------------------------------------------------------------------- Tue Nov 24 13:17:12 UTC 2015 - bwiedemann@suse.com - add 0004-1.6.x-Fixed-a-settings-leak-possibility-in-the-date-.patch to prevent settings leak in date template filter (bnc#955412, CVE-2015-8213) ------------------------------------------------------------------- Mon Oct 12 12:49:26 UTC 2015 - bwiedemann@suse.com - add 0002-1.6.x-Fixed-19324-Avoided-creating-a-session-record-.patch to prevent Denial-of-service possibility by filling session store (bnc#937522, CVE-2015-5143) - add 0003-1.6.x-Prevented-newlines-from-being-accepted-in-some.patch to prevent Header injection possibility (bnc#937523, CVE-2015-5144) ------------------------------------------------------------------- Wed Sep 9 11:16:22 UTC 2015 - bwiedemann@suse.com - Add 0001-1.6.x-Fixed-DoS-possiblity-in-contrib.auth.views.log.patch (bnc#941587, CVE-2015-5963) ------------------------------------------------------------------- Fri Mar 20 13:06:02 UTC 2015 - bwiedemann@suse.com - update to 1.6.11 * Made is_safe_url() reject URLs that start with control characters to mitigate possible XSS attack via user-supplied redirect URLs (bnc#923176, CVE-2015-2317) * Fixed an infinite loop possibility in strip_tags() (bnc#923172, CVE-2015-2316) ------------------------------------------------------------------- Mon Jan 26 14:33:01 UTC 2015 - dmueller@suse.com - update to 1.6.10: * Content retrieved from the GeoIP library is now properly decoded from its default ``iso-8859-1`` encoding * Fixed ``AttributeError`` when using :meth:`~django.db.models.query.QuerySet.bulk_create` with ``ForeignObject`` * Fixed crash of ``QuerySet``\s that use ``F() + timedelta()`` when their query was compiled more once * Prevented custom ``widget`` class attribute of :class:`~django.forms.IntegerField` subclasses from being overwritten by the code in their ``__init__`` method * Improved :func:`~django.utils.html.strip_tags` accuracy (but it still cannot guarantee an HTML-safe result, as stated in the documentation). * Fixed a regression in the :mod:`django.contrib.gis` SQL compiler for non-concrete fields (`#22250 `_). * Fixed :attr:`ModelAdmin.preserve_filters ` when running a site with a URL prefix (`#21795 `_). * Fixed a crash in the ``find_command`` management utility when the ``PATH`` environment variable wasn't set * Fixed :djadmin:`changepassword` on Windows * Avoided shadowing deadlock exceptions on MySQL * Wrapped database exceptions in ``_set_autocommit`` * Fixed atomicity when closing a database connection or when the database server disconnects (`#21239 `_ and * Fixed regression in ``prefetch_related`` that caused the related objects query to include an unnecessary join * Added backwards compatibility support for the :mod:`django.contrib.messages` cookie format of Django 1.4 and earlier to facilitate upgrading to 1.6 from 1.4 * Restored the ability to :meth:`~django.core.urlresolvers.reverse` views created using :func:`functools.partial()` * Fixed the ``object_id`` of the ``LogEntry`` that's created after a user password change in the admin * Made the ``year_lookup_bounds_for_datetime_field`` Oracle backend method Python 3 compatible (`#22551 `_). * Fixed ``pgettext_lazy`` crash when receiving bytestring content on Python 2 * Fixed the SQL generated when filtering by a negated ``Q`` object that contains a ``F`` object. (`#22429 `_). * Avoided overwriting data fetched by ``select_related()`` in certain cases which could cause minor performance regressions * Corrected email and URL validation to reject a trailing dash * Prevented indexes on PostgreSQL virtual fields (:ticket:`22514`). * Prevented edge case where values of FK fields could be initialized with a wrong value when an inline model formset is created for a relationship defined to point to a field other than the PK (:ticket:`13794`). * Restored ``pre_delete`` signals for ``GenericRelation`` cascade deletion * Fixed transaction handling when specifying non-default database in ``createcachetable`` and ``flush`` (:ticket:`23089`). * Fixed the "ORA-01843: not a valid month" errors when using Unicode with older versions of Oracle server (:ticket:`20292`). * Restored bug fix for sending unicode email with Python 2.6.5 and below * Prevented ``UnicodeDecodeError`` in ``runserver`` with non-UTF-8 and non-English locale (:ticket:`23265`). * Fixed JavaScript errors while editing multi-geometry objects in the OpenLayers widget (:ticket:`23137`, :ticket:`23293`). * Prevented a crash on Python 3 with query strings containing