The NetBSD Project

CVS log for pkgsrc/www/py-django/Makefile

[BACK] Up to [cvs.NetBSD.org] / pkgsrc / www / py-django

Request diff between arbitrary revisions


Keyword substitution: kv
Default branch: MAIN


Revision 1.136: download - view: text, markup, annotated - select for diffs
Mon Nov 11 07:29:17 2024 UTC (17 hours, 8 minutes ago) by wiz
Branches: MAIN
CVS tags: HEAD
Diff to: previous 1.135: preferred, colored
Changes since revision 1.135: +1 -2 lines
py-*: remove unused tool dependency

py-setuptools includes the py-wheel functionality nowadays

Revision 1.135: download - view: text, markup, annotated - select for diffs
Tue Nov 5 08:35:58 2024 UTC (6 days, 16 hours ago) by adam
Branches: MAIN
Diff to: previous 1.134: preferred, colored
Changes since revision 1.134: +2 -2 lines
py-django: updated to 5.1.3

Django 5.1.3 fixes several bugs in 5.1.2 and adds compatibility with Python 3.13.

Bugfixes

Fixed a bug in Django 5.1 where DomainNameValidator accepted any input value that contained a valid domain name, rather than only input values that were a valid domain name

Fixed a regression in Django 5.1 that prevented the use of DB-IP databases with GeoIP2

Fixed a regression in Django 5.1 where non-ASCII fieldset names were not displayed when rendering admin fieldsets

Revision 1.134: download - view: text, markup, annotated - select for diffs
Mon Oct 14 06:46:05 2024 UTC (4 weeks ago) by wiz
Branches: MAIN
Diff to: previous 1.133: preferred, colored
Changes since revision 1.133: +2 -2 lines
*: clean-up after python38 removal

Revision 1.133: download - view: text, markup, annotated - select for diffs
Tue Oct 8 17:42:20 2024 UTC (4 weeks, 6 days ago) by adam
Branches: MAIN
Diff to: previous 1.132: preferred, colored
Changes since revision 1.132: +2 -2 lines
py-django: updated to 5.1.2

5.1.2

Fixed a regression in Django 5.1 that caused a crash when using the PostgreSQL lookup trigram_similar on output fields from Concat
Fixed a regression in Django 5.1 that caused a crash of JSONObject() when using server-side binding with PostgreSQL 16+
Fixed a regression in Django 5.1 that made selected items in multi-select widgets indistinguishable from non-selected items in the admin dark theme

Revision 1.132: download - view: text, markup, annotated - select for diffs
Fri Sep 6 07:08:44 2024 UTC (2 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2024Q3-base, pkgsrc-2024Q3
Diff to: previous 1.131: preferred, colored
Changes since revision 1.131: +4 -4 lines
py-django: updated to 5.1.1

Django 5.1.1 fixes one security issue with severity “moderate”, one security issue with severity “low”, and several bugs in 5.1.

CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize()

urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

CVE-2024-45231: Potential user email enumeration via response status on password reset

Due to unhandled email sending failures, the PasswordResetForm class allowed remote attackers to enumerate user emails by issuing password reset requests and observing the outcomes.

To mitigate this risk, exceptions occurring during password reset email sending are now handled and logged using the django.contrib.auth logger.

Bugfixes

Fixed a regression in Django 5.1 that caused a crash of Window() when passing an empty sequence to the order_by parameter, and a crash of Prefetch() for a sliced queryset without ordering.
Fixed a regression in Django 5.1 where a new usable_password field was included in BaseUserCreationForm (and children). A new AdminUserCreationForm including this field was added, isolating the feature to the admin where it was intended.
Adjusted the deprecation warning stacklevel in Model.save() and Model.asave() to correctly point to the offending call site.
Adjusted the deprecation warning stacklevel when using OS_OPEN_FLAGS in FileSystemStorage to correctly point to the offending call site.
Adjusted the deprecation warning stacklevel in FieldCacheMixin.get_cache_name() to correctly point to the offending call site.
Restored, following a regression in Django 5.1, the ability to override the timezone and role setting behavior used within the init_connection_state method of the PostgreSQL backend.
Fixed a bug in Django 5.1 where variable lookup errors were logged when rendering admin fieldsets.

Revision 1.131: download - view: text, markup, annotated - select for diffs
Tue Aug 6 20:14:10 2024 UTC (3 months ago) by adam
Branches: MAIN
Diff to: previous 1.130: preferred, colored
Changes since revision 1.130: +2 -2 lines
py-django: updated to 5.0.8

Django 5.0.8 fixes three security issues with severity “moderate”, one security issue with severity “high”, and several bugs in 5.0.7.

CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat()

If floatformat received a string representation of a number in scientific notation with a large exponent, it could lead to significant memory consumption.

To avoid this, decimals with more than 200 digits are now returned as is.

CVE-2024-41990: Potential denial-of-service vulnerability in django.utils.html.urlize()

urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget

urlize, urlizetrunc, and AdminURLFieldWidget were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()

QuerySet.values() and values_list() methods on models with a JSONField were subject to SQL injection in column aliases, via a crafted JSON object key as a passed *arg.

Bugfixes

Added missing validation for UniqueConstraint(nulls_distinct=False) when using *expressions
Fixed a regression in Django 5.0 where ModelAdmin.action_checkbox could break the admin changelist HTML page when rendering a model instance with a __html__ method
Fixed a crash when creating a model with a Field.db_default and a Meta.constraints constraint composed of __endswith, __startswith, or __contains lookups
Fixed a regression in Django 5.0.7 that caused a crash in LocaleMiddleware when processing a language code over 500 characters
Fixed a bug in Django 5.0 that caused a system check crash when ModelAdmin.date_hierarchy was a GeneratedField with an output_field of DateField or DateTimeField
Fixed a bug in Django 5.0 which caused constraint validation to either crash or incorrectly raise validation errors for constraints referring to fields using Field.db_default
Fixed a crash in Django 5.0 when saving a model containing a FileField with a db_default set

Revision 1.130: download - view: text, markup, annotated - select for diffs
Thu Jul 11 18:51:35 2024 UTC (4 months ago) by adam
Branches: MAIN
Diff to: previous 1.129: preferred, colored
Changes since revision 1.129: +2 -2 lines
py-django: updated to 5.0.7

Django 5.0.7 fixes two security issues with severity “moderate”, two security issues with severity “low”, and one bug in 5.0.6.

CVE-2024-38875: Potential denial-of-service vulnerability in django.utils.html.urlize()

urlize and urlizetrunc were subject to a potential denial-of-service attack via certain inputs with a very large number of brackets.

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords

The authenticate() method allowed remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords.

CVE-2024-39330: Potential directory-traversal via Storage.save()

Derived classes of the Storage base class which override generate_filename() without replicating the file path validations existing in the parent class, allowed for potential directory-traversal via certain inputs when calling save().

Built-in Storage sub-classes were not affected by this vulnerability.

CVE-2024-39614: Potential denial-of-service vulnerability in get_supported_language_variant()

get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.

To mitigate this vulnerability, the language code provided to get_supported_language_variant() is now parsed up to a maximum length of 500 characters.

When the language code is over 500 characters, a ValueError will now be raised if strict is True, or if there is no generic variant and strict is False.

Bugfixes

Fixed a bug in Django 5.0 that caused a crash of Model.full_clean() on unsaved model instances with a GeneratedField and certain defined Meta.constraints.

Revision 1.129: download - view: text, markup, annotated - select for diffs
Tue May 7 18:16:55 2024 UTC (6 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2024Q2-base, pkgsrc-2024Q2
Diff to: previous 1.128: preferred, colored
Changes since revision 1.128: +2 -4 lines
py-django: updated to 5.0.6

Django 5.0.6 fixes a packaging error in 5.0.5.

Revision 1.128: download - view: text, markup, annotated - select for diffs
Tue May 7 03:55:16 2024 UTC (6 months ago) by adam
Branches: MAIN
Diff to: previous 1.127: preferred, colored
Changes since revision 1.127: +4 -2 lines
py-django: updated to 5.0.5

Django 5.0.5 fixes several bugs in 5.0.4.

Fixed a bug in Django 5.0 that caused a crash of Model.save() when creating an instance of a model with a GeneratedField and providing a primary key
Fixed a compatibility issue encountered in Python 3.11.9+ and 3.12.3+ when validating email max line lengths with content decoded using the surrogateescape error handling scheme
Fixed a bug in Django 5.0 that caused a crash when applying migrations including alterations to GeneratedField such as setting db_index=True on SQLite
Allowed importing aprefetch_related_objects from django.db.models
Fixed a bug in Django 5.0 that caused a migration crash when a GeneratedField was added before any of the referenced fields from its expression definition
Fixed a bug in Django 5.0 that caused a migration crash when altering a GeneratedField referencing a renamed field
Fixed a bug in Django 5.0 where the querysets argument of GenericPrefetch was not required

Revision 1.127: download - view: text, markup, annotated - select for diffs
Fri Apr 5 10:40:17 2024 UTC (7 months, 1 week ago) by adam
Branches: MAIN
Diff to: previous 1.126: preferred, colored
Changes since revision 1.126: +2 -2 lines
py-django: updated to 5.0.4

Django 5.0.4 fixes several bugs in 5.0.3.

Bugfixes

Fixed a bug in Django 5.0 that caused a crash of Model.full_clean() on fields with expressions in db_default. As a consequence, Model.full_clean() no longer validates for empty values in fields with db_default
Fixed a regression in Django 5.0 where the AdminFileWidget could be rendered with two id attributes on the “Clear” checkbox
Fixed a bug in Django 5.0 that caused a migration crash on PostgreSQL 15+ when adding a partial UniqueConstraint with nulls_distinct
Fixed a crash in Django 5.0 when performing queries involving table aliases and lookups on a GeneratedField of the aliased table
Fixed a bug in Django 5.0 that caused a migration crash when adding a GeneratedField relying on the __contains or __icontains lookups or using a Value containing a "%"

Revision 1.126: download - view: text, markup, annotated - select for diffs
Mon Mar 4 15:49:51 2024 UTC (8 months, 1 week ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2024Q1-base, pkgsrc-2024Q1
Diff to: previous 1.125: preferred, colored
Changes since revision 1.125: +2 -2 lines
py-django: updated to 5.0.3

Django 5.0.3 fixes a security issue with severity “moderate” and several bugs in 5.0.2.

CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()

django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665).

Bugfixes

Fixed a regression in Django 5.0.2 where intcomma template filter could return a leading comma for string representation of floats.
Fixed a bug in Django 5.0 that caused a crash of Signal.asend() and asend_robust() when all receivers were asynchronous functions.
Fixed a regression in Django 5.0.1 where ModelAdmin.lookup_allowed() would prevent filtering against foreign keys using lookups like __isnull when the field was not included in ModelAdmin.list_filter.
Fixed a regression in Django 5.0 that caused a crash of @sensitive_variables and @sensitive_post_parameters decorators on functions loaded from .pyc files.
Fixed a regression in Django 5.0 that caused a crash when reloading a test database and a base queryset for a base manager used prefetch_related().
Fixed a bug in Django 5.0 where facet filters in the admin would crash on a SimpleListFilter using a queryset without primary keys.

Revision 1.125: download - view: text, markup, annotated - select for diffs
Thu Feb 8 22:43:53 2024 UTC (9 months ago) by adam
Branches: MAIN
Diff to: previous 1.124: preferred, colored
Changes since revision 1.124: +4 -9 lines
py-django: updated to 5.0.2

Django 5.0.2 fixes a security issue with severity “moderate” and several bugs in 5.0.1. Also, the latest string translations from Transifex are incorporated.

