Sync from SUSE:ALP:Source:Standard:1.0 python-Django revision 07a0c96c91c540715f2c117e8a28f3b1

2025-03-14 14:17:38 +01:00
parent 572e03dca0
commit 75542dd270
19 changed files with 1541 additions and 328 deletions


@@ -1,5 +1,33 @@
-------------------------------------------------------------------
Fri Jul 12 13:41:03 UTC 2024 - Nico Krapp <nico.krapp@suse.com>
Wed Jan 15 08:19:57 UTC 2025 - Markéta Machová <mmachova@suse.com>
- Add security patch CVE-2024-56374.patch (bsc#1235856)
-------------------------------------------------------------------
Mon Dec 9 09:49:50 UTC 2024 - Markéta Machová <mmachova@suse.com>
- Add security patches:
* CVE-2024-53907.patch (bsc#1234232)
* CVE-2024-53908.patch (bsc#1234231)
-------------------------------------------------------------------
Mon Sep 2 12:48:52 UTC 2024 - Markéta Machová <mmachova@suse.com>
- Add more security patches:
* CVE-2024-45230.patch (bsc#1229823)
* CVE-2024-45231.patch (bsc#1229824)
-------------------------------------------------------------------
Thu Aug 1 09:37:57 UTC 2024 - Markéta Machová <mmachova@suse.com>
- Add bunch of security patches:
* CVE-2024-42005.patch (bsc#1228629)
* CVE-2024-41989.patch (bsc#1228630)
* CVE-2024-41990.patch (bsc#1228631)
* CVE-2024-41991.patch (bsc#1228632)
-------------------------------------------------------------------
Fri Jul 12 12:40:47 UTC 2024 - Nico Krapp <nico.krapp@suse.com>
- Add CVE-2024-38875.patch (bsc#1227590)
* CVE-2024-38875: Potential denial-of-service attack via
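Review bot: The four newest entries (Jan 15 2025, Dec 9, Sep 2 and Aug 1 2024) list only patch file names and bsc numbers for nine CVEs, with no indication of which Django component each one affects, whereas the Jul 12 entry right below them follows its patch with a summary line ("CVE-2024-38875: Potential denial-of-service attack via"). Add the same kind of one-line summary under each patch so the changelog can be triaged without opening every bug report.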
@@ -12,12 +40,85 @@ Fri Jul 12 13:41:03 UTC 2024 - Nico Krapp <nico.krapp@suse.com>
django.core.files.storage.Storage.save()
- Add CVE-2024-39614.patch (bsc#1227595)
* CVE-2024-39614: Potential denial-of-service through
django.utils.translation.get_supported_language_variant()
django.utils.translation.get_supported_language_variant()
-------------------------------------------------------------------
Thu Feb 29 13:19:00 UTC 2024 - Alberto Planas Dominguez <aplanas@suse.com>
Thu Apr 18 06:39:36 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
- Add CVE-2024-27351.patch patch (CVE-2024-27351, bsc#1220358)
- Add fix-safemimetext-set_payload.patch, to support python 3.11.9+
(gh#django/django@b231bcd19e57, bsc#1222880)
-------------------------------------------------------------------
Mon Mar 4 14:05:28 UTC 2024 - Alberto Planas Dominguez <aplanas@suse.com>
- Update to 4.2.11 (CVE-2024-27351, bsc#1220358)
* CVE-2024-27351: Potential regular expression denial-of-service in
django.utils.text.Truncator.words()
* Fixed a regression in Django 4.2.10 where intcomma template filter
could return a leading comma for string representation of floats
- Remove python3122.patch, already upstream
-------------------------------------------------------------------
Fri Feb 9 10:18:37 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
- Add python3122.patch to fix tests with python 3.12.2
gh#django/django#17843
- Update to 4.2.10 (bsc#1219683, CVE-2024-24680):
- Django 4.2.10 fixes a security issue with severity "moderate" in
4.2.9.
CVE-2024-24680: Potential denial-of-service in intcomma template
filter The intcomma template filter was subject to a potential
denial-of-service attack when used with very long strings.
-------------------------------------------------------------------
Thu Jan 4 09:27:51 UTC 2024 - Alberto Planas Dominguez <aplanas@suse.com>
- Update to 4.2.9:
* Fixed a regression in Django 4.2.8 where admin fields on the same
line could overflow the page and become non-interactive
-------------------------------------------------------------------
Mon Dec 4 10:21:00 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
- Update to 4.2.8
* Fixed a regression in Django 4.2 that caused makemigrations
--check to stop displaying pending migrations
* Fixed a regression in Django 4.2 that caused a crash of
QuerySet.aggregate() with aggregates referencing other aggregates
or window functions through conditional expressions
* Fixed a regression in Django 4.2 that caused a crash when
annotating a QuerySet with a Window expressions composed of a
partition_by clause mixing field types and aggregation expressions
* Fixed a regression in Django 4.2 where the admins change list
page had misaligned pagination links and inputs when using
list_editable
* Fixed a regression in Django 4.2 where checkboxes in the admin
would be centered on narrower screen widths
* Fixed a regression in Django 4.2 that caused a crash of querysets
with aggregations on MariaDB when the ONLY_FULL_GROUP_BY SQL mode
was enabled
* Fixed a regression in Django 4.2 where the admins read-only
password widget and some help texts were incorrectly aligned at
tablet widths
* Fixed a regression in Django 4.2 that caused a migration crash on
SQLite when altering unsupported Meta.db_table_comment
-------------------------------------------------------------------
Mon Nov 27 12:20:48 UTC 2023 - Dirk Müller <dmueller@suse.com>
- add dirty-hack-remove-assert.patch from fedora to fix
minor test failure with python 3.12
-------------------------------------------------------------------
Wed Nov 1 08:12:59 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
- Update to 4.2.7
* Fixed a regression in Django 4.2 that caused a crash of
QuerySet.aggregate() with aggregates referencing expressions
containing subqueries
* Restored, following a regression in Django 4.2, creating
varchar/text_pattern_ops indexes on CharField and TextField with
deterministic collations on PostgreSQL
-------------------------------------------------------------------
Mon Oct 16 08:33:05 UTC 2023 - Daniel Garcia Moreno <daniel.garcia@suse.com>
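Review bot: The Nov 27 2023 entry adds dirty-hack-remove-assert.patch "from fedora" without an upstream issue or bug reference and without naming the assertion it removes, unlike the python3122.patch entry above it, which cites gh#django/django#17843 and is later recorded as "Remove python3122.patch, already upstream". Add the reference and say which test assertion is dropped, so that the patch can be retired once upstream is fixed; none of the later entries shown here records it being removed.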
@@ -42,7 +143,7 @@ Mon Oct 16 08:33:05 UTC 2023 - Daniel Garcia Moreno <daniel.garcia@suse.com>
-------------------------------------------------------------------
Mon Sep 4 12:10:50 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
- Update to 4.2.5 (CVE-2023-41164)
- Update to 4.2.5 (CVE-2023-41164)
+ Bugfixes
* Fixed a regression in Django 4.2 that caused an incorrect
validation of CheckConstraints on __isnull lookups against
@@ -133,7 +234,8 @@ Tue Jun 6 06:35:28 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
Thu May 4 07:02:58 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
- Update to 4.2.1
+ CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field
+ CVE-2023-31047: Potential bypass of validation when uploading
multiple files using one form field (bsc#1210866)
+ Bugfixes
* Fixed a regression in Django 4.2 that caused a crash of
QuerySet.defer() when deferring fields by attribute names
@@ -173,7 +275,7 @@ Thu May 4 07:02:58 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
-------------------------------------------------------------------
Thu Apr 6 06:38:13 UTC 2023 - David Anes <david.anes@suse.com>
- Update minimal dependency versions.
- Update minimal dependency versions.
-------------------------------------------------------------------
Tue Apr 4 07:19:56 UTC 2023 - David Anes <david.anes@suse.com>
@@ -213,7 +315,7 @@ Wed Feb 1 12:48:49 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
Mon Jan 2 19:07:30 UTC 2023 - David Anes <david.anes@suse.com>
- Update to 4.1.5:
+ Fixed a long standing bug in the __len lookup for ArrayField
+ Fixed a long standing bug in the __len lookup for ArrayField
that caused a crash of model validation on Meta.constraints.
- Update keyring file.
@@ -476,14 +578,14 @@ Tue Dec 7 14:09:24 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
deprecated and will be removed in Django 5.0.
- The new *expressions positional argument of
UniqueConstraint() enables creating functional unique
constraints on expressions and database functions.
constraints on expressions and database functions.
- The new scrypt password hasher is more secure and recommended
over PBKDF2. However, its not the default as it requires
OpenSSL 1.1+ and more memory.
- Redis cache backend
- Template based form rendering. Forms, Formsets, and ErrorList
are now rendered using the template engine to enhance
customization.
customization.
-------------------------------------------------------------------
Tue Nov 2 12:45:45 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
@@ -592,7 +694,7 @@ Thu May 6 08:54:41 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
Wed May 5 17:25:18 UTC 2021 - Ben Greiner <code@bnavigator.de>
- Keep rpm runtime requirements in sync. Downstream packages often
read the egg-info and fail if they are not fulfilled.
read the egg-info and fail if they are not fulfilled.
-------------------------------------------------------------------
Wed May 5 08:44:30 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
@@ -650,7 +752,7 @@ Tue Apr 6 09:27:50 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
+ Customizing type of auto-created primary keys
+ Functional indexes
+ pymemcache support
+ New decorators for the admin site
+ New decorators for the admin site
+ For a complete description of new features check:
https://github.com/django/django/blob/main/docs/releases/3.2.txt
- Update PYTHOPATH to include the local tests
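Review bot: "Update PYTHOPATH to include the local tests" on the last context line of this hunk misspells PYTHONPATH. It is worth correcting while this entry is being touched, since a search of the changelog for the variable name will miss it.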
@@ -729,13 +831,13 @@ Wed Sep 9 14:14:08 UTC 2020 - Marketa Calabkova <mcalabkova@suse.com>
- Update to 3.1.1
* CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
* CVE-2020-24584: Permission escalation in intermediate-level directories of the file
* CVE-2020-24584: Permission escalation in intermediate-level directories of the file
system cache on Python 3.7+
* Fixed a data loss possibility in the select_for_update(). When using related fields
* Fixed a data loss possibility in the select_for_update(). When using related fields
pointing to a proxy model in the of argument, the corresponding model was not locked
* Fixed a regression in Django 3.1 that caused a crash when decoding an invalid session data
* Fixed __in lookup on key transforms for JSONField with MariaDB, MySQL, Oracle, and SQLite
* Fixed a regression in Django 3.1 that caused permission errors in CommonPasswordValidator
* Fixed a regression in Django 3.1 that caused permission errors in CommonPasswordValidator
and settings.py
-------------------------------------------------------------------
@@ -774,7 +876,7 @@ Wed Jul 8 11:52:27 UTC 2020 - Ondřej Súkup <mimi.vx@gmail.com>
a filterable attribute to be used as the right-hand side in queryset filters
* Fixed a regression in Django 3.0.2 that caused a migration crash
on PostgreSQL when adding a foreign key to a model with a namespaced db_table
* Added compatibility for cx_Oracle 8
* Added compatibility for cx_Oracle 8
-------------------------------------------------------------------
Thu Jun 4 14:35:25 UTC 2020 - Ondřej Súkup <mimi.vx@gmail.com>
@@ -785,7 +887,7 @@ Thu Jun 4 14:35:25 UTC 2020 - Ondřej Súkup <mimi.vx@gmail.com>
memcached keys
* boo#1172167 - CVE-2020-13596: Possible XSS via admin
ForeignKeyRawIdWidget
* many other bugfixes
* many other bugfixes
-------------------------------------------------------------------
Thu Apr 30 05:14:28 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
@@ -796,7 +898,7 @@ Thu Apr 30 05:14:28 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
-------------------------------------------------------------------
Thu Apr 23 16:58:12 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
- Update to 3.0.5
- Update to 3.0.5
https://docs.djangoproject.com/en/3.0/releases/3.0.5/
https://docs.djangoproject.com/en/3.0/releases/3.0.4/
https://docs.djangoproject.com/en/3.0/releases/3.0.3/
@@ -1041,14 +1143,14 @@ Mon Dec 10 11:52:42 UTC 2018 - Ondřej Súkup <mimi.vx@gmail.com>
* Fixed admin view-only change form crash when using ModelAdmin.prepopulated_fields
* Fixed “Please correct the errors below” error message when editing an object
in the admin if the user only has the “view” permission on inlines
* Fixed a regression in Django 2.0 where combining Q objects with __in lookups
* Fixed a regression in Django 2.0 where combining Q objects with __in lookups
and lists crashed
* Fixed a regression in Django 2.0 where test databases arent reused
with manage.py test --keepdb on MySQL
* Fixed a regression where cached foreign keys that use to_field were
incorrectly cleared in Model.save()
* Fixed a regression in Django 2.0 where FileSystemStorage crashes
with FileExistsError if concurrent saves try to create the same directory
with FileExistsError if concurrent saves try to create the same directory
-------------------------------------------------------------------
Thu Oct 4 13:13:00 UTC 2018 - Alberto Planas Dominguez <aplanas@suse.com>
@@ -1324,7 +1426,7 @@ Tue Dec 12 21:12:18 UTC 2017 - mimi.vx@gmail.com
* Removed support for bytestrings in some places
* Dropped support for Oracle 11.2
- Please read Release Notes - https://docs.djangoproject.com/en/2.0/releases/2.0/
-------------------------------------------------------------------
Tue Dec 12 05:16:57 UTC 2017 - tbechtold@suse.com
@@ -1698,8 +1800,8 @@ Tue Apr 4 14:38:13 UTC 2017 - appleonkel@opensuse.org
- Update to 1.10.7
Bugfixes
* Made admins RelatedFieldWidgetWrapper use the wrapped widgets
value_omitted_from_data() method (#27905)
* Made admins RelatedFieldWidgetWrapper use the wrapped widgets
value_omitted_from_data() method (#27905)
* Fixed model form default fallback for SelectMultiple (#27993)
-------------------------------------------------------------------
@@ -1707,15 +1809,15 @@ Wed Mar 1 14:24:17 UTC 2017 - appleonkel@opensuse.org
- Update to 1.10.6
Bugfixes
* Fixed ClearableFileInputs “Clear” checkbox on model form fields where the
model field has a default
* Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing rather than
* Fixed ClearableFileInputs “Clear” checkbox on model form fields where the
model field has a default
* Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing rather than
generating a bad request response
* Fixed a crash on Oracle and PostgreSQL when subtracting DurationField or
IntegerField from DateField
* Fixed query expression date subtraction accuracy on PostgreSQL for differences
* Fixed a crash on Oracle and PostgreSQL when subtracting DurationField or
IntegerField from DateField
* Fixed query expression date subtraction accuracy on PostgreSQL for differences
large an a month
* Fixed a GDALException raised by GDALClose on GDAL >= 2.0
* Fixed a GDALException raised by GDALClose on GDAL >= 2.0
-------------------------------------------------------------------
Tue Jan 31 14:00:11 UTC 2017 - michal@cihar.com
@@ -1731,8 +1833,8 @@ Fri Dec 2 10:17:25 UTC 2016 - appleonkel@opensuse.org
- Update to 1.9.12
Bugfixes
* Quoted the Oracle test users password in queries to fix the “ORA-00922: missing
or invalid option” error when the password starts with a number or
* Quoted the Oracle test users password in queries to fix the “ORA-00922: missing
or invalid option” error when the password starts with a number or
special character (#27420)
* DNS rebinding vulnerability when DEBUG=True
* CSRF protection bypass on a site with Google Analytics
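Review bot: The last two lines of this hunk, "DNS rebinding vulnerability when DEBUG=True" and "CSRF protection bypass on a site with Google Analytics", are security fixes filed under "Bugfixes" with no CVE or bug number, while other entries in this file carry the identifier in the entry itself (the 3.1.1 entry lists CVE-2020-24583 and CVE-2020-24584). Since the hunk already rewrites the first item of this entry, add the identifiers to these two items and separate them from the ordinary bug fixes.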
@@ -1741,7 +1843,7 @@ Fri Dec 2 10:17:25 UTC 2016 - appleonkel@opensuse.org
Sat Sep 24 16:42:55 UTC 2016 - sbahling@suse.com
- Change Requires: python-Pillow to python-imaging for compatibility
with SLE-12 which provides PIL instead of Pillow.
with SLE-12 which provides PIL instead of Pillow.
-------------------------------------------------------------------
Tue Aug 9 09:11:24 UTC 2016 - aplanas@suse.com
@@ -1791,7 +1893,7 @@ Tue May 3 08:23:48 UTC 2016 - aplanas@suse.com
Bugfixes
* Added support for relative path redirects to the test client and
to SimpleTestCase.assertRedirects() because Django 1.9 no longer
converts redirects to absolute URIs (#26428).
converts redirects to absolute URIs (#26428).
* Fixed TimeField microseconds round-tripping on MySQL and SQLite
(#26498).
* Prevented makemigrations from generating infinite migrations for a
@@ -1804,7 +1906,7 @@ Tue May 3 08:23:48 UTC 2016 - aplanas@suse.com
of GenericIPAddressField on SQLite and MySQL (#26557).
* Fixed a makemessages regression where temporary .py extensions
were leaked in source file paths (#26341).
-------------------------------------------------------------------
Sun May 1 12:29:52 UTC 2016 - michael@stroeder.com
@@ -1901,12 +2003,12 @@ Wed Jan 27 15:25:25 UTC 2016 - aplanas@suse.com
(#25894).
* ...
* https://docs.djangoproject.com/en/1.9/releases/1.9.1/
-------------------------------------------------------------------
Wed Dec 2 15:14:05 UTC 2015 - aplanas@suse.com
- update to 1.9 (CVE-2016-7401, CVE-2015-8213)
* https://docs.djangoproject.com/en/1.9/releases/1.9/
* https://docs.djangoproject.com/en/1.9/releases/1.9/
* Performing actions after a transaction commit
* Password validation
* Permission mixins for class-based views
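Review bot: The entry dated Wed Dec 2 2015 carries CVE-2016-7401 in its "update to 1.9" line, an identifier from the year after the entry's own date. If the reference was added retroactively for tracking, attach the matching bsc number or say so in the entry; otherwise move it to the entry for the release that actually contains the fix.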
@@ -2061,12 +2163,12 @@ Wed Jan 14 07:57:46 UTC 2015 - mcihar@suse.cz
affect users who have subclassed
django.contrib.auth.hashers.PBKDF2PasswordHasher to change the default
value.
* Fixed a crash in the CSRF middleware when handling non-ASCII referer
* Fixed a crash in the CSRF middleware when handling non-ASCII referer
header (#23815).
* Fixed a crash in the django.contrib.auth.redirect_to_login view when
* Fixed a crash in the django.contrib.auth.redirect_to_login view when
passing a reverse_lazy() result on Python 3 (#24097).
* Added correct formats for Greek (el) (#23967).
* Fixed a migration crash when unapplying a migration where multiple
* Fixed a migration crash when unapplying a migration where multiple
operations interact with the same model (#24110).
-------------------------------------------------------------------