python-django (3:4.2.23-1) unstable; urgency=high
* New upstream bugfix release. Quoting upstream:
Following the June 4, 2025 security release [uploaded to Debian as
3:4.2.22-1], the Django team is issuing releases [to] complete mitigation
for CVE-2025-48432 […].
These follow-up releases migrate remaining response logging paths to a
safer logging implementation, ensuring that all untrusted input is
properly escaped before being written to logs. This update does not
introduce a new CVE but strengthens the original fix.
<https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/>
-- Chris Lamb <lamby@debian.org> Tue, 10 Jun 2025 09:37:03 -0700
python-django (3:4.2.22-1) unstable; urgency=high
* New upstream security release:
- CVE-2025-48432: Potential log injection via unescaped request path.
Django's internal HTTP response logging used request.path directly,
allowing control characters (e.g. newlines or ANSI escape sequences) to
be written unescaped into logs. This could enable log injection or
forgery, letting attackers manipulate log appearance or structure,
especially in logs processed by external systems or viewed in terminals.
Although this does not directly impact Django's security model, it poses
risks when logs are consumed or interpreted by other tools. To fix this,
the internal django.utils.log.log_response() function now escapes all
positional formatting arguments using a safe encoding.
(Closes: #1107282)
<https://www.djangoproject.com/weblog/2025/jun/04/security-releases/>
-- Chris Lamb <lamby@debian.org> Wed, 04 Jun 2025 08:21:53 -0700
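Worked illustration of the log-injection issue described in the 4.2.22 entry above and the follow-up escaping in 4.2.23. This is an added example, not part of the changelog and not Django's own code: escaping positional log arguments with Python's unicode_escape codec is my assumption about an adequate approach, not a claim about what django.utils.log.log_response() does internally. The crafted request path and the in-memory logger are constructed for the demo.

```python
import io
import logging

# Constructed request path: a newline to start a forged log record, and an
# ANSI escape sequence to tamper with how the line renders in a terminal.
CRAFTED_PATH = "/login\nWARNING Forged record: user=admin authenticated\x1b[0m"


def escape_log_arg(value):
    """Escape control characters and non-ASCII text in one log argument.

    unicode_escape turns "\\n" into the two characters backslash + n and
    "\\x1b" into backslash + x1b, so whatever an attacker put in the path
    stays on a single line. Non-string arguments (status codes, etc.) are
    passed through unchanged.
    """
    if isinstance(value, str):
        return value.encode("unicode_escape").decode("ascii")
    return value


def make_logger(name):
    """Return a logger writing to an in-memory buffer, plus that buffer."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.WARNING)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def log_response(logger, message, *args, escape=True):
    """Minimal stand-in for a response logger (assumed shape, not Django's).

    escape=False reproduces the pre-fix behaviour: the raw path is formatted
    straight into the record. escape=True escapes every positional argument.
    """
    if escape:
        args = tuple(escape_log_arg(a) for a in args)
    logger.warning(message, *args)


def render(escape):
    """Log one 404 for CRAFTED_PATH and return the resulting log text."""
    logger, buf = make_logger(f"demo.log_injection.{escape}")
    log_response(logger, "Not Found: %s", CRAFTED_PATH, escape=escape)
    return buf.getvalue()


def record_count(log_text):
    """How many records a line-oriented log consumer would see."""
    return len(log_text.splitlines())


if __name__ == "__main__":
    print("--- unescaped (pre-fix) ---")
    print(repr(render(False)))
    print("--- escaped (fixed) ---")
    print(repr(render(True)))
```

The unescaped run yields two records from one request, the second of them entirely attacker-authored; the escaped run yields one record in which the injected newline and ESC byte survive only as the literal text `\n` and `\x1b`, which is what a SIEM or a terminal viewer should see.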
python-django (3:4.2.21-1) unstable; urgency=medium
* New upstream security release:
- CVE-2025-32873: Denial-of-service possibility in strip_tags()
django.utils.html.strip_tags() would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used
to implement the striptags template filter, which was therefore also
vulnerable. strip_tags() now raises a SuspiciousOperation exception if it
encounters an unusually large number of unclosed opening tags.
(Closes: #1104872)
<https://www.djangoproject.com/weblog/2025/may/07/security-releases/>
* Bump Standards-Version to 4.7.2.
* Add pybuild-plugin-pyproject to Build-Depends.
-- Chris Lamb <lamby@debian.org> Fri, 09 May 2025 15:47:11 -0700
python-django (3:4.2.20-1) unstable; urgency=high
* New upstream security release:
- CVE-2025-26699: Address a potential denial-of-service in
django.utils.text.wrap. The wrap() method and wordwrap template filter
were subject to a potential denial-of-service attack when used with very
long strings. (Closes: #1099682)
<https://www.djangoproject.com/weblog/2025/mar/06/security-releases/>
-- Chris Lamb <lamby@debian.org> Thu, 06 Mar 2025 17:55:06 +0000
python-django (3:4.2.19-1) unstable; urgency=medium
* New upstream bugfix release.
<https://www.djangoproject.com/weblog/2025/feb/05/bugfix-releases/>
-- Chris Lamb <lamby@debian.org> Wed, 05 Feb 2025 16:45:05 +0000
python-django (3:4.2.18-1) unstable; urgency=high
* New upstream security release. (Closes: #1093049)
- CVE-2024-56374: Potential denial-of-service vulnerability in IPv6
validation.
A lack of upper bound limit enforcement in strings passed when performing
IPv6 validation could have led to a potential denial-of-service (DoS)
attack. The undocumented and private functions clean_ipv6_address and
is_valid_ipv6_address were vulnerable, as was the GenericIPAddressField
form field, which has now been updated to define a max_length of 39
characters. The GenericIPAddressField model field was not affected.
<https://www.djangoproject.com/weblog/2025/jan/14/security-releases/>
-- Chris Lamb <lamby@debian.org> Wed, 15 Jan 2025 17:38:10 +0000
python-django (3:4.2.17-2) unstable; urgency=medium
* Team upload.
* Fix CommandTypes.test_help_default_options_with_custom_arguments test on
Python 3.13+ (closes: #1082209).
-- Colin Watson <cjwatson@debian.org> Thu, 02 Jan 2025 15:36:58 +0000
python-django (3:4.2.17-1) unstable; urgency=medium
* New upstream security release:
- CVE-2024-53907: Potential DoS in django.utils.html.strip_tags.
The strip_tags() method and striptags template filter were subject to a
potential denial-of-service attack via certain inputs containing large
sequences of nested incomplete HTML entities.
- CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle
Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle
was subject to SQL injection if untrusted data is used as a lhs value.
Applications that use the jsonfield.has_key lookup through the __ syntax
are unaffected.
<https://www.djangoproject.com/weblog/2024/dec/04/security-releases/>
* Refresh patches.
-- Chris Lamb <lamby@debian.org> Wed, 04 Dec 2024 17:33:13 +0000
python-django (3:4.2.16-1) unstable; urgency=high
* New upstream security release:
- CVE-2024-45230: Potential denial-of-service vulnerability in
django.utils.html.urlize(). urlize and urlizetrunc were subject to a
potential denial-of-service attack via very large inputs with a specific
sequence of characters.
- CVE-2024-45231: Potential user email enumeration via response status on
password reset. Due to unhandled email sending failures, the
django.contrib.auth.forms.PasswordResetForm class allowed remote
attackers to enumerate user emails by issuing password reset requests and
observing the outcomes. To mitigate this risk, exceptions occurring
during password reset email sending are now handled and logged using the
django.contrib.auth logger.
* Bump Standards-Version to 4.7.0.
-- Chris Lamb <lamby@debian.org> Tue, 03 Sep 2024 17:31:33 +0100
python-django (3:4.2.15-1) unstable; urgency=high
* New upstream security release. (Closes: #1078074)
- CVE-2024-41989: Memory exhaustion in django.utils.numberformat.
The floatformat template filter is subject to significant memory
consumption when given a string representation of a number in
scientific notation with a large exponent.
- CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize.
The urlize() and urlizetrunc() template filters are subject to a
potential denial-of-service attack via very large inputs with a specific
sequence of characters.
- CVE-2024-41991: Potential denial-of-service vulnerability in
django.utils.html.urlize() and AdminURLFieldWidget
The urlize and urlizetrunc template filters, and the AdminURLFieldWidget
widget, are subject to a potential denial-of-service attack via certain
inputs with a very large number of Unicode characters.
- CVE-2024-42005: Potential SQL injection in QuerySet.values() and
values_list()
QuerySet.values() and values_list() methods on models with a JSONField
are subject to SQL injection in column aliases via a crafted JSON object
key as a passed *arg.
<https://www.djangoproject.com/weblog/2024/aug/06/security-releases/>
-- Chris Lamb <lamby@debian.org> Tue, 06 Aug 2024 16:59:24 +0100
python-django (3:4.2.14-1) unstable; urgency=medium
* New upstream security release. (Closes: #1076069)
- CVE-2024-38875: Prevent a potential denial-of-service in
django.utils.html.urlize. This method (and urlizetrunc) were subject to a
potential DoS attack via specially-crafted inputs with a very large
number of brackets.
- CVE-2024-39329: Avoid a username enumeration vulnerability through timing
difference for users with unusable password. The authenticate method of
django.contrib.auth.backends.ModelBackend method allowed remote attackers
to enumerate users via a timing attack involving login requests for users
with unusable passwords.
- CVE-2024-39330: Address a potential directory-traversal in
django.core.files.storage.Storage.save. Derived classes of this method's
base class which override generate_filename without replicating the file
path validations existing in the parent class allowed for potential
directory-traversal via certain inputs when calling save(). Built-in
Storage sub-classes were not affected by this vulnerability.
- CVE-2024-39614: Fix a potential denial-of-service in
django.utils.translation.get_supported_language_variant. This method
was subject to a potential DoS attack when used with very long strings
containing specific characters. To mitigate this vulnerability, the
language code provided to get_supported_language_variant is now parsed up
to a maximum length of 500 characters.
<https://www.djangoproject.com/weblog/2024/jul/09/security-releases/>
-- Chris Lamb <lamby@debian.org> Wed, 10 Jul 2024 09:50:49 +0100
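Worked illustration of the timing-based user enumeration fixed as CVE-2024-39329 in the 4.2.14 entry above. This is an added example, not part of the changelog and not Django's ModelBackend code: it pairs a vulnerable authenticate() that returns early for unknown users and users with an unusable password with a hardened one that always burns one password-hash computation. The PBKDF2 parameters, the "!" marker for unusable passwords and the user table are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000          # constructed: cheap enough to run, costly enough to time
UNUSABLE_PREFIX = "!"         # constructed marker for "no usable password"


def make_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256, encoded as salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def check_hash(password, encoded):
    """Constant-time comparison of a candidate password against an encoded hash."""
    salt_hex, digest_hex = encoded.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_unusable(encoded):
    return encoded.startswith(UNUSABLE_PREFIX)


# Constructed user table: alice has a real password, bob has an unusable one.
USERS = {
    "alice": make_hash("correct horse"),
    "bob": UNUSABLE_PREFIX,
}

# A throwaway hash to check against when there is nothing real to check.
DUMMY_HASH = make_hash("not-a-real-password")


def authenticate_vulnerable(username, password, stats):
    """Pre-fix shape: unknown users and unusable passwords skip hashing."""
    encoded = USERS.get(username)
    if encoded is None or is_unusable(encoded):
        return None                     # fast path: observable timing difference
    stats["hashes"] += 1
    return username if check_hash(password, encoded) else None


def authenticate_hardened(username, password, stats):
    """Fixed shape: every call performs exactly one hash computation."""
    encoded = USERS.get(username)
    if encoded is None or is_unusable(encoded):
        stats["hashes"] += 1
        check_hash(password, DUMMY_HASH)  # same work as a real check, result ignored
        return None
    stats["hashes"] += 1
    return username if check_hash(password, encoded) else None


def measure(backend, username, password, repeats=3):
    """Average wall-clock time per login attempt and the hash count."""
    stats = {"hashes": 0}
    start = time.perf_counter()
    for _ in range(repeats):
        backend(username, password, stats)
    return (time.perf_counter() - start) / repeats, stats["hashes"]


if __name__ == "__main__":
    for backend in (authenticate_vulnerable, authenticate_hardened):
        for user in ("alice", "bob", "nobody"):
            secs, hashes = measure(backend, user, "guess")
            print(f"{backend.__name__:24s} {user:8s} {secs*1000:7.1f} ms  hashes={hashes}")
```

Running the block prints the per-attempt cost for each backend: with the vulnerable one, "bob" and "nobody" answer in microseconds while "alice" takes the full PBKDF2 time, which is exactly the oracle an attacker measures over the network; with the hardened one all three cost the same.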
python-django (3:4.2.13-1) unstable; urgency=medium
* New upstream bugfix releases.
<https://docs.djangoproject.com/en/5.0/releases/4.2.12/>
<https://docs.djangoproject.com/en/5.0/releases/4.2.13/>
-- Chris Lamb <lamby@debian.org> Wed, 08 May 2024 11:28:44 +0100
python-django (3:4.2.11-1) unstable; urgency=high
* New upstream security release:
- CVE-2024-27351: Fix a potential regular expression denial-of-service
(ReDoS) attack in django.utils.text.Truncator.words. This method
(with html=True) and the truncatewords_html template filter were subject
to a potential regular expression denial-of-service attack via a suitably
crafted string. This is, in part, a follow-up to CVE-2019-14232 and
CVE-2023-43665.
<https://docs.djangoproject.com/en/dev/releases/4.2.11/>
-- Chris Lamb <lamby@debian.org> Tue, 05 Mar 2024 13:03:35 +0000
python-django (3:4.2.10-1) unstable; urgency=high
* New upstream security release:
- CVE-2024-24680: Potential denial-of-service in intcomma template filter.
The intcomma template filter was subject to a potential denial-of-service
attack when used with very long strings.
<https://docs.djangoproject.com/en/dev/releases/4.2.10/>
-- Chris Lamb <lamby@debian.org> Tue, 06 Feb 2024 08:15:25 -0800
python-django (3:4.2.9-1) unstable; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/dev/releases/4.2.9/>
-- Chris Lamb <lamby@debian.org> Wed, 03 Jan 2024 11:15:04 +0000
python-django (3:4.2.8-1) unstable; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/5.0/releases/4.2.8/>
-- Chris Lamb <lamby@debian.org> Thu, 07 Dec 2023 13:05:03 +0000
python-django (3:4.2.6-1) unstable; urgency=high
* New upstream security release.
- CVE-2023-43665: Address a denial-of-service possibility in
django.utils.text.Truncator.
Following the fix for CVE-2019-14232, the regular expressions used in the
implementation of django.utils.text.Truncator’s chars() and words()
methods (with html=True) were revised and improved. However, these
regular expressions still exhibited linear backtracking complexity, so
when given a very long, potentially malformed HTML input, the evaluation
would still be slow, leading to a potential denial of service
vulnerability.
The chars() and words() methods are used to implement the
truncatechars_html and truncatewords_html template filters, which were
thus also vulnerable.
The input processed by Truncator, when operating in HTML mode, has been
limited to the first five million characters in order to avoid potential
performance and memory issues.
<https://www.djangoproject.com/weblog/2023/oct/04/security-releases/>
-- Chris Lamb <lamby@debian.org> Thu, 05 Oct 2023 09:17:06 +0200
python-django (3:4.2.5-2) unstable; urgency=medium
* Upload 4.2.x branch to unstable with a -2 suffix to prevent collision with
previous upload of 3:4.2.5-1 to experimental.
-- Chris Lamb <lamby@debian.org> Sun, 24 Sep 2023 13:52:16 -0700
python-django (3:3.2.21-1) unstable; urgency=high
* New upstream security release:
- CVE-2023-41164: Potential denial of service vulnerability in
django.utils.encoding.uri_to_iri(). This method was subject to potential
denial of service attack via certain inputs with a very large number of
Unicode characters. (Closes: #1051226)
<https://www.djangoproject.com/weblog/2023/sep/04/security-releases/>
* Refresh patches.
-- Chris Lamb <lamby@debian.org> Mon, 04 Sep 2023 11:02:53 -0700
python-django (3:3.2.20-1.1) unstable; urgency=high
[ Gianfranco Costamagna ]
* Non-maintainer upload.
[ Graham Inggs ]
* Cherry-pick upstream commit to fix URLValidator crash in
some edge cases (LP: #2025155, Closes: #1037920)
-- Gianfranco Costamagna <locutusofborg@debian.org> Tue, 04 Jul 2023 09:31:10 +0200
python-django (3:3.2.20-1) unstable; urgency=high
* New upstream security release:
- CVE-2023-36053: Potential regular expression denial of service
vulnerability in EmailValidator/URLValidator.
EmailValidator and URLValidator were subject to potential regular
expression denial of service attack via a very large number of domain
name labels of emails and URLs. (Closes: #1040225)
-- Chris Lamb <lamby@debian.org> Mon, 03 Jul 2023 20:34:24 +0100
python-django (3:3.2.19-1) unstable; urgency=medium
* New upstream security release.
* CVE-2023-31047: Prevent a potential bypass of validation when uploading
multiple files using one form field.
Uploading multiple files using one form field has never been supported by
forms.FileField or forms.ImageField as only the last uploaded file was
validated. Unfortunately, the "Uploading multiple files" documentation topic
suggested otherwise. In order to avoid the vulnerability, the ClearableFileInput and
FileInput form widgets now raise ValueError when the multiple HTML
attribute is set on them. To prevent the exception and keep the old
behavior, set the allow_multiple_selected attribute to True.
For more details on using the new attribute and handling of multiple files
through a single field, see:
<https://docs.djangoproject.com/en/stable/topics/http/file-uploads/#uploading-multiple-files>
(Closes: #1035467)
* Bump Standards-Version to 4.6.2.
-- Chris Lamb <lamby@debian.org> Wed, 03 May 2023 09:32:59 -0700
python-django (3:3.2.18-1) unstable; urgency=high
* New upstream security release:
- CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
Passing certain inputs to multipart forms could result in too many open
files or memory exhaustion, and provided a potential vector for a
denial-of-service attack.
The number of file parts parsed is now limited via the new
DATA_UPLOAD_MAX_NUMBER_FILES setting.
Thanks to Jakob Ackermann for the report. (Closes: #1031290)
-- Chris Lamb <lamby@debian.org> Tue, 14 Feb 2023 09:12:57 -0800
python-django (3:3.2.17-1) unstable; urgency=medium
* New upstream security release.
<https://www.djangoproject.com/weblog/2023/feb/01/security-releases/>
- CVE-2023-23969: Potential denial-of-service via Accept-Language headers
The parsed values of Accept-Language headers are cached in order to avoid
repetitive parsing. This leads to a potential denial-of-service vector
via excessive memory usage if large header values are sent.
In order to avoid this vulnerability, the Accept-Language header is now
parsed up to a maximum length. (Closes: #1030251)
* Drop 0010-Fixed-inspectdb.tests.InspectDBTestCase.test_custom_.patch;
applied upstream.
* Refresh all patches.
-- Chris Lamb <lamby@debian.org> Wed, 01 Feb 2023 08:01:01 -0800
python-django (3:3.2.16-2) unstable; urgency=medium
* Team upload.
[ Chris Lamb ]
* Drop README.source.
[ Lena Voytek ]
* Make unit tests compatible with Python 3.11 to fix build errors
(Closes: #1026476) (LP: #2002012)
-- Jochen Sprickerhof <jspricke@debian.org> Thu, 19 Jan 2023 16:53:53 +0100
python-django (3:3.2.16-1) unstable; urgency=high
* New upstream security release.
<https://www.djangoproject.com/weblog/2022/oct/04/security-releases/>
- CVE-2022-41323: Prevent a potential denial-of-service vulnerability in
internationalized URLs. Internationalised URLs were subject to potential
denial of service attack via the locale parameter. This is now escaped to
avoid this possibility.
-- Chris Lamb <lamby@debian.org> Tue, 04 Oct 2022 07:51:21 -0700
python-django (3:3.2.15-1) unstable; urgency=high
* New upstream security release.
- CVE-2022-36359: Potential reflected file download vulnerability in
FileResponse. An application may have been vulnerable to a reflected file
download (RFD) attack that sets the Content-Disposition header of a
FileResponse when the filename was derived from user-supplied input. The
filename is now escaped to avoid this possibility.
<https://www.djangoproject.com/weblog/2022/aug/03/security-releases/>
-- Chris Lamb <lamby@debian.org> Wed, 03 Aug 2022 07:11:45 -0700
python-django (3:3.2.14-1) unstable; urgency=medium
* Revert Debian unstable to 3.2.x LTS release stream, bumping epoch.
(Closes: #1016090)
* Refresh patches.
* Bump Standards-Version to 4.6.1.
-- Chris Lamb <lamby@debian.org> Tue, 02 Aug 2022 09:02:41 -0700
python-django (2:4.0.6-1) unstable; urgency=high
* New upstream security release:
- CVE-2022-34265: Potential SQL injection via Trunc(kind) and
Extract(lookup_name) arguments.
"Trunc() and Extract() database functions were subject to SQL injection if
untrusted data was used as a kind/lookup_name value. Applications that
constrain the lookup name and kind choice to a known safe list are
unaffected."
"This security release mitigates the issue, but we have identified
improvements to the Database API methods related to date extract and
truncate that would be beneficial to add to Django 4.1 before it's final
release. This will impact 3rd party database backends using Django 4.1
release candidate 1 or newer, until they are able to update to the API
changes. We apologize for the inconvenience."
<https://www.djangoproject.com/weblog/2022/jul/04/security-releases/>
* Refresh patches.
-- Chris Lamb <lamby@debian.org> Tue, 05 Jul 2022 12:38:15 +0100
python-django (2:4.0.5-2) unstable; urgency=medium
[ Lena Voytek ]
* Add updated version of SQLite 3.37+ / test_custom_fields patch.
(Closes: #1012784)
[ Chris Lamb ]
* Add debian/gitlab-ci.yml.
- Allow some elements of the pipeline to fail.
-- Chris Lamb <lamby@debian.org> Thu, 16 Jun 2022 08:00:35 +0100
python-django (2:4.0.5-1) unstable; urgency=medium
* Upload 4.x stable release stream to unstable using the 4.0.5 bugfix
release. (The 4.x stream has been in experimental since September 2021.)
* Update debian/gbp.conf and debian/watch to match new version series.
* Update patches.
* No need to delete django-admin.py script anymore; does not exist in 4.x.
-- Chris Lamb <lamby@debian.org> Mon, 06 Jun 2022 12:31:50 +0100
python-django (2:3.2.13-1) unstable; urgency=high
* New upstream security release:
- CVE-2022-28346: Potential SQL injection in QuerySet.annotate(),
aggregate(), and extra().
QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL
injection in column aliases, using a suitably crafted dictionary, with
dictionary expansion, as the **kwargs passed to these methods.
- CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options)
on PostgreSQL.
QuerySet.explain() method was subject to SQL injection in option names,
using a suitably crafted dictionary, with dictionary expansion, as the
**options argument.
See <https://www.djangoproject.com/weblog/2022/apr/11/security-releases/>
for more info.
-- Chris Lamb <lamby@debian.org> Tue, 12 Apr 2022 18:22:30 +0200
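Worked illustration of the column-alias SQL injection class covered by CVE-2022-28346 in the 3.2.13 entry above and by CVE-2024-42005 in the 4.2.15 entry earlier on this page. This is an added example, not part of the changelog and not Django's ORM code: it reproduces in plain sqlite3 the pattern in which values are bound as parameters but alias names are interpolated into the SELECT list, and guards it with an alias check whose forbidden-character pattern is my assumption about a sufficient rule, not Django's own. The users table and its contents are constructed for the demo.

```python
import re
import sqlite3

# Assumed rule: an alias may not contain whitespace, quotes, brackets,
# semicolons or SQL comment markers. Anything else cannot break out of the
# `AS alias` position.
FORBIDDEN_ALIAS = re.compile(r"""['"`\[\];\s]|--|/\*|\*/""")


def check_alias(alias):
    """Raise ValueError for an alias that could escape its SQL position."""
    if FORBIDDEN_ALIAS.search(alias):
        raise ValueError(f"Column alias {alias!r} contains forbidden characters")
    return alias


def make_db():
    """In-memory database with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'h4sh')")
    return conn


def build_sql(alias):
    """The SQL an ORM builds for values(**{alias: F('id')}): the alias is
    text in the query, not a bound parameter, which is why it must be checked."""
    return f"SELECT id AS {alias} FROM users"


def select_with_alias(conn, alias, validate):
    """validate=False is the pre-fix behaviour; validate=True applies check_alias."""
    if validate:
        alias = check_alias(alias)
    return conn.execute(build_sql(alias)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign = "user_id"
    crafted = "user_id, password FROM users --"
    print(build_sql(crafted))
    print("unvalidated:", select_with_alias(conn, crafted, validate=False))
    try:
        select_with_alias(conn, crafted, validate=True)
    except ValueError as exc:
        print("validated:  ", exc)
    print("benign:     ", select_with_alias(conn, benign, validate=True))
```

With the crafted alias the unvalidated query becomes `SELECT id AS user_id, password FROM users -- FROM users`, the trailing comment swallows the rest of the statement, and the password column comes back in the result; the checked path refuses the alias before any SQL is built. The same shape applies to explain() option names (CVE-2022-28347): any identifier that is spliced into SQL as text needs this kind of allow-check.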
python-django (2:3.2.12-2) unstable; urgency=medium
* Fix a traceback around the handling of RequestSite/get_current_site() due
to a circular import by backporting commit 78163d1a from upstream. Thanks
to Raphaël Hertzog for the report. (Closes: #1003478)
-- Chris Lamb <lamby@debian.org> Tue, 22 Feb 2022 09:43:02 +0000
python-django (2:3.2.12-1) unstable; urgency=high
* New upstream security release:
- CVE-2022-22818: Possible XSS via {% debug %} template tag.
The {% debug %} template tag didn't properly encode the current context,
posing an XSS attack vector.
In order to avoid this vulnerability, {% debug %} no longer outputs
information when the DEBUG setting is False, and it ensures all context
variables are correctly escaped when the DEBUG setting is True.
- CVE-2022-23833: Denial-of-service possibility in file uploads.
Passing certain inputs to multipart forms could result in an
infinite loop when parsing files.
See <https://www.djangoproject.com/weblog/2022/feb/01/security-releases/>
for more information. (Closes: #1004752)
-- Chris Lamb <lamby@debian.org> Tue, 01 Feb 2022 09:28:58 -0800
python-django (2:3.2.11-2) unstable; urgency=medium
[ Chris Lamb ]
* Fix compatibility with SQLite 3.37+. (Closes: #1004464)
[ Salman Mohammadi ]
* Drop references to the deprecated python3-memcache package.
[ Mattia Rizzolo ]
* Add a Breaks against python3-django-countries (<< 7.1~).
* Add a Breaks against python3-django-tables2 (<< 2.3.4) (see #985774).
-- Chris Lamb <lamby@debian.org> Fri, 28 Jan 2022 08:52:06 -0800
python-django (2:3.2.11-1) unstable; urgency=high
* New upstream security release:
- CVE-2021-45115: Denial-of-service possibility in
UserAttributeSimilarityValidator
UserAttributeSimilarityValidator incurred significant overhead evaluating
submitted passwords that were artificially large relative to the
comparison values. On the assumption that access to user registration was
unrestricted this provided a potential vector for a denial-of-service
attack.
In order to mitigate this issue, relatively long values are now ignored
by UserAttributeSimilarityValidator.
- CVE-2021-45116: Potential information disclosure in dictsort template
filter
Due to leveraging the Django Template Language's variable resolution
logic, the dictsort template filter was potentially vulnerable to
information disclosure or unintended method calls, if passed a
suitably crafted key.
In order to avoid this possibility, dictsort now works with a
restricted resolution logic, that will not call methods, nor allow
indexing on dictionaries.
- CVE-2021-45452: Potential directory-traversal via Storage.save()
Storage.save() allowed directory-traversal if directly passed suitably
crafted file names.
See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>
for more information. (Closes: #1003113)
-- Chris Lamb <lamby@debian.org> Tue, 04 Jan 2022 12:35:16 +0000
python-django (2:3.2.10-2) unstable; urgency=medium
* autopkgtest: give the tests names.
This makes it easy to run any of them individually, and is also better
than having them called "command1" and "command2" in the autopkgtest
logs.
* Backport fixes for more Django ORM regressions.
Upstream issue: <https://code.djangoproject.com/ticket/33282>.
That regression affects src:lava in Debian.
The patches are:
- 0007-Refs-32786-Made-Query.clear_ordering-not-to-cause-si.patch
- 0008-Refs-32690-Altered-lookups-Query-rhs-alterations-dur.patch
- 0009-Fixed-33282-Fixed-a-crash-when-OR-ing-subquery-and-a.patch
-- Antonio Terceiro <terceiro@debian.org> Wed, 08 Dec 2021 15:11:52 -0300
python-django (2:3.2.10-1) unstable; urgency=medium
* New upstream release:
- CVE-2021-44420: Potential bypass of an upstream access control based on
URL paths.
Full details are available here:
<https://www.djangoproject.com/weblog/2021/dec/07/security-releases/>
* Refresh patches.
-- Chris Lamb <lamby@debian.org> Tue, 07 Dec 2021 07:46:51 -0800
python-django (2:3.2.9-2) unstable; urgency=medium
* Team upload.
* Fix __in lookup crash when combining with filtered aggregates.
Fix for: https://code.djangoproject.com/ticket/32690
This issue affects src:lava, where work is being done towards Django 3.2
compatibility.
Upstream patch from:
https://github.com/django/django/commit/136ff592ad8aa8b7fa1e61435e5501cc98ce8573
* Add Breaks: on lava-server << 2021.11 (Closes: #996931)
* Add Breaks: on python-django-pyscss << 2.0.2-10 (Closes: #983618)
-- Antonio Terceiro <terceiro@debian.org> Wed, 10 Nov 2021 11:22:48 -0300
python-django (2:3.2.9-1) unstable; urgency=medium
* New upstream release.
<https://docs.djangoproject.com/en/3.2/releases/3.2.9/>
-- Chris Lamb <lamby@debian.org> Mon, 01 Nov 2021 16:13:55 +0000
python-django (2:3.2.8-1) unstable; urgency=medium
* New upstream bugfix release.
* Drop a patch applied upstream.
* Bump Standards-Version to 4.6.0.
-- Chris Lamb <lamby@debian.org> Tue, 05 Oct 2021 09:34:57 +0100
python-django (2:3.2.7-4) unstable; urgency=medium
* Skip a test that is fixed upstream (with a number of overlapping patches).
-- Chris Lamb <lamby@debian.org> Mon, 13 Sep 2021 09:03:27 +0100
python-django (2:3.2.7-3) unstable; urgency=medium
* Actually upload 3.2 branch to unstable...
-- Chris Lamb <lamby@debian.org> Thu, 09 Sep 2021 17:49:23 +0100
python-django (2:3.2.7-2) experimental; urgency=medium
* Upload 3.2 branch to unstable.
-- Chris Lamb <lamby@debian.org> Thu, 09 Sep 2021 15:51:11 +0100
python-django (2:3.2.7-1) experimental; urgency=medium
* New upstream bugfix release.
-- Chris Lamb <lamby@debian.org> Wed, 01 Sep 2021 10:46:07 +0100
python-django (2:3.2.6-1) experimental; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/3.2/releases/3.2.6/>
* Bump Standards-Version to 4.5.1.
-- Chris Lamb <lamby@debian.org> Mon, 02 Aug 2021 09:16:21 +0100
python-django (2:3.2.5-2) experimental; urgency=medium
* Don't symlink /usr/bin/django-admin to "django-admin.py"; ship the script
generated by the entry_points system instead, otherwise we introduce a
confusing "django-admin.py" deprecation message when using "django-admin".
(Closes: #991098)
-- Chris Lamb <lamby@debian.org> Thu, 15 Jul 2021 13:54:57 +0100
python-django (2:3.2.5-1) experimental; urgency=medium
* New upstream security release:
- CVE-2021-35042: Potential SQL injection via unsanitized
QuerySet.order_by() input.
Unsanitized user input passed to QuerySet.order_by() could bypass
intended column reference validation in a path marked for deprecation,
resulting in a potential SQL injection even if a deprecation warning is
emitted. As a mitigation, the strict column reference validation was
restored for the duration of the deprecation period. This regression
appeared in Django version 3.1 as a side effect of fixing another bug
(#31426).
For more information, please see:
<https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
-- Chris Lamb <lamby@debian.org> Thu, 01 Jul 2021 10:56:07 +0100
python-django (2:3.2.4-1) experimental; urgency=medium
* New upstream security release. (Closes: #989394)
- CVE-2021-33203: Potential directory traversal via admindocs
Staff members could use the admindocs TemplateDetailView view to
check the existence of arbitrary files. Additionally, if (and only
if) the default admindocs templates have been customized by the
developers to also expose the file contents, then not only the
existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files
within the template root directories can be loaded.
This issue has low severity, according to the Django security
policy.
Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
the CodeQL Python team for the report.
- CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
since validators accepted leading zeros in IPv4 addresses
URLValidator, validate_ipv4_address(), and
validate_ipv46_address() didn't prohibit leading zeros in octal
literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.
validate_ipv4_address() and validate_ipv46_address() validators
were not affected on Python 3.9.5+.
This issue has medium severity, according to the Django security
policy.
* Bump Standards-Version to 4.5.1.
-- Chris Lamb <lamby@debian.org> Wed, 02 Jun 2021 16:08:13 +0100
python-django (2:3.2.3-1) experimental; urgency=medium
* New upstream release.
<https://docs.djangoproject.com/en/3.2/releases/3.2.3/>
-- Chris Lamb <lamby@debian.org> Thu, 13 May 2021 10:25:49 +0100
python-django (2:3.2.2-1) experimental; urgency=medium
* New upstream security release:
- CVE-2021-32052: Header injection possibility since URLValidator accepted
newlines in input on Python 3.9.5+. (Closes: #988136)
- Full release notes:
<https://www.djangoproject.com/weblog/2021/may/06/security-releases/>
-- Chris Lamb <lamby@debian.org> Thu, 06 May 2021 13:04:03 +0100
python-django (2:3.2.1-1) experimental; urgency=medium
* New upstream security release:
- CVE-2021-31542: Potential directory-traversal via uploaded files.
(Closes: #988053)
- Full release notes:
<https://www.djangoproject.com/weblog/2021/may/04/security-releases/>
* Refresh patches.
-- Chris Lamb <lamby@debian.org> Tue, 04 May 2021 12:59:07 +0100
python-django (2:3.2-1) experimental; urgency=medium
* New upstream major release:
- Full release notes: <https://docs.djangoproject.com/en/3.2/releases/3.2/>
- CVE-2021-28658: The MultiPartParser class allowed directory traversal via
uploaded files with maliciously crafted filenames. (Closes: #986447)
-- Chris Lamb <lamby@debian.org> Tue, 06 Apr 2021 11:38:48 +0100
python-django (2:3.2~rc1-1) experimental; urgency=medium
* New upstream release candidate.
<https://www.djangoproject.com/weblog/2021/mar/18/django-32-rc1/#s-id5>
* Refresh patches.
-- Chris Lamb <lamby@debian.org> Fri, 19 Mar 2021 09:56:40 +0000
python-django (2:3.2~beta1-1) experimental; urgency=medium
* New upstream beta release.
<https://www.djangoproject.com/weblog/2021/feb/19/django-32-beta-1-released/>
* Apply wrap-and-sort -sa.
-- Chris Lamb <lamby@debian.org> Fri, 19 Feb 2021 16:13:21 +0000
python-django (2:3.2~alpha1-2) experimental; urgency=medium
* Apply security fix from upstream:
- CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
added to backport some security fixes. A further security fix has been
issued recently such that parse_qsl() no longer allows using ";" as a
query parameter separator by default. (Closes: #983090)
<https://www.djangoproject.com/weblog/2021/feb/19/security-releases/>
-- Chris Lamb <lamby@debian.org> Fri, 19 Feb 2021 09:28:42 +0000
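Worked illustration of the "parameter cloaking" cache-poisoning vector behind CVE-2021-23336 from the 3.2~alpha1-2 entry above. This is an added example, not part of the changelog and not Django's backported parse_qsl(): it contrasts a front cache that splits the query string on "&" only with a backend that also treats ";" as a separator (the old parse_qsl() behaviour, reimplemented here as a few lines of my own), and shows how a parameter hidden behind ";" reaches the backend while being invisible to the cache key. The tracking-parameter name stripped by the cache is constructed for the demo. It requires the separator keyword of urllib.parse.parse_qsl, present in Python 3.9.2+ (and the equivalent 3.8/3.7 security releases).

```python
from urllib.parse import parse_qsl

STRIPPED_BY_CACHE = ("utm_source",)   # constructed: params the cache ignores when keying


def split_amp_only(query):
    """Fixed behaviour: only '&' separates parameters."""
    return parse_qsl(query, keep_blank_values=True, separator="&")


def split_amp_and_semicolon(query):
    """Old behaviour, reimplemented: both '&' and ';' separate parameters."""
    pairs = []
    for chunk in query.replace(";", "&").split("&"):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((key, value))
    return pairs


def cache_key(query, splitter=split_amp_only):
    """A front cache keys responses on the sorted, non-tracking parameters."""
    return tuple(sorted(p for p in splitter(query) if p[0] not in STRIPPED_BY_CACHE))


def backend_params(query, splitter):
    """What the application behind the cache sees as the request parameters."""
    return dict(splitter(query))


def cloaking_succeeds(query, backend_splitter, cloaked_name):
    """True when the cloaked parameter reaches the backend while the cache
    key is identical to the one for a request with no query string at all."""
    seen = cloaked_name in backend_params(query, backend_splitter)
    same_key = cache_key(query) == cache_key("")
    return seen and same_key


if __name__ == "__main__":
    evil = "utm_source=1;lang=<script>alert(1)</script>"
    print("cache key     :", cache_key(evil))
    print("old backend   :", backend_params(evil, split_amp_and_semicolon))
    print("fixed backend :", backend_params(evil, split_amp_only))
    print("cloaking (old):", cloaking_succeeds(evil, split_amp_and_semicolon, "lang"))
    print("cloaking (new):", cloaking_succeeds(evil, split_amp_only, "lang"))
```

Against the old splitter the attacker's request collapses to the same cache key as the clean page yet reaches the backend with lang set, so whatever the backend reflects for lang is stored and served to everyone under the clean key. With "&" as the only separator the whole string "1;lang=..." is the value of utm_source, the cloaked parameter never exists server-side, and the cache entry stays clean.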
python-django (2:3.2~alpha1-1) experimental; urgency=medium
* New upstream alpha release.
<https://www.djangoproject.com/weblog/2021/jan/19/django-32-alpha-1-released/>
* Refresh patches.
* Drop no-upstream-changelog overrides; removed from Lintian.
-- Chris Lamb <lamby@debian.org> Wed, 20 Jan 2021 09:27:49 +0000
python-django (2:3.1.5-1) experimental; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/3.1/releases/3.1.5/>
-- Chris Lamb <lamby@debian.org> Mon, 04 Jan 2021 12:45:20 +0000
python-django (2:3.1.4-1) experimental; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/3.1/releases/3.1.4/>
* Bump Standards-Version to 4.5.1.
-- Chris Lamb <lamby@debian.org> Tue, 01 Dec 2020 11:25:32 +0000
python-django (2:3.1.3-1) experimental; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/stable/releases/3.1.3/>
-- Chris Lamb <lamby@debian.org> Tue, 03 Nov 2020 11:59:29 +0000
python-django (2:3.1.2-1) experimental; urgency=medium
* New upstream bugfix release.
<https://www.djangoproject.com/weblog/2020/oct/01/django-bugfix-release-312/>
* Update Maintainer field with new Debian Python Team contact address.
* Update Vcs-* fields with new Debian Python Team Salsa layout.
-- Chris Lamb <lamby@debian.org> Thu, 01 Oct 2020 10:06:16 +0100
python-django (2:3.1.1-1) experimental; urgency=medium
* New upstream security release to address CVE-2020-24583, CVE-2020-24584.
(Closes: #969367)
<https://www.djangoproject.com/weblog/2020/sep/01/security-releases/>
-- Chris Lamb <lamby@debian.org> Tue, 01 Sep 2020 12:32:23 +0100
python-django (2:3.1-2) experimental; urgency=medium
* Set the PYTHONPATH in the autopkgtests in the same way that we do in
debian/rules. (Closes: #968577)
-- Chris Lamb <lamby@debian.org> Mon, 17 Aug 2020 23:11:30 +0100
python-django (2:3.1-1) experimental; urgency=medium
* New upstream release.
<https://docs.djangoproject.com/en/3.1/releases/3.1/>
-- Chris Lamb <lamby@debian.org> Tue, 04 Aug 2020 10:11:43 +0100
python-django (2:3.1~rc1-1) experimental; urgency=medium
* New upstream release candidate.
<https://www.djangoproject.com/weblog/2020/jul/20/django-31-release-candidate-1-released/>
-- Chris Lamb <lamby@debian.org> Mon, 20 Jul 2020 11:43:40 +0100
python-django (2:3.1~beta1-1) experimental; urgency=medium
* New upstream beta release.
<https://www.djangoproject.com/weblog/2020/jun/15/django-31-beta-1-released/>
* Refresh patches.
-- Chris Lamb <lamby@debian.org> Mon, 15 Jun 2020 11:30:39 +0100
python-django (2:3.0.7-2) experimental; urgency=medium
* Fix a regression in the handling of CVE-2020-13596.
* Refresh patches.
-- Chris Lamb <lamby@debian.org> Sat, 13 Jun 2020 15:15:34 +0100
python-django (2:3.0.7-1) experimental; urgency=medium
* New upstream security release.
<https://www.djangoproject.com/weblog/2020/jun/03/security-releases/>
-- Chris Lamb <lamby@debian.org> Wed, 03 Jun 2020 21:16:00 +0100
python-django (2:3.0.6-1) experimental; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/3.0/releases/3.0.6/>
-- Chris Lamb <lamby@debian.org> Mon, 04 May 2020 19:33:25 +0100
python-django (2:3.0.5-1) experimental; urgency=medium
* New upstream release.
<https://docs.djangoproject.com/en/3.0/releases/3.0.5/>
* Refresh all patches.
-- Chris Lamb <lamby@debian.org> Wed, 01 Apr 2020 10:35:42 +0100
python-django (2:3.0.4-1) experimental; urgency=medium
* New upstream security release. (Closes: #953102)
<https://www.djangoproject.com/weblog/2020/mar/04/security-releases/>
* Bump Standards-Version to 4.5.0.
* Refresh debian/patches/0004-Use-locally-installed-documentation-sources.patch.
-- Chris Lamb <lamby@debian.org> Wed, 04 Mar 2020 08:22:30 -0800
python-django (2:3.0.2-1) experimental; urgency=medium
* New upstream bugfix release.
<https://www.djangoproject.com/weblog/2020/jan/02/django-bugfix-release-302/>
* Add python3-selenium to test-dependencies and to a runtime "Suggests".
(Closes: #947549)
-- Chris Lamb <lamby@debian.org> Thu, 02 Jan 2020 10:52:39 +0000
python-django (2:3.0.1-1) experimental; urgency=medium
* New upstream security release.
<https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>
(Closes: #946937)
-- Chris Lamb <lamby@debian.org> Mon, 30 Dec 2019 10:44:01 +0000
python-django (2:3.0-1) experimental; urgency=medium
* New upstream release.
<https://www.djangoproject.com/weblog/2019/dec/02/django-3-released/>
-- Chris Lamb <lamby@debian.org> Mon, 02 Dec 2019 12:24:50 +0000
python-django (2:3.0~rc1-1) experimental; urgency=medium
* New upstream release candidate release.
<https://www.djangoproject.com/weblog/2019/nov/18/django-30-release-candidate-1-released/>
-- Chris Lamb <lamby@debian.org> Mon, 18 Nov 2019 11:25:38 -0500
python-django (2:3.0~beta1-1) experimental; urgency=medium
* New upstream beta release.
<https://www.djangoproject.com/weblog/2019/oct/14/django-30-beta-1-released/>
* Bump Standards-Version to 4.4.1.
* wrap-and-sort -sa.
-- Chris Lamb <lamby@debian.org> Mon, 14 Oct 2019 11:11:10 -0700
python-django (2:3.0~alpha1-1) experimental; urgency=medium
* New upstream alpha release.
<https://www.djangoproject.com/weblog/2019/sep/10/django-30-alpha-1-released/>
* Refresh all patches.
* Add asgiref to build and runtime dependencies.
* Update debian/copyright.
-- Chris Lamb <lamby@debian.org> Tue, 10 Sep 2019 11:22:45 +0100
python-django (2:2.2.24-1) unstable; urgency=medium
* New upstream security release. (Closes: #989394)
- CVE-2021-33203: Potential directory traversal via admindocs
Staff members could use the admindocs TemplateDetailView view to
check the existence of arbitrary files. Additionally, if (and only
if) the default admindocs templates have been customized by the
developers to also expose the file contents, then not only the
existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files
within the template root directories can be loaded.
This issue has low severity, according to the Django security
policy.
Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
the CodeQL Python team for the report.
- CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
since validators accepted leading zeros in IPv4 addresses
URLValidator, validate_ipv4_address(), and
validate_ipv46_address() didn't prohibit leading zeros in octal
literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.
validate_ipv4_address() and validate_ipv46_address() validators
were not affected on Python 3.9.5+.
This issue has medium severity, according to the Django security
policy.
-- Chris Lamb <lamby@debian.org> Wed, 02 Jun 2021 16:15:13 +0100
python-django (2:2.2.23-1) unstable; urgency=medium
* New upstream release.
<https://docs.djangoproject.com/en/3.2/releases/2.2.23/>
-- Chris Lamb <lamby@debian.org> Thu, 13 May 2021 10:41:04 +0100
python-django (2:2.2.22-1) unstable; urgency=medium
* New upstream security release:
- CVE-2021-32052: Header injection possibility since URLValidator accepted
newlines in input on Python 3.9.5+. (Closes: #988136)
- Full release notes:
<https://www.djangoproject.com/weblog/2021/may/06/security-releases/>
-- Chris Lamb <lamby@debian.org> Thu, 06 May 2021 15:52:24 +0100
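The two validator issues above (2.2.24: leading zeros in IPv4 octets, CVE-2021-33571; 2.2.22: newlines surviving URL validation, CVE-2021-32052) share a root cause: the string the validator inspects is not the string a downstream parser acts on. The example below is added here and is not Django's own code; it models both gaps in plain Python, with `strict_ipv4()`, `legacy_octal_reading()` and `validate_url()` as hypothetical helper names, so the difference between "010.1.1.1" as written and as inet_aton(3) reads it can be seen directly.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Characters that urlsplit() on Python 3.9.5+ silently discards, so a
# validator that inspects only the split result never sees them.
_CONTROL_CHARS = ("\r", "\n", "\t")

_IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def strict_ipv4(addr: str) -> bool:
    """Accept only canonical dotted-decimal IPv4: four octets in 0..255 with
    no leading zeros. '0.0.0.0' passes; '010.1.1.1' is rejected."""
    m = _IPV4_RE.match(addr)
    if not m:
        return False
    for octet in m.groups():
        if len(octet) > 1 and octet[0] == "0":
            return False  # octal to inet_aton(3), decimal to others: ambiguous
        if int(octet) > 255:
            return False
    return True


def legacy_octal_reading(addr: str) -> Optional[str]:
    """Model (added here, not a library call) of how a C-library parser such
    as inet_aton(3) reads the same string: an octet with a leading zero is
    octal. Returns the canonical address that parser would connect to, or
    None if an octet is not valid octal (e.g. '09')."""
    m = _IPV4_RE.match(addr)
    if not m:
        return None
    parts = []
    for octet in m.groups():
        try:
            parts.append(int(octet, 8) if len(octet) > 1 and octet[0] == "0" else int(octet))
        except ValueError:
            return None
    return ".".join(str(p) for p in parts)


def validate_url(url: str) -> bool:
    """Check the raw string before urlsplit() can normalise evidence away:
    refuse CR/LF/TAB outright, require an http(s) scheme and a host, and
    hold a numeric host to strict_ipv4()."""
    if any(c in url for c in _CONTROL_CHARS):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    if re.fullmatch(r"[0-9.]+", host):  # an IPv4-looking literal
        return strict_ipv4(host)
    return True
```

The order of checks in `validate_url()` is the point: the control-character test runs on the untouched input, because once `urlsplit()` has stripped a CR/LF pair the resulting components look clean and the header-injection payload is gone from the validator's view but not from whatever later re-assembles the URL.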
python-django (2:2.2.21-1) unstable; urgency=medium
* New upstream security release:
- CVE-2021-31542: Potential directory-traversal via uploaded files.
(Closes: #988053)
- Full release notes:
<https://www.djangoproject.com/weblog/2021/may/04/security-releases/>
-- Chris Lamb <lamby@debian.org> Tue, 04 May 2021 13:07:54 +0100
python-django (2:2.2.20-1) unstable; urgency=medium
* New upstream security release:
- CVE-2021-28658: The MultiPartParser class allowed directory-traversal
via uploaded files via maliciously crafted filenames. (Closes: #986447)
-- Chris Lamb <lamby@debian.org> Tue, 06 Apr 2021 11:44:51 +0100
python-django (2:2.2.19-1) unstable; urgency=medium
* New upstream security release:
- CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
added to backport some security fixes. A further security fix has been
issued recently such that parse_qsl() no longer allows using ";" as a
query parameter separator by default. (Closes: #983090)
<https://www.djangoproject.com/weblog/2021/feb/19/security-releases/>
* Refresh patches.
-- Chris Lamb <lamby@debian.org> Fri, 19 Feb 2021 09:22:37 +0000
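Why a second query-string separator is a cache-poisoning primitive is easier to see in code than in the CVE summary above. The example below is added here and is not Django's or Python's own implementation: `parse_qsl_legacy()` and `parse_qsl_strict()` are minimal stand-ins for parse_qsl() before and after the change, and `cache_key()` and `origin_callback()` are a constructed model of a front cache that drops utm_* parameters from its key and an origin that echoes a "callback" parameter.

```python
import re
from typing import Callable, List, Optional, Tuple

Pairs = List[Tuple[str, str]]
Parser = Callable[[str], Pairs]


def _parse(qs: str, separators: str) -> Pairs:
    """Minimal parse_qsl(): split on any of `separators`, then on the first '='."""
    pairs: Pairs = []
    for chunk in re.split("[" + re.escape(separators) + "]", qs):
        if chunk:
            key, _, value = chunk.partition("=")
            pairs.append((key, value))
    return pairs


def parse_qsl_legacy(qs: str) -> Pairs:
    """Pre-fix behaviour: both '&' and ';' separate parameters."""
    return _parse(qs, "&;")


def parse_qsl_strict(qs: str) -> Pairs:
    """Fixed behaviour: only '&' separates parameters; ';' is ordinary data."""
    return _parse(qs, "&")


def cache_key(path: str, qs: str) -> str:
    """Constructed model of a front cache: it splits on '&' only and drops
    utm_* parameters from the key because they never change the response."""
    kept = sorted((k, v) for k, v in parse_qsl_strict(qs) if not k.startswith("utm_"))
    return path + "?" + "&".join(k + "=" + v for k, v in kept)


def origin_callback(qs: str, parse: Parser) -> Optional[str]:
    """Constructed model of the origin: it reflects a JSONP-style 'callback'
    parameter into the response body, parsing the query string with `parse`."""
    return dict(parse(qs)).get("callback")


def cloaking_outcome(parse: Parser) -> Tuple[bool, Optional[str]]:
    """Does the cache file the attacker's request under the same key as a
    clean one, and what does the origin see as 'callback' in that request?
    The query strings are constructed sample input."""
    clean = "q=1"
    cloaked = "q=1&utm_content=x;callback=alert(1)"
    same_key = cache_key("/search", clean) == cache_key("/search", cloaked)
    return same_key, origin_callback(cloaked, parse)
```

With the legacy parser the cache sees one ignorable `utm_content` parameter and keys the attacker's response as the clean URL, while the origin sees a separate `callback` and reflects it: every later visitor to `/search?q=1` receives the poisoned body. With the strict parser the key is unchanged but the origin no longer sees `callback`, so the cloaked parameter is inert.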
python-django (2:2.2.18-1) unstable; urgency=medium
* New upstream security release:
- CVE-2021-3281: Potential directory-traversal via archive.extract().
The django.utils.archive.extract() function, used by startapp --template
and startproject --template, allowed directory-traversal via an archive
with absolute paths or relative paths with dot segments.
(Closes: #981562)
<https://www.djangoproject.com/weblog/2021/feb/01/security-releases/>
* Drop 0006-Fixed-31850-Fixed-BasicExtractorTests.test_extractio.patch;
applied upstream.
-- Chris Lamb <lamby@debian.org> Mon, 01 Feb 2021 11:59:58 +0000
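Four of the entries above are the same bug class in different code paths: admindocs loading a template by a user-supplied name (2.2.24, CVE-2021-33203), uploaded filenames that carry directory components or are bare dot segments (2.2.20, CVE-2021-28658, and 2.2.21, CVE-2021-31542), and archive members with absolute or dot-segment paths (2.2.18, CVE-2021-3281). The example below is added here and is not Django's own code; `safe_join()`, `clean_upload_name()` and `extraction_targets()` are hypothetical helpers that show the containment check each fix needs, and `SuspiciousFileOperation` is a local stand-in for the Django exception of that name. The paths in the checks are constructed and nothing is read from disk.

```python
import os
from typing import Callable, Iterable, List


class SuspiciousFileOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousFileOperation."""


def contained(root: str, *paths: str) -> bool:
    """True if joining `paths` onto `root` stays inside root once '..' and
    absolute components are resolved lexically. Symlinks are not followed;
    apply os.path.realpath to both sides if root may contain them."""
    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, *paths))
    return candidate == root_abs or candidate.startswith(root_abs.rstrip(os.sep) + os.sep)


def safe_join(root: str, *paths: str) -> str:
    """Join untrusted components onto a trusted root (a template directory,
    an extraction directory) or raise. An absolute component makes
    os.path.join discard root entirely, which is why the check runs on the
    joined result rather than on the components."""
    if not contained(root, *paths):
        raise SuspiciousFileOperation(f"{os.path.join(root, *paths)!r} escapes {root!r}")
    return os.path.abspath(os.path.join(os.path.abspath(root), *paths))


def clean_upload_name(name: str) -> str:
    """MultiPartParser-style treatment of a client-supplied filename: keep
    only the last path component (either separator, since the client's OS
    is unknown), then refuse names that are empty or pure dot segments."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        raise SuspiciousFileOperation(f"unusable upload filename {name!r}")
    return base


def extraction_targets(dest: str, members: Iterable[str]) -> List[str]:
    """Where each archive member would be written. Any member whose path is
    absolute or climbs out of dest aborts the whole extraction before any
    file is touched, which is the order a safe extractor must use."""
    return [safe_join(dest, member) for member in members]


def rejected(fn: Callable, *args) -> bool:
    """Check helper: True if fn(*args) raises SuspiciousFileOperation."""
    try:
        fn(*args)
    except SuspiciousFileOperation:
        return True
    return False
```

Two details matter in practice. `clean_upload_name()` keeps the basename rather than rejecting names with slashes, so `../../evil.txt` becomes `evil.txt` (the 2.2.20 behaviour) but `..` on its own, which has no usable basename, is refused (the 2.2.21 follow-up). `extraction_targets()` validates every member before writing any of them, because an archive that is half extracted when the escaping member is found has already done damage.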
python-django (2:2.2.17-2) unstable; urgency=medium
* Fix compatibility with xgettext 0.21. (Closes: #978263)
* Move to debian/watch file version 4.
* Bump Standards-Version to 4.5.1.
-- Chris Lamb <lamby@debian.org> Sun, 27 Dec 2020 16:42:36 +0000
python-django (2:2.2.17-1) unstable; urgency=medium
[ Chris Lamb ]
* New upstream bugfix release.
<https://docs.djangoproject.com/en/stable/releases/2.2.17/>
[ Ondřej Nový ]
* d/control: Update Maintainer field with new Debian Python Team
contact address.
* d/control: Update Vcs-* fields with new Debian Python Team Salsa
layout.
-- Chris Lamb <lamby@debian.org> Tue, 03 Nov 2020 10:46:54 +0000
python-django (2:2.2.16-1) unstable; urgency=medium
* New upstream security release to address CVE-2020-24583, CVE-2020-24584.
(Closes: #969367)
<https://www.djangoproject.com/weblog/2020/sep/01/security-releases/>
-- Chris Lamb <lamby@debian.org> Tue, 01 Sep 2020 12:21:39 +0100
python-django (2:2.2.15-2) unstable; urgency=medium
* Set the PYTHONPATH in the autopkgtests in the same way that we do in
debian/rules. (Closes: #968577)
-- Chris Lamb <lamby@debian.org> Mon, 17 Aug 2020 23:02:17 +0100
python-django (2:2.2.15-1) unstable; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/3.0/releases/2.2.15/>
* Move to compat level 13.
-- Chris Lamb <lamby@debian.org> Mon, 03 Aug 2020 10:30:30 +0100
python-django (2:2.2.14-1) unstable; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/3.0/releases/2.2.14/>
* Refresh patches.
-- Chris Lamb <lamby@debian.org> Wed, 01 Jul 2020 15:23:50 +0100
python-django (2:2.2.13-2) unstable; urgency=medium
* Backport a regression in the handling of CVE-2020-13254.
-- Chris Lamb <lamby@debian.org> Fri, 12 Jun 2020 11:08:07 +0100
python-django (2:2.2.13-1) unstable; urgency=medium
* New upstream security release.
<https://www.djangoproject.com/weblog/2020/jun/03/security-releases/>
* Drop from debian/source/include-binaries the file
debian/patches/0006-Fixed-a-missing-pyc-test-file-in-source-distribution.patch.
-- Chris Lamb <lamby@debian.org> Wed, 03 Jun 2020 20:41:57 +0100
python-django (2:2.2.12-1) unstable; urgency=medium
* New upstream release.
<https://docs.djangoproject.com/en/3.0/releases/2.2.12/>
-- Chris Lamb <lamby@debian.org> Wed, 01 Apr 2020 10:43:19 +0100
python-django (2:2.2.11-1) unstable; urgency=medium
[ Chris Lamb ]
* New upstream security release. (Closes: #953102)
<https://www.djangoproject.com/weblog/2020/mar/04/security-releases/>
[ Mattia Rizzolo ]
* Add a Breaks against python3-django-filters (<< 2.1.0).
* Mark python-django-doc as Multi-Arch:foreign (via the Multi-Arch hinter).
-- Chris Lamb <lamby@debian.org> Wed, 04 Mar 2020 08:01:27 -0800
python-django (2:2.2.10-1) unstable; urgency=medium
* New upstream security release. (Closes: #950581)
<https://www.djangoproject.com/weblog/2020/feb/03/security-releases/>
* Bump Standards-Version to 4.5.0.
-- Chris Lamb <lamby@debian.org> Tue, 04 Feb 2020 17:19:01 +0100
python-django (2:2.2.9-2) unstable; urgency=medium
* Add python3-selenium to test-dependencies and to a runtime "Suggests".
(Closes: #947549)
-- Chris Lamb <lamby@debian.org> Sat, 28 Dec 2019 11:11:37 +0000
python-django (2:2.2.9-1) unstable; urgency=medium
* New upstream security release. (Closes: #946937)
<https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>
-- Chris Lamb <lamby@debian.org> Sat, 28 Dec 2019 11:11:32 +0000
python-django (2:2.2.8-1) unstable; urgency=medium
* New upstream security release.
<https://www.djangoproject.com/weblog/2019/dec/02/security-releases/>
-- Chris Lamb <lamby@debian.org> Mon, 02 Dec 2019 12:36:34 +0000
python-django (2:2.2.7-1) unstable; urgency=medium
[ Chris Lamb ]
* New upstream bugfix release.
<https://docs.djangoproject.com/en/2.2/releases/2.2.7/>
[ Ondřej Nový ]
* Bump Standards-Version to 4.4.1.
-- Chris Lamb <lamby@debian.org> Mon, 04 Nov 2019 10:59:01 -0800
python-django (2:2.2.6-1) unstable; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/2.2/releases/2.2.6/>
-- Chris Lamb <lamby@debian.org> Tue, 01 Oct 2019 10:44:50 +0100
python-django (2:2.2.5-1) unstable; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/2.2/releases/2.2.5/>
-- Chris Lamb <lamby@debian.org> Mon, 02 Sep 2019 14:07:48 +0100
python-django (2:2.2.4-1) unstable; urgency=medium
* New upstream security release. (Closes: #934026)
<https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
-- Chris Lamb <lamby@debian.org> Mon, 02 Sep 2019 14:02:43 +0100
python-django (2:2.2.3-5) unstable; urgency=medium
[ Chris Lamb ]
* Drop Pre-Depends on version of dpkg that is now satisfied in oldoldstable.
[ Ondřej Nový ]
* Bump Standards-Version to 4.4.0
-- Chris Lamb <lamby@debian.org> Wed, 24 Jul 2019 11:36:15 -0300
python-django (2:2.2.3-4) unstable; urgency=medium
* Fixup debian/python-django-doc.doc-base to refer to the new location(s) of
the documentation. (Closes: #931652)
-- Chris Lamb <lamby@debian.org> Mon, 08 Jul 2019 21:49:47 -0300
python-django (2:2.2.3-3) unstable; urgency=medium
* python3-mysqlclient 1.3.13 or newer is now required so add a "Breaks" on
versions older than this. Thanks to Zhang Jingqiang for the report.
(Closes: #931592)
* Drop "Python 3 version" from package description; we only have this
version now.
* Run `wrap-and-sort -sa`.
-- Chris Lamb <lamby@debian.org> Mon, 08 Jul 2019 09:57:25 -0300
python-django (2:2.2.3-2) unstable; urgency=medium
* Upload (Python 3.x-only) branch to unstable after the release of
Debian "buster".
* Update debian/gbp.conf to refer to debian/sid after merge.
-- Chris Lamb <lamby@debian.org> Sun, 07 Jul 2019 11:59:04 -0300
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog python3-django`.
Generated by dwww version 1.16 on Tue Dec 16 05:37:27 CET 2025.