File python-django.changes of Package python-django.openSUSE_13.1_Update

-------------------------------------------------------------------
Wed Nov 18 09:40:55 UTC 2015 - bwiedemann@suse.com

- add 0010-1.5.x-Fixed-a-settings-leak-possibility-in-the-date-.patch
  to prevent settings leak in date template filter (bnc#955412, CVE-2015-8213)

-------------------------------------------------------------------
Mon Oct 12 12:49:26 UTC 2015 - bwiedemann@suse.com

- add 0009-1.5.x-Prevented-newlines-from-being-accepted-in-some.patch
  to prevent Header injection possibility (bnc#937523, CVE-2015-5144)
- add 0008-1.5.x-Fixed-19324-Avoided-creating-a-session-record-.patch
  to prevent Denial-of-service possibility by filling session store
  (bnc#937522, CVE-2015-5143)

-------------------------------------------------------------------
Wed Sep  9 11:12:40 UTC 2015 - bwiedemann@suse.com

- Add 0007-1.6.x-Fixed-DoS-possiblity-in-contrib.auth.views.log.patch
  (bnc#941587, CVE-2015-5963)

-------------------------------------------------------------------
Fri Mar 20 12:56:53 UTC 2015 - bwiedemann@suse.com

- Made is_safe_url() reject URLs that start with control characters
  to mitigate possible XSS attack via user-supplied redirect URLs
  (bnc#923176, CVE-2015-2317)
  + Add 0006-1.5.x-Made-is_safe_url-reject-URLs-that-start-with-c.patch

-------------------------------------------------------------------
Wed Jan 28 16:21:41 UTC 2015 - mjura@suse.com

- Method check_for_test_cookie is deprecated, bnc#914706
  + Add 0005-1.6.x-Method-check_for_test_cookie-is-deprecated.patch

-------------------------------------------------------------------
Fri Jan 23 08:41:48 UTC 2015 - bwiedemann@suse.com

- security fix backports
  add 0001-1.5.x-Stripped-headers-containing-underscores-to-pre.patch (bnc#913053, CVE-2015-0219)
  add 0002-1.5.x-Fixed-is_safe_url-to-handle-leading-whitespace.patch (bnc#913054, CVE-2015-0220)
  add 0003-1.5.x-Prevented-views.static.serve-from-using-large-.patch (bnc#913056, CVE-2015-0221)
  add 0004-1.5.x-Fixed-DoS-possibility-in-ModelMultipleChoiceFi.patch (bnc#913055, CVE-2015-0222)

-------------------------------------------------------------------
Wed Jan 21 09:57:12 UTC 2015 - bwiedemann@suse.com

- Update to version 1.5.12:
  + Fixed a regression with dynamically generated inlines and allowed field
    references in the admin
  + Allowed related many-to-many fields to be referenced in the admin
  + Allowed inline and hidden references to admin fields

-------------------------------------------------------------------
Wed Sep  3 12:15:52 UTC 2014 - bwiedemann@suse.com

- Update to version 1.5.10:
  + Prevented reverse() from generating URLs pointing to other hosts
    to prevent phishing attacks (bnc#893087, CVE-2014-0480)
  + Removed O(n) algorithm when uploading duplicate file names
    to fix file upload denial of service (bnc#893088, CVE-2014-0481)
  + Modified RemoteUserMiddleware to log out on REMOTE_USER change
    to prevent session hijacking (bnc#893089, CVE-2014-0482)
  + Prevented data leakage in contrib.admin via query string manipulation
    (bnc#893090, CVE-2014-0483)

-------------------------------------------------------------------
Mon May 26 07:22:53 UTC 2014 - bwiedemann@suse.com

- Update to version 1.5.8:
  + Fixed: Caches may incorrectly be allowed to store and serve private data
    (bnc#877993, CVE-2014-1418)
  + Fixed: Malformed redirect URLs from user input not correctly validated
    (bnc#878641, CVE-2014-3730)
  + Fixed queries that may return unexpected results on MySQL
    due to typecasting (bnc#874956, CVE-2014-0474)
  + Prevented leaking the CSRF token through caching
    (bnc#874955, CVE-2014-0473)
  + Fixed a remote code execution vulnerability in URL reversing
    (bnc#874950, CVE-2014-0472)

-------------------------------------------------------------------
Thu Oct 31 14:14:58 UTC 2013 - mcihar@suse.cz

- Update to version 1.5.5:
  + Readdressed denial-of-service via password hashers
  + Properly rotate CSRF token on login

-------------------------------------------------------------------
Tue Sep 17 12:37:53 UTC 2013 - speilicke@suse.com

- Update to version 1.5.4:
  + Fixed denial-of-service via large passwords
- Changes from version 1.5.3:
  + Fixed directory traversal with ssi template tag

-------------------------------------------------------------------
Wed Aug 14 05:49:54 UTC 2013 - alexandre@exatati.com.br

- Update to 1.5.2:
  - Security release, please check release notes for details:
    https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued

-------------------------------------------------------------------
Thu Mar 28 23:27:01 UTC 2013 - alexandre@exatati.com.br

- Update to 1.5.1:
   - Memory leak fix, please read release announcement at
     https://www.djangoproject.com/weblog/2013/mar/28/django-151.