CVE-2024-24680: Potential denial-of-service in intcomma template filter

The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

Bugfixes

Reallowed, following a regression in Django 5.0.1, filtering against local foreign keys not included in ModelAdmin.list_filter
Fixed a regression in Django 5.0 where links in the admin had an incorrect color
Fixed a bug in Django 5.0 that caused a crash of Model.full_clean() on models with a GeneratedField
Fixed a regression in Django 5.0 that caused a crash of FilteredRelation() with querysets as right-hand sides
Fixed a regression in Django 5.0 that caused a crash of the dumpdata management command when a base queryset used prefetch_related()
Fixed a regression in Django 5.0 that caused the request_finished signal to sometimes not be fired when running Django through an ASGI server, resulting in potential resource leaks
Fixed a bug in Django 5.0 that caused a migration crash on MySQL when adding a BinaryField, TextField, JSONField, or GeometryField with a db_default
Fixed a bug in Django 5.0 that caused a migration crash on models with a literal db_default of a complex type such as dict instance of a JSONField. Running makemigrations might generate no-op AlterField operations for fields using db_default

Revision 1.124: download - view: text, markup, annotated - select for diffs
Tue Jan 9 12:56:11 2024 UTC (10 months ago) by adam
Branches: MAIN
Diff to: previous 1.123: preferred, colored
Changes since revision 1.123: +2 -2 lines
py-django: updated to 4.2.9

4.2.9
Bugfixes
Fixed a regression in Django 4.2.8 where admin fields on the same line could overflow the page and become non-interactive

Revision 1.123: download - view: text, markup, annotated - select for diffs
Mon Dec 4 17:25:15 2023 UTC (11 months, 1 week ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2023Q4-base, pkgsrc-2023Q4
Diff to: previous 1.122: preferred, colored
Changes since revision 1.122: +2 -4 lines
py-django: updated to 4.2.8

Django 4.2.8 fixes several bugs in 4.2.7 and adds compatibility with Python 3.12.

Bugfixes

Fixed a regression in Django 4.2 that caused makemigrations --check to stop displaying pending migrations
Fixed a regression in Django 4.2 that caused a crash of QuerySet.aggregate() with aggregates referencing other aggregates or window functions through conditional expressions
Fixed a regression in Django 4.2 that caused a crash when annotating a QuerySet with a Window expressions composed of a partition_by clause mixing field types and aggregation expressions
Fixed a regression in Django 4.2 where the admin’s change list page had misaligned pagination links and inputs when using list_editable
Fixed a regression in Django 4.2 where checkboxes in the admin would be centered on narrower screen widths
Fixed a regression in Django 4.2 that caused a crash of querysets with aggregations on MariaDB when the ONLY_FULL_GROUP_BY SQL mode was enabled
Fixed a regression in Django 4.2 where the admin’s read-only password widget and some help texts were incorrectly aligned at tablet widths
Fixed a regression in Django 4.2 that caused a migration crash on SQLite when altering unsupported Meta.db_table_comment

Revision 1.122: download - view: text, markup, annotated - select for diffs
Wed Nov 1 20:14:51 2023 UTC (12 months, 1 week ago) by adam
Branches: MAIN
Diff to: previous 1.121: preferred, colored
Changes since revision 1.121: +5 -3 lines
py-django: updated to 4.2.7

4.2.7

CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows

Revision 1.121: download - view: text, markup, annotated - select for diffs
Wed Oct 4 21:37:14 2023 UTC (13 months, 1 week ago) by adam
Branches: MAIN
Diff to: previous 1.120: preferred, colored
Changes since revision 1.120: +15 -9 lines
py-django: added version 4.2.6

What’s new in Django 4.2

Psycopg 3 support
Comments on columns and tables
Mitigation for the BREACH attack
In-memory file storage
Custom file storages

Revision 1.120
Thu Jul 13 10:05:32 2023 UTC (16 months ago) by wiz
Branches: MAIN
FILE REMOVED
Changes since revision 1.119: +1 -1 lines
py-django, py-django14, py-django2: remove old django versions

Unsupported upstream (support ended 2020, 2013, 2022 resp.)

As proposed on pkgsrc-users on July 3.

Revision 1.119: download - view: text, markup, annotated - select for diffs
Wed Nov 9 13:14:17 2022 UTC (2 years ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2023Q2-base, pkgsrc-2023Q2, pkgsrc-2023Q1-base, pkgsrc-2023Q1, pkgsrc-2022Q4-base, pkgsrc-2022Q4
Diff to: previous 1.118: preferred, colored
Changes since revision 1.118: +2 -2 lines
Reset MAINTAINER

Revision 1.118: download - view: text, markup, annotated - select for diffs
Wed Jan 5 15:51:59 2022 UTC (2 years, 10 months ago) by wiz
Branches: MAIN
CVS tags: pkgsrc-2022Q3-base, pkgsrc-2022Q3, pkgsrc-2022Q2-base, pkgsrc-2022Q2, pkgsrc-2022Q1-base, pkgsrc-2022Q1
Diff to: previous 1.117: preferred, colored
Changes since revision 1.117: +1 -2 lines
py-django*: switch to USE_PKG_RESOURCES

Revision 1.117: download - view: text, markup, annotated - select for diffs
Wed Jan 5 15:41:29 2022 UTC (2 years, 10 months ago) by wiz
Branches: MAIN
Diff to: previous 1.116: preferred, colored
Changes since revision 1.116: +4 -2 lines
python: egg.mk: add USE_PKG_RESOURCES flag

This flag should be set for packages that import pkg_resources
and thus need setuptools after the build step.

Set this flag for packages that need it and bump PKGREVISION.

Revision 1.116: download - view: text, markup, annotated - select for diffs
Wed Jan 5 10:09:53 2022 UTC (2 years, 10 months ago) by wiz
Branches: MAIN
Diff to: previous 1.115: preferred, colored
Changes since revision 1.115: +3 -2 lines
py-django*: add dependency on py-setuptools

These use pkg_resources.

Noted by joerg.

Bump PKGREVISION.

Revision 1.115: download - view: text, markup, annotated - select for diffs
Tue Jan 4 20:55:17 2022 UTC (2 years, 10 months ago) by wiz
Branches: MAIN
Diff to: previous 1.114: preferred, colored
Changes since revision 1.114: +2 -1 lines
*: bump PKGREVISION for egg.mk users

They now have a tool dependency on py-setuptools instead of a DEPENDS

Revision 1.114: download - view: text, markup, annotated - select for diffs
Thu Mar 12 16:22:38 2020 UTC (4 years, 8 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2021Q4-base, pkgsrc-2021Q4, pkgsrc-2021Q3-base, pkgsrc-2021Q3, pkgsrc-2021Q2-base, pkgsrc-2021Q2, pkgsrc-2021Q1-base, pkgsrc-2021Q1, pkgsrc-2020Q4-base, pkgsrc-2020Q4, pkgsrc-2020Q3-base, pkgsrc-2020Q3, pkgsrc-2020Q2-base, pkgsrc-2020Q2, pkgsrc-2020Q1-base, pkgsrc-2020Q1
Diff to: previous 1.113: preferred, colored
Changes since revision 1.113: +2 -2 lines
py-django: updated to 1.11.29

Django 1.11.29 fixes a security issue in 1.11.28.

CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle

GIS functions and aggregates on Oracle were subject to SQL injection, using a suitably crafted tolerance.

Revision 1.113: download - view: text, markup, annotated - select for diffs
Tue Feb 4 17:23:11 2020 UTC (4 years, 9 months ago) by adam
Branches: MAIN
Diff to: previous 1.112: preferred, colored
Changes since revision 1.112: +2 -2 lines
py-django: updated to 1.11.28

Django 1.11.28 fixes a security issue:
CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)
StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter.

Revision 1.112: download - view: text, markup, annotated - select for diffs
Thu Dec 19 13:39:50 2019 UTC (4 years, 10 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2019Q4-base, pkgsrc-2019Q4
Diff to: previous 1.111: preferred, colored
Changes since revision 1.111: +2 -2 lines
py-django: updated to 1.11.27

Django 1.11.27 fixes a security issue and a data loss bug in 1.11.26.

CVE-2019-19844: Potential account hijack via password reset form

By submitting a suitably crafted email address making use of Unicode characters, that compared equal to an existing user email when lower-cased for comparison, an attacker could be sent a password reset token for the matched account.

In order to avoid this vulnerability, password reset requests now compare the submitted email using the stricter, recommended algorithm for case-insensitive comparison of two identifiers from Unicode Technical Report 36, section 2.11.2(B)(2). Upon a match, the email containing the reset token will be sent to the email address on record rather than the submitted address.

Bugfixes
* Fixed a data loss possibility in SplitArrayField. When using with ArrayField(BooleanField()), all values after the first True value were marked as checked instead of preserving passed values

Revision 1.111: download - view: text, markup, annotated - select for diffs
Tue Nov 5 07:40:16 2019 UTC (5 years ago) by adam
Branches: MAIN
Diff to: previous 1.110: preferred, colored
Changes since revision 1.110: +2 -2 lines
py-django: updated to 1.11.26

Django 1.11.26:
Fixed a crash when using a contains, contained_by, has_key, has_keys, or has_any_keys lookup on JSONField, if the right or left hand side of an expression is a key transform.

Revision 1.110: download - view: text, markup, annotated - select for diffs
Tue Oct 1 17:56:03 2019 UTC (5 years, 1 month ago) by adam
Branches: MAIN
Diff to: previous 1.109: preferred, colored
Changes since revision 1.109: +2 -2 lines
py-django: updated to 1.11.25

Django 1.11.25:
Fixed a crash when filtering with a Subquery() annotation of a queryset containing JSONField or HStoreField

Revision 1.109: download - view: text, markup, annotated - select for diffs
Wed Sep 4 08:31:06 2019 UTC (5 years, 2 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2019Q3-base, pkgsrc-2019Q3
Diff to: previous 1.108: preferred, colored
Changes since revision 1.108: +2 -2 lines
py-django: updated to 1.11.24

Django 1.11.24 fixes a regression in 1.11.23.

Bugfixes
Fixed crash of KeyTransform() for JSONField and HStoreField when using on expressions with params

Revision 1.108: download - view: text, markup, annotated - select for diffs
Tue Aug 6 09:30:46 2019 UTC (5 years, 3 months ago) by adam
Branches: MAIN
Diff to: previous 1.107: preferred, colored
Changes since revision 1.107: +2 -2 lines
py-django: updated to 1.11.23

Django 1.11.23:
* CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator
* CVE-2019-14233: Denial-of-service possibility in strip_tags()
* CVE-2019-14234: SQL injection possibility in key and index lookups for JSONField/HStoreField
* CVE-2019-14235: Potential memory exhaustion in django.utils.encoding.uri_to_iri()

Revision 1.107: download - view: text, markup, annotated - select for diffs
Mon Jul 1 18:23:52 2019 UTC (5 years, 4 months ago) by adam
Branches: MAIN
Diff to: previous 1.106: preferred, colored
Changes since revision 1.106: +2 -2 lines
py-django: updated to 1.11.22

Django 1.11.22:
Fix CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS

Revision 1.105.2.1: download - view: text, markup, annotated - select for diffs
Tue Jun 4 09:10:44 2019 UTC (5 years, 5 months ago) by bsiegert
Branches: pkgsrc-2019Q1
Diff to: previous 1.105: preferred, colored; next MAIN 1.106: preferred, colored
Changes since revision 1.105: +4 -4 lines
Pullup ticket #5976 - requested by adam
www/py-django: security fix
www/py-django2: security fix

Revisions pulled up:
- www/py-django/Makefile                                        1.106
- www/py-django/distinfo                                        1.85
- www/py-django2/Makefile                                       1.17
- www/py-django2/PLIST                                          1.6
- www/py-django2/distinfo                                       1.15

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Mon Jun  3 12:33:00 UTC 2019

   Modified Files:
           pkgsrc/www/py-django: Makefile distinfo

   Log Message:
   py-django: updated to 1.11.21

   Django 1.11.21 release notes

   CVE-2019-12308: AdminURLFieldWidget XSS

   The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

   AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using formfield_overrides.

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Mon Jun  3 12:39:46 UTC 2019

   Modified Files:
           pkgsrc/www/py-django2: Makefile PLIST distinfo

   Log Message:
   py-django2: updated to 2.2.2

   2.2.2:
   CVE-2019-12308: AdminURLFieldWidget XSS

   The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

   AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.

