Subject: CVS commit: pkgsrc/www/py-django
From: Adam Ciarcinski
Date: 2018-02-02 08:55:34
Message id: 20180202075534.F01F2FB40@cvs.NetBSD.org

Log Message:
py-django: updated to 1.11.10

1.11.10:

CVE-2018-6188: Information leakage in AuthenticationForm

A regression in Django 1.11.8 made AuthenticationForm run its
confirm_login_allowed() method even if an incorrect password is entered. This
can leak information about a user, depending on what messages
confirm_login_allowed() raises. If confirm_login_allowed() isn't overridden,
an attacker can enter an arbitrary username and see if that user has been set to
is_active=False. If confirm_login_allowed() is overridden, more sensitive
details could be leaked.

This issue is fixed with the caveat that AuthenticationForm can no longer raise
the "This account is inactive." error if the authentication backend rejects
inactive users (the default authentication backend, ModelBackend, has done that
since Django 1.10). This issue will be revisited for Django 2.1 as a fix to
address the caveat will likely be too invasive for inclusion in older versions.

Bugfixes:
Fixed incorrect foreign key nullification if a model has two foreign keys to the
same model and a target model is deleted.
Fixed a regression where contrib.auth.authenticate() crashes if an
authentication backend doesn't accept request and a later one does.
Fixed crash when entering an invalid uuid in ModelAdmin.raw_id_fields.
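The following is an added illustration of the CVE-2018-6188 behaviour described in the log message above; it is not part of the commit, the pkgsrc package, or Django's own source. It models the two versions of AuthenticationForm.clean() as plain functions over a constructed in-memory user store (the user names, passwords and the helper names model_backend_authenticate, clean_regressed, clean_fixed and probe are all invented for the example), so that the difference in error messages an attacker sees can be checked without Django installed. The final assertion also shows the caveat from the advisory: after the fix an inactive user with the correct password gets the generic message rather than "This account is inactive."

```python
"""Constructed model of CVE-2018-6188 (added example; not Django's own code).

Two simplified versions of AuthenticationForm.clean() are modelled so that the
difference in error messages can be observed.  The user store, user names and
passwords below are made up for the example.
"""

import hmac

INVALID_LOGIN = "Please enter a correct username and password."
INACTIVE = "This account is inactive."

# Constructed user store: username -> (password, is_active).
USERS = {
    "alice": ("correct-horse", True),
    "bob": ("battery-staple", False),
}


def model_backend_authenticate(username, password):
    """Models ModelBackend: rejects unknown users, wrong passwords and
    (since Django 1.10) inactive users, returning None in every such case."""
    record = USERS.get(username)
    if record is None:
        return None
    stored_password, is_active = record
    if not hmac.compare_digest(stored_password, password):
        return None
    if not is_active:
        return None
    return username


def confirm_login_allowed(username):
    """Default policy hook: reject inactive accounts with a distinct message."""
    if not USERS[username][1]:
        raise ValueError(INACTIVE)


def clean_regressed(username, password):
    """Models the 1.11.8 regression: when the backend rejects the login, the
    form still looks the user up by name and runs confirm_login_allowed(),
    so its message reaches the client even for a wrong password."""
    if model_backend_authenticate(username, password) is None:
        if username in USERS:
            confirm_login_allowed(username)  # leaks is_active for any username
        raise ValueError(INVALID_LOGIN)
    return username


def clean_fixed(username, password):
    """Models the 1.11.10 fix: confirm_login_allowed() only runs on a user the
    backend actually authenticated, so a wrong password always yields the
    generic message (and, as the caveat notes, so does an inactive user with
    the right password, because ModelBackend already rejected them)."""
    user = model_backend_authenticate(username, password)
    if user is None:
        raise ValueError(INVALID_LOGIN)
    confirm_login_allowed(user)
    return user


def error_for(clean, username, password):
    """Return the error message the form would show, or None on success."""
    try:
        clean(username, password)
    except ValueError as exc:
        return str(exc)
    return None


def probe(clean, usernames, guess="wrong-password"):
    """What an attacker learns by submitting a wrong password for each name:
    a mapping username -> error message."""
    return {u: error_for(clean, u, guess) for u in usernames}


if __name__ == "__main__":
    for name, clean in (("regressed", clean_regressed), ("fixed", clean_fixed)):
        print(name, probe(clean, ["alice", "bob", "carol"]))
```

Run as a script: the "regressed" line shows "bob" answering with the inactive message while "alice" and the nonexistent "carol" get the generic one, which is exactly the oracle the advisory describes; the "fixed" line is uniform.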

Files:
Revision  Action  File
1.96      modify  pkgsrc/www/py-django/Makefile
1.75      modify  pkgsrc/www/py-django/distinfo