-------------------------------------------------------------------
Tue Feb 26 19:49:02 UTC 2013 - alexandre@exatati.com.br

- Update to 1.5:
  - Please read the release notes
    https://docs.djangoproject.com/en/1.5/releases/1.5

-------------------------------------------------------------------
Tue Dec 11 12:27:50 UTC 2012 - alexandre@exatati.com.br

- Update to 1.4.3:
  - Security release:
    - Host header poisoning
    - Redirect poisoning
  - Please check release notes for details:
    https://www.djangoproject.com/weblog/2012/dec/10/security

-------------------------------------------------------------------
Sat Oct 20 13:41:10 UTC 2012 - saschpe@suse.de

- Add a symlink from /usr/bin/django-admin.py to /usr/bin/django-admin

-------------------------------------------------------------------
Wed Oct 17 22:51:36 UTC 2012 - alexandre@exatati.com.br

- Update to 1.4.2:
  - Security release:
    - Host header poisoning
  - Please check release notes for details:
    https://www.djangoproject.com/weblog/2012/oct/17/security

-------------------------------------------------------------------
Mon Jul 30 21:38:31 UTC 2012 - alexandre@exatati.com.br

- Update to 1.4.1:
  - Security release:
    - Cross-site scripting in authentication views
    - Denial-of-service in image validation
    - Denial-of-service via get_image_dimensions()
  - Please check release notes for details:
    https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued

-------------------------------------------------------------------
Tue Jun 19 11:27:33 UTC 2012 - saschpe@suse.de

- Add patch to support CSRF_COOKIE_HTTPONLY config

-------------------------------------------------------------------
Fri Mar 23 18:39:40 UTC 2012 - alexandre@exatati.com.br

- Update to 1.4:
  - Please read the release notes
    https://docs.djangoproject.com/en/dev/releases/1.4
- Removed Patch2, it was merged upstream.

-------------------------------------------------------------------
Thu Nov 24 12:30:40 UTC 2011 - saschpe@suse.de

- Set license to SPDX style (BSD-3-Clause)
- Package AUTHORS, LICENSE and README files
- No CFLAGS for noarch package
- Drop runtime dependency on gettext-tools

-------------------------------------------------------------------
Sat Sep 10 12:05:07 UTC 2011 - alexandre@exatati.com.br

- Update to 1.3.1 to fix security issues, please read
  https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued.

-------------------------------------------------------------------
Thu Mar 31 15:09:16 UTC 2011 - alexandre@exatati.com.br

- Fix build on SLES_9.

-------------------------------------------------------------------
Wed Mar 23 11:39:53 UTC 2011 - alexandre@exatati.com.br

- Update to 1.3 final;
- Refresh patch empty-ip-2.diff.

-------------------------------------------------------------------
Fri Mar 18 03:45:45 UTC 2011 - alexandre@exatati.com.br

- Update to 1.3-rc1;
- Regenerated spec file with py2pack;
- No more need to fix wrong line endings;
- Refresh patch empty-ip-2.diff with -p0.

-------------------------------------------------------------------
Thu Mar  3 09:32:52 UTC 2011 - saschpe@suse.de

- Spec file cleanup:
  * Removed empty lines, package authors from description
  * Cleanup duplicates
  * Corrected wrong file endings
  * Added zero-length rpmlint filter
- Added AUTHORS, LICENSE and doc files

-------------------------------------------------------------------
Wed Feb  9 03:37:29 UTC 2011 - alexandre@exatati.com.br

- Update to 1.2.5:
  - This is a security update that fixes:
    - Flaw in CSRF handling;
    - Potential XSS in file field rendering.

-------------------------------------------------------------------
Thu Dec 23 10:20:03 UTC 2010 - alexandre@exatati.com.br

- Update to 1.2.4:
  - Information leakage in Django administrative interface;
  - Denial-of-service attack in password-reset mechanism.
- This is a mandatory security update.

