Package: python-django | Debian Sources

Package: python-django / 1:1.10.7-2+deb9u9

Metadata

Package	Version	Patches format
python-django	1:1.10.7-2+deb9u9	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
02_disable sources in sphinxdoc.diff \| (download)	docs/conf.py \| 5 4 + 1 - 0 ! 1 file changed, 4 insertions(+), 1 deletion(-)	disable creation of _sources directory by sphinx We do this to save some space as the sources of the documentation are not really useful in a binary package. . This is a Debian specific patch.
06_use_debian_geoip_database_as_default.diff \| (download)	django/contrib/gis/geoip/base.py \| 19 10 + 9 - 0 ! 1 file changed, 10 insertions(+), 9 deletions(-)	use debian geoip database path as default Default to Debian standard path for GeoIP directory and for GeoIP city file. Avoids the need to declare them in each project. . This is a Debian specific patch. Bug-Debian: http://bugs.debian.org/645094
fix migration fake initial 1.patch \| (download)	django/db/migrations/executor.py \| 83 1 + 82 - 0 ! django/db/migrations/loader.py \| 86 83 + 3 - 0 ! tests/migrations/test_executor.py \| 12 6 + 6 - 0 ! 3 files changed, 90 insertions(+), 91 deletions(-)	[patch 1/2] move detect_soft_applied() from django.db.migrations.executor to .loader MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We want to be able to use that method in loader.check_consistent_history() to accept an history where the initial migration is going to be fake-applied. Since the executor has the knowledge of the loader (but not the opposite), it makes sens to move the code around. Signed-off-by: Raphaël Hertzog <hertzog@debian.org> Bug: https://code.djangoproject.com/ticket/28250 Bug-Debian: https://bugs.debian.org/863267
fix migration fake initial 2.patch \| (download)	django/core/management/commands/makemigrations.py \| 2 1 + 1 - 0 ! django/core/management/commands/migrate.py \| 2 1 + 1 - 0 ! django/db/migrations/executor.py \| 7 6 + 1 - 0 ! django/db/migrations/loader.py \| 28 21 + 7 - 0 ! tests/migrations/test_executor.py \| 63 58 + 5 - 0 ! tests/migrations/test_loader.py \| 27 26 + 1 - 0 ! 6 files changed, 113 insertions(+), 16 deletions(-)	[patch] fixed #25850 -- ignored soft applied migrations in consistency check. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ignored initial migrations that have been soft-applied and may be faked with the --fake-initial flag in the migration history consistency check. Does not ignore the initial migration if a later migration in the same app has been recorded as applied. Included soft-applied migrations in the pre-migrate project state if any of its children has been applied. Thanks to Raphaël Hertzog for the initial patch. Bug: https://code.djangoproject.com/ticket/28250 Bug-Debian: https://bugs.debian.org/863267
fix test middleware classes headers.patch \| (download)	tests/project_template/test_settings.py \| 18 10 + 8 - 0 ! 1 file changed, 10 insertions(+), 8 deletions(-)	[patch] [1.11.x] fixed #26755 -- fixed test_middleware_classes_headers if Django source isn't writable. Backport of 2ec56bb78237ebf58494d7a7f3262482399f0be6 from master Bug: https://code.djangoproject.com/ticket/26755 Bug-Debian: https://bugs.debian.org/816435
0013 CVE 2018 7536.patch \| (download)	django/utils/html.py \| 33 21 + 12 - 0 ! tests/utils_tests/test_html.py \| 8 8 + 0 - 0 ! 2 files changed, 29 insertions(+), 12 deletions(-)	fix cve-2018-7536 -- dos in urlize This is a security fix.
0014 CVE 2018 7537.patch \| (download)	django/utils/text.py \| 2 1 + 1 - 0 ! tests/utils_tests/test_text.py \| 4 4 + 0 - 0 ! 2 files changed, 5 insertions(+), 1 deletion(-)	fix cve-2018-7537 -- dos in truncate*_html This is a security fix.