unencoded non-ASCII characters (:ticket:`22996`). * Allowed inherited and m2m fields to be referenced in the admin * Fixed a crash when using ``QuerySet.defer()`` with ``select_related()`` * Allowed related many-to-many fields to be referenced in the admin * Allowed inline and hidden references to admin fields (:ticket:`23431`). * Fixed a regression with dynamically generated inlines and allowed field references in the admin (:ticket:`23754`). * WSGI header spoofing via underscore/dash conflation (bnc#913053, CVE-2015-0219) * Mitigated possible XSS attack via user-supplied redirect URLs * Denial-of-service attack against ``django.views.static.serve`` (bnc#913056, CVE-2015-0221) * Database denial-of-service with ``ModelMultipleChoiceField`` (bnc#913055, CVE-2015-0222) ------------------------------------------------------------------- Thu Jul 31 16:55:11 UTC 2014 - dimstar@opensuse.org - Rename rpmlintrc to %{name}-rpmlintrc. Follow the packaging guidelines. ------------------------------------------------------------------- Wed Jun 11 12:34:45 UTC 2014 - mcihar@suse.cz - Update to version 1.6.5, sercurity and important changes: + Unexpected code execution using reverse() + Caching of anonymous pages could reveal CSRF token + MySQL typecasting + select_for_update() requires a transaction + Issue: Caches may incorrectly be allowed to store and serve private data + Issue: Malformed redirect URLs from user input not correctly validated ------------------------------------------------------------------- Fri Feb 14 09:32:07 UTC 2014 - speilicke@suse.com - Fix update-alternatives ------------------------------------------------------------------- Fri Feb 7 08:30:04 UTC 2014 - speilicke@suse.com - Update to version 1.6.2: + Prevented the base geometry object of a prepared geometry to be garbage collected, which could lead to crash Django (#21662). + Fixed a crash when executing the changepassword command when the user object representation contained non-ASCII characters (#21627). + The collectstatic command will raise an error rather than default to using the current working directory if STATIC_ROOT is not set. Combined with the --clear option, the previous behavior could wipe anything below the current working directory (#21581). + Fixed mail encoding on Python 3.3.3+ (#21093). + Fixed an issue where when settings.DATABASES['default']['AUTOCOMMIT'] = False, the connection wasn’t in autocommit mode but Django pretended it was. + Fixed a regression in multiple-table inheritance exclude() queries (#21787). + Added missing items to django.utils.timezone.__all__ (#21880). + Fixed a field misalignment issue with select_related() and model inheritance (#21413). + Fixed join promotion for negated AND conditions (#21748). + Oracle database introspection now works with boolean and float fields (#19884). + Fixed an issue where lazy objects weren’t actually marked as safe when passed through mark_safe() and could end up being double-escaped (#21882). ------------------------------------------------------------------- Tue Feb 4 14:33:40 UTC 2014 - mcihar@suse.cz - Update to version 1.6.1: - Most bug fixes are minor; you can find a complete list in the Django 1.6.1 release notes. ------------------------------------------------------------------- Tue Nov 19 10:06:23 UTC 2013 - speilicke@suse.com - Update-alternatives also for bash-completion ------------------------------------------------------------------- Fri Nov 15 13:33:20 UTC 2013 - speilicke@suse.com - Only ghost /etc/alternatives on 12.3 or newer ------------------------------------------------------------------- Thu Nov 7 16:36:41 UTC 2013 - speilicke@suse.com - Require python-Pillow for image-related functionality - Package was renamed from python-django - Drop Django-1.2-completion-only-for-bash.patch: Useless ------------------------------------------------------------------- Tue Nov 5 03:27:13 UTC 2013 - alexandre@exatati.com.br - Update to version 1.6: - Please read the release notes https://docs.djangoproject.com/en/1.6/releases/1.6 - Removed Patch2 as it is no needed anymore: Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch ------------------------------------------------------------------- Tue Sep 17 12:37:53 UTC 2013 - speilicke@suse.com - Update to version 1.5.4: + Fixed denial-of-service via large passwords - Changes from version 1.5.3: + Fixed directory traversal with ssi template tag ------------------------------------------------------------------- Wed Aug 14 05:49:54 UTC 2013 - alexandre@exatati.com.br - Update