   2.2.1:
   Bugfixes

   Fixed a regression in Django 2.1 that caused the incorrect quoting of database user password when using dbshell on Oracle
   Added compatibility for psycopg2 2.8
   Fixed a regression in Django 2.2 that caused a crash when loading the template for the technical 500 debug page
   Fixed crash of ordering argument in ArrayAgg and StringAgg when it contains an expression with params
   Fixed a regression in Django 2.2 that caused a single instance fast-delete to not set the primary key to None
   Prevented makemigrations from generating infinite migrations for check constraints and partial indexes when condition contains a range object
   Reverted an optimization in Django 2.2
   Fixed a regression in Django 2.2 where Paginator crashes if object_list is a queryset ordered or aggregated over a nested JSONField key transform
   Fixed a regression in Django 2.2 where IntegerField validation of database limits crashes if limit_value attribute in a custom validator is callable
   Fixed a regression in Django 2.2 where SearchVector generates SQL that is not indexable
   Fixed a regression in Django 2.2 that caused an exception to be raised when a custom error handler could not be imported
   Relaxed the system check added in Django 2.2 for the admin app’s dependencies to reallow use of SessionMiddleware subclasses, rather than requiring django.contrib.sessions to be in INSTALLED_APPS
   Increased the default timeout when using Watchman to 5 seconds to prevent falling back to StatReloader on larger projects and made it customizable via the DJANGO_WATCHMAN_TIMEOUT environment variable
   Fixed a regression in Django 2.2 that caused a crash when migrating permissions for proxy models if the target permissions already existed. For example, when a permission had been created manually or a model had been migrated from concrete to proxy
   Fixed a regression in Django 2.2 that caused a crash of runserver when URLConf modules raised exceptions
   Fixed a regression in Django 2.2 where changes were not reliably detected by auto-reloader when using StatReloader
   Fixed a migration crash on Oracle and PostgreSQL when adding a check constraint with a contains, startswith, or endswith lookup (or their case-insensitive variant)
   Fixed a migration crash on Oracle and SQLite when adding a check constraint with condition contains | (OR) operator
    Django 2.2.2 release notesDjango 2.2 release notes

   2.2:
   This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years. It will also receive fixes for crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for the next eight months until December 2019.

   As always, the release notes cover the salmagundi of new features in detail, but a few highlights are:
   * HttpRequest.headers to allow simple access to a request’s headers.
   * Database-level constraints on models.
   * Watchman compatibility for runserver to improve the performance of watching a large number of files for changes.

Revision 1.106: download - view: text, markup, annotated - select for diffs
Mon Jun 3 12:33:00 2019 UTC (5 years, 5 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2
Diff to: previous 1.105: preferred, colored
Changes since revision 1.105: +4 -4 lines
py-django: updated to 1.11.21

Django 1.11.21 release notes

CVE-2019-12308: AdminURLFieldWidget XSS

The clickable “Current URL” link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using formfield_overrides.

Revision 1.105: download - view: text, markup, annotated - select for diffs
Tue Feb 12 13:11:56 2019 UTC (5 years, 9 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2019Q1-base
Branch point for: pkgsrc-2019Q1
Diff to: previous 1.104: preferred, colored
Changes since revision 1.104: +2 -2 lines
py-django: updated to 1.11.20

1.11.20:
Bugfixes
Corrected packaging error from 1.11.19

1.11.19:
CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

If django.utils.numberformat.format() – used by contrib.admin as well as the the floatformat, filesizeformat, and intcomma templates filters – received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().

To avoid this, decimals with more than 200 digits are now formatted using scientific notation.

Revision 1.104: download - view: text, markup, annotated - select for diffs
Fri Jan 4 22:07:35 2019 UTC (5 years, 10 months ago) by adam
Branches: MAIN
Diff to: previous 1.103: preferred, colored
Changes since revision 1.103: +2 -2 lines
py-django: updated to 1.11.18

Django 1.11.18 fixes a security issue in 1.11.17.
CVE-2019-3498: Content spoofing possibility in the default 404 page

Revision 1.103: download - view: text, markup, annotated - select for diffs
Mon Dec 3 18:59:35 2018 UTC (5 years, 11 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2018Q4-base, pkgsrc-2018Q4
Diff to: previous 1.102: preferred, colored
Changes since revision 1.102: +4 -7 lines
py-django: updated to 1.11.17

Django 1.11.17 fixes several bugs in 1.11.16 and adds compatibility with Python 3.7.

Bugfixes:
Prevented repetitive calls to geos_version_tuple() in the WKBWriter class in an attempt to fix a random crash involving LooseVersion since Django 1.11.14.

Revision 1.102: download - view: text, markup, annotated - select for diffs
Tue Oct 2 08:06:44 2018 UTC (6 years, 1 month ago) by adam
Branches: MAIN
Diff to: previous 1.101: preferred, colored
Changes since revision 1.101: +2 -2 lines
py-django: updated to 1.11.16

Django 1.11.16:
Fixed a race condition in QuerySet.update_or_create() that could result in data loss

Revision 1.101: download - view: text, markup, annotated - select for diffs
Thu Aug 2 14:02:21 2018 UTC (6 years, 3 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2018Q3-base, pkgsrc-2018Q3
Diff to: previous 1.100: preferred, colored
Changes since revision 1.100: +2 -2 lines
py-django: updated to 1.11.5

1.11.5:
Fix CVE-2018-14574: Open redirect possibility in CommonMiddleware

If the CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks.

CommonMiddleware now escapes leading slashes to prevent redirects to other domains.

Revision 1.100: download - view: text, markup, annotated - select for diffs
Tue Jul 3 06:42:27 2018 UTC (6 years, 4 months ago) by adam
Branches: MAIN
Diff to: previous 1.99: preferred, colored
Changes since revision 1.99: +5 -2 lines
py-django: updated to 1.11.4

Django 1.11.14:

Bugfixes:
Fixed WKBWriter.write() and write_hex() for empty polygons on GEOS 3.6.1+.
Fixed a regression in Django 1.10 that could result in large memory usage when making edits using ModelAdmin.list_editable

Revision 1.99: download - view: text, markup, annotated - select for diffs
Wed May 2 06:28:35 2018 UTC (6 years, 6 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2018Q2-base, pkgsrc-2018Q2
Diff to: previous 1.98: preferred, colored
Changes since revision 1.98: +2 -2 lines
py-django: updated to 1.11.13

1.11.13:
Bugfixes
* Fixed a regression in Django 1.11.8 where altering a field with a unique constraint may drop and rebuild more foreign keys than necessary.
* Fixed crashes in django.contrib.admindocs when a view is a callable object, such as django.contrib.syndication.views.Feed.
* Fixed a regression in Django 1.11.12 where QuerySet.values() or values_list() after combining an annotated and unannotated queryset with union(), difference(), or intersection() crashed due to mismatching columns

Revision 1.98: download - view: text, markup, annotated - select for diffs
Tue Apr 3 08:58:32 2018 UTC (6 years, 7 months ago) by adam
Branches: MAIN
Diff to: previous 1.97: preferred, colored
Changes since revision 1.97: +2 -2 lines
py-django: updated to 1.11.12

Django 1.11.12:
Bugfixes:
Fixed a regression in Django 1.11.8 where combining two annotated values_list() querysets with union(), difference(), or intersection() crashed due to mismatching columns.
Fixed a regression in Django 1.11 where an empty choice could be initially selected for the SelectMultiple and CheckboxSelectMultiple widgets

Revision 1.97: download - view: text, markup, annotated - select for diffs
Tue Mar 6 20:04:06 2018 UTC (6 years, 8 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2018Q1-base, pkgsrc-2018Q1
Diff to: previous 1.96: preferred, colored
Changes since revision 1.96: +2 -2 lines
py-django: updated to 1.11.11

1.11.11:
CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters
CVE-2018-7537: Denial-of-service possibility in truncatechars_html and truncatewords_html template filters

Revision 1.96: download - view: text, markup, annotated - select for diffs
Fri Feb 2 07:55:34 2018 UTC (6 years, 9 months ago) by adam
Branches: MAIN
Diff to: previous 1.95: preferred, colored
Changes since revision 1.95: +4 -4 lines
py-django: updated to 1.11.10

1.11.10:

CVE-2018-6188: Information leakage in AuthenticationForm

A regression in Django 1.11.8 made AuthenticationForm run its confirm_login_allowed() method even if an incorrect password is entered. This can leak information about a user, depending on what messages confirm_login_allowed() raises. If confirm_login_allowed() isn’t overridden, an attacker enter an arbitrary username and see if that user has been set to is_active=False. If confirm_login_allowed() is overridden, more sensitive details could be leaked.

This issue is fixed with the caveat that AuthenticationForm can no longer raise the “This account is inactive.” error if the authentication backend rejects inactive users (the default authentication backend, ModelBackend, has done that since Django 1.10). This issue will be revisited for Django 2.1 as a fix to address the caveat will likely be too invasive for inclusion in older versions.

Bugfixes:
Fixed incorrect foreign key nullification if a model has two foreign keys to the same model and a target model is deleted.
Fixed a regression where contrib.auth.authenticate() crashes if an authentication backend doesn’t accept request and a later one does.
Fixed crash when entering an invalid uuid in ModelAdmin.raw_id_fields

Revision 1.95: download - view: text, markup, annotated - select for diffs
Wed Jan 3 07:23:45 2018 UTC (6 years, 10 months ago) by adam
Branches: MAIN
Diff to: previous 1.94: preferred, colored
Changes since revision 1.94: +2 -2 lines
py-django: updated to 1.11.9

Bugfixes:
Fixed a regression in Django 1.11 that added newlines between MultiWidget’s subwidgets.
Fixed incorrect class-based model index name generation for models with quoted db_table.
Fixed incorrect foreign key constraint name for models with quoted db_table.
Fixed a regression in caching of a GenericForeignKey when the referenced model instance uses more than one level of multi-table inheritance.

Revision 1.94: download - view: text, markup, annotated - select for diffs
Mon Dec 25 09:18:24 2017 UTC (6 years, 10 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2017Q4-base, pkgsrc-2017Q4
Diff to: previous 1.93: preferred, colored
Changes since revision 1.93: +6 -5 lines
REPLACE_PYTHON does not need WRKSRC

Revision 1.93: download - view: text, markup, annotated - select for diffs
Mon Dec 4 14:23:00 2017 UTC (6 years, 11 months ago) by adam
Branches: MAIN
Diff to: previous 1.92: preferred, colored
Changes since revision 1.92: +2 -2 lines
py-django: updated to 1.11.8

Django 1.11.8 fixes several bugs in 1.11.7:
* Reallowed, following a regression in Django 1.10, AuthenticationForm to raise the inactive user error when using ModelBackend.
* Added support for QuerySet.values() and values_list() for union(), difference(), and intersection() queries.
* Fixed incorrect index name truncation when using a namespaced db_table.
* Made QuerySet.iterator() use server-side cursors on PostgreSQL after values() and values_list().
* Fixed crash on SQLite and MySQL when ordering by a filtered subquery that uses nulls_first or nulls_last.
* Made query lookups for CICharField, CIEmailField, and CITextField use a citext cast.
* Fixed a regression in caching of a GenericForeignKey when the referenced model instance uses multi-table inheritance.
* Fixed “Cannot change column ‘x’: used in a foreign key constraint” crash on MySQL with a sequence of AlterField and/or RenameField operations in a migration

Revision 1.92: download - view: text, markup, annotated - select for diffs
Thu Nov 2 09:38:43 2017 UTC (7 years ago) by adam
Branches: MAIN
Diff to: previous 1.91: preferred, colored
Changes since revision 1.91: +2 -2 lines
py-django: updated to 1.11.7

1.11.7:
Bugfixes
* Prevented cache.get_or_set() from caching None if the default argument is a callable that returns None.
* Fixed the Basque DATE_FORMAT string.
* Made QuerySet.reverse() affect nulls_first and nulls_last.
* Fixed unquoted table names in Subquery SQL when using OuterRef

Revision 1.91: download - view: text, markup, annotated - select for diffs
Fri Oct 6 08:52:58 2017 UTC (7 years, 1 month ago) by adam
Branches: MAIN
Diff to: previous 1.90: preferred, colored
Changes since revision 1.90: +2 -2 lines
py-django: update to 1.11.6

Bugfixes:
* Made the CharField form field convert whitespace-only values to the empty_value when strip is enabled.
* Fixed crash when using the name of a model’s autogenerated primary key (id) in an Index’s fields.
* Fixed a regression in Django 1.9 where a custom view error handler such as handler404 that accesses csrf_token could cause CSRF verification failures on other pages

Revision 1.90: download - view: text, markup, annotated - select for diffs
Wed Sep 6 15:19:17 2017 UTC (7 years, 2 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2017Q3-base, pkgsrc-2017Q3
Diff to: previous 1.89: preferred, colored
Changes since revision 1.89: +2 -2 lines
Django 1.11.5:

CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page¶

In older versions, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn’t affect most production sites since you shouldn’t run with DEBUG = True (which makes this page accessible) in your production settings.