0015 CVE 2018 14574.patch \| (download)	django/middleware/common.py \| 3 3 + 0 - 0 ! django/urls/resolvers.py \| 8 4 + 4 - 0 ! django/utils/http.py \| 11 11 + 0 - 0 ! tests/middleware/tests.py \| 19 19 + 0 - 0 ! tests/middleware/urls.py \| 2 2 + 0 - 0 ! tests/utils_tests/test_http.py \| 10 10 + 0 - 0 ! 6 files changed, 49 insertions(+), 4 deletions(-)	cve-2018-14574 Open redirect possibility in CommonMiddleware If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks. Thanks Andreas Hug for reporting this issue. -- <https://www.djangoproject.com/weblog/2018/aug/01/security-releases/>
0016 CVE 2017 12794.patch \| (download)	django/views/debug.py \| 20 9 + 11 - 0 ! tests/view_tests/tests/py3_test_debug.py \| 13 7 + 6 - 0 ! 2 files changed, 16 insertions(+), 17 deletions(-)	cve-2017-12794 Fix a cross-site scripting attack in the technical HTTP 500 page. This vulnerability did not affect production sites as they typically do not run with "DEBUG = True".
0006 Default to supporting Spatialite 4.2.patch \| (download)	django/contrib/gis/db/backends/spatialite/base.py \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	default to supporting spatialite 4.2 See, for example: https://www.gaia-gis.it/fossil/libspatialite/wiki?name=mod_spatialite ... and: https://docs.djangoproject.com/en/2.1/ref/contrib/gis/install/spatialite/#installing-spatialite
0017 CVE 2019 3498.patch \| (download)	django/views/defaults.py \| 8 5 + 3 - 0 ! tests/handlers/tests.py \| 12 8 + 4 - 0 ! 2 files changed, 13 insertions(+), 7 deletions(-)	fixed #30070, CVE-2019-3498 -- Fixed content spoofing possiblity in the default 404 page. Co-Authored-By: Tim Graham <timograham@gmail.com> Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master.
0018 CVE 2019 6975.patch \| (download)	django/utils/numberformat.py \| 15 14 + 1 - 0 ! tests/utils_tests/test_numberformat.py \| 18 18 + 0 - 0 ! 2 files changed, 32 insertions(+), 1 deletion(-)	fixed cve-2019-6975 -- fixed memory exhaustion in utils.numberformat.format(). Thanks Sjoerd Job Postmus for the report and initial patch. Thanks Michael Manfre, Tim Graham, and Florian Apolloner for review. Backport of 402c0caa851e265410fbcaa55318f22d2bf22ee2 from master.
0019 CVE 2019 12308.patch \| (download)	django/contrib/admin/widgets.py \| 11 9 + 2 - 0 ! tests/admin_widgets/tests.py \| 16 6 + 10 - 0 ! 2 files changed, 15 insertions(+), 12 deletions(-)	cve-2019-12308 Backported from https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
0020 CVE 2019 12781.patch \| (download)	django/http/request.py \| 7 4 + 3 - 0 ! tests/settings_tests/tests.py \| 12 12 + 0 - 0 ! 2 files changed, 16 insertions(+), 3 deletions(-)	cve-2019-12781 Backport of https://github.com/django/django/commit/32124fc41e75074141b05f10fc55a4f01ff7f050
0021 CVE 2019 14232.patch \| (download)	django/utils/text.py \| 4 2 + 2 - 0 ! tests/template_tests/filter_tests/test_truncatewords_html.py \| 4 2 + 2 - 0 ! tests/utils_tests/test_text.py \| 23 19 + 4 - 0 ! 3 files changed, 23 insertions(+), 8 deletions(-)	cve-2019-14232 Backported from <https://github.com/django/django/commit/42a66e969023c00536256469f0e8b8a099ef109d>
0022 CVE 2019 14233.patch \| (download)	django/utils/html.py \| 4 2 + 2 - 0 ! tests/utils_tests/test_html.py \| 2 2 + 0 - 0 ! 2 files changed, 4 insertions(+), 2 deletions(-)	cve-2019-14233 Backported from <https://github.com/django/django/commit/52479acce792ad80bb0f915f20b835f919993c72>
