2009
python-django (1.0.2-1+lenny2) stable-security; urgency=high
* Add patch to fix remote denial of service by exploiting pathological
performance of regular expressions (Closes: #550457)
Upstream writes:
SECURITY ALERT: Corrected regular expressions for URL and email fields.
Certain email addresses/URLs could trigger a catastrophic backtracking
situation, causing 100% CPU and server overload. If deliberately triggered, this
could be the basis of a denial-of-service attack.
<http://www.djangoproject.com/weblog/2009/oct/09/security/>;
-- Chris Lamb <lamby@debian.org> Sat, 10 Oct 2009 10:33:24 +0100
python-django (1.0.2-1+lenny1) stable-proposed-updates; urgency=low
* Add patch to fix issue with a maliciously crafted URL gaining access to
any file on the filesystem (Closes: #539134)
Upstream writes:
Django includes a lightweight, WSGI-based web server for use in
learning Django and in testing new applications during early stages of
development. For sake of convenience, this web server automatically
maps certain URLs corresponding to the static media files used by the
Django administrative application.
The handler which maps these URLs did not properly check the requested
URL to verify that it corresponds to a static media file used by
Django. As such, a carefully-crafted URL can cause the development
server to serve any file to which it has read access.
<http://www.djangoproject.com/weblog/2009/jul/28/security/>;
-- Chris Lamb <lamby@debian.org> Thu, 30 Jul 2009 17:43:56 +0200
2008
python-django (1.0.2-1) unstable; urgency=low
[ Chris Lamb ] * New upstream bugfix release. Closes: #505783 * Add myself to Uploaders with ACK from Brett. [ David Spreen ] * Remove python-pysqlite2 from Recommends because Python 2.5 includes sqlite library used by Django. Closes: 497886 [ Sandro Tosi ] * debian/control - switch Vcs-Browser field to viewsvn
-- Chris Lamb <lamby@debian.org> Wed, 19 Nov 2008 21:31:00 +0000
python-django (1.0-1) unstable; urgency=low
[ David Spreen ]
* New _stable_ upstream release.
[ Raphael Hertzog ]
* This version fixes the latest security issue:
http://www.djangoproject.com/weblog/2008/sep/02/security/
Closes: #497765
* Don't include source files of documentation in the binary package,
keep only the HTML version.
* Updated README.Debian with information about the switch from 0.96 to
1.0.
* Remove execute right on /etc/bash_completion.d/django_bash_completion
* Add debian/patches/04_hyphen-manpage.diff to fix a lintian message
(hyphen-used-as-minus-sign usr/share/man/man1/django-admin.1.gz:156).
* Don't compress javascript files.
* Add libjs-jquery to Recommends since it's used by the HTML
documentation.
-- Raphael Hertzog <hertzog@debian.org> Thu, 04 Sep 2008 08:33:32 +0200
python-django (1.0~beta2+ds-1) unstable; urgency=low
* Bumping up upstream version to push sources into unstable.
(Thanks to Raphael Hertzog).
-- David Spreen <netzwurm@debian.org> Sat, 30 Aug 2008 20:56:09 -0700
python-django (1.0~beta2-3) unstable; urgency=low
[ David Spreen ]
* Updated the copyright information to include copyright and
licenses for individual contributions.
* Added the documentation to the main python-django package:
* debian/python-django.install
- Added installation of html documentation.
* debian/python-django.doc-base
- Added.
* debian/control
- Added Build-Depends-Indep on python-sphinx and libjs-jquery.
* debian/rules
- Readded code to build documentation.
- Readded code to link to libjs-jquery.
* debian/NEWS
- Fixed format.
- Added more comprehensive list of changes and references to
local documentation as well as the wiki pages for
backwards-incompatible changes.
* debian/python-django.docs
- Removed docs/*.txt since those are templates for the
generated docs now included with doc-base.
-- David Spreen <netzwurm@debian.org> Fri, 29 Aug 2008 09:20:45 -0700
python-django (1.0~beta2-2) unstable; urgency=low
[ David Spreen ]
* Removed all -doc related files temporarily to push beta2 into
unstable for extensive testing. The -doc package will be
readded once this package is in unstable as recommended in
http://lists.debian.org/debian-release/2008/08/msg01475.html.
* debian/python-django-doc.install
- Removed.
* debian/python-django-doc.doc-base
- Removed.
* debian/python-django-doc.examples
- Moved to python-django.examples.
* debian/rules
- Removed python-doc related build and post-installation.
* debian/control
- Removed binary package python-django-doc.
- Removed Build-Depends-Indep on python-sphinx and libjs-jquery.
* debian/python-django.install:
- Removed multiple package related issues.