-------------------------------------------------------------------
Sat Sep 11 11:46:41 UTC 2010 - alexandre@exatati.com.br

- Update to 1.2.3:
  - The patch applied for the security issue covered in Django
    1.2.2 caused issues with non-ASCII responses using CSRF
    tokens. This has been remedied;
  - The patch also caused issues with some forms, most notably
    the user-editing forms in the Django administrative interface.
    This has been remedied.
  - The packaging manifest did not contain the full list of
    required files. This has been remedied.

-------------------------------------------------------------------
Thu Sep  9 01:06:43 UTC 2010 - alexandre@exatati.com.br

- Update to 1.2.2.
- This is a critical security update fixing a default XSS bug!

-------------------------------------------------------------------
Fri Jul  9 11:27:26 UTC 2010 - jfunk@funktronics.ca

- Added patch to fix upstream bug 5622: Empty ipaddress raises an error

-------------------------------------------------------------------
Mon May 17 21:14:11 UTC 2010 - alexandre@exatati.com.br

- Update to 1.2.1.

-------------------------------------------------------------------
Mon May 17 18:35:20 UTC 2010 - alexandre@exatati.com.br

- Update to 1.2.

-------------------------------------------------------------------
Thu May  6 13:46:03 UTC 2010 - alexandre@exatati.com.br

- Update to 1.2-rc-1.

-------------------------------------------------------------------
Mon Apr  5 02:21:44 UTC 2010 - alexandre@exatati.com.br

- Spec file cleaned with spec-cleaner;
- Minor manual adjustments to spec file.

-------------------------------------------------------------------
Thu Mar 18 17:47:12 UTC 2010 - alexandre@exatati.com.br

- Moved autocomplete file path from /etc/profile.d to
  /etc/bash_completion.d. Then it works with konsole too.

-------------------------------------------------------------------
Mon Mar 15 01:53:50 UTC 2010 - alexandre@exatati.com.br

- Update to 1.2-beta-1;
- Using -q option on prep section of spec file;
- Using INSTALLED_FILES instead of declaring files;
- Removed dummy changelog section of spec file;
- Update completion bash patch.

-------------------------------------------------------------------
Sun Oct 11 07:51:32 UTC 2009 - nix@opensuse.org

- Update to 1.1.1 due to security issue described at
  http://www.djangoproject.com/weblog/2009/oct/09/security/

-------------------------------------------------------------------
Sat Oct 10 12:18:31 UTC 2009 - alexandre@exatati.com.br

- Removed old tarball file (Django-1.1.tar.bz2).

-------------------------------------------------------------------
Tue Aug 25 12:23:09 CEST 2009 - garloff@suse.de

- Fix python version check. 

-------------------------------------------------------------------
Sat Aug 22 13:39:35 CEST 2009 - garloff@suse.de

- Don't require python-sqlite2 for python >= 2.6.

-------------------------------------------------------------------
Fri Aug 21 11:38:03 CEST 2009 - garloff@suse.de

- Build as noarch on factory. 

-------------------------------------------------------------------
Wed Aug 19 17:40:46 CEST 2009 - poeml@suse.de

- don't run bash completion on shells other than bash. Avoiding
  error messages produced at login when using other shells.

-------------------------------------------------------------------
Fri Aug 14 18:05:42 UTC 2009 - alexandre@exatati.com.br

- Added bash auto-complete to openSUSE.

-------------------------------------------------------------------
Wed Jul 29 00:00:00 CEST 2009 - listuser@peternixon.net

- update to version 1.1
- add python-django-rpmlintrc to quiet rpmlint complaints about -lang

-------------------------------------------------------------------
Wed Jul  1 19:04:26 CEST 2009 - poeml@suse.de

- add python-xml to the Requires (./manage.py syncdb crashes
  otherwise)

-------------------------------------------------------------------
Sat Sep 13 00:00:00 UTC 2008 - listuser@peternixon.net

- update to version 1.0
- Fix build on SLES9

-------------------------------------------------------------------
Thu Sep  4 10:40:58 CEST 2008 - crrodriguez@suse.de

- update to version 1.0 final 

-------------------------------------------------------------------
Wed May 14 00:00:00 UTC 2008 - listuser@peternixon.net

- update to version 0.96.2

-------------------------------------------------------------------
Thu Feb 21 00:00:00 UTC 2008 - jfunk@funktronics.ca

- The way simplejson is included in this package is not useful to other
  packages. Removed from provides

-------------------------------------------------------------------
Fri Oct 26 20:20:08 UTC 2007 - crrodriguez@suse.de

- version 0.96.1 fixes DoS attack in the i18n module

-------------------------------------------------------------------
Fri Mar 23 00:00:00 UTC 2007 - crrodriguez@suse.de

- update to version 0.96
  see http://www.djangoproject.com/documentation/release_notes_0.96 for details
- this package provides python-simplejson too.
