./www/py-django2, Django, a high-level Python Web framework

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 2.2.24, Package name: py39-django-2.2.24, Maintainer: joerg

Django is a high-level Python Web framework that encourages rapid development
and clean, pragmatic design. Django was designed to make common Web-development
tasks fast and easy.


Required to run:
[devel/py-setuptools] [time/py-pytz] [lang/python37]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 8995.504 KB

Version history: (Expand)


CVS history: (Expand)


   2021-10-26 13:31:15 by Nia Alarie | Files touched by this commit (1030)
Log message:
www: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts):
www/nghttp2/distinfo

Unfetchable distfiles (almost certainly fetched conditionally...):
./www/nginx-devel/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx-devel/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx-devel/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx-devel/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx-devel/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx-devel/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx-devel/distinfo naxsi-1.3.tar.gz
./www/nginx-devel/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx-devel/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx-devel/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx-devel/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx-devel/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx-devel/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx-devel/distinfo njs-0.5.0.tar.gz
./www/nginx-devel/distinfo set-misc-nginx-module-0.32.tar.gz
./www/nginx/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx/distinfo naxsi-1.3.tar.gz
./www/nginx/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx/distinfo njs-0.5.0.tar.gz
./www/nginx/distinfo set-misc-nginx-module-0.32.tar.gz
   2021-10-07 17:09:00 by Nia Alarie | Files touched by this commit (1033)
Log message:
www: Remove SHA1 hashes for distfiles
   2021-06-05 09:24:55 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.24

Django 2.2.24 fixes two security issues in 2.2.23.

CVE-2021-33203: Potential directory traversal via admindocs

Staff members could use the admindocs TemplateDetailView view to check the \ 
existence of arbitrary files. Additionally, if (and only if) the default \ 
admindocs templates have been customized by the developers to also expose the \ 
file contents, then not only the existence but also the file contents would have \ 
been exposed.

As a mitigation, path sanitation is now applied and only files within the \ 
template root directories can be loaded.

CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since \ 
validators accepted leading zeros in IPv4 addresses¶

URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn’t \ 
prohibit leading zeros in octal literals. If you used such values you could \ 
suffer from indeterminate SSRF, RFI, and LFI attacks.

validate_ipv4_address() and validate_ipv46_address() validators were not \ 
affected on Python 3.9.5+.
   2021-05-14 20:53:07 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.23

Django 2.2.23 fixes a regression in 2.2.21.

Bugfixes

Fixed a regression in Django 2.2.21 where saving FileField would raise a \ 
SuspiciousFileOperation even when a custom upload_to returns a valid file path

Django 2.2.22 fixes a security issue in 2.2.21.

CVE-2021-32052: Header injection possibility since URLValidator accepted \ 
newlines in input on Python 3.9.5+

On Python 3.9.5+, URLValidator didn’t prohibit newlines and tabs. If you used \ 
values with newlines in HTTP response, you could suffer from header injection \ 
attacks. Django itself wasn’t vulnerable because HttpResponse prohibits \ 
newlines in HTTP headers.

Moreover, the URLField form field which uses URLValidator silently removes \ 
newlines and tabs on Python 3.9.5+, so the possibility of newlines entering your \ 
data only existed if you are using this validator outside of the form fields.

This issue was introduced by the bpo-43882 fix.
   2021-05-05 09:04:18 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to t 2.2.21

Django 2.2.21 fixes a security issue in 2.2.20.
CVE-2021-31542: Potential directory-traversal via uploaded files
MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via \ 
uploaded files with suitably crafted file names.
In order to mitigate this risk, stricter basename and path sanitation is now \ 
applied. Specifically, empty file names and paths with dot segments will be \ 
rejected.

Django 2.2.20
CVE-2021-28658: Potential directory-traversal via uploaded files
MultiPartParser allowed directory-traversal via uploaded files with suitably \ 
crafted file names.
Built-in upload handlers were not affected by this vulnerability.
   2021-03-01 13:44:07 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.19

Django 2.2.19 fixes a security issue in 2.2.18.

CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()

Django contains a copy of urllib.parse.parse_qsl() which was added to backport \ 
some security fixes. A further security fix has been issued recently such that \ 
parse_qsl() no longer allows using ; as a query parameter separator by default. \ 
Django now includes this fix. See bpo-42967 for further details.
   2021-02-05 08:52:37 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.18

Django 2.2.18 fixes a security issue with severity “low” in 2.2.17.

CVE-2021-3281: Potential directory-traversal via archive.extract()

The django.utils.archive.extract() function, used by startapp --template and \ 
startproject --template, allowed directory-traversal via an archive with \ 
absolute paths or relative paths with dot segments.
   2020-11-02 12:09:35 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.17

Django 2.2.17 adds compatibility with Python 3.9.