to 1.5.2: - Security release, please check release notes for details: https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued ------------------------------------------------------------------- Thu Mar 28 23:27:01 UTC 2013 - alexandre@exatati.com.br - Update to 1.5.1: - Memory leak fix, please read release announcement at https://www.djangoproject.com/weblog/2013/mar/28/django-151. ------------------------------------------------------------------- Tue Feb 26 19:49:02 UTC 2013 - alexandre@exatati.com.br - Update to 1.5: - Please read the release notes https://docs.djangoproject.com/en/1.5/releases/1.5 ------------------------------------------------------------------- Tue Dec 11 12:27:50 UTC 2012 - alexandre@exatati.com.br - Update to 1.4.3: - Security release: - Host header poisoning - Redirect poisoning - Please check release notes for details: https://www.djangoproject.com/weblog/2012/dec/10/security ------------------------------------------------------------------- Sat Oct 20 13:41:10 UTC 2012 - saschpe@suse.de - Add a symlink from /usr/bin/django-admin.py to /usr/bin/django-admin ------------------------------------------------------------------- Wed Oct 17 22:51:36 UTC 2012 - alexandre@exatati.com.br - Update to 1.4.2: - Security release: - Host header poisoning - Please check release notes for details: https://www.djangoproject.com/weblog/2012/oct/17/security ------------------------------------------------------------------- Mon Jul 30 21:38:31 UTC 2012 - alexandre@exatati.com.br - Update to 1.4.1: - Security release: - Cross-site scripting in authentication views - Denial-of-service in image validation - Denial-of-service via get_image_dimensions() - Please check release notes for details: https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued ------------------------------------------------------------------- Tue Jun 19 11:27:33 UTC 2012 - saschpe@suse.de - Add patch to support CSRF_COOKIE_HTTPONLY config ------------------------------------------------------------------- Fri Mar 23 18:39:40 UTC 2012 - alexandre@exatati.com.br - Update to 1.4: - Please read the release notes https://docs.djangoproject.com/en/dev/releases/1.4 - Removed Patch2, it was merged on upstream, ------------------------------------------------------------------- Thu Nov 24 12:30:40 UTC 2011 - saschpe@suse.de - Set license to SDPX style (BSD-3-Clause) - Package AUTHORS, LICENE and README files - No CFLAGS for noarch package - Drop runtime dependency on gettext-tools ------------------------------------------------------------------- Sat Sep 10 12:05:07 UTC 2011 - alexandre@exatati.com.br - Update to 1.3.1 to fix security issues, please read https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued. ------------------------------------------------------------------- Thu Mar 31 15:09:16 UTC 2011 - alexandre@exatati.com.br - Fix build on SLES_9. ------------------------------------------------------------------- Wed Mar 23 11:39:53 UTC 2011 - alexandre@exatati.com.br - Update to 1.3 final; - Refresh patch empty-ip-2.diff. ------------------------------------------------------------------- Fri Mar 18 03:45:45 UTC 2011 - alexandre@exatati.com.br - Update to 1.3-rc1; - Regenerated spec file with py2pack; - No more need to fix wrong line endings; - Refresh patch empty-ip-2.diff with -p0. ------------------------------------------------------------------- Thu Mar 3 09:32:52 UTC 2011 - saschpe@suse.de - Spec file cleanup: * Removed empty lines, package authors from description * Cleanup duplicates * Corrected wrong file endings * Added zero-length rpmlint filter - Added AUTHORS, LICENSE and doc files ------------------------------------------------------------------- Wed Feb 9 03:37:29 UTC 2011 - alexandre@exatati.com.br - Update to 1.2.5: - This is a security update that fix: - Flaw in CSRF handling; - Potential XSS in file field rendering. ------------------------------------------------------------------- Thu Dec 23 10:20:03 UTC 2010 - alexandre@exatati.com.br - Update to 1.2.4: - Information leakage in Django administrative interface; - Denial-of-service attack in password-reset mechanism. - This is a mandatory security update. ------------------------------------------------------------------- Sat Sep 11 11:46:41 UTC 2010 - alexandre@exatati.com.br - Update to 1.2.3: - The patch applied for the security issue covered in Django 1.2.2 caused issues with non-ASCII responses using CSRF tokens. This has been remedied; - The patch also caused issues with some forms, most notably the user-editing forms in the Django administrative interface. This has been remedied. - The packaging manifest did not contain the full list of required files. This has been remedied. ------------------------------------------------------------------- Thu Sep 9 01:06:43 UTC 2010 - alexandre@exatati.com.br - Update to 1.2.2. - This is a ciritical security update fixing a default XSS bug! ------------------------------------------------------------------- Fri Jul 9 11:27:26 UTC 2010 - jfunk@funktronics.ca - Added patch to fix upstream bug 5622: Empty ipaddress raises an error ------------------------------------------------------------------- Mon May 17 21:14:11 UTC 2010 - alexandre@exatati.com.br - Update to 1.2.1. ------------------------------------------------------------------- Mon May 17 18:35:20 UTC 2010 - alexandre@exatati.com.br - Update to 1.2. ------------------------------------------------------------------- Thu May 6 13:46:03 UTC 2010 - alexandre@exatati.com.br - Update to 1.2-rc-1. ------------------------------------------------------------------- Mon Apr 5 02:21:44 UTC 2010 - alexandre@exatati.com.br - Spec file cleaned with spec-cleaner; - Minor manual adjusts on spec file. ------------------------------------------------------------------- Thu Mar 18 17:47:12 UTC 2010 - alexandre@exatati.com.br - Moved autocomplete file path from /etc/profile.d to /etc/bash_completion.d. Then it works with konsole too. ------------------------------------------------------------------- Mon Mar 15 01:53:50 UTC 2010 - alexandre@exatati.com.br - Update to 1.2-beta-1; - Using -q option on prep section of spec file; - Using INSTALLED_FILES instead of declaring files; - Removed dummy changelog section of spec file; - Update completion bash patch. ------------------------------------------------------------------- Sun Oct 11 07:51:32 UTC 2009 - nix@opensuse.org - Update to 1.1.1 due to security issue described at http://www.djangoproject.com/weblog/2009/oct/09/security/ ------------------------------------------------------------------- Sat Oct 10 12:18:31 UTC 2009 - alexandre@exatati.com.br - Removed old tarball file (Django-1.1.tar.bz2). ------------------------------------------------------------------- Tue Aug 25 12:23:09 CEST 2009 - garloff@suse.de - Fix python version check. ------------------------------------------------------------------- Sat Aug 22 13:39:35 CEST 2009 - garloff@suse.de - Don't require python-sqlite2 for python >= 2.6. ------------------------------------------------------------------- Fri Aug 21 11:38:03 CEST 2009 - garloff@suse.de - Build as noarch on factory. ------------------------------------------------------------------- Wed Aug 19 17:40:46 CEST 2009 - poeml@suse.de - don't run bash completion on shells other than bash. Avoiding error messages produced at login when using other shells. ------------------------------------------------------------------- Fri Aug 14 18:05:42 UTC 2009 - alexandre@exatati.com.br - Added bash auto-complete to openSUSE. ------------------------------------------------------------------- Wed Jul 29 00:00:00 CEST 2009 - listuser@peternixon.net - update to version 1.1 - add python-django-rpmlintrc to quiet rpmlint complaints about -lang ------------------------------------------------------------------- Wed Jul 1 19:04:26 CEST 2009 - poeml@suse.de - add python-xml to the Requires (./manage.py syncdb crashes otherwise) ------------------------------------------------------------------- Sat Sep 13 00:00:00 UTC 2008 - listuser@peternixon.net - update to version 1.0 - Fix build on SLES9 ------------------------------------------------------------------- Thu Sep 4 10:40:58 CEST 2008 - crrodriguez@suse.de - update to version 1.0 final ------------------------------------------------------------------- Wed May 14 00:00:00 UTC 2008 - listuser@peternixon.net - update to version 0.96.2 ------------------------------------------------------------------- Thu Feb 21 00:00:00 UTC 2008 - jfunk@funktronics.ca - The way simplejson is included in this package is not useful to other packages. Removed from provides ------------------------------------------------------------------- Fri Oct 26 20:20:08 UTC 2007 - crrodriguez@suse.de - verion 0.96.1 fixes D.o.S attack in the i18n module ------------------------------------------------------------------- Fri Mar 23 00:00:00 UTC 2007 - crrodriguez@suse.de - update to version 0.96 see http://www.djangoproject.com/documentation/release_notes_0.96 for details - this package provides python-simplejson too.