0023 CVE 2019 14234.patch \| (download)	django/contrib/postgres/fields/hstore.py \| 2 1 + 1 - 0 ! django/contrib/postgres/fields/jsonb.py \| 8 3 + 5 - 0 ! tests/postgres_tests/test_hstore.py \| 14 14 + 0 - 0 ! tests/postgres_tests/test_json.py \| 15 14 + 1 - 0 ! 4 files changed, 32 insertions(+), 7 deletions(-)	cve-2019-14234 Backported from <https://github.com/django/django/commit/ed682a24fca774818542757651bfba576c3fc3ef>
0024 CVE 2019 14235.patch \| (download)	django/utils/encoding.py \| 17 10 + 7 - 0 ! tests/utils_tests/test_encoding.py \| 12 11 + 1 - 0 ! 2 files changed, 21 insertions(+), 8 deletions(-)	cve-2019-14235 Backported from <https://github.com/django/django/commit/869b34e9b3be3a4cfcb3a145f218ffd3f5e3fd79>
0025 CVE 2019 19844.patch \| (download)	django/contrib/auth/forms.py \| 20 19 + 1 - 0 ! tests/auth_tests/test_forms.py \| 42 42 + 0 - 0 ! 2 files changed, 61 insertions(+), 1 deletion(-)	cve-2019-19844
0026 CVE 2020 7471.patch \| (download)	django/contrib/postgres/aggregates/general.py \| 5 3 + 2 - 0 ! tests/postgres_tests/test_aggregates.py \| 4 4 + 0 - 0 ! 2 files changed, 7 insertions(+), 2 deletions(-)	cve-2020-7471 -- properly escape stringagg(delimiter) parameter
0027 CVE 2020 13254.patch \| (download)	django/core/cache/__init__.py \| 4 2 + 2 - 0 ! django/core/cache/backends/base.py \| 33 21 + 12 - 0 ! django/core/cache/backends/memcached.py \| 24 22 + 2 - 0 ! 3 files changed, 45 insertions(+), 16 deletions(-)	cve-2020-13254
0028 CVE 2020 13596.patch \| (download)	django/contrib/admin/widgets.py \| 3 2 + 1 - 0 ! 1 file changed, 2 insertions(+), 1 deletion(-)	cve-2020-13596

Patch	File delta	Description
02_disable sources in sphinxdoc.diff \| (download)	docs/conf.py \| 5 4 + 1 - 0 ! 1 file changed, 4 insertions(+), 1 deletion(-)	disable creation of _sources directory by sphinx We do this to save some space as the sources of the documentation are not really useful in a binary package. . This is a Debian specific patch.
06_use_debian_geoip_database_as_default.diff \| (download)	django/contrib/gis/geoip/base.py \| 19 10 + 9 - 0 ! 1 file changed, 10 insertions(+), 9 deletions(-)	use debian geoip database path as default Default to Debian standard path for GeoIP directory and for GeoIP city file. Avoids the need to declare them in each project. . This is a Debian specific patch. Bug-Debian: http://bugs.debian.org/645094
fix migration fake initial 1.patch \| (download)	django/db/migrations/executor.py \| 83 1 + 82 - 0 ! django/db/migrations/loader.py \| 86 83 + 3 - 0 ! tests/migrations/test_executor.py \| 12 6 + 6 - 0 ! 3 files changed, 90 insertions(+), 91 deletions(-)	[patch 1/2] move detect_soft_applied() from django.db.migrations.executor to .loader MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We want to be able to use that method in loader.check_consistent_history() to accept an history where the initial migration is going to be fake-applied. Since the executor has the knowledge of the loader (but not the opposite), it makes sens to move the code around. Signed-off-by: Raphaël Hertzog <hertzog@debian.org> Bug: https://code.djangoproject.com/ticket/28250 Bug-Debian: https://bugs.debian.org/863267
fix migration fake initial 2.patch \| (download)	django/core/management/commands/makemigrations.py \| 2 1 + 1 - 0 ! django/core/management/commands/migrate.py \| 2 1 + 1 - 0 ! django/db/migrations/executor.py \| 7 6 + 1 - 0 ! django/db/migrations/loader.py \| 28 21 + 7 - 0 ! tests/migrations/test_executor.py \| 63 58 + 5 - 0 ! tests/migrations/test_loader.py \| 27 26 + 1 - 0 ! 6 files changed, 113 insertions(+), 16 deletions(-)	[patch] fixed #25850 -- ignored soft applied migrations in consistency check. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ignored initial migrations that have been soft-applied and may be faked with the --fake-initial flag in the migration history consistency check. Does not ignore the initial migration if a later migration in the same app has been recorded as applied. Included soft-applied migrations in the pre-migrate project state if any of its children has been applied. Thanks to Raphaël Hertzog for the initial patch. Bug: https://code.djangoproject.com/ticket/28250 Bug-Debian: https://bugs.debian.org/863267
