File project.diff of Package python-Django1
--- CVE-2023-24580-DOS_file_upload.patch.orig
+++ CVE-2023-24580-DOS_file_upload.patch
@@ -70,7 +70,7 @@ Thanks to Jakob Ackermann for the report
request._mark_post_parse_error()
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
-@@ -14,6 +14,7 @@ import sys
+@@ -15,6 +15,7 @@ import sys
from django.conf import settings
from django.core.exceptions import (
RequestDataTooBig, SuspiciousMultipartForm, TooManyFieldsSent,
@@ -172,7 +172,7 @@ Thanks to Jakob Ackermann for the report
# This is a file, use the handler...
file_name = disposition.get('filename')
if file_name:
-@@ -273,8 +308,13 @@ class MultiPartParser(object):
+@@ -275,8 +310,13 @@ class MultiPartParser(object):
# Handle file upload completions on next iteration.
old_field_name = field_name
else:
@@ -379,4 +379,4 @@ Thanks to Jakob Ackermann for the report
+
class DataUploadMaxNumberOfFieldsFormPost(SimpleTestCase):
def setUp(self):
- payload = FakePayload("\r\n".join(['a=1&a=2;a=3', '']))
+ payload = FakePayload("\r\n".join(['a=1&a=2&a=3', '']))
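Review bot: The payload in `DataUploadMaxNumberOfFieldsFormPost.setUp` changes from `'a=1&a=2;a=3'` to `'a=1&a=2&a=3'`, which alters what the backported upstream test exercises, and nothing in this diff records why. The likely reason is that CVE-2021-23336.patch, added in the same update, stops treating `;` as a form-field separator, so the old payload would parse as two fields rather than three and the field-count limit under test would no longer trip — that is inferred, not visible here, so confirm it against that patch. Recording it next to the payload, e.g. `# '&' only: CVE-2021-23336.patch no longer splits fields on ';'`, and noting in the python-Django1.changes entry that CVE-2023-24580-DOS_file_upload.patch, CVE-2023-43665.patch and CVE-2024-27351.patch were refreshed (the entry lists only the new patches) would save the next rebase from re-deriving it. The test class continues outside the hunk.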
--- CVE-2023-43665.patch.orig
+++ CVE-2023-43665.patch
@@ -2,7 +2,7 @@ Index: Django-1.11.29/django/utils/text.
===================================================================
--- Django-1.11.29.orig/django/utils/text.py
+++ Django-1.11.29/django/utils/text.py
-@@ -70,7 +70,14 @@ def wrap(text, width):
+@@ -71,7 +71,14 @@ def wrap(text, width):
class Truncator(SimpleLazyObject):
"""
An object used to truncate text, either by characters or words.
@@ -17,7 +17,7 @@ Index: Django-1.11.29/django/utils/text.
def __init__(self, text):
super(Truncator, self).__init__(lambda: force_text(text))
-@@ -171,6 +178,11 @@ class Truncator(SimpleLazyObject):
+@@ -172,6 +179,11 @@ class Truncator(SimpleLazyObject):
if words and length <= 0:
return ''
@@ -29,7 +29,7 @@ Index: Django-1.11.29/django/utils/text.
html4_singlets = (
'br', 'col', 'link', 'base', 'img',
'param', 'area', 'hr', 'input'
-@@ -220,10 +232,14 @@ class Truncator(SimpleLazyObject):
+@@ -221,10 +233,14 @@ class Truncator(SimpleLazyObject):
# Add it to the start of the open tags list
open_tags.insert(0, tagname)
@@ -55,9 +55,9 @@ Index: Django-1.11.29/tests/utils_tests/
import json
+from unittest.mock import patch
+ from django.core.exceptions import SuspiciousFileOperation
from django.test import SimpleTestCase
- from django.utils import six, text
-@@ -98,6 +99,23 @@ class TestUtilsText(SimpleTestCase):
+@@ -99,6 +100,23 @@ class TestUtilsText(SimpleTestCase):
truncator = text.Truncator(value)
self.assertEqual(expected if expected else value, truncator.chars(10, html=True))
@@ -81,7 +81,7 @@ Index: Django-1.11.29/tests/utils_tests/
def test_truncate_words(self):
truncator = text.Truncator('The quick brown fox jumped over the lazy dog.')
self.assertEqual('The quick brown fox jumped over the lazy dog.', truncator.words(10))
-@@ -107,6 +125,26 @@ class TestUtilsText(SimpleTestCase):
+@@ -108,6 +126,26 @@ class TestUtilsText(SimpleTestCase):
truncator = text.Truncator(lazystr('The quick brown fox jumped over the lazy dog.'))
self.assertEqual('The quick brown fox...', truncator.words(4))
--- CVE-2024-27351.patch.orig
+++ CVE-2024-27351.patch
@@ -1,8 +1,8 @@
-diff --git a/django/utils/text.py b/django/utils/text.py
-index f221747..dbf07cf 100644
+Index: Django-1.11.29/django/utils/text.py
+===================================================================
--- Django-1.11.29.orig/django/utils/text.py
+++ Django-1.11.29/django/utils/text.py
-@@ -26,8 +26,64 @@ def capfirst(x):
+@@ -27,8 +27,64 @@ def capfirst(x):
return x and force_text(x)[0].upper() + force_text(x)[1:]
@@ -69,11 +69,11 @@ index f221747..dbf07cf 100644
re_chars = re.compile(r'<[^>]+?>|(.)', re.S)
re_tag = re.compile(r'<(/)?(\S+?)(?:(\s*/)|\s.*?)?>', re.S)
re_newlines = re.compile(r'\r\n|\r') # Used in normalize_newlines
-diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py
-index bfc1b4e..df4c2fb 100644
+Index: Django-1.11.29/tests/utils_tests/test_text.py
+===================================================================
--- Django-1.11.29.orig/tests/utils_tests/test_text.py
+++ Django-1.11.29/tests/utils_tests/test_text.py
-@@ -158,6 +158,32 @@ class TestUtilsText(SimpleTestCase):
+@@ -197,6 +197,32 @@ class TestUtilsText(SimpleTestCase):
truncator = text.Truncator(value)
self.assertEqual(value, truncator.words(50, html=True))
--- python-Django1.changes.orig
+++ python-Django1.changes
@@ -1,4 +1,25 @@
-------------------------------------------------------------------
+Thu Jul 11 16:39:04 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- add CVE-2020-13254.patch
+ CVE-2020-13596.patch
+ CVE-2021-23336.patch
+ CVE-2021-28658.patch
+ CVE-2021-31542.patch
+ CVE-2021-3281.patch
+ CVE-2021-33203.patch
+ CVE-2021-33571.patch
+ CVE-2021-45115.patch
+ CVE-2021-45116.patch
+ CVE-2021-45452.patch
+ CVE-2022-22818.patch
+ CVE-2022-23833.patch
+ CVE-2022-28346.patch
+ CVE-2022-34265.patch
+ CVE-2023-41164.patch
+ CVE-2024-24680.patch
+
+-------------------------------------------------------------------
Thu Feb 29 16:06:26 UTC 2024 - Alberto Planas Dominguez <aplanas@suse.com>
- Add CVE-2024-27351.patch patch (CVE-2024-27351, bsc#1220358)
@@ -50,7 +71,7 @@ Wed Jan 15 14:55:09 UTC 2020 - Ondřej S
-------------------------------------------------------------------
Sun Dec 29 11:00:47 UTC 2019 - Ondřej Súkup <mimi.vx@gmail.com>
-- Update to 1.11.27
+- Update to 1.11.27
* CVE-2019-19844: Potential account hijack via password reset form (bsc#1159447)
* Fixed a data loss possibility in SplitArrayField.
@@ -147,7 +168,7 @@ Mon Dec 10 13:54:41 UTC 2018 - Ondřej S
- Update to 1.11.17
* Prevented repetitive calls to geos_version_tuple() in the WKBWriter class
- in an attempt to fix a random crash involving LooseVersion
+ in an attempt to fix a random crash involving LooseVersion
* Fixed a race condition in QuerySet.update_or_create() that could result
in data loss
@@ -600,8 +621,8 @@ Tue Apr 4 14:38:13 UTC 2017 - appleonke
- Update to 1.10.7
Bugfixes
- * Made admin’s RelatedFieldWidgetWrapper use the wrapped widget’s
- value_omitted_from_data() method (#27905)
+ * Made admin’s RelatedFieldWidgetWrapper use the wrapped widget’s
+ value_omitted_from_data() method (#27905)
* Fixed model form default fallback for SelectMultiple (#27993)
-------------------------------------------------------------------
@@ -609,15 +630,15 @@ Wed Mar 1 14:24:17 UTC 2017 - appleonke
- Update to 1.10.6
Bugfixes
- * Fixed ClearableFileInput’s “Clear” checkbox on model form fields where the
- model field has a default
- * Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing rather than
+ * Fixed ClearableFileInput’s “Clear” checkbox on model form fields where the
+ model field has a default
+ * Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing rather than
generating a bad request response
- * Fixed a crash on Oracle and PostgreSQL when subtracting DurationField or
- IntegerField from DateField
- * Fixed query expression date subtraction accuracy on PostgreSQL for differences
+ * Fixed a crash on Oracle and PostgreSQL when subtracting DurationField or
+ IntegerField from DateField
+ * Fixed query expression date subtraction accuracy on PostgreSQL for differences
large an a month
- * Fixed a GDALException raised by GDALClose on GDAL >= 2.0
+ * Fixed a GDALException raised by GDALClose on GDAL >= 2.0
-------------------------------------------------------------------
Tue Jan 31 14:00:11 UTC 2017 - michal@cihar.com
@@ -633,8 +654,8 @@ Fri Dec 2 10:17:25 UTC 2016 - appleonke
- Update to 1.9.12
Bugfixes
- * Quoted the Oracle test user’s password in queries to fix the “ORA-00922: missing
- or invalid option” error when the password starts with a number or
+ * Quoted the Oracle test user’s password in queries to fix the “ORA-00922: missing
+ or invalid option” error when the password starts with a number or
special character (#27420)
* DNS rebinding vulnerability when DEBUG=True
* CSRF protection bypass on a site with Google Analytics
@@ -643,7 +664,7 @@ Fri Dec 2 10:17:25 UTC 2016 - appleonke
Sat Sep 24 16:42:55 UTC 2016 - sbahling@suse.com
- Change Requires: python-Pillow to python-imaging for compatibility
- with SLE-12 which provides PIL instead of Pillow.
+ with SLE-12 which provides PIL instead of Pillow.
-------------------------------------------------------------------
Tue Aug 9 09:11:24 UTC 2016 - aplanas@suse.com
@@ -693,7 +714,7 @@ Tue May 3 08:23:48 UTC 2016 - aplanas@s
Bugfixes
* Added support for relative path redirects to the test client and
to SimpleTestCase.assertRedirects() because Django 1.9 no longer
- converts redirects to absolute URIs (#26428).
+ converts redirects to absolute URIs (#26428).
* Fixed TimeField microseconds round-tripping on MySQL and SQLite
(#26498).
* Prevented makemigrations from generating infinite migrations for a
@@ -706,7 +727,7 @@ Tue May 3 08:23:48 UTC 2016 - aplanas@s
of GenericIPAddressField on SQLite and MySQL (#26557).
* Fixed a makemessages regression where temporary .py extensions
were leaked in source file paths (#26341).
-
+
-------------------------------------------------------------------
Sun May 1 12:29:52 UTC 2016 - michael@stroeder.com
@@ -803,12 +824,12 @@ Wed Jan 27 15:25:25 UTC 2016 - aplanas@s
(#25894).
* ...
* https://docs.djangoproject.com/en/1.9/releases/1.9.1/
-
+
-------------------------------------------------------------------
Wed Dec 2 15:14:05 UTC 2015 - aplanas@suse.com
- update to 1.9 (CVE-2016-7401, CVE-2015-8213)
- * https://docs.djangoproject.com/en/1.9/releases/1.9/
+ * https://docs.djangoproject.com/en/1.9/releases/1.9/
* Performing actions after a transaction commit
* Password validation
* Permission mixins for class-based views
@@ -963,12 +984,12 @@ Wed Jan 14 07:57:46 UTC 2015 - mcihar@su
affect users who have subclassed
django.contrib.auth.hashers.PBKDF2PasswordHasher to change the default
value.
- * Fixed a crash in the CSRF middleware when handling non-ASCII referer
+ * Fixed a crash in the CSRF middleware when handling non-ASCII referer
header (#23815).
- * Fixed a crash in the django.contrib.auth.redirect_to_login view when
+ * Fixed a crash in the django.contrib.auth.redirect_to_login view when
passing a reverse_lazy() result on Python 3 (#24097).
* Added correct formats for Greek (el) (#23967).
- * Fixed a migration crash when unapplying a migration where multiple
+ * Fixed a migration crash when unapplying a migration where multiple
operations interact with the same model (#24110).
-------------------------------------------------------------------
--- python-Django1.spec.orig
+++ python-Django1.spec
@@ -34,20 +34,37 @@ Source99: python-Django1-rpmlintrc
Patch0: django-sqlite-326.patch
# PATCH-FIX-OPENSUSE bmwiedemann -- fix tests after 2028 - merged in Django master only
Patch2: fix2028.patch
+Patch3: CVE-2020-13596.patch
+Patch4: CVE-2020-13254.patch
+Patch5: CVE-2021-3281.patch
+Patch6: CVE-2021-23336.patch
+Patch7: CVE-2021-28658.patch
+Patch8: CVE-2021-31542.patch
# PATCH-FIX-UPSTREAM CVE_2021_32052.patch
-Patch3: CVE_2021_32052.patch
+Patch9: CVE_2021_32052.patch
+Patch10: CVE-2021-33203.patch
+Patch11: CVE-2021-33571.patch
+Patch12: CVE-2021-45116.patch
+Patch13: CVE-2021-45115.patch
+Patch14: CVE-2021-45452.patch
+Patch15: CVE-2022-22818.patch
+Patch16: CVE-2022-23833.patch
+Patch17: CVE-2022-28346.patch
+Patch18: CVE-2022-34265.patch
# PATCH-FIX-UPSTREAM CVE-2023-24580-DOS_file_upload.patch bsc#1208082 mcepl@suse.com
# prevent DOS in file uploads
-Patch4: CVE-2023-24580-DOS_file_upload.patch
+Patch19: CVE-2023-24580-DOS_file_upload.patch
# PATCH-FIX-SLE test_custom_fields.patch mcepl@suse.com
# to make inspectdb.tests.InspectDBTestCase.test_custom_fields pass
-Patch5: test_custom_fields.patch
+Patch20: test_custom_fields.patch
# PATCH-FIX-UPSTREAM fix-cve-2023-36053.patch bsc#1212742
-Patch6: fix-cve-2023-36053.patch
+Patch21: fix-cve-2023-36053.patch
+Patch22: CVE-2023-41164.patch
# PATCH-FIX-UPSTREAM CVE-2023-43665.patch bsc#1215978
-Patch7: CVE-2023-43665.patch
+Patch23: CVE-2023-43665.patch
+Patch24: CVE-2024-24680.patch
# PATCH-FIX-UPSTREAM CVE-2024-27351.patch bsc#1220358
-Patch8: CVE-2024-27351.patch
+Patch25: CVE-2024-27351.patch
BuildRequires: %{python_module Jinja2 >= 2.9.2}
BuildRequires: %{python_module Pillow}
BuildRequires: %{python_module PyYAML}
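Review bot: The seventeen new `PatchN:` lines carry none of the `# PATCH-FIX-UPSTREAM <file> bsc#<id>` comments that the surrounding entries use, so the provenance of each security backport (upstream commit, tracker id) is not recorded in the spec; one comment per patch in the existing form, e.g. `# PATCH-FIX-UPSTREAM CVE-2020-13254.patch bsc#<BUG-ID>` above `Patch4:`, keeps the file self-describing. Renumbering the pre-existing patches (Patch3→Patch9, Patch4→Patch19, Patch5→Patch20, Patch6→Patch21, Patch7→Patch23, Patch8→Patch25) is only safe unchanged if `%prep` applies them with `%autosetup`/`%autopatch`; if it lists explicit `%patchN` lines, each of those must be updated in step — `%prep` is outside this hunk, so that cannot be confirmed here. Minor: `Patch3`/`Patch4` and `Patch12`/`Patch13` are out of CVE-number order relative to the rest of the list, which makes the sequence harder to audit against the changelog.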