File python-Django.changes of Package python-Django

-------------------------------------------------------------------
Mon Oct 12 12:49:26 UTC 2015 - bwiedemann@suse.com

- add 0002-1.6.x-Fixed-19324-Avoided-creating-a-session-record-.patch
  to prevent Denial-of-service possibility by filling session store
  (bnc#937522, CVE-2015-5143)
- add 0003-1.6.x-Prevented-newlines-from-being-accepted-in-some.patch
  to prevent Header injection possibility (bnc#937523, CVE-2015-5144)

-------------------------------------------------------------------
Wed Sep  9 11:16:22 UTC 2015 - bwiedemann@suse.com

- Add 0001-1.6.x-Fixed-DoS-possiblity-in-contrib.auth.views.log.patch
  (bnc#941587, CVE-2015-5963)

-------------------------------------------------------------------
Fri Mar 20 13:06:02 UTC 2015 - bwiedemann@suse.com

- update to 1.6.11
  * Made is_safe_url() reject URLs that start with control characters
    to mitigate possible XSS attack via user-supplied redirect URLs
    (bnc#923176, CVE-2015-2317)
  * Fixed an infinite loop possibility in strip_tags()
    (bnc#923172, CVE-2015-2316)

-------------------------------------------------------------------
Mon Jan 26 14:33:01 UTC 2015 - dmueller@suse.com

- update to 1.6.10: 
  * Content retrieved from the GeoIP library is now properly decoded from its
    default ``iso-8859-1`` encoding
  * Fixed ``AttributeError`` when using
    :meth:`~django.db.models.query.QuerySet.bulk_create` with ``ForeignObject``
  * Fixed crash of ``QuerySet``\s that use ``F() + timedelta()`` when their query
    was compiled more than once
  * Prevented custom ``widget`` class attribute of
    :class:`~django.forms.IntegerField` subclasses from being overwritten by the
    code in their ``__init__`` method
  * Improved :func:`~django.utils.html.strip_tags` accuracy (but it still cannot
    guarantee an HTML-safe result, as stated in the documentation).
  * Fixed a regression in the :mod:`django.contrib.gis` SQL compiler for
    non-concrete fields (`#22250 <http://code.djangoproject.com/ticket/22250>`_).
  * Fixed :attr:`ModelAdmin.preserve_filters
    <django.contrib.admin.ModelAdmin.preserve_filters>` when running a site with
    a URL prefix (`#21795 <http://code.djangoproject.com/ticket/21795>`_).
  * Fixed a crash in the ``find_command`` management utility when the ``PATH``
    environment variable wasn't set
  * Fixed :djadmin:`changepassword` on Windows
  * Avoided shadowing deadlock exceptions on MySQL
  * Wrapped database exceptions in ``_set_autocommit``
  * Fixed atomicity when closing a database connection or when the database server
    disconnects (`#21239 <https://code.djangoproject.com/ticket/21239>`_ and
  * Fixed regression in ``prefetch_related`` that caused the related objects
    query to include an unnecessary join
  * Added backwards compatibility support for the :mod:`django.contrib.messages`
    cookie format of Django 1.4 and earlier to facilitate upgrading to 1.6 from
    1.4
  * Restored the ability to :meth:`~django.core.urlresolvers.reverse` views
    created using :func:`functools.partial()`
  * Fixed the ``object_id`` of the ``LogEntry`` that's created after a user
    password change in the admin
  * Made the ``year_lookup_bounds_for_datetime_field`` Oracle backend method
    Python 3 compatible (`#22551 <http://code.djangoproject.com/ticket/22551>`_).
  * Fixed ``pgettext_lazy`` crash when receiving bytestring content on Python 2
  * Fixed the SQL generated when filtering by a negated ``Q`` object that contains
    a ``F`` object. (`#22429 <http://code.djangoproject.com/ticket/22429>`_).
  * Avoided overwriting data fetched by ``select_related()`` in certain cases
    which could cause minor performance regressions
  * Corrected email and URL validation to reject a trailing dash
  * Prevented indexes on PostgreSQL virtual fields (:ticket:`22514`).
  * Prevented edge case where values of FK fields could be initialized with a
    wrong value when an inline model formset is created for a relationship
    defined to point to a field other than the PK (:ticket:`13794`).
  * Restored ``pre_delete``  signals for ``GenericRelation`` cascade deletion
  * Fixed transaction handling when specifying non-default database in
    ``createcachetable`` and ``flush`` (:ticket:`23089`).
  * Fixed the "ORA-01843: not a valid month" errors when using Unicode
    with older versions of Oracle server (:ticket:`20292`).
  * Restored bug fix for sending unicode email with Python 2.6.5 and below
  * Prevented ``UnicodeDecodeError`` in ``runserver`` with non-UTF-8 and
    non-English locale (:ticket:`23265`).
  * Fixed JavaScript errors while editing multi-geometry objects in the OpenLayers
    widget (:ticket:`23137`, :ticket:`23293`).
  * Prevented a crash on Python 3 with query strings containing unencoded
    non-ASCII characters (:ticket:`22996`).
  * Allowed inherited and m2m fields to be referenced in the admin
  * Fixed a crash when using ``QuerySet.defer()`` with ``select_related()``
  * Allowed related many-to-many fields to be referenced in the admin
  * Allowed inline and hidden references to admin fields (:ticket:`23431`).
  * Fixed a regression with dynamically generated inlines and allowed field
    references in the admin (:ticket:`23754`).
  * WSGI header spoofing via underscore/dash conflation
    (bnc#913053, CVE-2015-0219)
  * Mitigated possible XSS attack via user-supplied redirect URLs
  * Denial-of-service attack against ``django.views.static.serve``
    (bnc#913056, CVE-2015-0221)
  * Database denial-of-service with ``ModelMultipleChoiceField``
    (bnc#913055, CVE-2015-0222)