Bugfixes:

Fixed GEOS version parsing if the version has a commit hash at the end (new in GEOS 3.6.2).
Added compatibility for cx_Oracle 6.
Fixed select widget rendering when option values are tuples.
Django 1.11 inadvertently changed the sequence and trigger naming scheme on Oracle. This causes errors on INSERTs for some tables if 'use_returning_into': False is in the OPTIONS part of DATABASES. The pre-1.11 naming scheme is now restored. Unfortunately, it necessarily requires an update to Oracle tables created with Django 1.11.[1-4]. Use the upgrade script in 28451 comment 8 to update sequence and trigger names to use the pre-1.11 naming scheme.
Added POST request support to LogoutView, for equivalence with the function-based logout() view.
Omitted pages_per_range from BrinIndex.deconstruct() if it’s None.
Fixed a regression where SelectDateWidget localized the years in the select box.
Fixed a regression in 1.11.4 where runserver crashed with non-Unicode system encodings on Python 2 + Windows.
Fixed a regression in Django 1.10 where changes to a ManyToManyField weren’t logged in the admin change history and prevented ManyToManyField initial data in model forms from being affected by subsequent model changes.
Fixed non-deterministic results or an AssertionError crash in some queries with multiple joins.
Fixed a regression in contrib.auth’s login() and logout() views where they ignored positional arguments

Revision 1.89: download - view: text, markup, annotated - select for diffs
Mon Sep 4 18:08:30 2017 UTC (7 years, 2 months ago) by wiz
Branches: MAIN
Diff to: previous 1.88: preferred, colored
Changes since revision 1.88: +3 -3 lines
Follow some redirects.

Revision 1.88: download - view: text, markup, annotated - select for diffs
Wed Aug 2 10:45:09 2017 UTC (7 years, 3 months ago) by adam
Branches: MAIN
Diff to: previous 1.87: preferred, colored
Changes since revision 1.87: +5 -6 lines
Django 1.11.4:

Bugfixes:

Fixed a regression in 1.11.3 on Python 2 where non-ASCII format values for date/time widgets results in an empty value in the widget’s HTML.
Fixed QuerySet.union() and difference() when combining with a queryset raising EmptyResultSet.
Fixed a regression in pickling of LazyObject on Python 2 when the wrapped object doesn’t have __reduce__().
Fixed crash in runserver’s autoreload with Python 2 on Windows with non-str environment variables.
Corrected Field.has_changed() to return False for disabled form fields: BooleanField, MultipleChoiceField, MultiValueField, FileField, ModelChoiceField, and ModelMultipleChoiceField.
Fixed QuerySet.count() for union(), difference(), and intersection() queries..
Fixed ClearableFileInput rendering as a subwidget of MultiWidget. Custom clearable_file_input.html widget templates will need to adapt for the fact that context values checkbox_name, checkbox_id, is_initial, input_text, initial_text, and clear_checkbox_label are now attributes of widget rather than appearing in the top-level context.
Fixed queryset crash when using a GenericRelation to a proxy model

Revision 1.87: download - view: text, markup, annotated - select for diffs
Mon Jul 3 11:10:41 2017 UTC (7 years, 4 months ago) by adam
Branches: MAIN
Diff to: previous 1.86: preferred, colored
Changes since revision 1.86: +2 -2 lines
Changes 1.11.3:

Bugfixes

Removed an incorrect deprecation warning about a missing renderer argument if a Widget.render() method accepts **kwargs.
Fixed a regression causing Model.__init__() to crash if a field has an instance only descriptor.
Fixed an incorrect DisallowedModelAdminLookup exception when using a nested reverse relation in list_filter.
Fixed admin’s FieldListFilter.get_queryset() crash on invalid input.
Fixed invalid HTML for a required AdminFileWidget.
Fixed model initialization to set the name of class-based model indexes for models that only inherit models.Model.
Fixed crash in admin’s inlines when a model has an inherited non-editable primary key.
Fixed QuerySet.union(), intersection(), and difference() when combining with an EmptyQuerySet.
Prevented Paginator’s unordered object list warning from evaluating a QuerySet.
Fixed the value of redirect_field_name in LoginView’s template context. It’s now an empty string (as it is for the original function-based login() view) if the corresponding parameter isn’t sent in a request (in particular, when the login page is accessed directly).
Prevented attribute values in the django/forms/widgets/attrs.html template from being localized so that numeric attributes (e.g. max and min) of NumberInput work correctly.
Removed casting of the option value to a string in the template context of the CheckboxSelectMultiple, NullBooleanSelect, RadioSelect, SelectMultiple, and Select widgets. In Django 1.11.1, casting was added in Python to avoid localization of numeric values in Django templates, but this made some use cases more difficult. Casting is now done in the template using the |stringformat:'s' filter.
Prevented a primary key alteration from adding a foreign key constraint if db_constraint=False.
Fixed UnboundLocalError crash in RenameField with nonexistent field.
Fixed a regression preventing a model field’s limit_choices_to from being evaluated when a ModelForm is instantiated.

Revision 1.86: download - view: text, markup, annotated - select for diffs
Fri Jun 2 07:19:55 2017 UTC (7 years, 5 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2017Q2-base, pkgsrc-2017Q2
Diff to: previous 1.85: preferred, colored
Changes since revision 1.85: +2 -2 lines
Django 1.11.2 release notes

Django 1.11.2 adds a minor feature and fixes several bugs in 1.11.1. Also, the latest string translations from Transifex are incorporated.

Minor feature:
* The new LiveServerTestCase.port attribute reallows the use case of binding to a specific port following the bind to port zero change in Django 1.11.

Bugfixes:
* Added detection for GDAL 2.1 and 2.0, and removed detection for unsupported versions 1.7 and 1.8.
* Changed contrib.gis to raise ImproperlyConfigured rather than GDALException if gdal isn’t installed, to allow third-party apps to catch that exception.
* Fixed django.utils.http.is_safe_url() crash on invalid IPv6 URLs.
* Fixed regression causing pickling of model fields to crash.
* Fixed django.contrib.auth.authenticate() when multiple authentication backends don’t accept a positional request argument.
* Fixed introspection of index field ordering on PostgreSQL.
* Fixed a regression where Model._state.adding wasn’t set correctly on multi-table inheritance parent models after saving a child model.
* Allowed DjangoJSONEncoder to serialize django.utils.deprecation.CallableBool.
* Relaxed the validation added in Django 1.11 of the fields in the defaults argument of QuerySet.get_or_create() and update_or_create() to reallow settable model properties.
* Fixed MultipleObjectMixin.paginate_queryset() crash on Python 2 if the InvalidPage message contains non-ASCII.
* Prevented Subquery from adding an unnecessary CAST which resulted in invalid SQL.
* Corrected detection of GDAL 2.1 on Windows.
* Made date-based generic views return a 404 rather than crash when given an out of range date.
* Fixed a regression where file_move_safe() crashed when moving files to a CIFS mount.
* Moved the ImageField file extension validation added in Django 1.11 from the model field to the form field to reallow the use case of storing images without an extension

Revision 1.85: download - view: text, markup, annotated - select for diffs
Mon May 8 04:58:58 2017 UTC (7 years, 6 months ago) by adam
Branches: MAIN
Diff to: previous 1.84: preferred, colored
Changes since revision 1.84: +3 -3 lines
Changes 1.11.1:

Allowed disabling server-side cursors on PostgreSQL

Bugfixes:
Made migrations respect Index’s name argument. If you created a named index with Django 1.11, makemigrations will create a migration to recreate the index with the correct name.
Fixed a crash when using a __icontains lookup on a ArrayField.
Fixed a crash when using a two-tuple in EmailMessage’s attachments argument.
Fixed QuerySet.filter() crash when it references the name of a OneToOneField primary key.
Fixed empty POST data table appearing instead of “No POST data” in HTML debug page.
Restored BoundFields without any choices evaluating to True.
Prevented SessionBase.cycle_key() from losing session data if _session_cache isn’t populated.
Fixed layout of ReadOnlyPasswordHashWidget (used in the admin’s user change page).
Allowed prefetch calls on managers with custom ModelIterable subclasses.
Fixed change password link in the contrib.auth admin for el, es_MX, and pt translations.
Restored the output of the class attribute in the <ul> of widgets that use the multiple_input.html template. This fixes ModelAdmin.radio_fields with admin.HORIZONTAL.
Fixed crash in BaseGeometryWidget.subwidgets().
Fixed exception reraising in ORM query execution when cursor.execute() fails and the subsequent cursor.close() also fails.
Fixed a regression where CheckboxSelectMultiple, NullBooleanSelect, RadioSelect, SelectMultiple, and Select localized option values.
Corrected the stack level of unordered queryset pagination warnings.
Fixed a regression causing incorrect queries for __in subquery lookups when models use ForeignKey.to_field.
Fixed crash when overriding the template of django.views.static.directory_index().
Fixed a regression in formset min_num validation with unchanged forms that have initial data.
Prepared for cx_Oracle 6.0 support.
Updated the contrib.postgres SplitArrayWidget to use template-based widget rendering.
Fixed crash in BaseGeometryWidget.get_context() when overriding existing attrs.
Prevented AddIndex and RemoveIndex from mutating model state.
Prevented migrations from dropping database indexes from Meta.indexes when changing Field.db_index to False.
Fixed a regression in choice ordering in form fields with grouped and non-grouped options.
Fixed crash in BaseInlineFormSet._construct_form() when using save_as_new.
Fixed a regression where Model._state.db wasn’t set correctly on multi-table inheritance parent models after saving a child model.
Corrected the return type of ArrayField(CITextField()) values retrieved from the database.
Fixed QuerySet.prefetch_related() crash when fetching relations in nested Prefetch objects.
Prevented hiding GDAL errors if it’s not installed when using contrib.gis. (It’s a required dependency as of Django 1.11.)
Fixed a regression causing __in lookups on a foreign key to fail when using the foreign key’s parent model as the lookup

Revision 1.83.2.1: download - view: text, markup, annotated - select for diffs
Sat Apr 8 19:25:56 2017 UTC (7 years, 7 months ago) by spz
Branches: pkgsrc-2017Q1
Diff to: previous 1.83: preferred, colored; next MAIN 1.84: preferred, colored
Changes since revision 1.83: +2 -2 lines
Pullup ticket #5252 - requested by joerg
www/py-django: security update

Revisions pulled up:
- www/py-django/Makefile                                      patch
- www/py-django/distinfo                                      patch

Revision 1.84: download - view: text, markup, annotated - select for diffs
Wed Apr 5 17:08:48 2017 UTC (7 years, 7 months ago) by adam
Branches: MAIN
Diff to: previous 1.83: preferred, colored
Changes since revision 1.83: +4 -4 lines
Changes 1.11:
As always, the release notes cover the medley of new features in detail, but a few highlights are:
* Class-based model indexes for creating database indexes.
* Template-based widget rendering to ease customizing form widgets.
* Subquery expressions to create explicit subqueries using the ORM.

Revision 1.83: download - view: text, markup, annotated - select for diffs
Sun Mar 12 18:45:33 2017 UTC (7 years, 8 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2017Q1-base
Branch point for: pkgsrc-2017Q1
Diff to: previous 1.82: preferred, colored
Changes since revision 1.82: +2 -2 lines
Changes 1.10.6:

Bugfixes:
* Fixed ClearableFileInput’s “Clear” checkbox on model form fields where the model field has a default.
* Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing rather than generating a bad request response.
* Fixed a crash on Oracle and PostgreSQL when subtracting DurationField or IntegerField from DateField.
* Fixed query expression date subtraction accuracy on PostgreSQL for differences larger than a month.
* Fixed a GDALException raised by GDALClose on GDAL ≥ 2.0.

Revision 1.82: download - view: text, markup, annotated - select for diffs
Sat Jan 7 19:05:46 2017 UTC (7 years, 10 months ago) by adam
Branches: MAIN
Diff to: previous 1.81: preferred, colored
Changes since revision 1.81: +2 -2 lines
Changes 1.10.5:
Bugfixes
* Fixed a crash in the debug view if request.user can’t be retrieved, such as if the database is unavailable.
* Fixed occasional missing plural forms in JavaScriptCatalog.
* Fixed a regression in the timesince and timeuntil filters that caused incorrect results for dates in a leap year.
* Fixed a regression where collectstatic overwrote newer files in remote storages.

Revision 1.81: download - view: text, markup, annotated - select for diffs
Tue Jan 3 13:23:04 2017 UTC (7 years, 10 months ago) by jperkin
Branches: MAIN
Diff to: previous 1.80: preferred, colored
Changes since revision 1.80: +3 -3 lines
Use "${MV} || ${TRUE}" and "${RM} -f" consistently in post-install targets.

