Package: python-django / 1:1.10.7-2+deb9u9

Metadata

Package: python-django
Version: 1:1.10.7-2+deb9u9
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
02_disable sources in sphinxdoc.diff

docs/conf.py | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 disable creation of _sources directory by sphinx

 We do this to save some space as the sources of the documentation
 are not really useful in a binary package.
 .
 This is a Debian specific patch.
06_use_debian_geoip_database_as_default.diff

django/contrib/gis/geoip/base.py | 19 10 + 9 - 0 !
1 file changed, 10 insertions(+), 9 deletions(-)

 use debian geoip database path as default

 Default to Debian standard path for GeoIP directory and for GeoIP city
 file. Avoids the need to declare them in each project.
 .
 This is a Debian specific patch.
Bug-Debian: http://bugs.debian.org/645094
fix migration fake initial 1.patch

django/db/migrations/executor.py | 83 1 + 82 - 0 !
django/db/migrations/loader.py | 86 83 + 3 - 0 !
tests/migrations/test_executor.py | 12 6 + 6 - 0 !
3 files changed, 90 insertions(+), 91 deletions(-)

 [patch 1/2] move detect_soft_applied() from
 django.db.migrations.executor to .loader
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We want to be able to use that method in
loader.check_consistent_history() to accept a history where the initial
migration is going to be fake-applied. Since the executor has
knowledge of the loader (but not the opposite), it makes sense to move
the code around.

Signed-off-by: Raphaël Hertzog <hertzog@debian.org>
Bug: https://code.djangoproject.com/ticket/28250
Bug-Debian: https://bugs.debian.org/863267

fix migration fake initial 2.patch

django/core/management/commands/makemigrations.py | 2 1 + 1 - 0 !
django/core/management/commands/migrate.py | 2 1 + 1 - 0 !
django/db/migrations/executor.py | 7 6 + 1 - 0 !
django/db/migrations/loader.py | 28 21 + 7 - 0 !
tests/migrations/test_executor.py | 63 58 + 5 - 0 !
tests/migrations/test_loader.py | 27 26 + 1 - 0 !
6 files changed, 113 insertions(+), 16 deletions(-)

 [patch] fixed #25850 -- ignored soft applied migrations in
 consistency check.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ignored initial migrations that have been soft-applied and may be faked
with the --fake-initial flag in the migration history consistency
check. Does not ignore the initial migration if a later migration in
the same app has been recorded as applied.

Included soft-applied migrations in the pre-migrate project state if
any of its children has been applied.

Thanks to Raphaël Hertzog for the initial patch.

Bug: https://code.djangoproject.com/ticket/28250
Bug-Debian: https://bugs.debian.org/863267

fix test middleware classes headers.patch

tests/project_template/test_settings.py | 18 10 + 8 - 0 !
1 file changed, 10 insertions(+), 8 deletions(-)

 [patch] [1.11.x] fixed #26755 -- fixed
 test_middleware_classes_headers if Django source isn't writable.

Backport of 2ec56bb78237ebf58494d7a7f3262482399f0be6 from master

Bug: https://code.djangoproject.com/ticket/26755
Bug-Debian: https://bugs.debian.org/816435

0013 CVE 2018 7536.patch

django/utils/html.py | 33 21 + 12 - 0 !
tests/utils_tests/test_html.py | 8 8 + 0 - 0 !
2 files changed, 29 insertions(+), 12 deletions(-)

 fix cve-2018-7536 -- dos in urlize

This is a security fix.

0014 CVE 2018 7537.patch

django/utils/text.py | 2 1 + 1 - 0 !
tests/utils_tests/test_text.py | 4 4 + 0 - 0 !
2 files changed, 5 insertions(+), 1 deletion(-)

 fix cve-2018-7537 -- dos in truncate*_html

This is a security fix.

0015 CVE 2018 14574.patch

django/middleware/common.py | 3 3 + 0 - 0 !
django/urls/resolvers.py | 8 4 + 4 - 0 !
django/utils/http.py | 11 11 + 0 - 0 !
tests/middleware/tests.py | 19 19 + 0 - 0 !
tests/middleware/urls.py | 2 2 + 0 - 0 !
tests/utils_tests/test_http.py | 10 10 + 0 - 0 !
6 files changed, 49 insertions(+), 4 deletions(-)

 cve-2018-14574

Open redirect possibility in CommonMiddleware

If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting
are both enabled, and if the project has a URL pattern that accepts any path
ending in a slash (many content management systems have such a pattern), then a
request to a maliciously crafted URL of that site could lead to a redirect to
another site, enabling phishing and other attacks.

Thanks Andreas Hug for reporting this issue.

 -- <https://www.djangoproject.com/weblog/2018/aug/01/security-releases/>

0016 CVE 2017 12794.patch

django/views/debug.py | 20 9 + 11 - 0 !
tests/view_tests/tests/py3_test_debug.py | 13 7 + 6 - 0 !
2 files changed, 16 insertions(+), 17 deletions(-)

 cve-2017-12794

Fix a cross-site scripting attack in the technical HTTP 500
page. This vulnerability did not affect production sites as they
typically do not run with "DEBUG = True".