-------------------------------------------------------------------
Thu Jul 31 16:55:11 UTC 2014 - dimstar@opensuse.org

- Rename rpmlintrc to %{name}-rpmlintrc.
  Follow the packaging guidelines.

-------------------------------------------------------------------
Wed Jun 11 12:34:45 UTC 2014 - mcihar@suse.cz

- Update to version 1.6.5, security and important changes:
  + Unexpected code execution using reverse()
  + Caching of anonymous pages could reveal CSRF token
  + MySQL typecasting
  + select_for_update() requires a transaction
  + Issue: Caches may incorrectly be allowed to store and serve private data
  + Issue: Malformed redirect URLs from user input not correctly validated

-------------------------------------------------------------------
Fri Feb 14 09:32:07 UTC 2014 - speilicke@suse.com

- Fix update-alternatives

-------------------------------------------------------------------
Fri Feb  7 08:30:04 UTC 2014 - speilicke@suse.com

- Update to version 1.6.2:
  + Prevented the base geometry object of a prepared geometry to be garbage
    collected, which could lead to crash Django (#21662).
  + Fixed a crash when executing the changepassword command when the user
    object representation contained non-ASCII characters (#21627).
  + The collectstatic command will raise an error rather than default to
    using the current working directory if STATIC_ROOT is not set. Combined
    with the --clear option, the previous behavior could wipe anything
    below the current working directory (#21581).
  + Fixed mail encoding on Python 3.3.3+ (#21093).
  + Fixed an issue where when settings.DATABASES['default']['AUTOCOMMIT'] = False,
    the connection wasn’t in autocommit mode but Django pretended it was.
  + Fixed a regression in multiple-table inheritance exclude() queries (#21787).
  + Added missing items to django.utils.timezone.__all__ (#21880).
  + Fixed a field misalignment issue with select_related() and model inheritance (#21413).
  + Fixed join promotion for negated AND conditions (#21748).
  + Oracle database introspection now works with boolean and float fields (#19884).
  + Fixed an issue where lazy objects weren’t actually marked as safe when
    passed through mark_safe() and could end up being double-escaped (#21882).

-------------------------------------------------------------------
Tue Feb  4 14:33:40 UTC 2014 - mcihar@suse.cz

- Update to version 1.6.1:
  - Most bug fixes are minor; you can find a complete list in the Django 1.6.1
    release notes.

-------------------------------------------------------------------
Tue Nov 19 10:06:23 UTC 2013 - speilicke@suse.com

- Update-alternatives also for bash-completion

-------------------------------------------------------------------
Fri Nov 15 13:33:20 UTC 2013 - speilicke@suse.com

- Only ghost /etc/alternatives on 12.3 or newer

-------------------------------------------------------------------
Thu Nov  7 16:36:41 UTC 2013 - speilicke@suse.com

- Require python-Pillow for image-related functionality
- Package was renamed from python-django
- Drop Django-1.2-completion-only-for-bash.patch: Useless

-------------------------------------------------------------------
Tue Nov  5 03:27:13 UTC 2013 - alexandre@exatati.com.br
  
- Update to version 1.6:
  - Please read the release notes
    https://docs.djangoproject.com/en/1.6/releases/1.6
- Removed Patch2 as it is no longer needed:
  Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch

-------------------------------------------------------------------
Tue Sep 17 12:37:53 UTC 2013 - speilicke@suse.com

- Update to version 1.5.4:
  + Fixed denial-of-service via large passwords
- Changes from version 1.5.3:
  + Fixed directory traversal with ssi template tag

-------------------------------------------------------------------
Wed Aug 14 05:49:54 UTC 2013 - alexandre@exatati.com.br

- Update to 1.5.2:
  - Security release, please check release notes for details:
    https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued

-------------------------------------------------------------------
Thu Mar 28 23:27:01 UTC 2013 - alexandre@exatati.com.br

- Update to 1.5.1:
   - Memory leak fix, please read release announcement at
     https://www.djangoproject.com/weblog/2013/mar/28/django-151.