Revision 1.80: download - view: text, markup, annotated - select for diffs
Fri Dec 2 12:21:17 2016 UTC (7 years, 11 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2016Q4-base, pkgsrc-2016Q4
Diff to: previous 1.79: preferred, colored
Changes since revision 1.79: +2 -2 lines
Changes 1.10.4:
Bugfixes
* Quoted the Oracle test user’s password in queries to fix the “ORA-00922: missing or invalid option” error when the password starts with a number or special character.
* Fixed incorrect app_label / model_name arguments for allow_migrate() in makemigrations migration consistency checks.
* Made Model.delete(keep_parents=True) preserve parent reverse relationships in multi-table inheritance.
* Fixed a QuerySet.update() crash on SQLite when updating a DateTimeField with an F() expression and a timedelta.
* Prevented LocaleMiddleware from redirecting on URLs that should return 404 when using prefix_default_language=False.
* Prevented an unnecessary index from being created on an InnoDB ForeignKey when the field was added after the model was created.

Revision 1.79: download - view: text, markup, annotated - select for diffs
Sun Nov 6 09:08:52 2016 UTC (8 years ago) by wen
Branches: MAIN
Diff to: previous 1.78: preferred, colored
Changes since revision 1.78: +2 -2 lines
Update to 1.10.3
Approved by:	joerg@(maintainer)

Upstream changelog is too long, please visit:
https://github.com/django/django/tree/master/docs/releases

Revision 1.76.2.1: download - view: text, markup, annotated - select for diffs
Sat Nov 5 10:24:39 2016 UTC (8 years ago) by bsiegert
Branches: pkgsrc-2016Q3
Diff to: previous 1.76: preferred, colored; next MAIN 1.77: preferred, colored
Changes since revision 1.76: +2 -2 lines
Pullup ticket #5153 - requested by wen
www/py-django: security fix

Revisions pulled up:
- www/py-django/Makefile                                        1.78
- www/py-django/distinfo                                        1.60

---
   Module Name:    pkgsrc
   Committed By:   wen
   Date:           Wed Nov  2 14:30:49 UTC 2016

   Modified Files:
           pkgsrc/www/py-django: Makefile distinfo

   Log Message:
   Update to 1.9.11(security update)

   Upstream changes:
   Django 1.9.11 release notes

   November 1, 2016
   Django 1.9.11 fixes two security issues in 1.9.10.
           User with hardcoded password created when running tests on Oracle
           DNS rebinding vulnerability when DEBUG=True

Revision 1.78: download - view: text, markup, annotated - select for diffs
Wed Nov 2 14:30:49 2016 UTC (8 years ago) by wen
Branches: MAIN
Diff to: previous 1.77: preferred, colored
Changes since revision 1.77: +2 -2 lines
Update to 1.9.11(security update)

Upstream changes:
Django 1.9.11 release notes

November 1, 2016
Django 1.9.11 fixes two security issues in 1.9.10.
        User with hardcoded password created when running tests on Oracle
        DNS rebinding vulnerability when DEBUG=True

Revision 1.77: download - view: text, markup, annotated - select for diffs
Fri Oct 21 02:19:46 2016 UTC (8 years ago) by wen
Branches: MAIN
Diff to: previous 1.76: preferred, colored
Changes since revision 1.76: +2 -2 lines
Update to 1.9.10(security update)

Upstream changes:
Django 1.9.10 release notes

September 26, 2016

Django 1.9.10 fixes a security issue in 1.9.9.
CSRF protection bypass on a site with Google Analytics

An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.

The parser for request.COOKIES is simplified to better match the behavior of browsers and to mitigate this attack. request.COOKIES may now contain cookies that are invalid according to RFC 6265 but are possible to set via document.cookie.

Revision 1.76: download - view: text, markup, annotated - select for diffs
Sun Aug 28 15:48:36 2016 UTC (8 years, 2 months ago) by wiz
Branches: MAIN
CVS tags: pkgsrc-2016Q3-base
Branch point for: pkgsrc-2016Q3
Diff to: previous 1.75: preferred, colored
Changes since revision 1.75: +1 -3 lines
Remove unnecessary PLIST_SUBST and FILES_SUBST that are now provided
by the infrastructure.

Mark a couple more packages as not ready for python-3.x.

Revision 1.75: download - view: text, markup, annotated - select for diffs
Thu Aug 4 08:23:11 2016 UTC (8 years, 3 months ago) by adam
Branches: MAIN
Diff to: previous 1.74: preferred, colored
Changes since revision 1.74: +2 -2 lines
Changes 1.9.9:
Bugfixes:
* Fixed invalid HTML in template postmortem on the debug page
* Fixed some GIS database function crashes on MySQL 5.7

Revision 1.74: download - view: text, markup, annotated - select for diffs
Tue Jul 19 07:32:42 2016 UTC (8 years, 3 months ago) by adam
Branches: MAIN
Diff to: previous 1.73: preferred, colored
Changes since revision 1.73: +2 -2 lines
Django 1.9.8 fixes a security issue and several bugs in 1.9.7.

Unsafe usage of JavaScript’s Element.innerHTML could result in XSS in the admin’s add/change related popup. Element.textContent is now used to prevent execution of the data.

The debug view also used innerHTML. Although a security issue wasn’t identified there, out of an abundance of caution it’s also updated to use textContent.


Bugfixes:

* Fixed missing varchar/text_pattern_ops index on CharField and TextField respectively when using AddField on PostgreSQL.
* Fixed makemessages crash on Python 2 with non-ASCII file names.

Revision 1.73: download - view: text, markup, annotated - select for diffs
Mon Jun 6 09:34:59 2016 UTC (8 years, 5 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2016Q2-base, pkgsrc-2016Q2
Diff to: previous 1.72: preferred, colored
Changes since revision 1.72: +2 -2 lines
Changes 1.9.7:
Bugfixes:
* Removed the need for the request context processor on the admin login page to fix a regression in 1.9.
* Fixed translation of password validators’ help_text in forms.
* Fixed a regression causing the cached template loader to crash when using lazy template names.
* Fixed on_commit callbacks execution order when callbacks make transactions.
* Fixed HStoreField to raise a ValidationError instead of crashing on non-dictionary JSON input.
* Fixed dbshell crash on PostgreSQL with an empty database name.
* Fixed a regression in queries on a OneToOneField that has to_field and primary_key=True.

Revision 1.72: download - view: text, markup, annotated - select for diffs
Sat May 7 07:51:52 2016 UTC (8 years, 6 months ago) by adam
Branches: MAIN
Diff to: previous 1.71: preferred, colored
Changes since revision 1.71: +2 -2 lines
Changes 1.9.6:
Bugfixes:
---------
Added support for relative path redirects to the test client and to SimpleTestCase.assertRedirects() because Django 1.9 no longer converts redirects to absolute URIs.
Fixed TimeField microseconds round-tripping on MySQL and SQLite.
Prevented makemigrations from generating infinite migrations for a model field that references a functools.partial.
Fixed a regression where SessionBase.pop() returned None rather than raising a KeyError for nonexistent values.
Fixed a regression causing the cached template loader to crash when using template names starting with a dash.
Restored conversion of an empty string to null when saving values of GenericIPAddressField on SQLite and MySQL.
Fixed a makemessages regression where temporary .py extensions were leaked in source file paths

Revision 1.71: download - view: text, markup, annotated - select for diffs
Fri Apr 8 16:20:18 2016 UTC (8 years, 7 months ago) by adam
Branches: MAIN
Diff to: previous 1.70: preferred, colored
Changes since revision 1.70: +2 -4 lines
Changes 1.9.5:
Made MultiPartParser ignore filenames that normalize to an empty string to fix crash in MemoryFileUploadHandler on specially crafted user input.
Fixed a race condition in BaseCache.get_or_set(). It now returns the default value instead of False if there’s an error when trying to add the value to the cache.
Fixed data loss on SQLite where DurationField values with fractional seconds could be saved as None.
The forms in contrib.auth no longer strip trailing and leading whitespace from the password fields. The change requires users who set their password to something with such whitespace after a site updated to Django 1.9 to reset their password. It provides backwards-compatibility for earlier versions of Django.
Fixed a memory leak in the cached template loader.
Fixed a regression that caused collectstatic --clear to fail if the storage doesn’t implement path().
Fixed a crash when using a reverse lookup with a subquery when a ForeignKey has a to_field set to something other than the primary key.
Fixed a regression in CommonMiddleware that caused spurious warnings in logs on requests missing a trailing slash.
Restored the functionality of the admin’s raw_id_fields in list_editable.
Fixed a regression with abstract model inheritance and explicit parent links.
Fixed a migrations crash on SQLite when renaming the primary key of a model containing a ForeignKey to 'self'.
Fixed JSONField inadvertently escaping its contents when displaying values after failed form validation.

Revision 1.70: download - view: text, markup, annotated - select for diffs
Sun Mar 6 14:17:06 2016 UTC (8 years, 8 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2016Q1-base, pkgsrc-2016Q1
Diff to: previous 1.69: preferred, colored
Changes since revision 1.69: +3 -3 lines
Django 1.9.4 fixes a regression on Python 2 in the 1.9.3 security release where utils.http.is_safe_url() crashes on bytestring URLs.

Revision 1.69: download - view: text, markup, annotated - select for diffs
Fri Feb 5 17:39:40 2016 UTC (8 years, 9 months ago) by adam
Branches: MAIN
Diff to: previous 1.68: preferred, colored
Changes since revision 1.68: +2 -2 lines
Changes 1.8.9:
Fixed a regression that caused the “user-tools” items to display on the admin’s logout page.
Fixed a crash in the translations system when the current language has no translations.
Fixed a regression that caused the incorrect day to be selected when opening the admin calendar widget for timezones from GMT+0100 to GMT+1200.
Fixed a regression in 1.8.8 causing incorrect index handling in migrations on PostgreSQL when adding db_index=True or unique=True to a CharField or TextField that already had the other specified, or when removing one of them from a field that had both, or when adding unique=True to a field already listed in unique_together.
Fixed a crash when using an __in lookup inside a Case expression.
Fixed a crash when using a reverse OneToOneField in ModelAdmin.readonly_fields.
Fixed a regression in Django 1.8.5 that broke copying a SimpleLazyObject with copy.copy().
Fixed the contrib.gis map widgets when using USE_THOUSAND_SEPARATOR=True.

Revision 1.68: download - view: text, markup, annotated - select for diffs
Sun Jan 3 10:56:29 2016 UTC (8 years, 10 months ago) by adam
Branches: MAIN
Diff to: previous 1.67: preferred, colored
Changes since revision 1.67: +2 -2 lines
Changes 1.8.8:
Fixed incorrect unique_together field name generation by inspectdb.
Corrected __len query lookup on ArrayField for empty arrays.
Restored the ability to use custom formats from formats.py with django.utils.formats.get_format() and the date template filter.
Fixed a state bug when migrating a SeparateDatabaseAndState operation backwards.
Fixed missing varchar/text_pattern_ops index on CharField and TextField respectively when using AlterField on PostgreSQL.
Fixed a state bug when using an AlterModelManagers operation.
Fixed a regression which prevented using a language not in Django’s default language list (LANGUAGES).
django.views.decorators.cache.never_cache() now sends more persuasive headers (added no-cache, no-store, must-revalidate to Cache-Control) to better prevent caching. This fixes a problem where a page refresh in Firefox cleared the selected entries in the admin’s filter_horizontal and filter_vertical widgets, which could result in inadvertent data loss if a user didn’t notice that and then submitted the form.
Fixed a regression in the admin which ignored line breaks in read-only fields instead of converting them to <br>.
Made loaddata skip disabling and enabling database constraints when it doesn’t load any fixtures.
Fixed a crash in QuerySet.values()/values_list() after an annotate() and order_by() when values()/values_list() includes a field not in the order_by()

Revision 1.67: download - view: text, markup, annotated - select for diffs
Thu Nov 26 06:38:59 2015 UTC (8 years, 11 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2015Q4-base, pkgsrc-2015Q4
Diff to: previous 1.66: preferred, colored
Changes since revision 1.66: +2 -2 lines
Changes 1.8.7:
* Fixed settings leak possibility in date template filter
* Bug fixes

Revision 1.66: download - view: text, markup, annotated - select for diffs
Fri Nov 6 08:38:29 2015 UTC (9 years ago) by adam
Branches: MAIN
Diff to: previous 1.65: preferred, colored
Changes since revision 1.65: +2 -2 lines
Django 1.8.6 adds official support for Python 3.5 and fixes several bugs in 1.8.5:
Fixed a regression causing ModelChoiceField to ignore prefetch_related() on its queryset.
Allowed “mode=memory” in SQLite test database name if supported.
Fixed system check crash on ForeignKey to abstract model.
Fixed incorrect queries when you have multiple ManyToManyFields on different models that have the same field name, point to the same model, and have their reverse relations disabled.
Allowed filtering over a RawSQL annotation.
Made the Concat database function idempotent on SQLite.
Avoided a confusing stack trace when starting runserver with an invalid INSTALLED_APPS setting.
Made deferred models use their proxied model’s _meta.apps for caching and retrieval. This prevents any models generated in data migrations using QuerySet.defer() from leaking to test and application code.
Fixed a typo in the name of the strictly_above PostGIS lookup.
Fixed crash with contrib.postgres.forms.SplitArrayField and IntegerField on invalid value.
Added a helpful error message when Django and South migrations exist in the same directory.
Fixed a regression in URLValidator that allowed URLs with consecutive dots in the domain section (like http://example..com/) to pass.
Fixed a crash with GenericRelation and BaseModelAdmin.to_field_allowed.

