From 1a863ea358dbf6f6e1cbc18b73984a6abc808583a56333d12c4f15f9f32958bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Mon, 2 Dec 2019 11:27:04 +0000 Subject: [PATCH] Accepting request 752866 from home:aplanas:branches:devel:languages:python:django MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Update to 2.2.8 * CVE-2019-19118: Privilege escalation in the Django admin (boo#1157705) * Fixed a data loss possibility in the admin changelist view when a custom formset’s prefix contains regular expression special characters, e.g. '$' * Fixed a regression in Django 2.2.1 that caused a crash when migrating permissions for proxy models with a multiple database setup if the default entry was empty * Fixed a data loss possibility in the select_for_update(). When using 'self' in the of argument with multi-table inheritance, a parent model was locked instead of the queryset’s model - Add patch fix-selenium-test.patch to fix a test when selenium is missing OBS-URL: https://build.opensuse.org/request/show/752866 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=45 --- Django-2.2.7.tar.gz | 3 -- Django-2.2.7.tar.gz.asc | 63 ----------------------------------------- Django-2.2.8.tar.gz | 3 ++ Django-2.2.8.tar.gz.asc | 62 ++++++++++++++++++++++++++++++++++++++++ fix-selenium-test.patch | 19 +++++++++++++ python-Django.changes | 17 +++++++++++ python-Django.spec | 6 ++-- 7 files changed, 105 insertions(+), 68 deletions(-) delete mode 100644 Django-2.2.7.tar.gz delete mode 100644 Django-2.2.7.tar.gz.asc create mode 100644 Django-2.2.8.tar.gz create mode 100644 Django-2.2.8.tar.gz.asc create mode 100644 fix-selenium-test.patch diff --git a/Django-2.2.7.tar.gz b/Django-2.2.7.tar.gz deleted file mode 100644 index c3bf76d..0000000 --- a/Django-2.2.7.tar.gz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:16040e1288c6c9f68c6da2fe75ebde83c0a158f6f5d54f4c5177b0c1478c5b86 -size 8999415 diff --git a/Django-2.2.7.tar.gz.asc b/Django-2.2.7.tar.gz.asc deleted file mode 100644 index ac1bb3d..0000000 --- a/Django-2.2.7.tar.gz.asc +++ /dev/null 
@@ -1,63 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA256 - -This file contains MD5, SHA1, and SHA256 checksums for the source-code -tarball and wheel files of Django 2.2.7, released November 4, 2019. - -To use this file, you will need a working install of PGP or other -compatible public-key encryption software. You will also need to have -the Django release manager's public key in your keyring; this key has -the ID ``2EF56372BA48CD1B`` and can be imported from the MIT -keyserver. For example, if using the open-source GNU Privacy Guard -implementation of PGP: - - gpg --keyserver pgp.mit.edu --recv-key 2EF56372BA48CD1B - -Once the key is imported, verify this file:: - - gpg --verify <> - -Once you have verified this file, you can use normal MD5, SHA1, or SHA256 -checksumming applications to generate the checksums of the Django -package and compare them to the checksums listed below. - -Release packages: -================= - -https://www.djangoproject.com/m/releases/2.2/Django-2.2.7-py3-none-any.whl -https://www.djangoproject.com/m/releases/2.2/Django-2.2.7.tar.gz - -MD5 checksums -============= - -501704dd5d29b597763a8e9dd7737f6b Django-2.2.7-py3-none-any.whl -b0833024aac4c8240467e4dc91a12e9b Django-2.2.7.tar.gz - -SHA1 checksums -============== - -40fc8e32c8d002cf44d9abebe57c24019fcda3ba Django-2.2.7-py3-none-any.whl -ef69a17d8547070880aba9171f2471eb4b921fed Django-2.2.7.tar.gz - -SHA256 checksums -================ - -89c2007ca4fa5b351a51a279eccff298520783b713bf28efb89dfb81c80ea49b Django-2.2.7-py3-none-any.whl -16040e1288c6c9f68c6da2fe75ebde83c0a158f6f5d54f4c5177b0c1478c5b86 Django-2.2.7.tar.gz ------BEGIN PGP SIGNATURE----- - -iQJPBAEBCAA5FiEEq7LCqM0B8WE2GLcNLvVjcrpIzRsFAl2/2JUbHGZlbGlzaWFr -Lm1hcml1c3pAZ21haWwuY29tAAoJEC71Y3K6SM0bzCIQAKaFzUHrxUJeFrgrkcUZ -LvCa3IjyuDJlHWzavSSjf7ZXQR3de52VUDtNwdD5yByMQpn/s/UWqKlKu8c7fh2V -+xagzCXYAbYbFyjoinZiZib7SPAffDITyFyy3FgxHNMS/g7pmuBPxic4oYyL0poP -OA1H26x4TpOWDCRLh9FncTWIkJusSekqsjjDKbfRr9GvkbAR9ueRfOFZn96PuOTF 
-JUcpkbntdZzVChl90LHDMuJywSURChcoOci66fmaMXMoTblbBpdX1gTwNJeW4//d -WZb3LMbB9vq41XEnjttlcYXHrWNqsDSqkOB6kqa+dh6TLe0mmDpiphnDotHCHL6V -1PII9yVLUZ1l6vL36iXoWQaOPIeLbtRDYzk/IURY3QKE69FGxTOsVqbwMnS5jJvn -maOGtaYch/NWnRHVMoIO5+bh9SRkS+1wO3a6EFzl69TuVW5fm6vqfuDnknd24UEA -6UCsWhEQoG9ot6AyTXDTARQVrE5K2ujDheMiNXKqbAv+QUcjf3BzECdwBGC9LvAi -j3FkXTJ/Q1XUQaYZRJsELRNMs5DOrBTZ8/6EEVuP6gOQosbHaCzlcyGxqF6JpcYy -NOxAmKDVyvBS/N5WsgAQCVO7jeV7ytUN7rgUtruKW7GMUhUqq1h+Mg1QFy53lqip -U4wWM0jrmAxNBCw3hbqiaQQZ -=xLL3 ------END PGP SIGNATURE----- diff --git a/Django-2.2.8.tar.gz b/Django-2.2.8.tar.gz new file mode 100644 index 0000000..05d4f44 --- /dev/null +++ b/Django-2.2.8.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a4ad4f6f9c6a4b7af7e2deec8d0cbff28501852e5010d6c2dc695d3d1fae7ca0 +size 8870662 diff --git a/Django-2.2.8.tar.gz.asc b/Django-2.2.8.tar.gz.asc new file mode 100644 index 0000000..dfd1456 --- /dev/null +++ b/Django-2.2.8.tar.gz.asc 
@@ -0,0 +1,62 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +This file contains MD5, SHA1, and SHA256 checksums for the source-code +tarball and wheel files of Django 2.2.8, released December 2, 2019. + +To use this file, you will need a working install of PGP or other +compatible public-key encryption software. You will also need to have +the Django release manager's public key in your keyring; this key has +the ID ``E17DF5C82B4F9D00`` and can be imported from the MIT +keyserver. For example, if using the open-source GNU Privacy Guard +implementation of PGP: + + gpg --keyserver pgp.mit.edu --recv-key E17DF5C82B4F9D00 + +Once the key is imported, verify this file:: + + gpg --verify <> + +Once you have verified this file, you can use normal MD5, SHA1, or SHA256 +checksumming applications to generate the checksums of the Django +package and compare them to the checksums listed below. + +Release packages: +================= + +https://www.djangoproject.com/m/releases/2.2/Django-2.2.8-py3-none-any.whl +https://www.djangoproject.com/m/releases/2.2/Django-2.2.8.tar.gz + +MD5 checksums +============= + +2dd61e8dfadc3754e35f927d4142fc0f Django-2.2.8-py3-none-any.whl +57d965818410a4e00e2267eef66aa9c9 Django-2.2.8.tar.gz + +SHA1 checksums +============== + +ad9d4b417d4b99ec19548d7339b345d807de5000 Django-2.2.8-py3-none-any.whl +0a631fe2237fea6a60cdd5d02b618632b6e49a1b Django-2.2.8.tar.gz + +SHA256 checksums +================ + +fa98ec9cc9bf5d72a08ebf3654a9452e761fbb8566e3f80de199cbc15477e891 Django-2.2.8-py3-none-any.whl +a4ad4f6f9c6a4b7af7e2deec8d0cbff28501852e5010d6c2dc695d3d1fae7ca0 Django-2.2.8.tar.gz +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCAAdFiEE/l+2OHah1xioxnVW4X31yCtPnQAFAl3ky/QACgkQ4X31yCtP +nQBi8w//S+ZVGHyo35gekAy3j11PmUuiD2nhGlrmfZgiBsAepcxIpXH/ZYS+OWUY +ZYdyUYb9308YGiKzkOxOMmsqrZeEwzImQcf844MCbQcFkPe0NWc9FZ/RphCaStVN +pxoGHZOfV6bOyLVJO8jV4YqDl/MBWdvtFDMhrrJlZSmgmVDAfpSV+BFUmoFaiC2i +vd1fKKVLxTVZrr6L6ov0h8JM2gMPVoGp4P/WDofk1LuWRKLZmwtrp7PRdBeyf5jO 
+itoQD00qAt2IsdaXYuPkaCMdQWzCJDGiFFUjcRkzdZtLaKugTnuHMol9/lCcXkW1 +NL//xq+rh8YfyTkNk4rDHuu98urPz46z1kgvNOSJlgpTf4RWjk/va1s+/Cc28QSa +KVA4CcD+2+we781USYJG0B10+OsgzWbPV+50IOejVqrhj5QCSa6LRG37hp6iJThp ++2ZqM8DthouFdjliT1W3pEzcyII/nWqIibyWo7zMrQQk5N9f5E628KHIFlOeB7+8 +pinSTmfUpTS5leVBRIzc2LhdE9WYoPaFdQOm2AD7vHDIwYxy5l9uStyN25xi+Jp1 +EvsFmIKj9COc21L4nDujpgKdLJ0eiGAL6fJ6UQydvMaBsdbPXO8kTk/lXooQx1X/ +LhbnxqLG1Yzh9bxNHCGOGPDnWswGeTFNpAhRwtryCBASeItQzAE= +=xo2Q +-----END PGP SIGNATURE----- diff --git a/fix-selenium-test.patch b/fix-selenium-test.patch new file mode 100644 index 0000000..8bb478c --- /dev/null +++ b/fix-selenium-test.patch @@ -0,0 +1,19 @@ +Index: Django-2.2.8/tests/admin_inlines/tests.py +=================================================================== +--- Django-2.2.8.orig/tests/admin_inlines/tests.py ++++ Django-2.2.8/tests/admin_inlines/tests.py +@@ -1,5 +1,3 @@ +-from selenium.common.exceptions import NoSuchElementException +- + from django.contrib.admin import ModelAdmin, TabularInline + from django.contrib.admin.helpers import InlineAdminForm + from django.contrib.admin.tests import AdminSeleniumTestCase +@@ -1050,6 +1048,8 @@ class SeleniumTests(AdminSeleniumTestCas + self.assertEqual(Profile.objects.all().count(), 3) + + def test_add_inline_link_absent_for_view_only_parent_model(self): ++ from selenium.common.exceptions import NoSuchElementException ++ + user = User.objects.create_user('testing', password='password', is_staff=True) + user.user_permissions.add( + Permission.objects.get(codename='view_poll', content_type=ContentType.objects.get_for_model(Poll)) diff --git a/python-Django.changes b/python-Django.changes index 58e57af..ccf26cb 100644 --- a/python-Django.changes +++ b/python-Django.changes 
@@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Mon Dec 2 09:45:57 UTC 2019 - Alberto Planas Dominguez + +- Update to 2.2.8 + * CVE-2019-19118: Privilege escalation in the Django admin (boo#1157705) + * Fixed a data loss possibility in the admin changelist view when a + custom formset’s prefix contains regular expression special + characters, e.g. '$' + * Fixed a regression in Django 2.2.1 that caused a crash when + migrating permissions for proxy models with a multiple database + setup if the default entry was empty + * Fixed a data loss possibility in the select_for_update(). When + using 'self' in the of argument with multi-table inheritance, a + parent model was locked instead of the queryset’s model +- Add patch fix-selenium-test.patch to fix a test when selenium is + missing + ------------------------------------------------------------------- Fri Nov 15 10:53:24 UTC 2019 - Tomáš Chvátal diff --git a/python-Django.spec b/python-Django.spec index 31d2c17..89aacb8 100644 --- a/python-Django.spec +++ b/python-Django.spec @@ -1,7 +1,7 @@ # # spec file for package python-Django # -# Copyright (c) 2019 SUSE LLC. +# Copyright (c) 2019 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,7 +23,7 @@ %bcond_with memcached Name: python-Django # We want support LTS versions of Django - odd numbered 2.2 -> 2.4 -> 2.6 -> 3.0 etc -Version: 2.2.7 +Version: 2.2.8 Release: 0 Summary: A high-level Python Web framework License: BSD-3-Clause @@ -34,6 +34,7 @@ Source2: %{name}.keyring Source99: python-Django-rpmlintrc Patch0: i18n_test.patch Patch1: test_clear_site_cache-sort.patch +Patch2: fix-selenium-test.patch BuildRequires: %{python_module Jinja2 >= 2.9.2} BuildRequires: %{python_module Pillow} BuildRequires: %{python_module PyYAML} 
@@ -98,6 +99,7 @@ echo "`grep -e '^[0-9a-f]\{64\} Django-%{version}.tar.gz' %{SOURCE1} | cut -c1- %setup -q -n Django-%{version} %patch0 -p1 %patch1 -p1 +%patch2 -p1 chmod a-x django/contrib/admin/static/admin/js/vendor/xregexp/xregexp.js %build
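Review bot: The signing key changes between releases in the Django-2.2.8.tar.gz.asc hunk, and the packaged keyring is not updated alongside it. The new file names key ID E17DF5C82B4F9D00, the removed Django-2.2.7.tar.gz.asc named 2EF56372BA48CD1B, and python-Django.keyring (Source2 in the spec) is not among the seven files changed. Please confirm that the keyring already contains E17DF5C82B4F9D00 and that the signature on the new .asc verifies against it, or add the key in this request. The %prep line that greps a 64-hex-digit checksum for the tarball out of %{SOURCE1} is only as trustworthy as the file it reads from.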
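Review bot: In fix-selenium-test.patch the module-level `from selenium.common.exceptions import NoSuchElementException` is removed from tests/admin_inlines/tests.py and re-added only inside test_add_inline_link_absent_for_view_only_parent_model. Please check that no other test in that module references NoSuchElementException, since any that does would now fail with a NameError when selenium is installed. The patch file also starts directly at the `Index:` line; a short header saying why the import was moved and whether the change has been sent upstream would help whoever rebases it on the next update.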
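Review bot: The new `Patch2: fix-selenium-test.patch` line in python-Django.spec has no comment saying what the patch is for or what its upstream status is, so the next version bump has nothing to go on when deciding whether it can be dropped. Suggest a one-line comment above it. The `SUSE LLC.` to `SUSE LLC` copyright edit in the first spec hunk is unrelated to the version update and is not mentioned in python-Django.changes; if it comes from an automatic spec cleanup, that is fine, but it is worth saying so in the request.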