python-django (1.0.2-1+lenny3) oldstable-security; urgency=low

  * Security upload:
    https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
  * Backport the 3 patches provided for Django 1.2 to the old 1.0 version
    provided in Debian Lenny.
    Closes: #641405

 -- Raphael Hertzog <hertzog@debian.org>  Fri, 28 Oct 2011 08:47:50 +0200

python-django (1.0.2-1+lenny2) stable-security; urgency=high

  * Add patch to fix remote denial of service by exploiting pathological
    performance of regular expressions (Closes: #550457)

    Upstream writes:

      SECURITY ALERT: Corrected regular expressions for URL and email fields. 

      Certain email addresses/URLs could trigger a catastrophic backtracking
      situation, causing 100% CPU and server overload. If deliberately triggered, this
      could be the basis of a denial-of-service attack.

           <http://www.djangoproject.com/weblog/2009/oct/09/security/>

 -- Chris Lamb <lamby@debian.org>  Sat, 10 Oct 2009 10:33:24 +0100

python-django (1.0.2-1+lenny1) stable-proposed-updates; urgency=low

  * Add patch to fix issue with a maliciously crafted URL gaining access to
    any file on the filesystem (Closes: #539134)
    
    Upstream writes:
  
      Django includes a lightweight, WSGI-based web server for use in
      learning Django and in testing new applications during early stages of
      development. For sake of convenience, this web server automatically
      maps certain URLs corresponding to the static media files used by the
      Django administrative application.
     
      The handler which maps these URLs did not properly check the requested
      URL to verify that it corresponds to a static media file used by
      Django. As such, a carefully-crafted URL can cause the development
      server to serve any file to which it has read access.

             <http://www.djangoproject.com/weblog/2009/jul/28/security/>

 -- Chris Lamb <lamby@debian.org>  Thu, 30 Jul 2009 17:43:56 +0200

python-django (1.0.2-1) unstable; urgency=low

  [ Chris Lamb ]
  * New upstream bugfix release. Closes: #505783
  * Add myself to Uploaders with ACK from Brett.

  [ David Spreen ]
  * Remove python-pysqlite2 from Recommends because Python 2.5 includes
    sqlite library used by Django. Closes: 497886

  [ Sandro Tosi ]
  * debian/control
    - switch Vcs-Browser field to viewsvn

 -- Chris Lamb <lamby@debian.org>  Wed, 19 Nov 2008 21:31:00 +0000

python-django (1.0-1) unstable; urgency=low

  [ David Spreen ]
  * New _stable_ upstream release.

  [ Raphael Hertzog ]
  * This version fixes the latest security issue:
    http://www.djangoproject.com/weblog/2008/sep/02/security/
    Closes: #497765
  * Don't include source files of documentation in the binary package,
    keep only the HTML version.
  * Updated README.Debian with information about the switch from 0.96 to
    1.0.
  * Remove execute right on /etc/bash_completion.d/django_bash_completion
  * Add debian/patches/04_hyphen-manpage.diff to fix a lintian message
    (hyphen-used-as-minus-sign usr/share/man/man1/django-admin.1.gz:156).
  * Don't compress javascript files.
  * Add libjs-jquery to Recommends since it's used by the HTML
    documentation.

 -- Raphael Hertzog <hertzog@debian.org>  Thu, 04 Sep 2008 08:33:32 +0200

python-django (1.0~beta2+ds-1) unstable; urgency=low

  * Bumping up upstream version to push sources into unstable.
    (Thanks to Raphael Hertzog).

 -- David Spreen <netzwurm@debian.org>  Sat, 30 Aug 2008 20:56:09 -0700

python-django (1.0~beta2-3) unstable; urgency=low

  [ David Spreen ]
  * Updated the copyright information to include copyright and 
    licenses for individual contributions. 
  * Added the documentation to the main python-django package:
  * debian/python-django.install
    - Added installation of html documentation.
  * debian/python-django.doc-base
    - Added.
  * debian/control
    - Added Build-Depends-Indep on python-sphinx and libjs-jquery.
  * debian/rules
    - Readded code to build documentation.
    - Readded code to link to libjs-jquery.
  * debian/NEWS
    - Fixed format.
    - Added more comprehensive list of changes and references to 
      local documentation as well as the wiki pages for 
      backwards-incompatible changes.
  * debian/python-django.docs
    - Removed docs/*.txt since those are templates for the 
      generated docs now included with doc-base.
  
 -- David Spreen <netzwurm@debian.org>  Fri, 29 Aug 2008 09:20:45 -0700

python-django (1.0~beta2-2) unstable; urgency=low

  [ David Spreen ]
  * Removed all -doc related files temporarily to push beta2 into 
    unstable for extensive testing. The -doc package will be 
    readded once this package is in unstable as recommended in
    http://lists.debian.org/debian-release/2008/08/msg01475.html.
  * debian/python-django-doc.install
    - Removed.
  * debian/python-django-doc.doc-base
    - Removed.
  * debian/python-django-doc.examples
    - Moved to python-django.examples.
  * debian/rules
    - Removed python-doc related build and post-installation.
  * debian/control
    - Removed binary package python-django-doc.
    - Removed Build-Depends-Indep on python-sphinx and libjs-jquery.
  * debian/python-django.install:
    - Removed multiple package related issues.

