Navigation:
Browse pkgsrc
(this page)
www py-djang..
CVSweb ] [ 
Homepage ] [ 
RSS ] [ 
Required by ] [ 
Add to tracker ]| 2021-10-07 17:09:00 by Nia Alarie | Files touched by this commit (1033) |
Log message: www: Remove SHA1 hashes for distfiles |
2021-10-05 20:33:49 by Adam Ciarcinski | Files touched by this commit (2) |  |
Log message: py-django3: updated to 3.2.8 Django 3.2.8 fixes two bugs in 3.2.7. Bugfixes Fixed a bug in Django 3.2 that caused incorrect links on read-only fields in the \ admin. Fixed a regression in Django 3.2 that caused incorrect selection of items across \ all pages when actions were placed both on the top and bottom of the admin \ change-list view. |
| 2021-08-02 22:33:58 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message: py-django3: updated to 3.2.6 Django 3.2.6 Bugfixes Fixed a regression in Django 3.2 that caused a crash validating "NaN" \ input with a forms.DecimalField when additional constraints, e.g. max_value, \ were specified. Fixed a bug in Django 3.2 where a system check would crash on a model with a \ reverse many-to-many relation inherited from a parent class. |
| 2021-07-06 07:57:43 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message: py-django3: updated to 3.2.5 Django 3.2.5 fixes a security issue with severity “high” and several bugs in \ 3.2.4. Also, the latest string translations from Transifex are incorporated. CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input Unsanitized user input passed to QuerySet.order_by() could bypass intended \ column reference validation in path marked for deprecation resulting in a \ potential SQL injection even if a deprecation warning is emitted. As a mitigation the strict column reference validation was restored for the \ duration of the deprecation period. This regression appeared in 3.1. The issue is not present in the main branch as the deprecated path has been removed. Bugfixes Fixed a regression in Django 3.2 that caused a crash of \ QuerySet.values_list(…, named=True) after prefetch_related(). Fixed a bug in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when \ altering BinaryField, JSONField, or TextField to non-nullable. Fixed a regression in Django 3.2 that caused a migration crash on MySQL 8.0.13+ \ when adding nullable BinaryField, JSONField, or TextField with a default value. Fixed a bug in Django 3.2 where a system check would crash on a model with an \ invalid app_label |
| 2021-06-05 09:22:03 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message: py-django3: updated to 3.2.4 Django 3.2.4 fixes two security issues and several bugs in 3.2.3. CVE-2021-33203: Potential directory traversal via admindocs Staff members could use the admindocs TemplateDetailView view to check the \ existence of arbitrary files. Additionally, if (and only if) the default \ admindocs templates have been customized by the developers to also expose the \ file contents, then not only the existence but also the file contents would have \ been exposed. As a mitigation, path sanitation is now applied and only files within the \ template root directories can be loaded. CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since \ validators accepted leading zeros in IPv4 addresses¶ URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn’t \ prohibit leading zeros in octal literals. If you used such values you could \ suffer from indeterminate SSRF, RFI, and LFI attacks. validate_ipv4_address() and validate_ipv46_address() validators were not \ affected on Python 3.9.5+. Bugfixes Fixed a bug in Django 3.2 where a final catch-all view in the admin didn’t \ respect the server-provided value of SCRIPT_NAME when redirecting \ unauthenticated users to the login page Fixed a bug in Django 3.2 where a system check would crash on an abstract model Prevented unnecessary initialization of unused caches following a regression in \ Django 3.2 Fixed a crash in Django 3.2 that could occur when running mod_wsgi with the \ recommended settings while the Windows colorama library was installed Fixed a bug in Django 3.2 that would trigger the auto-reloader for template \ changes when directory paths were specified with strings Fixed a regression in Django 3.2 that caused a crash of auto-reloader with \ AttributeError, e.g. inside a Conda environment Fixed a regression in Django 3.2 that caused a loss of precision for operations \ with DecimalField on MySQL |
