------------------------------------------------------------------- Wed Jan 28 16:21:41 UTC 2015 - mjura@suse.com - Method check_for_test_cookie is deprecated, bnc#914706 + Add 0005-1.6.x-Method-check_for_test_cookie-is-deprecated.patch ------------------------------------------------------------------- Fri Jan 23 08:41:48 UTC 2015 - bwiedemann@suse.com - security fix backports add 0001-1.5.x-Stripped-headers-containing-underscores-to-pre.patch (bnc#913053, CVE-2015-0219) add 0002-1.5.x-Fixed-is_safe_url-to-handle-leading-whitespace.patch (bnc#913054, CVE-2015-0220) add 0003-1.5.x-Prevented-views.static.serve-from-using-large-.patch (bnc#913056, CVE-2015-0221) add 0004-1.5.x-Fixed-DoS-possibility-in-ModelMultipleChoiceFi.patch (bnc#913055, CVE-2015-0222) ------------------------------------------------------------------- Wed Jan 21 09:57:12 UTC 2015 - bwiedemann@suse.com - Update to version 1.5.12: + Fixed a regression with dynamically generated inlines and allowed field references in the admin + Allowed related many-to-many fields to be referenced in the admin + Allowed inline and hidden references to admin fields ------------------------------------------------------------------- Wed Sep 3 12:15:52 UTC 2014 - bwiedemann@suse.com - Update to version 1.5.10: + Prevented reverse() from generating URLs pointing to other hosts to prevent phishing attacks (bnc#893087, CVE-2014-0480) + Removed O(n) algorithm when uploading duplicate file names to fix file upload denial of service (bnc#893088, CVE-2014-0481) + Modified RemoteUserMiddleware to logout on REMOTE_USE change to prevent session hijacking (bnc#893089, CVE-2014-0482) + Prevented data leakage in contrib.admin via query string manipulation (bnc#893090, CVE-2014-0483) ------------------------------------------------------------------- Mon May 26 07:22:53 UTC 2014 - bwiedemann@suse.com - Update to version 1.5.8: + Fixed: Caches may incorrectly be allowed to store and serve private data (bnc#877993, CVE-2014-1418) + Fixed: Malformed redirect URLs from user input not correctly validated (bnc#878641, CVE-2014-3730) + Fixed queries that may return unexpected results on MySQL due to typecasting (bnc#874956, CVE-2014-0474) + Prevented leaking the CSRF token through caching (bnc#874955, CVE-2014-0473) + Fixed a remote code execution vulnerabilty in URL reversing (bnc#874950, CVE-2014-0472) + Properly rotate CSRF token on login ------------------------------------------------------------------- Tue Sep 17 12:37:53 UTC 2013 - speilicke@suse.com - Update to version 1.5.4: + Fixed denial-of-service via large passwords - Changes from version 1.5.3: + Fixed directory traversal with ssi template tag ------------------------------------------------------------------- Wed Aug 14 05:49:54 UTC 2013 - alexandre@exatati.com.br - Update to 1.5.2: - Security release, please check release notes for details: https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued ------------------------------------------------------------------- Thu Mar 28 23:27:01 UTC 2013 - alexandre@exatati.com.br - Update to 1.5.1: - Memory leak fix, please read release announcement at https://www.djangoproject.com/weblog/2013/mar/28/django-151. ------------------------------------------------------------------- Tue Feb 26 19:49:02 UTC 2013 - alexandre@exatati.com.br - Update to 1.5: - Please read the release notes https://docs.djangoproject.com/en/1.5/releases/1.5 ------------------------------------------------------------------- Tue Dec 11 12:27:50 UTC 2012 - alexandre@exatati.com.br - Update to 1.4.3: - Security release: - Host header poisoning - Redirect poisoning - Please check release notes for details: https://www.djangoproject.com/weblog/2012/dec/10/security ------------------------------------------------------------------- Sat Oct 20 13:41:10 UTC 2012 - saschpe@suse.de - Add a symlink from /usr/bin/django-admin.py to /usr/bin/django-admin ------------------------------------------------------------------- Wed Oct 17 22:51:36 UTC 2012 - alexandre@exatati.com.br - Update to 1.4.2: - Security release: - Host header poisoning - Please check release notes for details: https://www.djangoproject.com/weblog/2012/oct/17/security ------------------------------------------------------------------- Mon Jul 30 21:38:31 UTC 2012 - alexandre@exatati.com.br - Update to 1.4.1: - Security release: - Cross-site scripting in authentication views - Denial-of-service in image validation - Denial-of-service via get_image_dimensions() - Please check release notes for details: https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued ------------------------------------------------------------------- Tue Jun 19 11:27:33 UTC 2012 - saschpe@suse.de - Add patch to support CSRF_COOKIE_HTTPONLY config ------------------------------------------------------------------- Fri Mar 23 18:39:40 UTC 2012 - alexandre@exatati.com.br - Update to 1.4: - Please read the release notes https://docs.djangoproject.com/en/dev/releases/1.4 - Removed Patch2, it was merged on upstream, ------------------------------------------------------------------- Thu Nov 24 12:30:40 UTC 2011 - saschpe@suse.de - Set license to SDPX style (BSD-3-Clause) - Package AUTHORS, LICENE and README files - No CFLAGS for noarch package - Drop runtime dependency on gettext-tools ------------------------------------------------------------------- Sat Sep 10 12:05:07 UTC 2011 - alexandre@exatati.com.br - Update to 1.3.1 to fix security issues, please read https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued. ------------------------------------------------------------------- Thu Mar 31 15:09:16 UTC 2011 - alexandre@exatati.com.br - Fix build on SLES_9. ------------------------------------------------------------------- Wed Mar 23 11:39:53 UTC 2011 - alexandre@exatati.com.br - Update to 1.3 final; - Refresh patch empty-ip-2.diff. ------------------------------------------------------------------- Fri Mar 18 03:45:45 UTC 2011 - alexandre@exatati.com.br - Update to 1.3-rc1; - Regenerated spec file with py2pack; - No more need to fix wrong line endings; - Refresh patch empty-ip-2.diff with -p0. ------------------------------------------------------------------- Thu Mar 3 09:32:52 UTC 2011 - saschpe@suse.de - Spec file cleanup: * Removed empty lines, package authors from description * Cleanup duplicates * Corrected wrong file endings * Added zero-length rpmlint filter - Added AUTHORS, LICENSE and doc files ------------------------------------------------------------------- Wed Feb 9 03:37:29 UTC 2011 - alexandre@exatati.com.br - Update to 1.2.5: - This is a security update that fix: - Flaw in CSRF handling; - Potential XSS in file field rendering. ------------------------------------------------------------------- Thu Dec 23 10:20:03 UTC 2010 - alexandre@exatati.com.br - Update to 1.2.4: - Information leakage in Django administrative interface; - Denial-of-service attack in password-reset mechanism. - This is a mandatory security update. ------------------------------------------------------------------- Sat Sep 11 11:46:41 UTC 2010 - alexandre@exatati.com.br - Update to 1.2.3: - The patch applied for the security issue covered in Django 1.2.2 caused issues with non-ASCII responses using CSRF tokens. This has been remedied; - The patch also caused issues with some forms, most notably the user-editing forms in the Django administrative interface. This has been remedied. - The packaging manifest did not contain the full list of required files. This has been remedied. ------------------------------------------------------------------- Thu Sep 9 01:06:43 UTC 2010 - alexandre@exatati.com.br - Update to 1.2.2. - This is a ciritical security update fixing a default XSS bug! ------------------------------------------------------------------- Fri Jul 9 11:27:26 UTC 2010 - jfunk@funktronics.ca - Added patch to fix upstream bug 5622: Empty ipaddress raises an error ------------------------------------------------------------------- Mon May 17 21:14:11 UTC 2010 - alexandre@exatati.com.br - Update to 1.2.1. ------------------------------------------------------------------- Mon May 17 18:35:20 UTC 2010 - alexandre@exatati.com.br - Update to 1.2. ------------------------------------------------------------------- Thu May 6 13:46:03 UTC 2010 - alexandre@exatati.com.br - Update to 1.2-rc-1. ------------------------------------------------------------------- Mon Apr 5 02:21:44 UTC 2010 - alexandre@exatati.com.br - Spec file cleaned with spec-cleaner; - Minor manual adjusts on spec file. ------------------------------------------------------------------- Thu Mar 18 17:47:12 UTC 2010 - alexandre@exatati.com.br - Moved autocomplete file path from /etc/profile.d to /etc/bash_completion.d. Then it works with konsole too. ------------------------------------------------------------------- Mon Mar 15 01:53:50 UTC 2010 - alexandre@exatati.com.br - Update to 1.2-beta-1; - Using -q option on prep section of spec file; - Using INSTALLED_FILES instead of declaring files; - Removed dummy changelog section of spec file; - Update completion bash patch. ------------------------------------------------------------------- Sun Oct 11 07:51:32 UTC 2009 - nix@opensuse.org - Update to 1.1.1 due to security issue described at http://www.djangoproject.com/weblog/2009/oct/09/security/ ------------------------------------------------------------------- Sat Oct 10 12:18:31 UTC 2009 - alexandre@exatati.com.br - Removed old tarball file (Django-1.1.tar.bz2). ------------------------------------------------------------------- Tue Aug 25 12:23:09 CEST 2009 - garloff@suse.de - Fix python version check. ------------------------------------------------------------------- Sat Aug 22 13:39:35 CEST 2009 - garloff@suse.de - Don't require python-sqlite2 for python >= 2.6. ------------------------------------------------------------------- Fri Aug 21 11:38:03 CEST 2009 - garloff@suse.de - Build as noarch on factory. ------------------------------------------------------------------- Wed Aug 19 17:40:46 CEST 2009 - poeml@suse.de - don't run bash completion on shells other than bash. Avoiding error messages produced at login when using other shells. ------------------------------------------------------------------- Fri Aug 14 18:05:42 UTC 2009 - alexandre@exatati.com.br - Added bash auto-complete to openSUSE. ------------------------------------------------------------------- Wed Jul 29 00:00:00 CEST 2009 - listuser@peternixon.net - update to version 1.1 - add python-django-rpmlintrc to quiet rpmlint complaints about -lang ------------------------------------------------------------------- Wed Jul 1 19:04:26 CEST 2009 - poeml@suse.de - add python-xml to the Requires (./manage.py syncdb crashes otherwise) ------------------------------------------------------------------- Sat Sep 13 00:00:00 UTC 2008 - listuser@peternixon.net - update to version 1.0 - Fix build on SLES9 ------------------------------------------------------------------- Thu Sep 4 10:40:58 CEST 2008 - crrodriguez@suse.de - update to version 1.0 final ------------------------------------------------------------------- Wed May 14 00:00:00 UTC 2008 - listuser@peternixon.net - update to version 0.96.2 ------------------------------------------------------------------- Thu Feb 21 00:00:00 UTC 2008 - jfunk@funktronics.ca - The way simplejson is included in this package is not useful to other packages. Removed from provides ------------------------------------------------------------------- Fri Oct 26 20:20:08 UTC 2007 - crrodriguez@suse.de - verion 0.96.1 fixes D.o.S attack in the i18n module ------------------------------------------------------------------- Fri Mar 23 00:00:00 UTC 2007 - crrodriguez@suse.de - update to version 0.96 see http://www.djangoproject.com/documentation/release_notes_0.96 for details - this package provides python-simplejson too.