-------------------------------------------------------------------
Tue Feb 26 19:49:02 UTC 2013 - alexandre@exatati.com.br

- Update to 1.5:
  - Please read the release notes
    https://docs.djangoproject.com/en/1.5/releases/1.5

-------------------------------------------------------------------
Tue Dec 11 12:27:50 UTC 2012 - alexandre@exatati.com.br

- Update to 1.4.3:
  - Security release:
    - Host header poisoning
    - Redirect poisoning
  - Please check release notes for details:
    https://www.djangoproject.com/weblog/2012/dec/10/security

-------------------------------------------------------------------
Sat Oct 20 13:41:10 UTC 2012 - saschpe@suse.de

- Add a symlink from /usr/bin/django-admin.py to /usr/bin/django-admin

-------------------------------------------------------------------
Wed Oct 17 22:51:36 UTC 2012 - alexandre@exatati.com.br

- Update to 1.4.2:
  - Security release:
    - Host header poisoning
  - Please check release notes for details:
    https://www.djangoproject.com/weblog/2012/oct/17/security

-------------------------------------------------------------------
Mon Jul 30 21:38:31 UTC 2012 - alexandre@exatati.com.br

- Update to 1.4.1:
  - Security release:
    - Cross-site scripting in authentication views
    - Denial-of-service in image validation
    - Denial-of-service via get_image_dimensions()
  - Please check release notes for details:
    https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued

-------------------------------------------------------------------
Tue Jun 19 11:27:33 UTC 2012 - saschpe@suse.de

- Add patch to support CSRF_COOKIE_HTTPONLY config

-------------------------------------------------------------------
Fri Mar 23 18:39:40 UTC 2012 - alexandre@exatati.com.br

- Update to 1.4:
  - Please read the release notes
    https://docs.djangoproject.com/en/dev/releases/1.4
- Removed Patch2, it was merged upstream.

-------------------------------------------------------------------
Thu Nov 24 12:30:40 UTC 2011 - saschpe@suse.de

- Set license to SPDX style (BSD-3-Clause)
- Package AUTHORS, LICENSE and README files
- No CFLAGS for noarch package
- Drop runtime dependency on gettext-tools

-------------------------------------------------------------------
Sat Sep 10 12:05:07 UTC 2011 - alexandre@exatati.com.br

- Update to 1.3.1 to fix security issues, please read
  https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued.

-------------------------------------------------------------------
Thu Mar 31 15:09:16 UTC 2011 - alexandre@exatati.com.br

- Fix build on SLES_9.

-------------------------------------------------------------------
Wed Mar 23 11:39:53 UTC 2011 - alexandre@exatati.com.br

- Update to 1.3 final;
- Refresh patch empty-ip-2.diff.

-------------------------------------------------------------------
Fri Mar 18 03:45:45 UTC 2011 - alexandre@exatati.com.br

- Update to 1.3-rc1;
- Regenerated spec file with py2pack;
- No more need to fix wrong line endings;
- Refresh patch empty-ip-2.diff with -p0.

-------------------------------------------------------------------
Thu Mar  3 09:32:52 UTC 2011 - saschpe@suse.de

- Spec file cleanup:
  * Removed empty lines, package authors from description
  * Cleanup duplicates
  * Corrected wrong file endings
  * Added zero-length rpmlint filter
- Added AUTHORS, LICENSE and doc files

-------------------------------------------------------------------
Wed Feb  9 03:37:29 UTC 2011 - alexandre@exatati.com.br

- Update to 1.2.5:
  - This is a security update that fixes:
    - Flaw in CSRF handling;
    - Potential XSS in file field rendering.

-------------------------------------------------------------------
Thu Dec 23 10:20:03 UTC 2010 - alexandre@exatati.com.br

- Update to 1.2.4:
  - Information leakage in Django administrative interface;
  - Denial-of-service attack in password-reset mechanism.
- This is a mandatory security update.