Revision 1.65: download - view: text, markup, annotated - select for diffs
Thu Oct 8 07:58:17 2015 UTC (9 years, 1 month ago) by adam
Branches: MAIN
Diff to: previous 1.64: preferred, colored
Changes since revision 1.64: +2 -2 lines
Changes 1.8.5:
Made the development server’s autoreload more robust.
Fixed AssertionError in some delete queries with a model containing a field that is both a foreign and primary key.
Fixed AssertionError in some complex queries.
Fixed a migrations crash with GenericForeignKey.
Made translation.override() clear the overridden language when a translation isn’t initially active.
Fixed crash when using a value in ModelAdmin.list_display that clashed with a reverse field on the model.
Fixed autocompletion for options of non-argparse management commands.
Alphabetized ordering of imports in from django.db import migrations, models statement in newly created migrations.
Fixed migrations crash on MySQL when adding a text or a blob field with an unhashable default.
Changed Count queries to execute COUNT(*) instead of COUNT('*') as versions of Django before 1.8 did. This may fix a performance regression on some databases.
Fixed custom queryset chaining with values() and values_list().
Moved the unsaved model instance assignment data loss check on reverse relations to Model.save().
Readded inline foreign keys to form instances when validating model formsets.
Allowed using ORM write methods after disabling autocommit with set_autocommit(False).
Fixed the manage.py test --keepdb option on Oracle.
Fixed incorrect queries with multiple many-to-many fields on a model with the same ‘to’ model and with related_name set to ‘+’.
Fixed pickling a SimpleLazyObject wrapping a mode

Revision 1.64: download - view: text, markup, annotated - select for diffs
Mon Aug 24 10:45:22 2015 UTC (9 years, 2 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2015Q3-base, pkgsrc-2015Q3
Diff to: previous 1.63: preferred, colored
Changes since revision 1.63: +2 -2 lines
Changes 1.8.4:
* Denial-of-service possibility in logout() view by filling session store.
* Bugfixes:
- Added the ability to serialize values from the newly added UUIDField.
- Added a system check warning if the old TEMPLATE_* settings are defined in addition to the new TEMPLATES setting.
- Fixed QuerySet.raw() so InvalidQuery is not raised when using the db_column name of a ForeignKey field with primary_key=True.
- Prevented an exception in TestCase.setUpTestData() from leaking the transaction.
- Fixed has_changed() method in contrib.postgres.forms.HStoreField.
- Fixed the recording of squashed migrations when running the migrate command.
- Moved the unsaved model instance assignment data loss check to Model.save() to allow easier usage of in-memory models.
- Prevented varchar_patterns_ops and text_patterns_ops indexes for ArrayField.

Revision 1.63: download - view: text, markup, annotated - select for diffs
Fri Jul 17 15:50:53 2015 UTC (9 years, 3 months ago) by adam
Branches: MAIN
Diff to: previous 1.62: preferred, colored
Changes since revision 1.62: +2 -2 lines
Changes 1.8.3:
* Denial-of-service possibility by filling session store
* Header injection possibility since validators accept newlines in input
* Denial-of-service possibility in URL validation
* Bugfixes

Revision 1.62: download - view: text, markup, annotated - select for diffs
Mon Apr 13 23:12:43 2015 UTC (9 years, 7 months ago) by rodent
Branches: MAIN
CVS tags: pkgsrc-2015Q2-base, pkgsrc-2015Q2
Diff to: previous 1.61: preferred, colored
Changes since revision 1.61: +1 -2 lines
Removing python26. EOL'd quite some ago and discussed a couple times on
tech-pkg@ and pkgsrc-users@.

Revision 1.61: download - view: text, markup, annotated - select for diffs
Thu Mar 19 09:53:45 2015 UTC (9 years, 7 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2015Q1-base, pkgsrc-2015Q1
Diff to: previous 1.60: preferred, colored
Changes since revision 1.60: +2 -2 lines
Changes 1.7.7:
* Fix for Denial-of-service possibility with strip_tags()
* Mitigated possible XSS attack via user-supplied redirect URLs

Revision 1.60: download - view: text, markup, annotated - select for diffs
Mon Mar 9 19:01:39 2015 UTC (9 years, 8 months ago) by adam
Branches: MAIN
Diff to: previous 1.59: preferred, colored
Changes since revision 1.59: +2 -2 lines
Changes 1.7.6:
These releases address a security issue in the Django admin.
* Issue: XSS attack via properties in ModelAdmin.readonly_fields
* Advisory: HTML escaping when calling template filters from Python code

Revision 1.59: download - view: text, markup, annotated - select for diffs
Thu Feb 26 06:27:06 2015 UTC (9 years, 8 months ago) by adam
Branches: MAIN
Diff to: previous 1.58: preferred, colored
Changes since revision 1.58: +2 -2 lines
Changes 1.7.5:
Bugfixes:
* Reverted a fix that prevented a migration crash when unapplying contrib.contenttypes’s or contrib.auth’s first migration (24075) due to severe impact on the test performance (24251) and problems in multi-database setups (24298).
* Fixed a regression that prevented custom fields inheriting from ManyToManyField from being recognized in migrations (24236).
* Fixed crash in contrib.sites migrations when a default database isn’t used (24332).
* Added the ability to set the isolation level on PostgreSQL with psycopg2 ≥ 2.4.2 (24318). It was advertised as a new feature in Django 1.6 but it didn’t work in practice.
* Formats for the Azerbaijani locale (az) have been added.

Revision 1.58: download - view: text, markup, annotated - select for diffs
Wed Jan 28 06:41:30 2015 UTC (9 years, 9 months ago) by adam
Branches: MAIN
Diff to: previous 1.57: preferred, colored
Changes since revision 1.57: +2 -2 lines
Changes 1.7.4:
* Fixed a migration crash when unapplying contrib.contenttypes’s or contrib.auth’s first migration.
* Made the migration’s RenameModel operation rename ManyToManyField tables.
* Fixed a migration crash on MySQL when migrating from a OneToOneField to a ForeignKey.
* Prevented the static.serve view from producing ResourceWarnings in certain circumstances.
* Fixed schema check for ManyToManyField to look for internal type instead of checking class instance, so you can write custom m2m-like fields with the same behaviour.

Revision 1.57: download - view: text, markup, annotated - select for diffs
Wed Jan 14 17:07:12 2015 UTC (9 years, 10 months ago) by adam
Branches: MAIN
Diff to: previous 1.56: preferred, colored
Changes since revision 1.56: +2 -2 lines
Fixed securify issues:
* WSGI header spoofing via underscore/dash conflation
* Mitigated possible XSS attack via user-supplied redirect URLs
* Denial-of-service attack against django.views.static.serve
* Database denial-of-service with ModelMultipleChoiceField

Revision 1.56: download - view: text, markup, annotated - select for diffs
Tue Jan 6 23:07:32 2015 UTC (9 years, 10 months ago) by joerg
Branches: MAIN
Diff to: previous 1.55: preferred, colored
Changes since revision 1.55: +2 -1 lines
Python 2.6 is no longer supported.

Revision 1.55: download - view: text, markup, annotated - select for diffs
Sat Jan 3 15:47:21 2015 UTC (9 years, 10 months ago) by adam
Branches: MAIN
Diff to: previous 1.54: preferred, colored
Changes since revision 1.54: +10 -32 lines
Django 1.7.2 fixes several bugs in 1.7.1.
Additionally, Django’s vendored version of six, django.utils.six, has been upgraded to the latest release (1.9.0).

Revision 1.54: download - view: text, markup, annotated - select for diffs
Sun Nov 23 14:05:13 2014 UTC (9 years, 11 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2014Q4-base, pkgsrc-2014Q4
Diff to: previous 1.53: preferred, colored
Changes since revision 1.53: +2 -2 lines
Changes 1.6.8:
This release fixes a couple regressions in the 1.6.6 security release.
Bugfixes
Allowed related many-to-many fields to be referenced in the admin
Allowed inline and hidden references to admin fields

Revision 1.53: download - view: text, markup, annotated - select for diffs
Sat Aug 23 11:13:01 2014 UTC (10 years, 2 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2014Q3-base, pkgsrc-2014Q3
Diff to: previous 1.52: preferred, colored
Changes since revision 1.52: +2 -2 lines
Changes 1.6.6:
Security fixes:
* Issue: reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
* Issue: file upload denial of service (CVE-2014-0481)
* Issue: RemoteUserMiddleware session hijacking (CVE-2014-0482)
* Issue: data leakage via querystring manipulation in admin (CVE-2014-0483)

Revision 1.52: download - view: text, markup, annotated - select for diffs
Tue May 20 11:06:26 2014 UTC (10 years, 5 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2014Q2-base, pkgsrc-2014Q2
Diff to: previous 1.51: preferred, colored
Changes since revision 1.51: +2 -2 lines
Changes 1.6.5:
These releases address a caching issue which might lead to cache poisoning and an incorrect validation of safe redirect targets. Since these issues will affect the majority of users we strongly encourage everyone to upgrade.

Revision 1.51: download - view: text, markup, annotated - select for diffs
Sat May 3 18:19:30 2014 UTC (10 years, 6 months ago) by adam
Branches: MAIN
Diff to: previous 1.50: preferred, colored
Changes since revision 1.50: +2 -2 lines
Changes 1.6.4:
Shortly after last week's security releases were issued, we received reports of a potential regression in using reverse() with views created by functools.partial. We were able to confirm the bug, and test and commit a fix for it.

Revision 1.50: download - view: text, markup, annotated - select for diffs
Tue Apr 22 18:05:22 2014 UTC (10 years, 6 months ago) by adam
Branches: MAIN
Diff to: previous 1.49: preferred, colored
Changes since revision 1.49: +2 -2 lines
Changes 1.6.3:
These releases address an unexpected code-execution issue, a caching issue which can expose CSRF tokens and a MySQL typecasting issue. While these issues present limited risk and may not affect all Django users, we encourage all users to evaluate their own risk and upgrade as soon as possible.

Revision 1.49: download - view: text, markup, annotated - select for diffs
Sun Feb 9 08:09:04 2014 UTC (10 years, 9 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2014Q1-base, pkgsrc-2014Q1
Diff to: previous 1.48: preferred, colored
Changes since revision 1.48: +2 -2 lines
Changes 1.6.2:
Prevented the base geometry object of a prepared geometry to be garbage collected, which could lead to crash Django.
Fixed a crash when executing the changepassword command when the user object representation contained non-ASCII characters.
The collectstatic command will raise an error rather than default to using the current working directory if STATIC_ROOT is not set. Combined with the --clear option, the previous behavior could wipe anything below the current working directory.
Fixed mail encoding on Python 3.3.3+.
Fixed an issue where when settings.DATABASES['default']['AUTOCOMMIT'] = False, the connection wasn’t in autocommit mode but Django pretended it was.
Fixed a regression in multiple-table inheritance exclude() queries.
Added missing items to django.utils.timezone.__all__.
Fixed a field misalignment issue with select_related() and model inheritance.
Fixed join promotion for negated AND conditions.
Oracle database introspection now works with boolean and float fields.
Fixed an issue where lazy objects weren’t actually marked as safe when passed through mark_safe() and could end up being double-escaped

Revision 1.48: download - view: text, markup, annotated - select for diffs
Sat Jan 18 19:07:57 2014 UTC (10 years, 9 months ago) by wiz
Branches: MAIN
Diff to: previous 1.47: preferred, colored
Changes since revision 1.47: +3 -5 lines
Use versioned_dependencies.mk for flup.