| 2021-05-14 20:54:38 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message: py-django3: updated to 3.2.3 Django 3.2.3 fixes several bugs in 3.2.2. Bugfixes Prepared for mysqlclient > 2.0.3 support. Fixed a regression in Django 3.2 that caused the incorrect filtering of \ querysets combined with the | operator. Fixed a regression in Django 3.2.1 where saving FileField would raise a \ SuspiciousFileOperation even when a custom upload_to returns a valid file path. Django 3.2.2 fixes a security issue and a bug in 3.2.1. CVE-2021-32052: Header injection possibility since URLValidator accepted \ newlines in input on Python 3.9.5+ On Python 3.9.5+, URLValidator didn’t prohibit newlines and tabs. If you used \ values with newlines in HTTP response, you could suffer from header injection \ attacks. Django itself wasn’t vulnerable because HttpResponse prohibits \ newlines in HTTP headers. Moreover, the URLField form field which uses URLValidator silently removes \ newlines and tabs on Python 3.9.5+, so the possibility of newlines entering your \ data only existed if you are using this validator outside of the form fields. This issue was introduced by the bpo-43882 fix. |
| 2021-05-05 09:06:30 by Adam Ciarcinski | Files touched by this commit (3) | |
Log message: py-django3: updated to 3.2.1 Django 3.2.1 CVE-2021-31542: Potential directory-traversal via uploaded files MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via \ uploaded files with suitably crafted file names. In order to mitigate this risk, stricter basename and path sanitation is now \ applied. Specifically, empty file names and paths with dot segments will be \ rejected. Bugfixes Corrected detection of GDAL 3.2 on Windows. Fixed a bug in Django 3.2 where subclasses of BigAutoField and SmallAutoField \ were not allowed for the DEFAULT_AUTO_FIELD setting. Fixed a regression in Django 3.2 that caused a crash of \ QuerySet.values()/values_list() after QuerySet.union(), intersection(), and \ difference() when it was ordered by an unannotated field. Restored, following a regression in Django 3.2, displaying an exception message \ on the technical 404 debug page. Fixed a bug in Django 3.2 where a system check would crash on a reverse \ one-to-one relationships in CheckConstraint.check or UniqueConstraint.condition. Fixed a regression in Django 3.2 that caused a crash of ModelAdmin.search_fields \ when searching against phrases with unbalanced quotes. Fixed a bug in Django 3.2 where variable lookup errors were logged rendering the \ sitemap template if alternates were not defined. Fixed a regression in Django 3.2 that caused a crash when combining Q() objects \ which contains boolean expressions. Fixed a regression in Django 3.2 that caused a crash of QuerySet.update() on a \ queryset ordered by inherited or joined fields on MySQL and MariaDB. Fixed a regression in Django 3.2 that caused a crash when decoding a cookie \ value, used by django.contrib.messages.storage.cookie.CookieStorage, in the \ pre-Django 3.2 format. Fixed a regression in Django 3.2 that stopped the shift-key modifier selecting \ multiple rows in the admin changelist. Fixed a bug in Django 3.2 where a system check would crash on the \ STATICFILES_DIRS setting with a list of 2-tuples of (prefix, path). Fixed a long standing bug involving queryset bitwise combination when used with \ subqueries that began manifesting in Django 3.2, due to a separate fix using \ Exists to exclude() multi-valued relationships. Fixed a bug in Django 3.2 where variable lookup errors were logged when \ rendering some admin templates. Fixed a bug in Django 3.2 where an admin changelist would crash when deleting \ objects filtered against multi-valued relationships. The admin changelist now \ uses Exists() instead QuerySet.distinct() because calling delete() after \ distinct() is not allowed in Django 3.2 to address a data loss possibility. Fixed a regression in Django 3.2 where the calling process environment would not \ be passed to the dbshell command on PostgreSQL. Fixed a performance regression in Django 3.2 when building complex filters with \ subqueries. As a side-effect the private API to check django.db.sql.query.Query \ equality is removed. Django 3.2.0: Automatic AppConfig discovery simplifies configuration of pluggable applications. Customizing the type of auto-created primary keys begins a process of migrating \ to BigAutoField primary key fields by default. Functional indexes can now be created on expressions and database functions. |
| 2021-03-01 13:43:26 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message: py-django3: updated to 3.1.7 Django 3.1.7 fixes a security issue and a bug in 3.1.6. CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl() Django contains a copy of urllib.parse.parse_qsl() which was added to backport \ some security fixes. A further security fix has been issued recently such that \ parse_qsl() no longer allows using ; as a query parameter separator by default. \ Django now includes this fix. See bpo-42967 for further details. Bugfixes Fixed a regression in Django 3.1 that caused RuntimeError instead of connection \ errors when using only the 'postgres' database |
New packages: