Package: sqlalchemy / 1.2.18+ds1-2
Patch seriesview the series file
|0001 drop_notfound_page_from_docs.patch | (download)||
6 3 + 3 - 0 !
drop_notfound_page_from_docs this makes this package FTBFS with Sphinx 1.6
|CVE 2019 7164_and_7548_Illustrate_fix_for_4481_in_terms_of_a_1.2_patch.patch | (download)||
9 4 + 5 - 0 !
cve-2019-7164 / cve-2019-7548: illustrate fix for #4481 in terms of a 1.2 patch Release 1.2 has decided (so far) not to backport 1.3's fix for #4481 as it is backwards-incompatible with code that relied upon the feature of automatic text coercion in SQL statements. However, for the specific case of order_by() and group_by(), we present a patch that backports the specific change in compiler to have 1.3's behavior for order_by/group_by specifically. This is much more targeted than the 0.9 version of the patch as it takes advantage 1.0's architecture which runs all order_by() / group_by() through a label lookup that only warns if the label can't be matched. . For an example of an application that was actually impacted by 1.3's change and how they had to change it, see: . https://github.com/ctxis/CAPE/commit/be0482294f5eb30026fe97a967ee5a768d032278 . Basically, in the uncommon case an application is actually using the text coercion feature which was generally little-known, within the order_by() and group_by() an error is now raised instead of a warning; the application must instead ensure the SQL fragment is passed within a text() construct. The above application has also been seeing a warning about this since 1.0 which apparently remained unattended. . The patch includes adjustments to the tests that were testing for the warning to now test that an exception is raised. Any distro that wants to patch the specific CVE issue resolved in #4481 to SQLAlchemy 1.0, 1.1 or 1.2 can use this patch.