-- David Spreen <netzwurm@debian.org> Thu, 28 Aug 2008 20:15:21 -0700
python-django (1.0~beta2-1) experimental; urgency=low
[ David Spreen ]
* The `hooray for the documentation' release!
* New upstream beta release.
* debian/control
- Updated standards version.
- Added python-sphinx and libjs-jquery.
- Added python-django-doc package depending on libjs-jquery.
* debian/docs
- Moved to debian/python-django.docs.
* debian/install
- Moved to debian/python-django.install.
* debian/manpages
- Moved to debian/python-django.manpages.
* debian/examples
- Moved to debian/python-django-doc.examples
* debian/README.Debian
- Moved to debian/python-django.README.Debian
* debian/python-django-doc.doc-base:
- Added doc-base file for the documentation.
* debian/python-django-doc.install:
- Added install file for sphinx generated documentation.
* debian/rules:
- Added code to generate documentation with sphinx and
replace convenience file of jquery.js with the respective
symlink to libjs-jquery.
-- David Spreen <netzwurm@debian.org> Thu, 28 Aug 2008 10:22:29 -0700
python-django (1.0~beta1-1) experimental; urgency=low
[ David Spreen ] * New upstream beta release. Closes: #492956 * debian/control: Added myself to Uploaders field. * debian/watch: Added mangling for filename and version. Old watch file would name the download 'tarball'. Also added mangling to handle alpha and beta versioning. * Drop debian/patches/01_add_shebang.diff as this has been fixed upstream. * Drop debian/patches/02_bash_completion.diff as this has been committed upstream http://code.djangoproject.com/ticket/7268. * debian/control: Added python-flup to the Suggest field. Closes: #488123 * debian/patches/03_manpage.diff: Adapted patch to new upstream version. [ Jan Dittberner ] * add debian/watch file.
-- David Spreen <netzwurm@debian.org> Fri, 15 Aug 2008 16:05:07 -0700
python-django (0.97~svn7534-1) experimental; urgency=low
* New upstream snapshot. Closes: #409565, #481051 - Include an XSS security fix (CVE-2008-2302). Closes: #481164 * Drop debian/patches/04_pg_version_fix.diff as another fix has been committed upstream (see http://code.djangoproject.com/ticket/6433 and http://code.djangoproject.com/changeset/7415). * Add some headers to the remaining patches.
-- Raphael Hertzog <hertzog@debian.org> Mon, 19 May 2008 23:41:50 +0200
python-django (0.97~svn7189-1) experimental; urgency=low
* New upstream snapshot including bash completion fix
Closes: #450913
-- Brett Parker <iDunno@sommitrealweird.co.uk> Sun, 02 Mar 2008 12:59:03 +0000
python-django (0.97~svn7047-2) experimental; urgency=low
[ Brett Parker ]
* Patch for postgresql version issue with 8.3 beta/rc releases
Closes: #462058
[ Raphael Hertzog ]
* Updated Standards-Version to 3.7.3.
* Adjusted build-dependency on python-setuptools to strip the -1 part.
-- Brett Parker <iDunno@sommitrealweird.co.uk> Wed, 6 Feb 2008 15:15:37 +0000
python-django (0.97~svn7047-1) experimental; urgency=low
* New upstream snapshot (rev 7047)
- tarball prepared by Gabriel Falcão Gonçalves de Moura
<gabriel@guake-terminal.org>
-- Gustavo Noronha Silva <kov@debian.org> Tue, 29 Jan 2008 10:54:47 -0200
python-django (0.97~svn6996-1) experimental; urgency=low
* New upstream snapshot * debian/control: - added myself to Uploaders
-- Gustavo Noronha Silva <kov@debian.org> Sat, 05 Jan 2008 20:53:23 -0200
2007
python-django (0.97~svn6668-2) UNRELEASED; urgency=low
[ Raphael Hertzog ]
* Install examples with dh_installexamples instead of dh_installdocs
(change done by Ubuntu) as empty files are kept.
[ Sandro Tosi ]
* debian/control
- uniforming Vcs-Browser field
-- Raphael Hertzog <hertzog@debian.org> Mon, 17 Dec 2007 09:09:16 +0100
python-django (0.97~svn6668-1) experimental; urgency=low
* New SVN snapshot (rev 6668)
- Auth system delegations
- Apps can now have thier own management commands
- Fix for CVE-2007-5712 remote denial of service
Closes: #448838
* Fix missing upstream info in changelog
Closes: #450659
-- Brett Parker <iDunno@sommitrealweird.co.uk> Sun, 11 Nov 2007 10:15:55 +0000
python-django (0.96+svn6373-1) experimental; urgency=low
[ Raphael Hertzog ] * New SVN snapshot (rev 6373, a few days after the last Django sprint). * Note: The version 0.96+svn6034-1 never got uploaded. * Rename XS-Vcs* fields to Vcs-* since they are now supported by dpkg. [ Piotr Ożarowski ] * XS-Vcs-Browser and Homepage fields added
-- Raphael Hertzog <hertzog@debian.org> Thu, 04 Oct 2007 14:59:01 +0200
python-django (0.96+svn6034-1) experimental; urgency=low
[ Brett Parker]
* New SVN snapshot (rev 6034).