Revision 1.47: download - view: text, markup, annotated - select for diffs
Tue Dec 31 12:02:53 2013 UTC (10 years, 10 months ago) by adam
Branches: MAIN
Diff to: previous 1.46: preferred, colored
Changes since revision 1.46: +3 -3 lines
Changes 1.6.1:
Bug fixes
Fixed BCryptSHA256PasswordHasher with py-bcrypt and Python 3.
Fixed a regression that prevented a ForeignKey with a hidden reverse manager (related_name ending with ‘+’) from being used as a lookup for prefetch_related.
Fixed Queryset.datetimes raising AttributeError in some situations.
Fixed ModelBackend raising UnboundLocalError if get_user_model() raised an error.
Fixed a regression that prevented editable GenericRelation subclasses from working in ModelForms.
Added missing to_python method for ModelMultipleChoiceField which is required in Django 1.6 to properly detect changes from initial values.
Fixed django.contrib.humanize translations where the unicode sequence for the non-breaking space was returned verbatim.
Fixed loaddata error when fixture file name contained any dots not related to file extensions or when fixture path was relative but located in a subdirectory.
Fixed display of inline instances in formsets when parent has 0 for primary key.
Fixed a regression where custom querysets for foreign keys were overwritten if ModelAdmin had ordering set.
Removed mention of a feature in the --locale/-l option of the makemessages and compilemessages commands that never worked as promised: Support of multiple locale names separated by commas. It’s still possible to specify multiple locales in one run by using the option multiple times.
Fixed a regression that unnecessarily triggered settings configuration when importing get_wsgi_application.
Fixed test client logout() method when using the cookie-based session backend.
Fixed a crash when a GeometryField uses a non-geometric widget.
Fixed password hash upgrade when changing the iteration count.
Fixed a bug in the debug view when the URLconf only contains one element.
Re-added missing search result count and reset link in changelist admin view.
The current language is no longer saved to the session by LocaleMiddleware on every response, but rather only after a logout.
Fixed a crash when executing runserver on non-English systems and when the formatted date in its output contained non-ASCII characters.
Fixed a crash in the debug view after an exception occurred on Python ≥ 3.3.
Fixed a crash in ImageField on some platforms (Homebrew and RHEL6 reported).
Fixed a regression when using generic relations in ModelAdmin.list_filter.

Revision 1.46: download - view: text, markup, annotated - select for diffs
Tue Nov 12 19:12:12 2013 UTC (11 years ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2013Q4-base, pkgsrc-2013Q4
Diff to: previous 1.45: preferred, colored
Changes since revision 1.45: +6 -3 lines
Changes 1.6:
Simplified default project and app templates
Improved transaction management
Persistent database connections
Discovery of tests in any test module
Time zone aware aggregation
Support for savepoints in SQLite
BinaryField model field
GeoDjango form widgets
check management command added for verifying compatibility
Model.save() algorithm changed
Minor features

Revision 1.45: download - view: text, markup, annotated - select for diffs
Mon Oct 28 20:12:40 2013 UTC (11 years ago) by adam
Branches: MAIN
Diff to: previous 1.44: preferred, colored
Changes since revision 1.44: +2 -2 lines
Changes 1.5.5:
Django 1.5.5 fixes a couple security-related bugs and several other bugs in the 1.5 series.

Readdressed denial-of-service via password hashers
Django 1.5.4 imposes a 4096-byte limit on passwords in order to mitigate a denial-of-service attack through submission of bogus but extremely large passwords. In Django 1.5.5, we’ve reverted this change and instead improved the speed of our PBKDF2 algorithm by not rehashing the key on every iteration.

Properly rotate CSRF token on login
This behaviour introduced as a security hardening measure in Django 1.5.2 did not work properly and is now fixed.

Bugfixes
Fixed a data corruption bug with datetime_safe.datetime.combine.
Fixed a Python 3 incompatability in django.utils.text.unescape_entities().
Fixed a couple data corruption issues with QuerySet edge cases under Oracle and MySQL.
Fixed crashes when using combinations of annotate(), select_related(), and only()

Revision 1.44: download - view: text, markup, annotated - select for diffs
Tue Sep 17 19:54:49 2013 UTC (11 years, 1 month ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2013Q3-base, pkgsrc-2013Q3
Diff to: previous 1.43: preferred, colored
Changes since revision 1.43: +2 -2 lines
Changes 1.5.4:
These releases address a denial-of-service attack against Django's authentication framework. All users of Django are encouraged to upgrade immediately.

Revision 1.43: download - view: text, markup, annotated - select for diffs
Wed Sep 11 16:50:38 2013 UTC (11 years, 2 months ago) by adam
Branches: MAIN
Diff to: previous 1.42: preferred, colored
Changes since revision 1.42: +4 -5 lines
Changes 1.5.3:
These releases address a directory-traversal vulnerability in one of Django's built-in template tags. While this issue requires some fairly specific factors to be exploitable, we encourage all users of Django to upgrade promptly.

Revision 1.42: download - view: text, markup, annotated - select for diffs
Tue Aug 13 17:48:24 2013 UTC (11 years, 3 months ago) by adam
Branches: MAIN
Diff to: previous 1.41: preferred, colored
Changes since revision 1.41: +2 -2 lines
Changes 1.5.2:
These releases address two cross-site scripting (XSS) vulnerabilities: one in a widget used by Django's admin interface, and one in a utility function used to validate redirects often used after login or logout.

While these issues are of limited impact and may not effect all Django users, we encourage all users to upgrade as soon as possible.

Revision 1.41: download - view: text, markup, annotated - select for diffs
Mon Apr 1 20:52:44 2013 UTC (11 years, 7 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2013Q2-base, pkgsrc-2013Q2
Diff to: previous 1.40: preferred, colored
Changes since revision 1.40: +2 -2 lines
Changes 1.5.1:
The biggest fix is for a memory leak introduced in Django 1.5. Under certain circumstances, repeated iteration over querysets could leak memory - sometimes quite a bit of it. If you'd like more information, the details are in our ticket tracker (and in a related issue in Python itself).

If you've noticed memory problems under Django 1.5, upgrading to 1.5.1 should fix those issues.

Django 1.5.1 also includes a couple smaller fixes:
* Module-level warnings emitted during tests are no longer silently hidden.
* Prevented filtering on password hashes in the user admin.

Revision 1.40: download - view: text, markup, annotated - select for diffs
Tue Mar 12 20:47:59 2013 UTC (11 years, 8 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2013Q1-base, pkgsrc-2013Q1
Diff to: previous 1.39: preferred, colored
Changes since revision 1.39: +4 -3 lines
Changes 1.5:
Django 1.5 introduces support for a configurable User model. The basic Django User model is still around, of course, but now there's first-class support for specifying your own model and having Django's auth system make use of it.

Django 1.5 is the first Django release with support for Python 3 (specifically, Python 3.2 and newer). Python 3 support is still considered experimental -- largely because it hasn't received as much real-world testing as we'd like -- but a Python 3 porting guide is available if you'd like to give it a try, and we will be considering Python 3 compatibility bugs to be blockers for future releases.

Of course, if you're still comfortable with Python 2, Django continues to offer support for that just as we always have -- though note that the minimum version for Django 1.5 is Python 2.6.5, and Python 2.7.3 or newer is strongly recommended.

Django's documentation has also gotten some pretty significant work; the main documentation page has had a bit of a facelift to make things easier to find, the existing tutorial got some refurbishing, and several new tutorials -- including some more advanced topics, like writing an app you can reuse in multiple projects -- have been added. And the documentation for class-based views has been significantly expanded, which should make this feature a lot easier to understand and take advantage of.

Revision 1.39: download - view: text, markup, annotated - select for diffs
Sat Feb 23 17:00:19 2013 UTC (11 years, 8 months ago) by adam
Branches: MAIN
Diff to: previous 1.38: preferred, colored
Changes since revision 1.38: +2 -2 lines
Changes 1.4.5:
Security-fix release. Here's a brief summary of each issue and its resolution:

Issue: Host header poisoning: an attacker could cause Django to generate and display URLs that link to arbitrary domains. This could be used as part of a phishing attack. These releases fix this problem by introducing a new setting, ALLOWED_HOSTS, which specifies a whitelist of domains your site is known to respond to.

Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to allow all hosts. This means that to actually fix the security vulnerability you should define this setting yourself immediately after upgrading.

Issue: Formset denial-of-service: an attacker can abuse Django's tracking of the number of forms in a formset to cause a denial-of-service attack. This has been fixed by adding a default maximum number of forms of 1,000. You can still manually specify a bigger max_num, if you wish, but 1,000 should be enough for anyone.

Issue: XML attacks: Django's serialization framework was vulnerable to attacks via XML entity expansion and external references; this is now fixed. However, if you're parsing arbitrary XML in other parts of your application, we recommend you look into the defusedxml Python packages which remedy this anywhere you parse XML, not just via Django's serialization framework.

Issue: Data leakage via admin history log: Django's admin interface could expose supposedly-hidden information via its history log. This has been fixed.

Revision 1.38: download - view: text, markup, annotated - select for diffs
Thu Dec 13 08:03:20 2012 UTC (11 years, 11 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2012Q4-base, pkgsrc-2012Q4
Diff to: previous 1.37: preferred, colored
Changes since revision 1.37: +2 -2 lines
Changes 1.4.3:
Security fixes:
* Host header poisoning
* Redirect poisoning

Revision 1.37: download - view: text, markup, annotated - select for diffs
Sun Oct 28 06:30:59 2012 UTC (12 years ago) by asau
Branches: MAIN
Diff to: previous 1.36: preferred, colored
Changes since revision 1.36: +1 -3 lines
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.

Revision 1.36: download - view: text, markup, annotated - select for diffs
Thu Oct 18 12:04:17 2012 UTC (12 years ago) by adam
Branches: MAIN
Diff to: previous 1.35: preferred, colored
Changes since revision 1.35: +2 -2 lines
Changes 1.4.2:
Fixed security issues:
* Host header poisoning
* Documentation of HttpOnly cookie option

Revision 1.35: download - view: text, markup, annotated - select for diffs
Mon Aug 6 15:33:07 2012 UTC (12 years, 3 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2012Q3-base, pkgsrc-2012Q3
Diff to: previous 1.34: preferred, colored
Changes since revision 1.34: +2 -2 lines
Changes 1.4.1:
* Bug fixes.

Revision 1.34: download - view: text, markup, annotated - select for diffs
Tue Apr 17 17:57:38 2012 UTC (12 years, 6 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2012Q2-base, pkgsrc-2012Q2
Diff to: previous 1.33: preferred, colored
Changes since revision 1.33: +12 -10 lines
Changes 1.4:
* Support for time zones
* Support for in-browser testing frameworks
* Updated default project layout and manage.py
* Custom project and app templates
* Improved WSGI support
* Improved password hashing
* HTML5 doctype
* List filters in admin interface
* Multiple sort in admin interface
* New ModelAdmin methods
More...

Revision 1.33: download - view: text, markup, annotated - select for diffs
Thu Jan 26 11:34:28 2012 UTC (12 years, 9 months ago) by obache
Branches: MAIN
CVS tags: pkgsrc-2012Q1-base, pkgsrc-2012Q1
Diff to: previous 1.32: preferred, colored
Changes since revision 1.32: +3 -3 lines
distutils pkg, register egg-info.

Bump PKGREVISION.

Revision 1.32: download - view: text, markup, annotated - select for diffs
Mon Sep 12 08:17:07 2011 UTC (13 years, 2 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2011Q4-base, pkgsrc-2011Q4, pkgsrc-2011Q3-base, pkgsrc-2011Q3
Diff to: previous 1.31: preferred, colored
Changes since revision 1.31: +2 -2 lines
Changes 1.3.1:
Fixed security issues:
* Session manipulation
* Denial of service attack via URLField
* URLField redirection
* Host header cache poisoning
* Advisory: Host header and CSRF
* Advisory: Cross-subdomain CSRF attacks
* Advisory: DEBUG pages and sensitive POST data

Revision 1.31: download - view: text, markup, annotated - select for diffs
Wed Mar 23 10:38:48 2011 UTC (13 years, 7 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2011Q2-base, pkgsrc-2011Q2, pkgsrc-2011Q1-base, pkgsrc-2011Q1
Diff to: previous 1.30: preferred, colored
Changes since revision 1.30: +3 -3 lines
Changes 1.3:
Django 1.3’s focus has mostly been on resolving smaller, long-standing feature
requests, but that hasn’t prevented a few fairly significant new features from
landing, including:
* A framework for writing class-based views.
* Built-in support for using Python’s logging facilities.
* Contrib support for easy handling of static files.
* Django’s testing framework now supports (and ships with a copy of) the
  unittest2 library.

