Public bug reported:
python-django (1:1.9.7-2ubuntu1~ppa1) yakkety; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/patches/pymysql-replacement.patch: Use pymysql as drop-in
      replacement for MySQLdb.
    - debian/control: Drop python-mysqldb in favor of python-pymysql.
  * Drop:
    - SECURITY UPDATE: malicious redirect and possible XSS attack via
      user-supplied redirect URLs containing basic auth
      + debian/patches/CVE-2016-2512.patch: prevent spoofing in
        django/utils/http.py, added test to tests/utils_tests/test_http.py.
      + CVE-2016-2512
      [ Fixed upstream ]
    - SECURITY UPDATE: user enumeration through timing difference on
      password hasher work factor upgrade
      + debian/patches/CVE-2016-2513.patch: fix timing in
        django/contrib/auth/hashers.py, added note to
        docs/topics/auth/passwords.txt, added tests to
        tests/auth_tests/test_hashers.py.
      + CVE-2016-2513
      [ Fixed upstream ]
    - SECURITY REGRESSION: is_safe_url() with non-unicode url
      (LP #1553251)
      + debian/patches/CVE-2016-2512-regression.patch: force url to
        unicode in django/utils/http.py, added test to
        tests/utils_tests/test_http.py. Updated to final upstream fix.
      + CVE-2016-2512
      [ Fixed upstream ]
    - Backport b1afebf882db5296cd9dcea26ee66d5250922e53 for ticket 26204
      from upstream (1.8.10) to allow dashes in TLDs again (in the
      URL validator.) LP #1528710
      [ Fixed upstream ]

 -- Nishanth Aravamudan <[email protected]>  Wed, 13 Jul 2016 17:16:48 -0700

** Affects: python-django (Ubuntu)
     Importance: Undecided
         Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1602893
Title:
Please merge with 1.9.7-2 from Debian unstable
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
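The second dropped patch in the changelog above (CVE-2016-2513) addresses a timing-based user enumeration: a login attempt for a user whose stored hash still uses an older, lower PBKDF2 work factor costs fewer iterations than the dummy hash run for a nonexistent user at the current default, so an observer can tell the two apart. The upstream fix burns the missing iterations when a password is wrong and the hash needs upgrading (the harden_runtime hook in django/contrib/auth/hashers.py). The following is an added, simplified model written for this page; it is not Django's code and not part of the bug report. It assumes constructed iteration counts (20000 current, 10000 legacy), a constructed salt and password, and uses an iteration counter as a deterministic stand-in for wall-clock time so the gap and its closure can be checked without timing noise.

```python
import hashlib
import hmac

# Constructed values: the current default work factor and an older one that
# some stored hashes still use. Real deployments use far larger counts.
DEFAULT_ITERATIONS = 20000
OLD_ITERATIONS = 10000

# Deterministic proxy for elapsed time: total PBKDF2 rounds actually executed.
WORK = {"iterations": 0}


def pbkdf2(password: str, salt: str, iterations: int) -> str:
    """Run PBKDF2-HMAC-SHA256 and account for the rounds spent."""
    WORK["iterations"] += iterations
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()


def encode(password: str, salt: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Produce a Django-style 'algorithm$iterations$salt$hash' string."""
    return f"pbkdf2_sha256${iterations}${salt}${pbkdf2(password, salt, iterations)}"


def decode(encoded: str):
    _algorithm, iterations, salt, digest = encoded.split("$", 3)
    return int(iterations), salt, digest


def verify(password: str, encoded: str) -> bool:
    """Recompute the hash at the *stored* work factor and compare in constant time."""
    iterations, salt, digest = decode(encoded)
    return hmac.compare_digest(pbkdf2(password, salt, iterations), digest)


def harden_runtime(password: str, encoded: str) -> None:
    """Spend the iterations that separate the stored work factor from the
    current default, so a failed login against a legacy hash costs the same
    as the dummy hash run for an unknown user (mirrors the upstream approach)."""
    iterations, salt, _digest = decode(encoded)
    extra = DEFAULT_ITERATIONS - iterations
    if extra > 0:
        pbkdf2(password, salt, extra)


DUMMY_SALT = "dummy-salt"  # constructed; stands in for the salt of the unknown-user dummy hash


def check_password(password: str, encoded, harden: bool) -> bool:
    """Model of the login path. encoded=None means the user does not exist."""
    if encoded is None:
        # Unknown user: run the default hasher once so the cost matches a real user.
        encode(password, DUMMY_SALT)
        return False
    is_correct = verify(password, encoded)
    must_update = decode(encoded)[0] < DEFAULT_ITERATIONS
    if not is_correct and must_update and harden:
        harden_runtime(password, encoded)
    return is_correct


def measure(password: str, encoded, harden: bool):
    """Return (is_correct, iterations_spent) for one login attempt."""
    WORK["iterations"] = 0
    result = check_password(password, encoded, harden)
    return result, WORK["iterations"]


# Constructed legacy account: correct password "hunter2", hashed at the old work factor.
OLD_HASH = encode("hunter2", "legacy-salt", OLD_ITERATIONS)


if __name__ == "__main__":
    print("unknown user          :", measure("wrong", None, harden=False))
    print("legacy user, no harden:", measure("wrong", OLD_HASH, harden=False))
    print("legacy user, hardened :", measure("wrong", OLD_HASH, harden=True))
```

Without hardening, a wrong password against the legacy account spends 10000 rounds while an unknown user spends 20000, which is the distinguishable gap the advisory describes; with hardening both paths spend 20000. A correct password on the legacy hash still returns True and is followed in Django by a re-hash at the current work factor, which this model leaves out.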