fix test middleware classes headers.patch \| (download)	tests/project_template/test_settings.py \| 18 10 + 8 - 0 ! 1 file changed, 10 insertions(+), 8 deletions(-)	[patch] [1.11.x] fixed #26755 -- fixed test_middleware_classes_headers if Django source isn't writable. Backport of 2ec56bb78237ebf58494d7a7f3262482399f0be6 from master Bug: https://code.djangoproject.com/ticket/26755 Bug-Debian: https://bugs.debian.org/816435
0013 CVE 2018 7536.patch \| (download)	django/utils/html.py \| 33 21 + 12 - 0 ! tests/utils_tests/test_html.py \| 8 8 + 0 - 0 ! 2 files changed, 29 insertions(+), 12 deletions(-)	fix cve-2018-7536 -- dos in urlize This is a security fix.
0014 CVE 2018 7537.patch \| (download)	django/utils/text.py \| 2 1 + 1 - 0 ! tests/utils_tests/test_text.py \| 4 4 + 0 - 0 ! 2 files changed, 5 insertions(+), 1 deletion(-)	fix cve-2018-7537 -- dos in truncate*_html This is a security fix.
0015 CVE 2018 14574.patch \| (download)	django/middleware/common.py \| 3 3 + 0 - 0 ! django/urls/resolvers.py \| 8 4 + 4 - 0 ! django/utils/http.py \| 11 11 + 0 - 0 ! tests/middleware/tests.py \| 19 19 + 0 - 0 ! tests/middleware/urls.py \| 2 2 + 0 - 0 ! tests/utils_tests/test_http.py \| 10 10 + 0 - 0 ! 6 files changed, 49 insertions(+), 4 deletions(-)	cve-2018-14574 Open redirect possibility in CommonMiddleware If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks. Thanks Andreas Hug for reporting this issue. -- <https://www.djangoproject.com/weblog/2018/aug/01/security-releases/>
0016 CVE 2017 12794.patch \| (download)	django/views/debug.py \| 20 9 + 11 - 0 ! tests/view_tests/tests/py3_test_debug.py \| 13 7 + 6 - 0 ! 2 files changed, 16 insertions(+), 17 deletions(-)	cve-2017-12794 Fix a cross-site scripting attack in the technical HTTP 500 page. This vulnerability did not affect production sites as they typically do not run with "DEBUG = True".
0006 Default to supporting Spatialite 4.2.patch \| (download)	django/contrib/gis/db/backends/spatialite/base.py \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	default to supporting spatialite 4.2 See, for example: https://www.gaia-gis.it/fossil/libspatialite/wiki?name=mod_spatialite ... and: https://docs.djangoproject.com/en/2.1/ref/contrib/gis/install/spatialite/#installing-spatialite
0017 CVE 2019 3498.patch \| (download)	django/views/defaults.py \| 8 5 + 3 - 0 ! tests/handlers/tests.py \| 12 8 + 4 - 0 ! 2 files changed, 13 insertions(+), 7 deletions(-)	fixed #30070, CVE-2019-3498 -- Fixed content spoofing possiblity in the default 404 page. Co-Authored-By: Tim Graham <timograham@gmail.com> Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master.
0018 CVE 2019 6975.patch \| (download)	django/utils/numberformat.py \| 15 14 + 1 - 0 ! tests/utils_tests/test_numberformat.py \| 18 18 + 0 - 0 ! 2 files changed, 32 insertions(+), 1 deletion(-)	fixed cve-2019-6975 -- fixed memory exhaustion in utils.numberformat.format(). Thanks Sjoerd Job Postmus for the report and initial patch. Thanks Michael Manfre, Tim Graham, and Florian Apolloner for review. Backport of 402c0caa851e265410fbcaa55318f22d2bf22ee2 from master.
