UbuntuUpdates.org

Package "python-django"

Name: python-django

Description: High-level Python web development framework

Latest version: 1.6.11-0ubuntu1.3
Release: trusty (14.04)
Level: security
Repository: main
Homepage: http://www.djangoproject.com/

Other versions of "python-django" in Trusty

Repository  Area  Version
base        main  1.6.1-2
updates     main  1.6.11-0ubuntu1.3

Changelog

Version: 1.6.1-2ubuntu0.14 2016-03-07 20:06:36 UTC

  python-django (1.6.1-2ubuntu0.14) trusty-security; urgency=medium

  * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
    - debian/patches/CVE-2016-2512-regression.patch: updated to final
      upstream fix.
    - CVE-2016-2512

 -- Marc Deslauriers <email address hidden> Mon, 07 Mar 2016 08:50:01 -0500

LP: #1553251 USN-2915-1 introduced a regression in is_safe_url()
CVE-2016-2512 RESERVED

Version: 1.6.1-2ubuntu0.13 2016-03-07 14:06:29 UTC

  python-django (1.6.1-2ubuntu0.13) trusty-security; urgency=medium

  * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
    - debian/patches/CVE-2016-2512-regression.patch: force url to unicode
      in django/utils/http.py, added test to
      tests/utils_tests/test_http.py.
    - CVE-2016-2512

 -- Marc Deslauriers <email address hidden> Fri, 04 Mar 2016 11:07:40 -0500

LP: #1553251 USN-2915-1 introduced a regression in is_safe_url()
CVE-2016-2512 RESERVED

Version: 1.6.1-2ubuntu0.12 2016-03-01 19:07:00 UTC

  python-django (1.6.1-2ubuntu0.12) trusty-security; urgency=medium

  * SECURITY UPDATE: malicious redirect and possible XSS attack via
    user-supplied redirect URLs containing basic auth
    - debian/patches/CVE-2016-2512.patch: prevent spoofing in
      django/utils/http.py, added test to tests/utils_tests/test_http.py.
    - CVE-2016-2512
  * SECURITY UPDATE: user enumeration through timing difference on password
    hasher work factor upgrade
    - debian/patches/CVE-2016-2513.patch: fix timing in
      django/contrib/auth/hashers.py, added note to
      docs/topics/auth/passwords.txt, added tests to
      django/contrib/auth/tests/test_hashers.py.
    - debian/control: added python-mock to Build-Depends
    - CVE-2016-2513

 -- Marc Deslauriers <email address hidden> Thu, 25 Feb 2016 14:41:20 -0500

CVE-2016-2512 RESERVED
CVE-2016-2513 RESERVED
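The redirect validation behind CVE-2016-2512 and its non-unicode regression (the three entries above) as an added example, not the packaged patch or Django's own code: a Python 3 safe-redirect check written from memory of the upstream approach, which rejects the basic-auth and backslash spellings, scheme-only and protocol-relative forms, and leading control characters, and decodes byte-string input before inspecting it (the regression the 0.13 and 0.14 entries fix). The function names, the host value and the constructed sample URLs are assumptions.

```python
import unicodedata
from urllib.parse import urlparse


def _is_safe_url(url, host):
    # Chrome treats a URL with three leading slashes as absolute; urlparse does not.
    if url.startswith("///"):
        return False
    info = urlparse(url)
    # "http:///evil.example" parses as a path here but as a host in browsers.
    if info.scheme and not info.netloc:
        return False
    # Some browsers ignore leading control characters, so the parse above
    # cannot be trusted if the URL starts with one (Unicode category "C*").
    if unicodedata.category(url[0])[0] == "C":
        return False
    netloc_ok = (not info.netloc) or info.netloc == host
    scheme_ok = (not info.scheme) or info.scheme in ("http", "https")
    return netloc_ok and scheme_ok


def is_safe_redirect(url, host):
    """Return True only if url is relative or points at host over http(s)."""
    # Regression fix: callers may pass bytes; unicodedata.category() needs text.
    if isinstance(url, bytes):
        url = url.decode("utf-8", "replace")
    url = url.strip()
    if not url:
        return False
    # Browsers may treat "\" as "/", and "@" in the authority part introduces
    # basic-auth credentials, so a URL like http://HOST\@other.example can
    # resolve to HOST or to other.example depending on the parser. Require
    # both spellings to be safe rather than trusting either parse alone.
    return _is_safe_url(url, host) and _is_safe_url(url.replace("\\", "/"), host)


# Constructed sample inputs for an assumed site host of example.com.
SAMPLES = [
    "/accounts/profile/",
    "https://example.com/next",
    "http://other.example/",
    "http://example.com\\@other.example/",
    "//other.example/",
    "http:///other.example",
    b"/accounts/profile/",
    "\u0000/accounts/profile/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:45} -> {is_safe_redirect(sample, 'example.com')}")
```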

Version: 1.6.1-2ubuntu0.11 2015-11-24 19:06:25 UTC

  python-django (1.6.1-2ubuntu0.11) trusty-security; urgency=medium

  * SECURITY UPDATE: Settings leak possibility in date template filter
    - debian/patches/CVE-2015-8213.patch: check format type in
      django/utils/formats.py, added test to tests/i18n/tests.py.
    - CVE-2015-8213

 -- Marc Deslauriers Wed, 18 Nov 2015 15:15:27 -0500

CVE-2015-8213 Fixed settings leak possibility in date template filter

Version: 1.6.1-2ubuntu0.10 2015-08-18 19:06:44 UTC

  python-django (1.6.1-2ubuntu0.10) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service by filling session store
    - debian/patches/CVE-2015-596x.patch: don't create empty sessions in
      django/contrib/sessions/backends/base.py,
      django/contrib/sessions/backends/cached_db.py,
      django/contrib/sessions/middleware.py, added tests to
      django/contrib/sessions/tests.py, updated docs in
      docs/topics/http/sessions.txt.
    - CVE-2015-5963
    - CVE-2015-5964

 -- Marc Deslauriers Thu, 13 Aug 2015 11:49:44 -0400

CVE-2015-5963 Denial-of-service possibility in logout() view by filling session store
CVE-2015-5964 more to CVE-2015-5963
