Subject: CVS commit: [pkgsrc-2019Q1] pkgsrc/www
From: Benny Siegert
Date: 2019-06-04 11:10:44
Message id: 20190604091044.C5D56FBF4@cvs.NetBSD.org
Log Message:
Pullup ticket #5976 - requested by adam
www/py-django: security fix
www/py-django2: security fix
Revisions pulled up:
- www/py-django/Makefile 1.106
- www/py-django/distinfo 1.85
- www/py-django2/Makefile 1.17
- www/py-django2/PLIST 1.6
- www/py-django2/distinfo 1.15
---
Module Name: pkgsrc
Committed By: adam
Date: Mon Jun 3 12:33:00 UTC 2019
Modified Files:
pkgsrc/www/py-django: Makefile distinfo
Log Message:
py-django: updated to 1.11.21
Django 1.11.21 release notes
CVE-2019-12308: AdminURLFieldWidget XSS
The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using formfield_overrides.
---
Module Name: pkgsrc
Committed By: adam
Date: Mon Jun 3 12:39:46 UTC 2019
Modified Files:
pkgsrc/www/py-django2: Makefile PLIST distinfo
Log Message:
py-django2: updated to 2.2.2
2.2.2:
CVE-2019-12308: AdminURLFieldWidget XSS
The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.
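As an added standalone example (not Django's code and not part of this commit), the following models the pre-fix and post-fix "Current URL" rendering described in both CVE-2019-12308 notes above: the SimpleURLValidator class and the render_* helpers are assumptions that stand in for Django's URLValidator and AdminURLFieldWidget, and HTTPSOnlyValidator plays the role of a custom validator_class.

```python
from html import escape
from urllib.parse import urlsplit


class ValidationError(Exception):
    """Raised by a validator when the value is not an acceptable URL."""


class SimpleURLValidator:
    """Stand-in for Django's URLValidator (assumption: a scheme allowlist
    plus a non-empty host is enough for this demonstration)."""
    schemes = ("http", "https", "ftp", "ftps")

    def __call__(self, value):
        parts = urlsplit(value)
        if parts.scheme.lower() not in self.schemes or not parts.netloc:
            raise ValidationError(f"not a safe URL: {value!r}")


class HTTPSOnlyValidator(SimpleURLValidator):
    """Stricter validator a site could supply, like a custom validator_class."""
    schemes = ("https",)


def render_link_unvalidated(value):
    """Pre-fix behaviour: the value is HTML-escaped, but escaping does not
    stop a javascript: pseudo-URL from being a clickable link."""
    return f'<a href="{escape(value)}">Current URL</a>'


def render_link_validated(value, validator_class=SimpleURLValidator):
    """Post-fix behaviour (as modelled here): run the validator first and
    render the anchor only when it passes; an invalid value gets no link."""
    try:
        validator_class()(value)
    except ValidationError:
        return ""
    return f'<a href="{escape(value)}">Current URL</a>'


# Constructed sample values (not from the advisory): an ordinary URL and a
# javascript: pseudo-URL of the kind the advisory says became clickable.
SAMPLE_VALUES = ("https://example.com/docs", "javascript:void(0)")


def demo():
    """Map each sample value to its (pre-fix, post-fix) rendering."""
    return {v: (render_link_unvalidated(v), render_link_validated(v))
            for v in SAMPLE_VALUES}
```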
2.2.1:
Bugfixes
* Fixed a regression in Django 2.1 that caused the incorrect quoting of database user password when using dbshell on Oracle
* Added compatibility for psycopg2 2.8
* Fixed a regression in Django 2.2 that caused a crash when loading the template for the technical 500 debug page
* Fixed crash of ordering argument in ArrayAgg and StringAgg when it contains an expression with params
* Fixed a regression in Django 2.2 that caused a single instance fast-delete to not set the primary key to None
* Prevented makemigrations from generating infinite migrations for check constraints and partial indexes when condition contains a range object
* Reverted an optimization in Django 2.2
* Fixed a regression in Django 2.2 where Paginator crashes if object_list is a queryset ordered or aggregated over a nested JSONField key transform
* Fixed a regression in Django 2.2 where IntegerField validation of database limits crashes if limit_value attribute in a custom validator is callable
* Fixed a regression in Django 2.2 where SearchVector generates SQL that is not indexable
* Fixed a regression in Django 2.2 that caused an exception to be raised when a custom error handler could not be imported
* Relaxed the system check added in Django 2.2 for the admin app’s dependencies to reallow use of SessionMiddleware subclasses, rather than requiring django.contrib.sessions to be in INSTALLED_APPS
* Increased the default timeout when using Watchman to 5 seconds to prevent falling back to StatReloader on larger projects and made it customizable via the DJANGO_WATCHMAN_TIMEOUT environment variable
* Fixed a regression in Django 2.2 that caused a crash when migrating permissions for proxy models if the target permissions already existed. For example, when a permission had been created manually or a model had been migrated from concrete to proxy
* Fixed a regression in Django 2.2 that caused a crash of runserver when URLConf modules raised exceptions
* Fixed a regression in Django 2.2 where changes were not reliably detected by auto-reloader when using StatReloader
* Fixed a migration crash on Oracle and PostgreSQL when adding a check constraint with a contains, startswith, or endswith lookup (or their case-insensitive variant)
* Fixed a migration crash on Oracle and SQLite when adding a check constraint with condition contains | (OR) operator
Django 2.2.2 release notes
Django 2.2 release notes
2.2:
This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years. It will also receive fixes for crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for the next eight months until December 2019.
As always, the release notes cover the salmagundi of new features in detail, but a few highlights are:
* HttpRequest.headers to allow simple access to a request’s headers.
* Database-level constraints on models.
* Watchman compatibility for runserver to improve the performance of watching a large number of files for changes.
Files: