UbuntuUpdates.org

Package "python-django"

Name: python-django

Description:

High-level Python web development framework (Python 2 version)

Latest version: 1.8.7-1ubuntu5.13
Release: xenial (16.04)
Level: security
Repository: main
Homepage: http://www.djangoproject.com/

Other versions of "python-django" in Xenial

Repository Area Version
base main 1.8.7-1ubuntu5
updates main 1.8.7-1ubuntu5.13


Changelog

Version: 1.8.7-1ubuntu5.13 2020-06-03 12:07:12 UTC

  python-django (1.8.7-1ubuntu5.13) xenial-security; urgency=medium

  * SECURITY UPDATE: Potential data leakage via malformed memcached keys
    - debian/patches/CVE-2020-13254.patch: enforced cache key validation in
      memcached backends in django/core/cache/__init__.py,
      django/core/cache/backends/base.py,
      django/core/cache/backends/memcached.py, tests/cache/tests.py.
    - CVE-2020-13254
  * SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
    - debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin
      ForeignKeyRawIdWidget in django/contrib/admin/widgets.py.
    - CVE-2020-13596

 -- Marc Deslauriers <email address hidden> Thu, 28 May 2020 10:48:45 -0400

CVE-2020-13254 RESERVED
CVE-2020-13596 RESERVED

Version: 1.8.7-1ubuntu5.12 2020-03-04 14:06:26 UTC

  python-django (1.8.7-1ubuntu5.12) xenial-security; urgency=medium

  * SECURITY UPDATE: SQL injection in Oracle GIS functions and aggregates
    - debian/patches/CVE-2020-9402.patch: properly escaped tolerance
      parameter in GIS functions and aggregates on Oracle in
      django/contrib/gis/db/models/aggregates.py,
      tests/gis_tests/distapp/tests.py, tests/gis_tests/geoapp/tests.py.
    - CVE-2020-9402

 -- Marc Deslauriers <email address hidden> Fri, 28 Feb 2020 13:12:33 -0500


Version: 1.8.7-1ubuntu5.11 2019-12-19 02:06:49 UTC

  python-django (1.8.7-1ubuntu5.11) xenial-security; urgency=medium

  * SECURITY UPDATE: Potential account hijack via password reset form
    - debian/patches/CVE-2019-19844.patch: Use verified user email for
      password reset requests.
    - CVE-2019-19844

 -- Steve Beattie <email address hidden> Wed, 18 Dec 2019 12:37:04 -0800

CVE-2019-19844 Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows a ...

Version: 1.8.7-1ubuntu5.10 2019-08-01 13:07:05 UTC

  python-django (1.8.7-1ubuntu5.10) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial-of-service possibility in
    django.utils.text.Truncator
    - debian/patches/CVE-2019-14232.patch: adjusted regex to avoid
      backtracking issues when truncating HTML in django/utils/text.py,
      tests/template_tests/filter_tests/test_truncatewords_html.py,
      tests/utils_tests/test_text.py.
    - CVE-2019-14232
  * SECURITY UPDATE: Denial-of-service possibility in strip_tags()
    - debian/patches/CVE-2019-14233.patch: prevented excessive HTMLParser
      recursion in strip_tags() when handling incomplete HTML entities in
      django/utils/html.py, tests/utils_tests/test_html.py.
    - CVE-2019-14233
  * SECURITY UPDATE: SQL injection possibility in key and index lookups for
    JSONField/HStoreField
    - debian/patches/CVE-2019-14234.patch: protected JSONField/HStoreField
      key and index lookups against SQL injection in
      django/contrib/postgres/fields/hstore.py,
      tests/postgres_tests/test_hstore.py.
    - CVE-2019-14234
  * SECURITY UPDATE: Potential memory exhaustion in
    django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2019-14235.patch: fixed potential memory
      exhaustion in django.utils.encoding.uri_to_iri() in
      django/utils/encoding.py, tests/utils_tests/test_encoding.py.
    - CVE-2019-14235

 -- Marc Deslauriers <email address hidden> Fri, 26 Jul 2019 07:41:12 -0400

CVE-2019-14232 RESERVED
CVE-2019-14233 RESERVED
CVE-2019-14234 RESERVED
CVE-2019-14235 RESERVED

Version: 1.8.7-1ubuntu5.9 2019-07-03 12:07:21 UTC

  python-django (1.8.7-1ubuntu5.9) xenial-security; urgency=medium

  * SECURITY UPDATE: Incorrect HTTP detection with reverse-proxy
    connecting via HTTPS
    - debian/patches/CVE-2019-12781.patch: made HttpRequest always
      trust SECURE_PROXY_SSL_HEADER if set in django/http/request.py,
      docs/ref/settings.txt and added tests to tests/settings_test/tests.py.
    - CVE-2019-12781

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 24 Jun 2019 11:30:16 -0300

CVE-2019-12781 Incorrect HTTP detection with reverse-proxy connecting via HTTPS