-------------------------------------------------------------------
Sat Sep 11 11:46:41 UTC 2010 - alexandre@exatati.com.br

- Update to 1.2.3:
  - The patch applied for the security issue covered in Django
    1.2.2 caused issues with non-ASCII responses using CSRF
    tokens. This has been remedied;
  - The patch also caused issues with some forms, most notably
    the user-editing forms in the Django administrative interface.
    This has been remedied.
  - The packaging manifest did not contain the full list of
    required files. This has been remedied.

-------------------------------------------------------------------
Thu Sep  9 01:06:43 UTC 2010 - alexandre@exatati.com.br

- Update to 1.2.2.
- This is a critical security update fixing a default XSS bug!

-------------------------------------------------------------------
Fri Jul  9 11:27:26 UTC 2010 - jfunk@funktronics.ca

- Added patch to fix upstream bug 5622: Empty ipaddress raises an error

-------------------------------------------------------------------
Mon May 17 21:14:11 UTC 2010 - alexandre@exatati.com.br

- Update to 1.2.1.

-------------------------------------------------------------------
Mon May 17 18:35:20 UTC 2010 - alexandre@exatati.com.br

- Update to 1.2.

-------------------------------------------------------------------
Thu May  6 13:46:03 UTC 2010 - alexandre@exatati.com.br

- Update to 1.2-rc-1.

-------------------------------------------------------------------
Mon Apr  5 02:21:44 UTC 2010 - alexandre@exatati.com.br

- Spec file cleaned with spec-cleaner;
- Minor manual adjustments to the spec file.

-------------------------------------------------------------------
Thu Mar 18 17:47:12 UTC 2010 - alexandre@exatati.com.br

- Moved autocomplete file path from /etc/profile.d to
  /etc/bash_completion.d. Then it works with konsole too.

-------------------------------------------------------------------
Mon Mar 15 01:53:50 UTC 2010 - alexandre@exatati.com.br

- Update to 1.2-beta-1;
- Using -q option on prep section of spec file;
- Using INSTALLED_FILES instead of declaring files;
- Removed dummy changelog section of spec file;
- Update completion bash patch.

-------------------------------------------------------------------
Sun Oct 11 07:51:32 UTC 2009 - nix@opensuse.org

- Update to 1.1.1 due to security issue described at
  http://www.djangoproject.com/weblog/2009/oct/09/security/

-------------------------------------------------------------------
Sat Oct 10 12:18:31 UTC 2009 - alexandre@exatati.com.br

- Removed old tarball file (Django-1.1.tar.bz2).

-------------------------------------------------------------------
Tue Aug 25 12:23:09 CEST 2009 - garloff@suse.de

- Fix python version check. 

-------------------------------------------------------------------
Sat Aug 22 13:39:35 CEST 2009 - garloff@suse.de

- Don't require python-sqlite2 for python >= 2.6.

-------------------------------------------------------------------
Fri Aug 21 11:38:03 CEST 2009 - garloff@suse.de

- Build as noarch on factory. 

-------------------------------------------------------------------
Wed Aug 19 17:40:46 CEST 2009 - poeml@suse.de

- don't run bash completion on shells other than bash. Avoiding
  error messages produced at login when using other shells.

-------------------------------------------------------------------
Fri Aug 14 18:05:42 UTC 2009 - alexandre@exatati.com.br

- Added bash auto-complete to openSUSE.

-------------------------------------------------------------------
Wed Jul 29 00:00:00 CEST 2009 - listuser@peternixon.net

- update to version 1.1
- add python-django-rpmlintrc to quiet rpmlint complaints about -lang

-------------------------------------------------------------------
Wed Jul  1 19:04:26 CEST 2009 - poeml@suse.de

- add python-xml to the Requires (./manage.py syncdb crashes
  otherwise)

-------------------------------------------------------------------
Sat Sep 13 00:00:00 UTC 2008 - listuser@peternixon.net

- update to version 1.0
- Fix build on SLES9

-------------------------------------------------------------------
Thu Sep  4 10:40:58 CEST 2008 - crrodriguez@suse.de

- update to version 1.0 final 

-------------------------------------------------------------------
Wed May 14 00:00:00 UTC 2008 - listuser@peternixon.net

- update to version 0.96.2

-------------------------------------------------------------------
Thu Feb 21 00:00:00 UTC 2008 - jfunk@funktronics.ca

- The way simplejson is included in this package is not useful to other
  packages. Removed from provides

-------------------------------------------------------------------
Fri Oct 26 20:20:08 UTC 2007 - crrodriguez@suse.de

- version 0.96.1 fixes D.o.S attack in the i18n module

-------------------------------------------------------------------
Fri Mar 23 00:00:00 UTC 2007 - crrodriguez@suse.de

- update to version 0.96
  see http://www.djangoproject.com/documentation/release_notes_0.96 for details
- this package provides python-simplejson too.