0006 Default to supporting Spatialite 4.2.patch

django/contrib/gis/db/backends/spatialite/base.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 default to supporting spatialite 4.2

See, for example:

  https://www.gaia-gis.it/fossil/libspatialite/wiki?name=mod_spatialite

... and:

  https://docs.djangoproject.com/en/2.1/ref/contrib/gis/install/spatialite/#installing-spatialite

0017 CVE 2019 3498.patch

django/views/defaults.py | 8 5 + 3 - 0 !
tests/handlers/tests.py | 12 8 + 4 - 0 !
2 files changed, 13 insertions(+), 7 deletions(-)

 fixed #30070,
 CVE-2019-3498 -- Fixed content spoofing possibility in the default 404 page.

Co-Authored-By: Tim Graham <timograham@gmail.com>
Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master.

0018 CVE 2019 6975.patch

django/utils/numberformat.py | 15 14 + 1 - 0 !
tests/utils_tests/test_numberformat.py | 18 18 + 0 - 0 !
2 files changed, 32 insertions(+), 1 deletion(-)

 fixed cve-2019-6975 -- fixed memory exhaustion in
 utils.numberformat.format().

Thanks Sjoerd Job Postmus for the report and initial patch.
Thanks Michael Manfre, Tim Graham, and Florian Apolloner for review.

Backport of 402c0caa851e265410fbcaa55318f22d2bf22ee2 from master.

0019 CVE 2019 12308.patch

django/contrib/admin/widgets.py | 11 9 + 2 - 0 !
tests/admin_widgets/tests.py | 16 6 + 10 - 0 !
2 files changed, 15 insertions(+), 12 deletions(-)

 cve-2019-12308

Backported from https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
0020 CVE 2019 12781.patch

django/http/request.py | 7 4 + 3 - 0 !
tests/settings_tests/tests.py | 12 12 + 0 - 0 !
2 files changed, 16 insertions(+), 3 deletions(-)

 cve-2019-12781

Backport of https://github.com/django/django/commit/32124fc41e75074141b05f10fc55a4f01ff7f050

0021 CVE 2019 14232.patch

django/utils/text.py | 4 2 + 2 - 0 !
tests/template_tests/filter_tests/test_truncatewords_html.py | 4 2 + 2 - 0 !
tests/utils_tests/test_text.py | 23 19 + 4 - 0 !
3 files changed, 23 insertions(+), 8 deletions(-)

 cve-2019-14232

Backported from
<https://github.com/django/django/commit/42a66e969023c00536256469f0e8b8a099ef109d>

0022 CVE 2019 14233.patch

django/utils/html.py | 4 2 + 2 - 0 !
tests/utils_tests/test_html.py | 2 2 + 0 - 0 !
2 files changed, 4 insertions(+), 2 deletions(-)

 cve-2019-14233

Backported from
<https://github.com/django/django/commit/52479acce792ad80bb0f915f20b835f919993c72>

0023 CVE 2019 14234.patch

django/contrib/postgres/fields/hstore.py | 2 1 + 1 - 0 !
django/contrib/postgres/fields/jsonb.py | 8 3 + 5 - 0 !
tests/postgres_tests/test_hstore.py | 14 14 + 0 - 0 !
tests/postgres_tests/test_json.py | 15 14 + 1 - 0 !
4 files changed, 32 insertions(+), 7 deletions(-)

 cve-2019-14234

Backported from
<https://github.com/django/django/commit/ed682a24fca774818542757651bfba576c3fc3ef>

0024 CVE 2019 14235.patch

django/utils/encoding.py | 17 10 + 7 - 0 !
tests/utils_tests/test_encoding.py | 12 11 + 1 - 0 !
2 files changed, 21 insertions(+), 8 deletions(-)

 cve-2019-14235

Backported from
<https://github.com/django/django/commit/869b34e9b3be3a4cfcb3a145f218ffd3f5e3fd79>

0025 CVE 2019 19844.patch

django/contrib/auth/forms.py | 20 19 + 1 - 0 !
tests/auth_tests/test_forms.py | 42 42 + 0 - 0 !
2 files changed, 61 insertions(+), 1 deletion(-)

 cve-2019-19844
0026 CVE 2020 7471.patch

django/contrib/postgres/aggregates/general.py | 5 3 + 2 - 0 !
tests/postgres_tests/test_aggregates.py | 4 4 + 0 - 0 !
2 files changed, 7 insertions(+), 2 deletions(-)

 cve-2020-7471 -- properly escape stringagg(delimiter) parameter
0027 CVE 2020 13254.patch

django/core/cache/__init__.py | 4 2 + 2 - 0 !
django/core/cache/backends/base.py | 33 21 + 12 - 0 !
django/core/cache/backends/memcached.py | 24 22 + 2 - 0 !
3 files changed, 45 insertions(+), 16 deletions(-)

 cve-2020-13254
0028 CVE 2020 13596.patch

django/contrib/admin/widgets.py | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 cve-2020-13596