Public bug reported:

Please sync python-django 2:2.2.15-2 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:

  * SECURITY UPDATE: Potential data leakage via malformed memcached keys
    - debian/patches/CVE-2020-13254.patch: enforced cache key validation
      in memcached backends in django/core/cache/__init__.py,
      django/core/cache/backends/base.py,
      django/core/cache/backends/memcached.py, tests/cache/tests.py.
    - CVE-2020-13254
  * SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
    - debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin
      ForeignKeyRawIdWidget in django/contrib/admin/widgets.py,
      tests/admin_widgets/models.py, tests/admin_widgets/tests.py.
    - CVE-2020-13596

Our delta contains the 2 security fixes mentioned above for CVE-2020-13254 and CVE-2020-13596. They were applied by upstream in version 2.2.13:

https://docs.djangoproject.com/en/3.0/releases/2.2.13/

I uploaded this new version to this PPA to make sure it builds fine in Groovy:

https://launchpad.net/~lucaskanashiro/+archive/ubuntu/groovy-python-django/

The DEP-8 tests were failing in version 2:2.2.15-1; I filed a bug against Debian and it was fixed in 2:2.2.15-2:

https://bugs.debian.org/968577

I ran autopkgtest locally to confirm it was fixed:

    autopkgtest [09:41:04]: @@@@@@@@@@@@@@@@@@@@ summary
    command1             PASS
    command2             PASS

Changelog entries since current groovy version 2:2.2.12-1ubuntu1:

python-django (2:2.2.15-2) unstable; urgency=medium

  * Set the PYTHONPATH in the autopkgtests in the same way that we do in
    debian/rules. (Closes: #968577)

 -- Chris Lamb <la...@debian.org>  Mon, 17 Aug 2020 23:02:17 +0100

python-django (2:2.2.15-1) unstable; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/3.0/releases/2.2.15/>
  * Move to compat level 13.

 -- Chris Lamb <la...@debian.org>  Mon, 03 Aug 2020 10:30:30 +0100

python-django (2:2.2.14-1) unstable; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/3.0/releases/2.2.14/>
  * Refresh patches.

 -- Chris Lamb <la...@debian.org>  Wed, 01 Jul 2020 15:23:50 +0100

python-django (2:2.2.13-2) unstable; urgency=medium

  * Backport a regression in the handling of CVE-2020-13254.

 -- Chris Lamb <la...@debian.org>  Fri, 12 Jun 2020 11:08:07 +0100

python-django (2:2.2.13-1) unstable; urgency=medium

  * New upstream security release.
    <https://www.djangoproject.com/weblog/2020/jun/03/security-releases/>
  * Drop from debian/source/include-binaries the file
    debian/patches/0006-Fixed-a-missing-pyc-test-file-in-source-distribution.patch.

 -- Chris Lamb <la...@debian.org>  Wed, 03 Jun 2020 20:41:57 +0100

** Affects: python-django (Ubuntu)
     Importance: Wishlist
         Status: Confirmed

** Changed in: python-django (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: python-django (Ubuntu)
       Status: New => Confirmed

https://bugs.launchpad.net/bugs/1892037

Title:
  Sync python-django 2:2.2.15-2 (main) from Debian unstable (main)