 -- David Spreen <netzwurm@debian.org>  Thu, 28 Aug 2008 20:15:21 -0700

python-django (1.0~beta2-1) experimental; urgency=low

  [ David Spreen ]
  * The `hooray for the documentation' release!
  * New upstream beta release. 
  * debian/control 
    - Updated standards version.
    - Added python-sphinx and libjs-jquery.
    - Added python-django-doc package depending on libjs-jquery.
  * debian/docs
    - Moved to debian/python-django.docs.
  * debian/install
    - Moved to debian/python-django.install.
  * debian/manpages
    - Moved to debian/python-django.manpages.
  * debian/examples
    - Moved to debian/python-django-doc.examples
  * debian/README.Debian
    - Moved to debian/python-django.README.Debian
  * debian/python-django-doc.doc-base:
    - Added doc-base file for the documentation.
  * debian/python-django-doc.install:
    - Added install file for sphinx generated documentation.
  * debian/rules:
    - Added code to generate documentation with sphinx and 
      replace convenience file of jquery.js with the respective
      symlink to libjs-jquery.
  
 -- David Spreen <netzwurm@debian.org>  Thu, 28 Aug 2008 10:22:29 -0700

python-django (1.0~beta1-1) experimental; urgency=low

  [ David Spreen ]
  * New upstream beta release. Closes: #492956
  * debian/control: Added myself to Uploaders field.
  * debian/watch: Added mangling for filename and version. Old watch file would 
    name the download 'tarball'. Also added mangling to handle alpha and beta 
    versioning.
  * Drop debian/patches/01_add_shebang.diff as this has been fixed upstream.
  * Drop debian/patches/02_bash_completion.diff as this has been committed
    upstream http://code.djangoproject.com/ticket/7268.
  * debian/control: Added python-flup to the Suggest field. Closes: #488123
  * debian/patches/03_manpage.diff: Adapted patch to new upstream version.
  
  [ Jan Dittberner ]
  * add debian/watch file.
  
 -- David Spreen <netzwurm@debian.org>  Fri, 15 Aug 2008 16:05:07 -0700

python-django (0.97~svn7534-1) experimental; urgency=low

  * New upstream snapshot. Closes: #409565, #481051
    - Include an XSS security fix (CVE-2008-2302). Closes: #481164
  * Drop debian/patches/04_pg_version_fix.diff as another fix
    has been committed upstream (see http://code.djangoproject.com/ticket/6433
    and http://code.djangoproject.com/changeset/7415).
  * Add some headers to the remaining patches.

 -- Raphael Hertzog <hertzog@debian.org>  Mon, 19 May 2008 23:41:50 +0200

python-django (0.97~svn7189-1) experimental; urgency=low

  * New upstream snapshot including bash completion fix
    Closes: #450913

 -- Brett Parker <iDunno@sommitrealweird.co.uk>  Sun, 02 Mar 2008 12:59:03 +0000

python-django (0.97~svn7047-2) experimental; urgency=low

  [ Brett Parker ]
  * Patch for postgresql version issue with 8.3 beta/rc releases
    Closes: #462058

  [ Raphael Hertzog ]
  * Updated Standards-Version to 3.7.3.
  * Adjusted build-dependency on python-setuptools to strip the -1 part.

 -- Brett Parker <iDunno@sommitrealweird.co.uk>  Wed,  6 Feb 2008 15:15:37 +0000

python-django (0.97~svn7047-1) experimental; urgency=low

  * New upstream snapshot (rev 7047)
  - tarball prepared by Gabriel Falcão Gonçalves de Moura
    <gabriel@guake-terminal.org>

 -- Gustavo Noronha Silva <kov@debian.org>  Tue, 29 Jan 2008 10:54:47 -0200

python-django (0.97~svn6996-1) experimental; urgency=low

  * New upstream snapshot
  * debian/control:
  - added myself to Uploaders

 -- Gustavo Noronha Silva <kov@debian.org>  Sat, 05 Jan 2008 20:53:23 -0200

python-django (0.97~svn6668-2) UNRELEASED; urgency=low

  [ Raphael Hertzog ]
  * Install examples with dh_installexamples instead of dh_installdocs
    (change done by Ubuntu) as empty files are kept.

  [ Sandro Tosi ]
  * debian/control
    - uniforming Vcs-Browser field

 -- Raphael Hertzog <hertzog@debian.org>  Mon, 17 Dec 2007 09:09:16 +0100

python-django (0.97~svn6668-1) experimental; urgency=low

  * New SVN snapshot (rev 6668)
    - Auth system delegations
    - Apps can now have thier own management commands
    - Fix for CVE-2007-5712 remote denial of service
      Closes: #448838
  * Fix missing upstream info in changelog
    Closes: #450659

 -- Brett Parker <iDunno@sommitrealweird.co.uk>  Sun, 11 Nov 2007 10:15:55 +0000

python-django (0.96+svn6373-1) experimental; urgency=low

  [ Raphael Hertzog ]
  * New SVN snapshot (rev 6373, a few days after the last Django sprint).
  * Note: The version 0.96+svn6034-1 never got uploaded.
  * Rename XS-Vcs* fields to Vcs-* since they are now supported by dpkg.

