ... compatible :) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to python-django in Ubuntu. https://bugs.launchpad.net/bugs/1605278 Title: Merge python-django 1:1.11-1 from Debian unstable To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1605278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1605278] Re: Merge python-django 1:1.11-1 from Debian unstable
Just an FYI that 1:1.11.2-2ubuntu1 is in artful-proposed. ** Changed in: python-django (Ubuntu Artful) Status: In Progress => Fix Committed ** Changed in: python-django (Ubuntu Artful) Assignee: Nish Aravamudan (nacc) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to python-django in Ubuntu. https://bugs.launchpad.net/bugs/1605278 Title: Merge python-django 1:1.11-1 from Debian unstable To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1605278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1605278] Re: Merge python-django 1:1.11-1 from Debian unstable
MAAS have acked that I can proceed with the upload and they will deal with the fallout. I need to sync with the OpenStack team on testing with the 1.11 release. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to python-django in Ubuntu. https://bugs.launchpad.net/bugs/1605278 Title: Merge python-django 1:1.11-1 from Debian unstable To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1605278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1605278] Re: Merge python-django 1:1.11-1 from Debian unstable
I just uploaded a merge with 1:1.11-1 from experimental to the same PPA: https://launchpad.net/~nacc/+archive/ubuntu/lp1605278 Note that I chose 1.11 rather than the 1.10 in unstable because 1.11 is an LTS with support for a lot longer, which means (possibly) we don't need to merge again for 18.04 (or it will be a trivial upstream minor bump within the 1.11 series). ** Description changed: - Please merge python-django 1:1.9.8-1 (main) from Debian unstable (main) + Please merge python-django 1:1.11-1 (main) from Debian experimental + (main) - Explanation of the Ubuntu delta and why it can be dropped: - * SECURITY UPDATE: XSS in admin's add/change related popup - - debian/patches/CVE-2016-6186.patch: change to text in - django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js, - django/views/debug.py, added to tests in tests/admin_views/admin.py, - tests/admin_views/models.py, tests/admin_views/tests.py. - - CVE-2016-6186 - * Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from - upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.) - LP: #1528710 - * Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from - upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.) - LP: #1528710 - * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251) - - debian/patches/CVE-2016-2512-regression.patch: updated to final - upstream fix. - - CVE-2016-2512 - * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251) - - debian/patches/CVE-2016-2512-regression.patch: force url to unicode - in django/utils/http.py, added test to - tests/utils_tests/test_http.py. - - CVE-2016-2512 - * SECURITY UPDATE: malicious redirect and possible XSS attack via - user-supplied redirect URLs containing basic auth - - debian/patches/CVE-2016-2512.patch: prevent spoofing in - django/utils/http.py, added test to tests/utils_tests/test_http.py. - - CVE-2016-2512 - * SECURITY UPDATE: user enumeration through timing difference on password - hasher work factor upgrade - - debian/patches/CVE-2016-2513.patch: fix timing in - django/contrib/auth/hashers.py, added note to - docs/topics/auth/passwords.txt, added tests to - tests/auth_tests/test_hashers.py. - - CVE-2016-2513 - * Merge from Debian unstable. Remaining changes: + python-django (1:1.11-1ubuntu1) artful; urgency=medium + + * Merge from Debian unstable (LP: #1605278). Remaining changes: - debian/patches/pymysql-replacement.patch: Use pymysql as drop in replacement for MySQLdb. - debian/control: Drop python-mysqldb in favor of python-pymysql. - * Dropped changes: - - debian/patches/99_skip_tests_due_python35.diff: no longer required, - python 3.5 is now officially supported in 1.8.6+. + * Drop: + - SECURITY UPDATE: malicious redirect and possible XSS attack via + user-supplied redirect URLs containing basic auth + + debian/patches/CVE-2016-2512.patch: prevent spoofing in + django/utils/http.py, added test to tests/utils_tests/test_http.py. + + CVE-2016-2512 + - SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251) + + debian/patches/CVE-2016-2512-regression.patch: force url to unicode + in django/utils/http.py, added test to + tests/utils_tests/test_http.py. + + CVE-2016-2512 + - SECURITY REGRESSION: is_safe_url() with non-unicode url (LP #1553251) + + debian/patches/CVE-2016-2512-regression.patch: updated to final + upstream fix. + + CVE-2016-2512 + [ Fixed upstream ] + - SECURITY UPDATE: user enumeration through timing difference on password + hasher work factor upgrade + + debian/patches/CVE-2016-2513.patch: fix timing in + django/contrib/auth/hashers.py, added note to + docs/topics/auth/passwords.txt, added tests to + tests/auth_tests/test_hashers.py. + + CVE-2016-2513 + [ Fixed upstream ] + - Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204 from + upstream (1.8.10) to allow dashes in TLDs again (in the URL validator.) + LP #1528710 + [ Fixed upstream ] + - Backport upstream fix for ipv6-formatted ipv4 addresses (LP #1611923) + [ Fixed upstream ] + - SECURITY UPDATE: XSS in admin's add/change related popup + + debian/patches/CVE-2016-6186.patch: change to text in + django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js, + django/views/debug.py, added to tests in tests/admin_views/admin.py, + tests/admin_views/models.py, tests/admin_views/tests.py. + + CVE-2016-6186 + [ Fixed upstream ] + - SECURITY UPDATE: CSRF protection bypass on a site with Google Analytics + + debian/patches/CVE-2016-7401.patch: simplify cookie parsing in +
[Bug 1605278] Re: Merge python-django 1:1.11-1 from Debian unstable
** Summary changed: - Merge python-django 1:1.10.3 from Debian unstable + Merge python-django 1:1.11-1 from Debian unstable -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to python-django in Ubuntu. https://bugs.launchpad.net/bugs/1605278 Title: Merge python-django 1:1.11-1 from Debian unstable To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1605278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