* validate and runserver commands now display the number of errors
(returning back to previous functionality).
* Small documentation fixes
* assertRedirects handling for paths with get data
* start{project,app} no make sure files created are writable
* Add man page for django-admin to the debian package
-- Brett Parker <iDunno@sommitrealweird.co.uk> Sat, 8 Sep 2007 10:37:00 +0100
python-django (0.96+svn6020-1) experimental; urgency=low
* New SVN snapshot (rev 6020).
-- Raphael Hertzog <hertzog@debian.org> Sun, 26 Aug 2007 18:16:08 +0200
python-django (0.96+svn5779-1) experimental; urgency=low
* SVN snapshot (rev 5779) packaged to experimental as many interesting
Django applications rely on newer unreleased features.
-- Raphael Hertzog <hertzog@debian.org> Tue, 31 Jul 2007 13:40:18 +0200
python-django (0.96-1) unstable; urgency=low
[ Brett Parker ]
* New upstream release - introduces some backwards incompatible changes, see
README.Debian or the backwards incompatible changes page at
http://code.djangoproject.com/wiki/BackwardsIncompatibleChanges
* Add documentation from upstream to /usr/share/doc/python-django
Closes: #411249
* Install the bash completion file from extras in to
/etc/bash_completion.d/django_bash_completion
Closes: #414399
* Egg support dropped as it's been dropped by upstream.
-- Brett Parker <iDunno@sommitrealweird.co.uk> Sun, 25 Mar 2007 19:18:39 +0100
python-django (0.95.1-1) unstable; urgency=low
[ Brett Parker ]
* New upstream minor release for security bugs:
- http://www.djangoproject.com/weblog/2007/jan/21/0951/
- Fixes a small security vulnerability in the script Django's
internationalization system uses to compile translation files
(changeset 4360 in the "0.95-bugfixes" branch).
- fix for a bug in Django's authentication middleware which could cause
apparent "caching" of a logged-in user (changeset 4361).
- patch which disables debugging mode in the flup FastCGI package Django
uses to launch its FastCGI server, which prevents tracebacks from
bubbling up during production use (changeset 4363).
Closes: #407786, #407607
* Sets Recommends to python-psycopg and moves other database engines to
the Suggests field.
[ Raphael Hertzog ]
* Use python-pysqlite2 as default database engine in Recommends. Others are
in Suggests. Closes: #403761
* Add python-psycopg2 in Suggests. Closes: #407489
-- Raphael Hertzog <hertzog@debian.org> Sun, 21 Jan 2007 17:45:50 +0100
2006
python-django (0.95-3) unstable; urgency=low
* Integrate 2 upstream changesets:
- http://code.djangoproject.com/changeset/3754 as
debian/patches/04_sec_fix_auth.diff
Fixes a possible case of mis-authentication due to bad caching.
Closes: #407521
- http://code.djangoproject.com/changeset/3592 as
debian/patches/03_sec_fix_compile-messages.diff
Fixes an (unlikely) arbitrary command execution if the user is blindly
running compile-messages.py on a untrusted set of *.po files.
Closes: #407519
-- Raphael Hertzog <hertzog@debian.org> Sat, 16 Dec 2006 15:13:29 +0100
python-django (0.95-2) unstable; urgency=low
[ Piotr Ozarowski ]
* Added XS-Vcs-Svn field
[ Brett Parker ]
* Made manage.py get a shebang with the version of python
used when running django-admin (closes: #401616)
* Created a convenience /usr/lib/python-django/bin symlink.
[ Raphael Hertzog ]
* Adapted Brett's work to better fit my views of the packaging.
-- Raphael Hertzog <hertzog@debian.org> Sat, 16 Dec 2006 11:03:20 +0100
python-django (0.95-1) unstable; urgency=low
[ Brett Parker ]
* 0.95 release - initial packaging
[ Raphael Hertzog ]
* Fix recommends: s/python-sqlite/python-pysqlite2/
* Add debian/pyversions to ensure that we have at least python 2.3 (and to
work around bug #391689 of python-support).
-- Raphael Hertzog <hertzog@debian.org> Mon, 9 Oct 2006 12:10:27 +0200