  [ Piotr Ożarowski ]
  * XS-Vcs-Browser and Homepage fields added

 -- Raphael Hertzog <hertzog@debian.org>  Thu, 04 Oct 2007 14:59:01 +0200

python-django (0.96+svn6034-1) experimental; urgency=low

  [ Brett Parker]
  * New SVN snapshot (rev 6034).
     * validate and runserver commands now display the number of errors
       (returning back to previous functionality).
     * Small documentation fixes
     * assertRedirects handling for paths with get data
     * start{project,app} no make sure files created are writable
  * Add man page for django-admin to the debian package

 -- Brett Parker <iDunno@sommitrealweird.co.uk>  Sat,  8 Sep 2007 10:37:00 +0100

python-django (0.96+svn6020-1) experimental; urgency=low

  * New SVN snapshot (rev 6020).

 -- Raphael Hertzog <hertzog@debian.org>  Sun, 26 Aug 2007 18:16:08 +0200

python-django (0.96+svn5779-1) experimental; urgency=low

  * SVN snapshot (rev 5779) packaged to experimental as many interesting
    Django applications rely on newer unreleased features.

 -- Raphael Hertzog <hertzog@debian.org>  Tue, 31 Jul 2007 13:40:18 +0200

python-django (0.96-1) unstable; urgency=low

  [ Brett Parker ]
  * New upstream release - introduces some backwards incompatible changes, see
    README.Debian or the backwards incompatible changes page at
    http://code.djangoproject.com/wiki/BackwardsIncompatibleChanges
  * Add documentation from upstream to /usr/share/doc/python-django
    Closes: #411249
  * Install the bash completion file from extras in to
    /etc/bash_completion.d/django_bash_completion
    Closes: #414399
  * Egg support dropped as it's been dropped by upstream.

 -- Brett Parker <iDunno@sommitrealweird.co.uk>  Sun, 25 Mar 2007 19:18:39 +0100

python-django (0.95.1-1) unstable; urgency=low

  [ Brett Parker ]
  * New upstream minor release for security bugs:
    - http://www.djangoproject.com/weblog/2007/jan/21/0951/
      - Fixes a small security vulnerability in the script Django's
        internationalization system uses to compile translation files
        (changeset 4360 in the "0.95-bugfixes" branch).
      - fix for a bug in Django's authentication middleware which could cause
        apparent "caching" of a logged-in user (changeset 4361).
      - patch which disables debugging mode in the flup FastCGI package Django
        uses to launch its FastCGI server, which prevents tracebacks from
        bubbling up during production use (changeset 4363).
    Closes: #407786, #407607
  * Sets Recommends to python-psycopg and moves other database engines to
    the Suggests field.

  [ Raphael Hertzog ]
  * Use python-pysqlite2 as default database engine in Recommends. Others are
    in Suggests. Closes: #403761
  * Add python-psycopg2 in Suggests. Closes: #407489

 -- Raphael Hertzog <hertzog@debian.org>  Sun, 21 Jan 2007 17:45:50 +0100

python-django (0.95-3) unstable; urgency=low

  * Integrate 2 upstream changesets:
    - http://code.djangoproject.com/changeset/3754 as
      debian/patches/04_sec_fix_auth.diff
      Fixes a possible case of mis-authentication due to bad caching.
      Closes: #407521
    - http://code.djangoproject.com/changeset/3592 as
      debian/patches/03_sec_fix_compile-messages.diff
      Fixes an (unlikely) arbitrary command execution if the user is blindly
      running compile-messages.py on a untrusted set of *.po files.
      Closes: #407519

 -- Raphael Hertzog <hertzog@debian.org>  Sat, 16 Dec 2006 15:13:29 +0100

python-django (0.95-2) unstable; urgency=low

  [ Piotr Ozarowski ]
  * Added XS-Vcs-Svn field

  [ Brett Parker ]
  * Made manage.py get a shebang with the version of python
    used when running django-admin (closes: #401616)
  * Created a convenience /usr/lib/python-django/bin symlink.

  [ Raphael Hertzog ]
  * Adapted Brett's work to better fit my views of the packaging.

 -- Raphael Hertzog <hertzog@debian.org>  Sat, 16 Dec 2006 11:03:20 +0100

python-django (0.95-1) unstable; urgency=low

  [ Brett Parker ]
  * 0.95 release - initial packaging

  [ Raphael Hertzog ]
  * Fix recommends: s/python-sqlite/python-pysqlite2/
  * Add debian/pyversions to ensure that we have at least python 2.3 (and to
    work around bug #391689 of python-support).

 -- Raphael Hertzog <hertzog@debian.org>  Mon,  9 Oct 2006 12:10:27 +0200