Subject: CVS commit: [pkgsrc-2019Q1] pkgsrc/www
From: Benny Siegert
Date: 2019-06-04 11:10:44
Message id: 20190604091044.C5D56FBF4@cvs.NetBSD.org

Log Message:
Pullup ticket #5976 - requested by adam
www/py-django: security fix
www/py-django2: security fix

Revisions pulled up:
- www/py-django/Makefile                                        1.106
- www/py-django/distinfo                                        1.85
- www/py-django2/Makefile                                       1.17
- www/py-django2/PLIST                                          1.6
- www/py-django2/distinfo                                       1.15

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Mon Jun  3 12:33:00 UTC 2019

   Modified Files:
           pkgsrc/www/py-django: Makefile distinfo

   Log Message:
   py-django: updated to 1.11.21

   Django 1.11.21 release notes

   CVE-2019-12308: AdminURLFieldWidget XSS

   The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

   AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using formfield_overrides.

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Mon Jun  3 12:39:46 UTC 2019

   Modified Files:
           pkgsrc/www/py-django2: Makefile PLIST distinfo

   Log Message:
   py-django2: updated to 2.2.2

   2.2.2:
   CVE-2019-12308: AdminURLFieldWidget XSS

   The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

   AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.

   2.2.1:
   Bugfixes

   Fixed a regression in Django 2.1 that caused the incorrect quoting of database user password when using dbshell on Oracle
   Added compatibility for psycopg2 2.8
   Fixed a regression in Django 2.2 that caused a crash when loading the template for the technical 500 debug page
   Fixed crash of ordering argument in ArrayAgg and StringAgg when it contains an expression with params
   Fixed a regression in Django 2.2 that caused a single instance fast-delete to not set the primary key to None
   Prevented makemigrations from generating infinite migrations for check constraints and partial indexes when condition contains a range object
   Reverted an optimization in Django 2.2
   Fixed a regression in Django 2.2 where Paginator crashes if object_list is a queryset ordered or aggregated over a nested JSONField key transform
   Fixed a regression in Django 2.2 where IntegerField validation of database limits crashes if limit_value attribute in a custom validator is callable
   Fixed a regression in Django 2.2 where SearchVector generates SQL that is not indexable
   Fixed a regression in Django 2.2 that caused an exception to be raised when a custom error handler could not be imported
   Relaxed the system check added in Django 2.2 for the admin app's dependencies to reallow use of SessionMiddleware subclasses, rather than requiring django.contrib.sessions to be in INSTALLED_APPS
   Increased the default timeout when using Watchman to 5 seconds to prevent falling back to StatReloader on larger projects and made it customizable via the DJANGO_WATCHMAN_TIMEOUT environment variable
   Fixed a regression in Django 2.2 that caused a crash when migrating permissions for proxy models if the target permissions already existed. For example, when a permission had been created manually or a model had been migrated from concrete to proxy
   Fixed a regression in Django 2.2 that caused a crash of runserver when URLConf modules raised exceptions
   Fixed a regression in Django 2.2 where changes were not reliably detected by auto-reloader when using StatReloader
   Fixed a migration crash on Oracle and PostgreSQL when adding a check constraint with a contains, startswith, or endswith lookup (or their case-insensitive variant)
   Fixed a migration crash on Oracle and SQLite when adding a check constraint with condition contains | (OR) operator
   Django 2.2.2 release notes
   Django 2.2 release notes

   2.2:
   This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years. It will also receive fixes for crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for the next eight months until December 2019.

   As always, the release notes cover the salmagundi of new features in detail, but a few highlights are:
   * HttpRequest.headers to allow simple access to a request's headers.
   * Database-level constraints on models.
   * Watchman compatibility for runserver to improve the performance of watching a large number of files for changes.

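The two quoted release notes above describe the same fix pattern: the admin widget used to emit whatever value it held as the href of a clickable "Currently:" link, and now runs the value through URLValidator first. The following is an added, stand-alone illustration of that pattern; it is not Django's code, and SimpleURLValidator, HttpsOnlyValidator and CurrentURLWidget are hypothetical stand-ins for URLValidator and AdminURLFieldWidget. It also shows the validator_class swap the notes mention, using an https-only validator as the stricter replacement.

```python
"""Validate-before-link: a stand-alone illustration of the CVE-2019-12308 fix pattern.

Added example, not Django's code. SimpleURLValidator, HttpsOnlyValidator and
CurrentURLWidget are hypothetical stand-ins for URLValidator and
AdminURLFieldWidget. They mirror the behaviour the release notes describe:
the "Currently:" link is rendered only after the value passes URL validation,
so a stored or query-supplied "javascript:" value is shown as text, not as a
clickable link.
"""
import html
import re
from urllib.parse import urlsplit

# Django's URLValidator accepts these schemes by default.
DEFAULT_SCHEMES = ("http", "https", "ftp", "ftps")

# Conservative authority characters: letters, digits, ".", "-", IPv6 brackets,
# ":" for a port, "@" and "%" for userinfo. Anything else is rejected.
_NETLOC_RE = re.compile(r"^[A-Za-z0-9.\-\[\]:@%]+$")


class ValidationError(ValueError):
    """Raised when a value is not an acceptable absolute URL."""


class SimpleURLValidator:
    """Hypothetical simplified URL validator (stand-in for URLValidator)."""

    def __init__(self, schemes=DEFAULT_SCHEMES):
        self.schemes = tuple(s.lower() for s in schemes)

    def __call__(self, value):
        if not isinstance(value, str) or not value or len(value) > 2048:
            raise ValidationError("value must be a non-empty string of bounded length")
        # Whitespace and control characters never belong in an href, and they
        # would let values such as "java<TAB>script:" past a naive scheme check.
        if re.search(r"[\x00-\x20\x7f]", value):
            raise ValidationError("whitespace or control characters are not allowed")
        try:
            parts = urlsplit(value)  # the scheme comes back lower-cased
        except ValueError as exc:  # e.g. unbalanced IPv6 brackets
            raise ValidationError(str(exc)) from exc
        if parts.scheme not in self.schemes:
            # Rejects javascript:, data:, vbscript: and scheme-relative "//host".
            raise ValidationError(f"scheme {parts.scheme!r} is not allowed")
        if not parts.netloc or not _NETLOC_RE.match(parts.netloc):
            raise ValidationError("missing or malformed host")

    def is_valid(self, value):
        """Boolean convenience wrapper around __call__."""
        try:
            self(value)
        except ValidationError:
            return False
        return True


class HttpsOnlyValidator(SimpleURLValidator):
    """Stricter validator, the kind one would pass as validator_class."""

    def __init__(self):
        super().__init__(schemes=("https",))


class CurrentURLWidget:
    """Hypothetical stand-in for AdminURLFieldWidget's "Currently:" rendering.

    validator_class mirrors the kwarg described in the release notes: the
    default validator can be swapped for a stricter one per field.
    """

    def __init__(self, validator_class=SimpleURLValidator):
        self.validator = validator_class()

    def render_current(self, value):
        # The value is HTML-escaped whether or not it becomes a link.
        escaped = html.escape(str(value), quote=True)
        if not self.validator.is_valid(value):
            # Before the fix the <a href> was emitted unconditionally; after it,
            # an unvalidated value is displayed as inert text.
            return f"<p>Currently: {escaped}</p>"
        return f'<p>Currently: <a href="{escaped}">{escaped}</a></p>'


if __name__ == "__main__":
    # Constructed sample values: one legitimate URL, one stored javascript: value.
    widget = CurrentURLWidget()
    for sample in ("https://example.com/docs", "javascript:alert(1)"):
        print(widget.render_current(sample))
```

Escaping alone would not have closed the issue: a `javascript:` value survives html.escape unchanged and is still executed when clicked, which is why the fix validates the scheme and host before deciding to emit an `<a href>` at all.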
Files:
Revision   Action  File
1.105.2.1  modify  pkgsrc/www/py-django/Makefile
1.84.2.1   modify  pkgsrc/www/py-django/distinfo
1.14.2.1   modify  pkgsrc/www/py-django2/Makefile
1.5.4.1    modify  pkgsrc/www/py-django2/PLIST
1.13.2.1   modify  pkgsrc/www/py-django2/distinfo