Next | Query returned 46 messages, browsing 21 to 30 | Previous

CVS Commit History:


   2020-03-12 17:21:02 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.11

Django 2.2.11 fixes a security issue and a data loss bug in 2.2.10.

CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle

GIS functions and aggregates on Oracle were subject to SQL injection, using a suitably crafted tolerance.

Bugfixes

Fixed a data loss possibility in the select_for_update(). When using related fields or parent link fields with Multi-table inheritance in the of argument, the corresponding models were not locked
   2020-02-04 18:25:05 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.10

Django 2.2.10 fixes a security issue:
CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)
StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter.
   2019-12-19 14:40:36 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.9

Django 2.2.9 fixes a security issue and a data loss bug in 2.2.8.

CVE-2019-19844: Potential account hijack via password reset form

By submitting a suitably crafted email address making use of Unicode characters, that compared equal to an existing user email when lower-cased for comparison, an attacker could be sent a password reset token for the matched account.

In order to avoid this vulnerability, password reset requests now compare the submitted email using the stricter, recommended algorithm for case-insensitive comparison of two identifiers from Unicode Technical Report 36, section 2.11.2(B)(2). Upon a match, the email containing the reset token will be sent to the email address on record rather than the submitted address.

Bugfixes
* Fixed a data loss possibility in SplitArrayField. When using with ArrayField(BooleanField()), all values after the first True value were marked as checked instead of preserving passed values
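
The comparison and delivery rule described in the 2.2.9 log message above, as an added Python example that is not part of the commit log and is not Django's own code. The address list, the `loose_ci_equal` stand-in for the pre-fix match, and all function names are assumptions made for illustration.

```python
import unicodedata

# Constructed sample data: the addresses on record (not from the original page).
STORED_EMAILS = ["mike@example.org", "anna@example.org"]


def loose_ci_equal(a: str, b: str) -> bool:
    """Naive case-insensitive match via simple case mapping.

    Assumed stand-in for the pre-fix behaviour; the real match ran in the
    database and depended on its collation.
    """
    return a.lower() == b.lower() or a.upper() == b.upper()


def strict_ci_equal(a: str, b: str) -> bool:
    """Identifier comparison: NFKC-normalize, then apply full case folding."""
    def fold(s: str) -> str:
        return unicodedata.normalize("NFKC", s).casefold()
    return fold(a) == fold(b)


def reset_recipients(submitted, stored=STORED_EMAILS, equal=strict_ci_equal):
    """Return the addresses that should receive a reset token.

    Only addresses on record are returned; the submitted string is used for
    matching and then discarded, so a look-alike never becomes a recipient.
    """
    return [email for email in stored if equal(submitted, email)]


# Constructed inputs differing from "mike@example.org" by one non-ASCII character.
DOTLESS_I = "m\u0131ke@example.org"  # U+0131 LATIN SMALL LETTER DOTLESS I
KELVIN = "mi\u212ae@example.org"     # U+212A KELVIN SIGN

if __name__ == "__main__":
    for label, addr in [("dotless i", DOTLESS_I), ("kelvin sign", KELVIN)]:
        print(label,
              "| loose:", reset_recipients(addr, equal=loose_ci_equal),
              "| strict:", reset_recipients(addr))
```

The Kelvin-sign input still matches under the strict comparison because NFKC maps it to `K`; that is why the second half of the fix, mailing the address on record, matters as much as the comparison itself.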
   2019-12-02 12:46:56 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.8

2.2.8:
* CVE-2019-19118: Privilege escalation in the Django admin.
* Fixed a data loss possibility in the admin changelist view when a custom formset’s prefix contains regular expression special characters, e.g. ‘$’.
* Fixed a regression in Django 2.2.1 that caused a crash when migrating permissions for proxy models with a multiple database setup if the default entry was empty.
* Fixed a data loss possibility in the select_for_update(). When using 'self' in the of argument with multi-table inheritance, a parent model was locked instead of the queryset’s model
   2019-11-05 08:44:24 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.7

Django 2.2.7:
Fixed a crash when using a contains, contained_by, has_key, has_keys, or has_any_keys lookup on JSONField, if the right or left hand side of an expression is a key transform.
Prevented migrate --plan from showing that RunPython operations are irreversible when reverse_code callables don’t have docstrings or when showing a forward migration plan.
Fixed migrations crash on PostgreSQL when adding an Index with fields ordering and opclasses.
Restored the ability to override get_FOO_display().
   2019-10-01 19:58:37 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.6

Django 2.2.6:
Fixed migrations crash on SQLite when altering a model containing partial indexes.
Fixed a regression in Django 2.2.4 that caused a crash when filtering with a Subquery() annotation of a queryset containing JSONField or HStoreField.
   2019-09-04 10:31:45 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.5

Django 2.2.5 fixes several bugs in 2.2.4.

Bugfixes

Relaxed the system check added in Django 2.2 for models to reallow use of the same db_table by multiple models when database routers are installed.
Fixed crash of KeyTransform() for JSONField and HStoreField when using on expressions with params.
Fixed a regression in Django 2.2 where ModelAdmin.list_filter choices to foreign objects don’t respect a model’s Meta.ordering.
Fixed a race condition in loading URLconf module that could cause a crash of auto-reloader on Python 3.5 and below
   2019-08-06 11:33:00 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.4

Django 2.2.4:
* CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator
* CVE-2019-14233: Denial-of-service possibility in strip_tags()
* CVE-2019-14234: SQL injection possibility in key and index lookups for JSONField/HStoreField
* CVE-2019-14235: Potential memory exhaustion in django.utils.encoding.uri_to_iri()
* Fixed a regression in Django 2.2 when ordering a QuerySet.union(), intersection(), or difference() by a field type present more than once results in the wrong ordering being used
* Fixed a migration crash on PostgreSQL when adding a check constraint with a contains lookup on DateRangeField or DateTimeRangeField, if the right hand side of an expression is the same type
* Fixed a regression in Django 2.2 where auto-reloader crashes if a file path contains null characters ('\x00')
* Fixed a regression in Django 2.2 where auto-reloader crashes if a translation directory cannot be resolved
   2019-07-01 20:26:22 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-django2: updated to 2.2.3

Django 2.2.3
Fix CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
Fixed a regression in Django 2.2 where Avg, StdDev, and Variance crash with filter argument
Fixed a regression in Django 2.2.2 where auto-reloader crashes with AttributeError, e.g. when using ipdb
   2019-06-03 14:39:46 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-django2: updated to 2.2.2

2.2.2:
CVE-2019-12308: AdminURLFieldWidget XSS

The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.

2.2.1:
Bugfixes

Fixed a regression in Django 2.1 that caused the incorrect quoting of database user password when using dbshell on Oracle
Added compatibility for psycopg2 2.8
Fixed a regression in Django 2.2 that caused a crash when loading the template for the technical 500 debug page
Fixed crash of ordering argument in ArrayAgg and StringAgg when it contains an expression with params
Fixed a regression in Django 2.2 that caused a single instance fast-delete to not set the primary key to None
Prevented makemigrations from generating infinite migrations for check constraints and partial indexes when condition contains a range object
Reverted an optimization in Django 2.2
Fixed a regression in Django 2.2 where Paginator crashes if object_list is a queryset ordered or aggregated over a nested JSONField key transform
Fixed a regression in Django 2.2 where IntegerField validation of database limits crashes if limit_value attribute in a custom validator is callable
Fixed a regression in Django 2.2 where SearchVector generates SQL that is not indexable
Fixed a regression in Django 2.2 that caused an exception to be raised when a custom error handler could not be imported
Relaxed the system check added in Django 2.2 for the admin app’s dependencies to reallow use of SessionMiddleware subclasses, rather than requiring django.contrib.sessions to be in INSTALLED_APPS
Increased the default timeout when using Watchman to 5 seconds to prevent falling back to StatReloader on larger projects and made it customizable via the DJANGO_WATCHMAN_TIMEOUT environment variable
Fixed a regression in Django 2.2 that caused a crash when migrating permissions for proxy models if the target permissions already existed. For example, when a permission had been created manually or a model had been migrated from concrete to proxy
Fixed a regression in Django 2.2 that caused a crash of runserver when URLConf modules raised exceptions
Fixed a regression in Django 2.2 where changes were not reliably detected by auto-reloader when using StatReloader
Fixed a migration crash on Oracle and PostgreSQL when adding a check constraint with a contains, startswith, or endswith lookup (or their case-insensitive variant)
Fixed a migration crash on Oracle and SQLite when adding a check constraint with condition contains | (OR) operator

2.2:
This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years. It will also receive fixes for crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for the next eight months until December 2019.

As always, the release notes cover the salmagundi of new features in detail, but a few highlights are:
* HttpRequest.headers to allow simple access to a request’s headers.
* Database-level constraints on models.
* Watchman compatibility for runserver to improve the performance of watching a large number of files for changes.
