Subject: CVS commit: pkgsrc/www/py-django3
From: Adam Ciarcinski
Date: 2020-06-03 17:29:36
Message id: 20200603152936.8D7E3FB27@cvs.NetBSD.org

Log Message:
py-django3: updated to 3.0.7

Django 3.0.7 fixes two security issues and several bugs in 3.0.6.

CVE-2020-13254: Potential data leakage via malformed memcached keys

In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.

CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget

Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.

Bugfixes

Fixed a regression in Django 3.0 by restoring the ability to use field lookups in Meta.ordering.
Fixed a regression in Django 3.0 where QuerySet.values() and values_list() crashed if a queryset contained an aggregation and a subquery annotation.
Fixed a regression in Django 3.0 where aggregates used wrong annotations when a queryset has multiple subquery annotations.
Fixed a regression in Django 3.0 where QuerySet.values() and values_list() crashed if a queryset contained an aggregation and an Exists() annotation on Oracle.
Fixed a regression in Django 3.0 where all resolved Subquery() expressions were considered equal.
Fixed a regression in Django 3.0.5 that affected translation loading for apps providing translations for territorial language variants as well as a generic language, where the project has different plural equations for the language.
Tracking a jQuery security release, upgraded the version of jQuery used by the admin from 3.4.1 to 3.5.1.

Files:
Revision  Action  File
1.5       modify  pkgsrc/www/py-django3/Makefile
1.5       modify  pkgsrc/www/py-django3/distinfo
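
The key validation described under CVE-2020-13254, as an added Python example (not part of this commit and not Django's own code). It assumes the memcached text protocol's key rules (at most 250 bytes, no whitespace or control characters); the function names and sample keys are constructed for illustration.

```python
# Added illustration, not Django's implementation.
# Assumption: memcached text-protocol key rules (<= 250 bytes, no
# whitespace or control characters).
MAX_KEY_BYTES = 250


class InvalidCacheKey(ValueError):
    """Raised when a key is not safe to hand to a memcached client."""


def key_problems(key):
    """Return a list of reasons the key is malformed (empty list = valid)."""
    raw = key.encode("utf-8")
    problems = []
    if not raw:
        problems.append("empty key")
    if len(raw) > MAX_KEY_BYTES:
        problems.append(f"key is {len(raw)} bytes, limit is {MAX_KEY_BYTES}")
    # Bytes below 0x21 (controls, space) and 0x7f (DEL) delimit or break
    # text-protocol command lines.
    bad = sorted({b for b in raw if b < 33 or b == 127})
    if bad:
        problems.append(
            "control/whitespace bytes: " + ", ".join(f"0x{b:02x}" for b in bad)
        )
    return problems


def validate_key(key):
    """Return the key unchanged, or raise InvalidCacheKey before any I/O."""
    problems = key_problems(key)
    if problems:
        raise InvalidCacheKey(f"{key!r}: " + "; ".join(problems))
    return key


def keys_seen_by_server(key):
    """Simplified model: the key fields a whitespace-delimited parser reads
    from a 'get <key>' line when the client forwards the key unvalidated."""
    return ("get " + key).split()[1:]


if __name__ == "__main__":
    # Constructed sample keys.
    for sample in ["session:alice", "session:alice session:bob", "k" * 251]:
        print(repr(sample[:30]), keys_seen_by_server(sample)[:2], key_problems(sample))
```

Calling `validate_key()` on the fully prefixed key, before it reaches the client library, is what stops a single logical key from being read by the server as a different key or as several keys.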