From 64adc52e6eeab19510a0380d8f471757318da07155c98201dad582065c2645d6 Mon Sep 17 00:00:00 2001 
From: Thomas Bechtold Date: Thu, 10 Jan 2019 12:17:53 +0000 Subject: [PATCH] =?UTF-8?q?-=20update=20to=202.1.5=20(CVE-2019-3498,=20bsc?= =?UTF-8?q?#1120932):=20=20=20*=20CVE-2019-3498:=20Content=20spoofing=20po?= =?UTF-8?q?ssibility=20in=20the=20default=20404=20page=20=20=20*=20=20Fixe?= =?UTF-8?q?d=20compatibility=20with=20mysqlclient=201.3.14=20(#30013).=20?= =?UTF-8?q?=20=20*=20=20Fixed=20a=20schema=20corruption=20issue=20on=20SQL?= =?UTF-8?q?ite=203.26+.=20You=20might=20have=20to=20drop=20=20=20=20=20and?= =?UTF-8?q?=20rebuild=20your=20SQLite=20database=20if=20you=20applied=20a?= =?UTF-8?q?=20migration=20while=20using=20=20=20=20=20an=20older=20version?= =?UTF-8?q?=20of=20Django=20with=20SQLite=203.26=20or=20later=20(#29182).?= =?UTF-8?q?=20=20=20*=20Prevented=20SQLite=20schema=20alterations=20while?= =?UTF-8?q?=20foreign=20key=20checks=20are=20enabled=20=20=20=20=20to=20av?= =?UTF-8?q?oid=20the=20possibility=20of=20schema=20corruption=20(#30023).?= =?UTF-8?q?=20=20=20*=20Fixed=20a=20regression=20in=20Django=202.1.4=20(wh?= =?UTF-8?q?ich=20enabled=20keep-alive=20connections)=20=20=20=20=20where?= =?UTF-8?q?=20request=20body=20data=20isn=E2=80=99t=20properly=20consumed?= =?UTF-8?q?=20for=20such=20=20=20=20=20connections=20(#30015).=20=20=20*?= =?UTF-8?q?=20Fixed=20a=20regression=20in=20Django=202.1.4=20where=20=20?= =?UTF-8?q?=20=20=20InlineModelAdmin.has=5Fchange=5Fpermission()=20is=20in?= =?UTF-8?q?correctly=20called=20with=20=20=20=20=20a=20non-None=20obj=20ar?= =?UTF-8?q?gument=20during=20an=20object=20add=20(#30050).?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=18 --- Django-2.1.4.tar.gz | 3 -- Django-2.1.4.tar.gz.asc | 62 ----------------------------------------- Django-2.1.5.tar.gz | 3 ++ Django-2.1.5.tar.gz.asc | 62 +++++++++++++++++++++++++++++++++++++++++ python-Django.changes | 18 ++++++++++++ 
python-Django.spec | 4 +-- 6 files changed, 85 insertions(+), 67 deletions(-) delete mode 100644 Django-2.1.4.tar.gz delete mode 100644 Django-2.1.4.tar.gz.asc create mode 100644 Django-2.1.5.tar.gz create mode 100644 Django-2.1.5.tar.gz.asc
diff --git a/Django-2.1.4.tar.gz b/Django-2.1.4.tar.gz
deleted file mode 100644
index 221bf27..0000000
--- a/Django-2.1.4.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:068d51054083d06ceb32ce02b7203f1854256047a0d58682677dd4f81bceabd7
-size 8611886
diff --git a/Django-2.1.4.tar.gz.asc b/Django-2.1.4.tar.gz.asc
deleted file mode 100644
index 749ed21..0000000
--- a/Django-2.1.4.tar.gz.asc
+++ /dev/null
@@ -1,62 +0,0 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA256
-
-This file contains MD5, SHA1, and SHA256 checksums for the source-code
-tarball and wheel files of Django 2.1.4, released December 3, 2018.
-
-To use this file, you will need a working install of PGP or other
-compatible public-key encryption software. You will also need to have
-the Django release manager's public key in your keyring; this key has
-the ID ``E17DF5C82B4F9D00`` and can be imported from the MIT
-keyserver. For example, if using the open-source GNU Privacy Guard
-implementation of PGP:
-
- gpg --keyserver pgp.mit.edu --recv-key E17DF5C82B4F9D00
-
-Once the key is imported, verify this file::
-
- gpg --verify <>
-
-Once you have verified this file, you can use normal MD5, SHA1, or SHA256
-checksumming applications to generate the checksums of the Django
-package and compare them to the checksums listed below.
-
-Release packages:
-=================
-
-https://www.djangoproject.com/m/releases/2.1/Django-2.1.4-py3-none-any.whl
-https://www.djangoproject.com/m/releases/2.1/Django-2.1.4.tar.gz
-
-MD5 checksums
-=============
-
-96ce7a0bfe0237df2e16f3a6f82d9ea7 Django-2.1.4-py3-none-any.whl
-3afc8bcec941e37221287f1a5323b1f1 Django-2.1.4.tar.gz
-
-SHA1 checksums
-==============
-
-39a1cf838532be5f17ab62a535c1814a255da38d Django-2.1.4-py3-none-any.whl
-bfb1a983bbefbd71ca60a1aff230101b10623f65 Django-2.1.4.tar.gz
-
-SHA256 checksums
-================
-
-55409a056b27e6d1246f19ede41c6c610e4cab549c005b62cbeefabc6433356b Django-2.1.4-py3-none-any.whl
-068d51054083d06ceb32ce02b7203f1854256047a0d58682677dd4f81bceabd7 Django-2.1.4.tar.gz
------BEGIN PGP SIGNATURE-----
-
-iQIzBAEBCAAdFiEE/l+2OHah1xioxnVW4X31yCtPnQAFAlwFX0QACgkQ4X31yCtP
-nQB3eQ//XbMWCaErssy+NjeAxcJKAkR6rIbChiqGiHdWw61EmX9JPyrzWkO4W22z
-9yf8RE5w78FfRTyF0nvASNnXOPUxy3tKOsNJfJ29zY08gsOoYrn8td7qHQ0JmdJX
-zsQCYLWF4okdVNkAnIuJHAHL+irWodxrQw1FjW0UK32YHvgsEoTj0unx10bbHnCR
-znZY7dpZ1Lgd9ckAij7q++0l1EqtSszyNm+k6lr8da8VANT3dWRboxda+dr9B5a/
-yuB2xR3XJ1aJzhDdKjaUOI3SOw3Ev/4DT2g5CW4OMc/Mpb9U8JHiVIIpggrY+K5R
-uH5LNczyQUGYS3tCFabHa3LEtmCdo0DjWgPW92LwA9YPs5kygFw2iwGbRVVHSA5b
-jHiaD6x3W0JXJ9sKNA8cUlrV+GGGszevY4b6o3ofD3z3k0l5+NXqTTc7BRZlNVll
-uNJjHN8gwml4XOxeKLIF8DWhCqkI22mLX5vWQun2CnMBvsLem6ZhoqD3BvLb2wkc
-rkKw3ZscQcQNtghAi6lliNmt0WfYTuTqYSjvp9dXziLv2emAa2pUzUrM8UxWIT+l
-KINkuUrDiXRhth3TKNljfPnjS4PKeefnrwoMEXISG+XWydsKVtYSj8AXMtxeI/A4
-ZBTZdLe/dfy8VqH+6kChd2U/LGdyjyl+8ackatR5TWJa3EGdOsY=
-=st/2
------END PGP SIGNATURE-----
diff --git a/Django-2.1.5.tar.gz b/Django-2.1.5.tar.gz
new file mode 100644
index 0000000..040582f
--- /dev/null
+++ b/Django-2.1.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d6393918da830530a9516bbbcbf7f1214c3d733738779f06b0f649f49cc698c3
+size 8612384
diff --git a/Django-2.1.5.tar.gz.asc b/Django-2.1.5.tar.gz.asc
new file mode 100644
index 0000000..cf52aad
--- /dev/null
+++ b/Django-2.1.5.tar.gz.asc
@@ -0,0 +1,62 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+This file contains MD5, SHA1, and SHA256 checksums for the source-code
+tarball and wheel files of Django 2.1.5, released January 4, 2019.
+
+To use this file, you will need a working install of PGP or other
+compatible public-key encryption software. You will also need to have
+the Django release manager's public key in your keyring; this key has
+the ID ``1E8ABDC773EDE252`` and can be imported from the MIT
+keyserver. For example, if using the open-source GNU Privacy Guard
+implementation of PGP:
+
+ gpg --keyserver pgp.mit.edu --recv-key 1E8ABDC773EDE252
+
+Once the key is imported, verify this file::
+
+ gpg --verify <>
+
+Once you have verified this file, you can use normal MD5, SHA1, or SHA256
+checksumming applications to generate the checksums of the Django
+package and compare them to the checksums listed below.
+
+Release packages:
+=================
+
+https://www.djangoproject.com/m/releases/2.1/Django-2.1.5.tar.gz
+https://www.djangoproject.com/m/releases/2.1/Django-2.1.5-py3-none-any.whl
+
+MD5 checksums
+=============
+
+9309c48c8b92503b8969a7603a97e2a1 Django-2.1.5.tar.gz
+90ac057753cff4d5b154ef4ca3d0e1e6 Django-2.1.5-py3-none-any.whl
+
+SHA1 checksums
+==============
+
+67297b08e31b9f4562bb6813cc28b897fdcc49a5 Django-2.1.5.tar.gz
+ea100ac61c5b6288bef71488e4f5b287f3b99478 Django-2.1.5-py3-none-any.whl
+
+SHA256 checksums
+================
+
+d6393918da830530a9516bbbcbf7f1214c3d733738779f06b0f649f49cc698c3 Django-2.1.5.tar.gz
+a32c22af23634e1d11425574dce756098e015a165be02e4690179889b207c7a8 Django-2.1.5-py3-none-any.whl
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCAAdFiEENS9UlZg+ZfEFUeKFHoq9x3Pt4lIFAlwvY8cACgkQHoq9x3Pt
+4lLGShAAnGQDupqHxDdseKMuewzIaSKIzJqjbHwHA6L+56GVsgi+d4MMKr9x89sg
+HCP+5GCyUw0Tsm949FOY1lgcRnbhnhHW4YcwWbQgo05Qp0gGrNqMD1sP2l3uW82S
+eKMtYD1+0QP/7YXqtILzIYKTaHpw7NXHCHEsI7tTAoeXhj2VUu2L7o2D47OOX+8G
+B8nG8qTenCbCQUYRyuODKlal6OweEdkQZITFjWsVTmnh4idw91eymcrLCf7VPLq2
+am+SdYZ6US8p9+vjoBodPKGFOnRJ7fc2f6vWuu3W4X7mA3Qkzzq/rLdNRuulm62X
+LEiKiD5n8BQJXUK1dSgQz2t+aJR7VxUD7icpJA8AhrS0kJoBo5mcxO53JPK083CC
+1AaC3PI6JUM7/ZTuLP40He2nQxZ0W9OAchxSRAbNqCcqtJSJalCD4HBRqYQQH3eI
+OaKZmBnkGVjO/Yq92u/51TtT7aQuh3zm+u41C89hEnVOf5AGrEd6K4wGdTj4pFxj
+81Vi+UKtYoRp7DsExXPLCFA0zfM7yVi6oN4OYWntwGqBFKy5kHI0kjiptHLgzhyS
+zR2Vyc/ifSrN5FOeh/2AkfxqHY8vDEDCf/YQegZiO7mQUYm/wKHjtmgEQB64WeHx
+TGZjZ1xKbZvPR7hSgQragmvvVAhkCYSwu2fTUxwJs1zEIpBSxFk=
+=0YGP
+-----END PGP SIGNATURE-----
diff --git a/python-Django.changes b/python-Django.changes
index 6d322f8..a199808 100644
--- a/python-Django.changes
+++ b/python-Django.changes
@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Thu Jan 10 12:09:43 UTC 2019 - Thomas Bechtold
+
+- update to 2.1.5 (CVE-2019-3498, bsc#1120932):
+ * CVE-2019-3498: Content spoofing possibility in the default 404 page
+ * Fixed compatibility with mysqlclient 1.3.14 (#30013).
+ * Fixed a schema corruption issue on SQLite 3.26+. You might have to drop
+ and rebuild your SQLite database if you applied a migration while using
+ an older version of Django with SQLite 3.26 or later (#29182).
+ * Prevented SQLite schema alterations while foreign key checks are enabled
+ to avoid the possibility of schema corruption (#30023).
+ * Fixed a regression in Django 2.1.4 (which enabled keep-alive connections)
+ where request body data isn’t properly consumed for such
+ connections (#30015).
+ * Fixed a regression in Django 2.1.4 where
+ InlineModelAdmin.has_change_permission() is incorrectly called with
+ a non-None obj argument during an object add (#30050).
+
 -------------------------------------------------------------------
 Mon Dec 10 11:52:42 UTC 2018 - Ondřej Súkup
diff --git a/python-Django.spec b/python-Django.spec
index f718da9..2d0ef14 100644
--- a/python-Django.spec
+++ b/python-Django.spec
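Review bot: In the added Django-2.1.5.tar.gz.asc hunk the signing key ID is `1E8ABDC773EDE252`, whereas the removed 2.1.4 file named `E17DF5C82B4F9D00`, and the commit does not record that the new key was checked against the Django project's published release-manager keys. Because this file is a clearsigned checksum list, not a detached signature over the tarball, the check is two steps: verify the signature on the .asc, then compare the tarball's SHA256 with the listed value (the LFS `oid sha256:d6393918…` in the Django-2.1.5.tar.gz hunk does equal the listed one). I would note the result in python-Django.changes, e.g. `  * Verified Django-2.1.5.tar.gz.asc with release key <FULL-FINGERPRINT-PLACEHOLDER>`, using the full fingerprint rather than the 64-bit ID. Whether the package ships a keyring that needs the new key is not visible in these hunks.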
@@ -1,7 +1,7 @@
 #
 # spec file for package python-Django
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %define skip_python2 1
 Name: python-Django
-Version: 2.1.4
+Version: 2.1.5
 Release: 0
 Summary: A high-level Python Web framework
 License: BSD-3-Clause