0019 CVE 2019 12308.patch \| (download)	django/contrib/admin/widgets.py \| 11 9 + 2 - 0 ! tests/admin_widgets/tests.py \| 16 6 + 10 - 0 ! 2 files changed, 15 insertions(+), 12 deletions(-)	cve-2019-12308 Backported from https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
0020 CVE 2019 12781.patch \| (download)	django/http/request.py \| 7 4 + 3 - 0 ! tests/settings_tests/tests.py \| 12 12 + 0 - 0 ! 2 files changed, 16 insertions(+), 3 deletions(-)	cve-2019-12781 Backport of https://github.com/django/django/commit/32124fc41e75074141b05f10fc55a4f01ff7f050
0021 CVE 2019 14232.patch \| (download)	django/utils/text.py \| 4 2 + 2 - 0 ! tests/template_tests/filter_tests/test_truncatewords_html.py \| 4 2 + 2 - 0 ! tests/utils_tests/test_text.py \| 23 19 + 4 - 0 ! 3 files changed, 23 insertions(+), 8 deletions(-)	cve-2019-14232 Backported from <https://github.com/django/django/commit/42a66e969023c00536256469f0e8b8a099ef109d>
0022 CVE 2019 14233.patch \| (download)	django/utils/html.py \| 4 2 + 2 - 0 ! tests/utils_tests/test_html.py \| 2 2 + 0 - 0 ! 2 files changed, 4 insertions(+), 2 deletions(-)	cve-2019-14233 Backported from <https://github.com/django/django/commit/52479acce792ad80bb0f915f20b835f919993c72>
0023 CVE 2019 14234.patch \| (download)	django/contrib/postgres/fields/hstore.py \| 2 1 + 1 - 0 ! django/contrib/postgres/fields/jsonb.py \| 8 3 + 5 - 0 ! tests/postgres_tests/test_hstore.py \| 14 14 + 0 - 0 ! tests/postgres_tests/test_json.py \| 15 14 + 1 - 0 ! 4 files changed, 32 insertions(+), 7 deletions(-)	cve-2019-14234 Backported from <https://github.com/django/django/commit/ed682a24fca774818542757651bfba576c3fc3ef>
0024 CVE 2019 14235.patch \| (download)	django/utils/encoding.py \| 17 10 + 7 - 0 ! tests/utils_tests/test_encoding.py \| 12 11 + 1 - 0 ! 2 files changed, 21 insertions(+), 8 deletions(-)	cve-2019-14235 Backported from <https://github.com/django/django/commit/869b34e9b3be3a4cfcb3a145f218ffd3f5e3fd79>
0025 CVE 2019 19844.patch \| (download)	django/contrib/auth/forms.py \| 20 19 + 1 - 0 ! tests/auth_tests/test_forms.py \| 42 42 + 0 - 0 ! 2 files changed, 61 insertions(+), 1 deletion(-)	cve-2019-19844
0026 CVE 2020 7471.patch \| (download)	django/contrib/postgres/aggregates/general.py \| 5 3 + 2 - 0 ! tests/postgres_tests/test_aggregates.py \| 4 4 + 0 - 0 ! 2 files changed, 7 insertions(+), 2 deletions(-)	cve-2020-7471 -- properly escape stringagg(delimiter) parameter
0027 CVE 2020 13254.patch \| (download)	django/core/cache/__init__.py \| 4 2 + 2 - 0 ! django/core/cache/backends/base.py \| 33 21 + 12 - 0 ! django/core/cache/backends/memcached.py \| 24 22 + 2 - 0 ! 3 files changed, 45 insertions(+), 16 deletions(-)	cve-2020-13254
0028 CVE 2020 13596.patch \| (download)	django/contrib/admin/widgets.py \| 3 2 + 1 - 0 ! 1 file changed, 2 insertions(+), 1 deletion(-)	cve-2020-13596