This bug was fixed in the package python-django - 2:3.2.9-2

---------------
python-django (2:3.2.9-2) unstable; urgency=medium

  * Team upload.
  * Fix __in lookup crash when combining with filtered aggregates.
    Fix for: https://code.djangoproject.com/ticket/32690
    This issue affects src:lava, where work is being done towards Django 3.2
    compatibility.
    Upstream patch from:
    https://github.com/django/django/commit/136ff592ad8aa8b7fa1e61435e5501cc98ce8573
  * Add Breaks: on lava-server << 2021.11 (Closes: #996931)
  * Add Breaks: on python-django-pyscss << 2.0.2-10 (Closes: #983618)

 -- Antonio Terceiro <[email protected]>  Wed, 10 Nov 2021 11:22:48 -0300

python-django (2:3.2.9-1) unstable; urgency=medium

  * New upstream release.
    <https://docs.djangoproject.com/en/3.2/releases/3.2.9/>

 -- Chris Lamb <[email protected]>  Mon, 01 Nov 2021 16:13:55 +0000

python-django (2:3.2.8-1) unstable; urgency=medium

  * New upstream bugfix release.
  * Drop a patch applied upstream.
  * Bump Standards-Version to 4.6.0.

 -- Chris Lamb <[email protected]>  Tue, 05 Oct 2021 09:34:57 +0100

python-django (2:3.2.7-4) unstable; urgency=medium

  * Skip a test that is fixed upstream (with a number of overlapping
    patches).

 -- Chris Lamb <[email protected]>  Mon, 13 Sep 2021 09:03:27 +0100

python-django (2:3.2.7-3) unstable; urgency=medium

  * Actually upload 3.2 branch to unstable...

 -- Chris Lamb <[email protected]>  Thu, 09 Sep 2021 17:49:23 +0100

python-django (2:3.2.7-2) experimental; urgency=medium

  * Upload 3.2 branch to unstable.

 -- Chris Lamb <[email protected]>  Thu, 09 Sep 2021 15:51:11 +0100

python-django (2:3.2.7-1) experimental; urgency=medium

  * New upstream bugfix release.

 -- Chris Lamb <[email protected]>  Wed, 01 Sep 2021 10:46:07 +0100

python-django (2:3.2.6-1) experimental; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/3.2/releases/3.2.6/>
  * Bump Standards-Version to 4.5.1.

 -- Chris Lamb <[email protected]>  Mon, 02 Aug 2021 09:16:21 +0100

python-django (2:3.2.5-2) experimental; urgency=medium

  * Don't symlink /usr/bin/django-admin to "django-admin.py"; ship the script
    generated by the entry_points system instead, otherwise we introduce a
    confusing "django-admin.py" deprecation message when using "django-admin".
    (Closes: #991098)

 -- Chris Lamb <[email protected]>  Thu, 15 Jul 2021 13:54:57 +0100

python-django (2:3.2.5-1) experimental; urgency=medium

  * New upstream security release:

    - CVE-2021-35042: Potential SQL injection via unsanitized
      QuerySet.order_by() input.

      Unsanitized user input passed to QuerySet.order_by() could bypass
      intended column reference validation in path marked for deprecation
      resulting in a potential SQL injection even if a deprecation warning is
      emitted. As a mitigation, the strict column reference validation was
      restored for the duration of the deprecation period. This regression
      appeared in Django version 3.1 as a side effect of fixing another bug
      (#31426).

    For more information, please see:
    <https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>

 -- Chris Lamb <[email protected]>  Thu, 01 Jul 2021 10:56:07 +0100

python-django (2:3.2.4-1) experimental; urgency=medium

  * New upstream security release. (Closes: #989394)

    - CVE-2021-33203: Potential directory traversal via admindocs

      Staff members could use the admindocs TemplateDetailView view to
      check the existence of arbitrary files. Additionally, if (and only
      if) the default admindocs templates have been customized by the
      developers to also expose the file contents, then not only the
      existence but also the file contents would have been exposed.

      As a mitigation, path sanitation is now applied and only files
      within the template root directories can be loaded.

      This issue has low severity, according to the Django security
      policy.

      Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
      the CodeQL Python team for the report.

    - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
      since validators accepted leading zeros in IPv4 addresses

      URLValidator, validate_ipv4_address(), and
      validate_ipv46_address() didn't prohibit leading zeros in octal
      literals. If you used such values you could suffer from
      indeterminate SSRF, RFI, and LFI attacks.

      validate_ipv4_address() and validate_ipv46_address() validators
      were not affected on Python 3.9.5+.

      This issue has medium severity, according to the Django security
      policy.

  * Bump Standards-Version to 4.5.1.

 -- Chris Lamb <[email protected]>  Wed, 02 Jun 2021 16:08:13 +0100

python-django (2:3.2.3-1) experimental; urgency=medium

  * New upstream release.
    <https://docs.djangoproject.com/en/3.2/releases/3.2.3/>

 -- Chris Lamb <[email protected]>  Thu, 13 May 2021 10:25:49 +0100

python-django (2:3.2.2-1) experimental; urgency=medium

  * New upstream security release:
    - CVE-2021-32052: Header injection possibility since URLValidator accepted
      newlines in input on Python 3.9.5+. (Closes: #988136)
    - Full release notes:
      <https://www.djangoproject.com/weblog/2021/may/06/security-releases/>

 -- Chris Lamb <[email protected]>  Thu, 06 May 2021 13:04:03 +0100

python-django (2:3.2.1-1) experimental; urgency=medium

  * New upstream security release:
    - CVE-2021-31542: Potential directory-traversal via uploaded files.
      (Closes: #988053)
    - Full release notes:
      <https://www.djangoproject.com/weblog/2021/may/04/security-releases/>
  * Refresh patches.

 -- Chris Lamb <[email protected]>  Tue, 04 May 2021 12:59:07 +0100

python-django (2:3.2-1) experimental; urgency=medium

  * New upstream major release:

    - Full release notes: <https://docs.djangoproject.com/en/3.2/releases/3.2/>
    - CVE-2021-28658: The MultiPartParser class allowed directory-traversal
      via uploaded files via maliciously crafted filenames. (Closes: #986447)

 -- Chris Lamb <[email protected]>  Tue, 06 Apr 2021 11:38:48 +0100

python-django (2:3.2~rc1-1) experimental; urgency=medium

  * New upstream release candidate.
    <https://www.djangoproject.com/weblog/2021/mar/18/django-32-rc1/#s-id5>
  * Refresh patches.

 -- Chris Lamb <[email protected]>  Fri, 19 Mar 2021 09:56:40 +0000

python-django (2:3.2~beta1-1) experimental; urgency=medium

  * New upstream beta release.
    <https://www.djangoproject.com/weblog/2021/feb/19/django-32-beta-1-released/>
  * Apply wrap-and-sort -sa.

 -- Chris Lamb <[email protected]>  Fri, 19 Feb 2021 16:13:21 +0000

python-django (2:3.2~alpha1-2) experimental; urgency=medium

  * Apply security fix from upstream:

    - CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
      cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
      added to backport some security fixes. A further security fix has been
      issued recently such that parse_qsl() no longer allows using ";" as a
      query parameter separator by default. (Closes: #983090)

    <https://www.djangoproject.com/weblog/2021/feb/19/security-releases/>

 -- Chris Lamb <[email protected]>  Fri, 19 Feb 2021 09:28:42 +0000

python-django (2:3.2~alpha1-1) experimental; urgency=medium

  * New upstream alpha release.
    <https://www.djangoproject.com/weblog/2021/jan/19/django-32-alpha-1-released/>
  * Refresh patches.
  * Drop no-upstream-changelog overrides; removed from Lintian.

 -- Chris Lamb <[email protected]>  Wed, 20 Jan 2021 09:27:49 +0000

python-django (2:3.1.5-1) experimental; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/3.1/releases/3.1.5/>

 -- Chris Lamb <[email protected]>  Mon, 04 Jan 2021 12:45:20 +0000

python-django (2:3.1.4-1) experimental; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/3.1/releases/3.1.4/>
  * Bump Standards-Version to 4.5.1.

 -- Chris Lamb <[email protected]>  Tue, 01 Dec 2020 11:25:32 +0000

python-django (2:3.1.3-1) experimental; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/stable/releases/3.1.3/>

 -- Chris Lamb <[email protected]>  Tue, 03 Nov 2020 11:59:29 +0000

python-django (2:3.1.2-1) experimental; urgency=medium

  * New upstream bugfix release.
    <https://www.djangoproject.com/weblog/2020/oct/01/django-bugfix-release-312/>
  * Update Maintainer field with new Debian Python Team contact address.
  * Update Vcs-* fields with new Debian Python Team Salsa layout.

 -- Chris Lamb <[email protected]>  Thu, 01 Oct 2020 10:06:16 +0100

python-django (2:3.1.1-1) experimental; urgency=medium

  * New upstream security release to address CVE-2020-24583, CVE-2020-24584.
    (Closes: #969367)
    <https://www.djangoproject.com/weblog/2020/sep/01/security-releases/>

 -- Chris Lamb <[email protected]>  Tue, 01 Sep 2020 12:32:23 +0100

python-django (2:3.1-2) experimental; urgency=medium

  * Set the PYTHONPATH in the autopkgtests in the same way that we do in
    debian/rules. (Closes: #968577)

 -- Chris Lamb <[email protected]>  Mon, 17 Aug 2020 23:11:30 +0100

python-django (2:3.1-1) experimental; urgency=medium

  * New upstream release.
    <https://docs.djangoproject.com/en/3.1/releases/3.1/>

 -- Chris Lamb <[email protected]>  Tue, 04 Aug 2020 10:11:43 +0100

python-django (2:3.1~rc1-1) experimental; urgency=medium

  * New upstream release candidate release.
    <https://www.djangoproject.com/weblog/2020/jul/20/django-31-release-candidate-1-released/>

 -- Chris Lamb <[email protected]>  Mon, 20 Jul 2020 11:43:40 +0100

python-django (2:3.1~beta1-1) experimental; urgency=medium

  * New upstream beta release.
    <https://www.djangoproject.com/weblog/2020/jun/15/django-31-beta-1-released/>
  * Refresh patches.

 -- Chris Lamb <[email protected]>  Mon, 15 Jun 2020 11:30:39 +0100

python-django (2:3.0.7-2) experimental; urgency=medium

  * Fix a regression in the handling of CVE-2020-13596.
  * Refresh patches.

 -- Chris Lamb <[email protected]>  Sat, 13 Jun 2020 15:15:34 +0100

python-django (2:3.0.7-1) experimental; urgency=medium

  * New upstream security release.
    <https://www.djangoproject.com/weblog/2020/jun/03/security-releases/>

 -- Chris Lamb <[email protected]>  Wed, 03 Jun 2020 21:16:00 +0100

python-django (2:3.0.6-1) experimental; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/3.0/releases/3.0.6/>

 -- Chris Lamb <[email protected]>  Mon, 04 May 2020 19:33:25 +0100

python-django (2:3.0.5-1) experimental; urgency=medium

  * New upstream release.
    <https://docs.djangoproject.com/en/3.0/releases/3.0.5/>
  * Refresh all patches.

 -- Chris Lamb <[email protected]>  Wed, 01 Apr 2020 10:35:42 +0100

python-django (2:3.0.4-1) experimental; urgency=medium

  * New upstream security release. (Closes: #953102)
    <https://www.djangoproject.com/weblog/2020/mar/04/security-releases/>
  * Bump Standards-Version to 4.5.0.
  * Refresh
    debian/patches/0004-Use-locally-installed-documentation-sources.patch.

 -- Chris Lamb <[email protected]>  Wed, 04 Mar 2020 08:22:30 -0800

python-django (2:3.0.2-1) experimental; urgency=medium

  * New upstream bugfix release.
    <https://www.djangoproject.com/weblog/2020/jan/02/django-bugfix-release-302/>
  * Add python3-selenium to test-dependencies and to a runtime "Suggests".
    (Closes: #947549)

 -- Chris Lamb <[email protected]>  Thu, 02 Jan 2020 10:52:39 +0000

python-django (2:3.0.1-1) experimental; urgency=medium

  * New upstream security release.
    <https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>
    (Closes: #946937)

 -- Chris Lamb <[email protected]>  Mon, 30 Dec 2019 10:44:01 +0000

python-django (2:3.0-1) experimental; urgency=medium

  * New upstream release.
    <https://www.djangoproject.com/weblog/2019/dec/02/django-3-released/>

 -- Chris Lamb <[email protected]>  Mon, 02 Dec 2019 12:24:50 +0000

python-django (2:3.0~rc1-1) experimental; urgency=medium

  * New upstream release candidate release.
    <https://www.djangoproject.com/weblog/2019/nov/18/django-30-release-candidate-1-released/>

 -- Chris Lamb <[email protected]>  Mon, 18 Nov 2019 11:25:38 -0500

python-django (2:3.0~beta1-1) experimental; urgency=medium

  * New upstream beta release.
    <https://www.djangoproject.com/weblog/2019/oct/14/django-30-beta-1-released/>
  * Bump Standards-Version to 4.4.1.
  * wrap-and-sort -sa.

 -- Chris Lamb <[email protected]>  Mon, 14 Oct 2019 11:11:10 -0700

python-django (2:3.0~alpha1-1) experimental; urgency=medium

  * New upstream alpha release.
    <https://www.djangoproject.com/weblog/2019/sep/10/django-30-alpha-1-released/>
  * Refresh all patches.
  * Add asgiref to build and runtime dependencies.
  * Update debian/copyright.

 -- Chris Lamb <[email protected]>  Tue, 10 Sep 2019 11:22:45 +0100

** Changed in: python-django (Ubuntu)
       Status: In Progress => Fix Released

** Bug watch added: Django Bug Tracker #32690
   http://code.djangoproject.com/ticket/32690

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13596

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24583

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24584

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-23336

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-28658

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-31542

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-32052

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-33203

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-33571

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-35042

** Changed in: python-django (Ubuntu)
       Status: Fix Released => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1946890

Title:
  Merge python-django from Debian unstable for 22.04
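
Added example, not part of the original changelog and not Django's own code: the CVE-2021-33571 entry above says the validators accepted leading zeros in IPv4 octets. The Python below shows why such input is ambiguous (one lenient parser reads `010` as decimal 10, another as octal 8) next to a strict check that rejects it; the function names `strict_ipv4` and `readings` are hypothetical and the sample addresses are constructed.

```python
def strict_ipv4(text):
    """Return the four octets as a tuple, or raise ValueError.

    Octets with a leading zero ("010", "00") are rejected outright, so every
    component that later parses this string must agree on what it means.
    """
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected four dot-separated octets")
    octets = []
    for part in parts:
        if not (part.isascii() and part.isdigit()):
            raise ValueError(f"non-decimal octet: {part!r}")
        if len(part) > 1 and part[0] == "0":
            raise ValueError(f"leading zero in octet: {part!r}")
        value = int(part)
        if value > 255:
            raise ValueError(f"octet out of range: {part!r}")
        octets.append(value)
    return tuple(octets)


def readings(text):
    """Return (decimal_reading, octal_reading) for a dotted quad.

    decimal_reading: what a parser that ignores leading zeros sees.
    octal_reading:   what a parser that treats a leading zero as an octal
                     prefix sees, or None if an octet is not valid octal.
    Assumes the octets consist of ASCII digits only.
    """
    parts = text.split(".")
    decimal = ".".join(str(int(p, 10)) for p in parts)
    try:
        octal = ".".join(
            str(int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10))
            for p in parts
        )
    except ValueError:
        octal = None
    return decimal, octal


if __name__ == "__main__":
    for sample in ("10.0.0.1", "010.0.0.1", "08.0.0.1"):  # constructed inputs
        try:
            verdict = strict_ipv4(sample)
        except ValueError as exc:
            verdict = f"rejected ({exc})"
        print(sample, "->", readings(sample), verdict)
```

A validator that accepts `010.0.0.1` approves a string whose meaning depends on whichever library resolves it afterwards, which is the indeterminacy the changelog entry refers to.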
