2018-05-02 08:28:35 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django: updated to 1.11.13
1.11.13:
Bugfixes
* Fixed a regression in Django 1.11.8 where altering a field with a unique \
constraint may drop and rebuild more foreign keys than necessary.
* Fixed crashes in django.contrib.admindocs when a view is a callable object, \
such as django.contrib.syndication.views.Feed.
* Fixed a regression in Django 1.11.12 where QuerySet.values() or values_list() \
after combining an annotated and unannotated queryset with union(), \
difference(), or intersection() crashed due to mismatching columns
|
2018-04-03 10:58:32 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django: updated to 1.11.12
Django 1.11.12:
Bugfixes:
Fixed a regression in Django 1.11.8 where combining two annotated values_list() \
querysets with union(), difference(), or intersection() crashed due to \
mismatching columns.
Fixed a regression in Django 1.11 where an empty choice could be initially \
selected for the SelectMultiple and CheckboxSelectMultiple widgets
|
2018-03-06 21:04:06 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django: updated to 1.11.11
1.11.11:
CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template \
filters
CVE-2018-7537: Denial-of-service possibility in truncatechars_html and \
truncatewords_html template filters
|
2018-02-02 08:55:34 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django: updated to 1.11.10
1.11.10:
CVE-2018-6188: Information leakage in AuthenticationForm
A regression in Django 1.11.8 made AuthenticationForm run its \
confirm_login_allowed() method even if an incorrect password is entered. This \
can leak information about a user, depending on what messages \
confirm_login_allowed() raises. If confirm_login_allowed() isn’t overridden, \
an attacker enter an arbitrary username and see if that user has been set to \
is_active=False. If confirm_login_allowed() is overridden, more sensitive \
details could be leaked.
This issue is fixed with the caveat that AuthenticationForm can no longer raise \
the “This account is inactive.” error if the authentication backend rejects \
inactive users (the default authentication backend, ModelBackend, has done that \
since Django 1.10). This issue will be revisited for Django 2.1 as a fix to \
address the caveat will likely be too invasive for inclusion in older versions.
Bugfixes:
Fixed incorrect foreign key nullification if a model has two foreign keys to the \
same model and a target model is deleted.
Fixed a regression where contrib.auth.authenticate() crashes if an \
authentication backend doesn’t accept request and a later one does.
Fixed crash when entering an invalid uuid in ModelAdmin.raw_id_fields
|
2018-01-03 08:23:45 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django: updated to 1.11.9
Bugfixes:
Fixed a regression in Django 1.11 that added newlines between MultiWidget’s \
subwidgets.
Fixed incorrect class-based model index name generation for models with quoted \
db_table.
Fixed incorrect foreign key constraint name for models with quoted db_table.
Fixed a regression in caching of a GenericForeignKey when the referenced model \
instance uses more than one level of multi-table inheritance.
|
2017-12-25 10:18:24 by Adam Ciarcinski | Files touched by this commit (1) |
Log message:
REPLACE_PYTHON does not need WRKSRC
|
2017-12-04 15:23:00 by Adam Ciarcinski | Files touched by this commit (3) | |
Log message:
py-django: updated to 1.11.8
Django 1.11.8 fixes several bugs in 1.11.7:
* Reallowed, following a regression in Django 1.10, AuthenticationForm to raise \
the inactive user error when using ModelBackend.
* Added support for QuerySet.values() and values_list() for union(), \
difference(), and intersection() queries.
* Fixed incorrect index name truncation when using a namespaced db_table.
* Made QuerySet.iterator() use server-side cursors on PostgreSQL after values() \
and values_list().
* Fixed crash on SQLite and MySQL when ordering by a filtered subquery that uses \
nulls_first or nulls_last.
* Made query lookups for CICharField, CIEmailField, and CITextField use a citext \
cast.
* Fixed a regression in caching of a GenericForeignKey when the referenced model \
instance uses multi-table inheritance.
* Fixed “Cannot change column ‘x’: used in a foreign key constraint” \
crash on MySQL with a sequence of AlterField and/or RenameField operations in a \
migration
|
2017-11-02 10:38:43 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django: updated to 1.11.7
1.11.7:
Bugfixes
* Prevented cache.get_or_set() from caching None if the default argument is a \
callable that returns None.
* Fixed the Basque DATE_FORMAT string.
* Made QuerySet.reverse() affect nulls_first and nulls_last.
* Fixed unquoted table names in Subquery SQL when using OuterRef
|
2017-10-06 10:52:59 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django: update to 1.11.6
Bugfixes:
* Made the CharField form field convert whitespace-only values to the \
empty_value when strip is enabled.
* Fixed crash when using the name of a model’s autogenerated primary key (id) \
in an Index’s fields.
* Fixed a regression in Django 1.9 where a custom view error handler such as \
handler404 that accesses csrf_token could cause CSRF verification failures on \
other pages
|
2017-09-06 17:19:17 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
Django 1.11.5:
CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page¶
In older versions, HTML autoescaping was disabled in a portion of the template \
for the technical 500 debug page. Given the right circumstances, this allowed a \
cross-site scripting attack. This vulnerability shouldn’t affect most \
production sites since you shouldn’t run with DEBUG = True (which makes this \
page accessible) in your production settings.
Bugfixes:
Fixed GEOS version parsing if the version has a commit hash at the end (new in \
GEOS 3.6.2).
Added compatibility for cx_Oracle 6.
Fixed select widget rendering when option values are tuples.
Django 1.11 inadvertently changed the sequence and trigger naming scheme on \
Oracle. This causes errors on INSERTs for some tables if 'use_returning_into': \
False is in the OPTIONS part of DATABASES. The pre-1.11 naming scheme is now \
restored. Unfortunately, it necessarily requires an update to Oracle tables \
created with Django 1.11.[1-4]. Use the upgrade script in 28451 comment 8 to \
update sequence and trigger names to use the pre-1.11 naming scheme.
Added POST request support to LogoutView, for equivalence with the \
function-based logout() view.
Omitted pages_per_range from BrinIndex.deconstruct() if it’s None.
Fixed a regression where SelectDateWidget localized the years in the select box.
Fixed a regression in 1.11.4 where runserver crashed with non-Unicode system \
encodings on Python 2 + Windows.
Fixed a regression in Django 1.10 where changes to a ManyToManyField weren’t \
logged in the admin change history and prevented ManyToManyField initial data in \
model forms from being affected by subsequent model changes.
Fixed non-deterministic results or an AssertionError crash in some queries with \
multiple joins.
Fixed a regression in contrib.auth’s login() and logout() views where they \
ignored positional arguments
|