Revision 1.30: download - view: text, markup, annotated - select for diffs
Thu Feb 10 10:03:59 2011 UTC (13 years, 9 months ago) by adam
Branches: MAIN
Diff to: previous 1.29: preferred, colored
Changes since revision 1.29: +7 -8 lines
Changes 1.2.5:
Fixed:
* Flaw in CSRF handling
* Potential XSS in file field rendering
* Directory-traversal vulnerability on Windows

Revision 1.29: download - view: text, markup, annotated - select for diffs
Tue Dec 28 19:13:06 2010 UTC (13 years, 10 months ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2010Q4-base, pkgsrc-2010Q4
Diff to: previous 1.28: preferred, colored
Changes since revision 1.28: +2 -2 lines
Revert backup junk.

Revision 1.28: download - view: text, markup, annotated - select for diffs
Tue Dec 28 13:54:52 2010 UTC (13 years, 10 months ago) by joerg
Branches: MAIN
Diff to: previous 1.27: preferred, colored
Changes since revision 1.27: +3 -3 lines
Update to Django 1.2.4:
- Fix a bug in the admin interface that could leak informations to
  users with staff privileges bypassing lookup arguments in the query
  string.
- Fix a bug for running the test suite in a multi-db setup
- Deprecated django.contrib.gis.tests.run_gis_tests()

Revision 1.27: download - view: text, markup, annotated - select for diffs
Mon Sep 13 16:51:05 2010 UTC (14 years, 2 months ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2010Q3-base, pkgsrc-2010Q3
Diff to: previous 1.26: preferred, colored
Changes since revision 1.26: +11 -2 lines
Update to django 1.2.3 to fix problems of the 1.2.2 security fix:
- Properly deal with non-ASCII responses in the CSRF code
- Restore compatibility with certain forms like the user-editing form in
  admin

Reduce maintainance overhead in pkgsrc by providing PLIST print magic.

Revision 1.26: download - view: text, markup, annotated - select for diffs
Thu Sep 9 13:34:04 2010 UTC (14 years, 2 months ago) by adam
Branches: MAIN
Diff to: previous 1.25: preferred, colored
Changes since revision 1.25: +2 -2 lines
Changes 1.2.2:
As of the 1.2 release, the core Django framework includes a system, enabled by
default, for detecting and preventing cross-site request forgery (CSRF) attacks
against Django-powered applications. Previous Django releases provided
a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random
token, inserted as a hidden field in outgoing forms. The same value is also
set in a cookie, and the cookie value and form value are compared on submission.

The provided template tag for inserting the CSRF token into forms --
{% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is.
Thus, an attacker who is able to tamper with the value of the CSRF cookie can
cause arbitrary content to be inserted, unescaped, into the outgoing HTML of
the form, enabling cross-site scripting (XSS) attacks.

This issue was first reported via a public ticket in Django's Trac instance;
while being triaged it was then independently reported, with broader
description, by Jeff Balogh of Mozilla.

Revision 1.25: download - view: text, markup, annotated - select for diffs
Wed Jun 16 19:08:37 2010 UTC (14 years, 5 months ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2010Q2-base, pkgsrc-2010Q2
Diff to: previous 1.24: preferred, colored
Changes since revision 1.24: +3 -4 lines
Django 1.2.1:
- Support multiple database in one Django instance
- Model validation inspired by the Form validation
- Vastly improved protection against Cross-Site Request Forgery
- New user "message" framework, incl. support for anonymous users
- Hooks for object-level permissions and permissions for anonymous users
- Customization of e-mail sending via the new e-mail backend
- Smarter if template tag

Revision 1.24: download - view: text, markup, annotated - select for diffs
Thu Feb 11 13:37:44 2010 UTC (14 years, 9 months ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2010Q1-base, pkgsrc-2010Q1
Diff to: previous 1.23: preferred, colored
Changes since revision 1.23: +3 -1 lines
Add an option for the oracle backend.

Revision 1.23: download - view: text, markup, annotated - select for diffs
Wed Feb 10 19:30:09 2010 UTC (14 years, 9 months ago) by joerg
Branches: MAIN
Diff to: previous 1.22: preferred, colored
Changes since revision 1.22: +2 -2 lines
Use pgsql as option name for consistency with other packages.

Revision 1.22: download - view: text, markup, annotated - select for diffs
Wed Feb 10 17:21:55 2010 UTC (14 years, 9 months ago) by joerg
Branches: MAIN
Diff to: previous 1.21: preferred, colored
Changes since revision 1.21: +3 -4 lines
Retire psycopg1 option and rename psycopg2 to postgresql, making it
the default. Bump revision.

Revision 1.21: download - view: text, markup, annotated - select for diffs
Mon Oct 19 11:31:05 2009 UTC (15 years ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2009Q4-base, pkgsrc-2009Q4
Diff to: previous 1.20: preferred, colored
Changes since revision 1.20: +4 -3 lines
Update to Django 1.1:
- Support for aggregates and query expression in the ORM
- Suport for unamanged models and proxy models
- Support for deffered fields
- Mark individual fields as editable in the admin; support for custom
actions
- Better support for Last-Modified/ETag
- Improved GIS support
- {% for %} now has an {% empty %} to simplify handling empty lists
- Various smaller improvements

Revision 1.19.2.1: download - view: text, markup, annotated - select for diffs
Wed Oct 14 09:09:06 2009 UTC (15 years, 1 month ago) by tron
Branches: pkgsrc-2009Q3
Diff to: previous 1.19: preferred, colored; next MAIN 1.20: preferred, colored
Changes since revision 1.19: +2 -2 lines
Pullup ticket #2911 - requested by joerg
py-django: bug-fix update

Revisions pulled up:
- www/py-django/Makefile		1.20
- www/py-django/distinfo		1.11
---
Module Name:	pkgsrc
Committed By:	joerg
Date:		Tue Oct 13 18:19:24 UTC 2009

Modified Files:
	pkgsrc/www/py-django: Makefile distinfo

Log Message:
Django 1.0.4:
Fix a regular expression used by the form validation code to not trigger
pathologoical performance cases for certain inputs.

Revision 1.20: download - view: text, markup, annotated - select for diffs
Tue Oct 13 18:19:23 2009 UTC (15 years, 1 month ago) by joerg
Branches: MAIN
Diff to: previous 1.19: preferred, colored
Changes since revision 1.19: +2 -2 lines
Django 1.0.4:
Fix a regular expression used by the form validation code to not trigger
pathologoical performance cases for certain inputs.

Revision 1.17.2.1: download - view: text, markup, annotated - select for diffs
Wed Jul 29 20:36:04 2009 UTC (15 years, 3 months ago) by tron
Branches: pkgsrc-2009Q2
Diff to: previous 1.17: preferred, colored; next MAIN 1.18: preferred, colored
Changes since revision 1.17: +3 -4 lines
Pullup ticket #2845 - requested by joerg
py-django: security update

Revisions pulled up:
- www/py-django/Makefile			1.19
- www/py-django/PLIST				1.11
- www/py-django/distinfo			1.10
- www/py-django/patches/patch-aa		delete
- www/py-django/patches/patch-ab		1.2
---
Module Name:	pkgsrc
Committed By:	joerg
Date:		Wed Jul 29 11:02:08 UTC 2009

Modified Files:
	pkgsrc/www/py-django: Makefile PLIST distinfo
	pkgsrc/www/py-django/patches: patch-ab
Removed Files:
	pkgsrc/www/py-django/patches: patch-aa

Log Message:
Update to Django 1.0.3:
- various bugfix
- correctly validate file names for the admin media when using the
development server

Revision 1.19: download - view: text, markup, annotated - select for diffs
Wed Jul 29 11:02:08 2009 UTC (15 years, 3 months ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2009Q3-base
Branch point for: pkgsrc-2009Q3
Diff to: previous 1.18: preferred, colored
Changes since revision 1.18: +3 -4 lines
Update to Django 1.0.3:
- various bugfix
- correctly validate file names for the admin media when using the
development server

Revision 1.18: download - view: text, markup, annotated - select for diffs
Tue Jul 14 11:17:11 2009 UTC (15 years, 4 months ago) by joerg
Branches: MAIN
Diff to: previous 1.17: preferred, colored
Changes since revision 1.17: +3 -1 lines
No need for a C compiler.

Revision 1.17: download - view: text, markup, annotated - select for diffs
Sat May 2 16:21:46 2009 UTC (15 years, 6 months ago) by reed
Branches: MAIN
CVS tags: pkgsrc-2009Q2-base
Branch point for: pkgsrc-2009Q2
Diff to: previous 1.16: preferred, colored
Changes since revision 1.16: +3 -1 lines
Add PREV_PKGPATH and/or SUPERSEDES for various packages that
were moved or renamed.

This was for some from 2008 and 2009 and one from 2001.

Also I noticed that a CHANGES entry was wrong as said "Renamed"
when should have said "Moved" (lua-OSBF) because PKGBASE stayed the
same.

Revision 1.16: download - view: text, markup, annotated - select for diffs
Tue Apr 14 09:14:24 2009 UTC (15 years, 7 months ago) by joerg
Branches: MAIN
Diff to: previous 1.15: preferred, colored
Changes since revision 1.15: +3 -3 lines
Fix sqlite option for Python 2.5 and higher, we always want to use the
newer external py-sqlite package for that. Bump revision.

Revision 1.14.2.1: download - view: text, markup, annotated - select for diffs
Fri Jan 30 15:16:42 2009 UTC (15 years, 9 months ago) by tron
Branches: pkgsrc-2008Q4
Diff to: previous 1.14: preferred, colored; next MAIN 1.15: preferred, colored
Changes since revision 1.14: +2 -1 lines
Pullup ticket #2667 - requested by joerg
py-django: package list fix

Revisions pulled up:
- www/py-django/Makefile	1.15
- www/py-django/PLIST		1.8-1.9
---
Module Name:	pkgsrc
Committed By:	joerg
Date:		Thu Jan 29 09:35:54 UTC 2009

Modified Files:
	pkgsrc/www/py-django: Makefile PLIST

Log Message:
Fix PLIST. No idea how that slipped through testing.
---
Module Name:	pkgsrc
Committed By:	joerg
Date:		Fri Jan 30 13:59:57 UTC 2009

Modified Files:
	pkgsrc/www/py-django: PLIST

Log Message:
Also remove some more directories on deinstall.

Revision 1.15: download - view: text, markup, annotated - select for diffs
Thu Jan 29 09:35:54 2009 UTC (15 years, 9 months ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2009Q1-base, pkgsrc-2009Q1
Diff to: previous 1.14: preferred, colored
Changes since revision 1.14: +2 -1 lines
Fix PLIST. No idea how that slipped through testing.

Revision 1.14: download - view: text, markup, annotated - select for diffs
Wed Dec 17 19:55:38 2008 UTC (15 years, 10 months ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2008Q4-base
Branch point for: pkgsrc-2008Q4
Diff to: previous 1.13: preferred, colored
Changes since revision 1.13: +3 -3 lines
Update to Django 1.0.2:
- various bugfixes
- improved documentation and i18n

Revision 1.13: download - view: text, markup, annotated - select for diffs
Sun Sep 21 15:23:28 2008 UTC (16 years, 1 month ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2008Q3-base, pkgsrc-2008Q3
Diff to: previous 1.12: preferred, colored
Changes since revision 1.12: +1 -2 lines
Remove PYBINMODULE, it doesn't apply.

Revision 1.12: download - view: text, markup, annotated - select for diffs
Thu Sep 4 22:04:17 2008 UTC (16 years, 2 months ago) by tonnerre
Branches: MAIN
CVS tags: cube-native-xorg-base, cube-native-xorg
Diff to: previous 1.11: preferred, colored
Changes since revision 1.11: +5 -6 lines
Update Django to newly released version 1.0, fixing a cross-site request
forgery vulnerability described in
http://www.djangoproject.com/weblog/2008/sep/02/security/ .

Revision 1.9.4.1: download - view: text, markup, annotated - select for diffs
Thu May 22 13:46:33 2008 UTC (16 years, 5 months ago) by ghen
Branches: pkgsrc-2008Q1
Diff to: previous 1.9: preferred, colored; next MAIN 1.10: preferred, colored
Changes since revision 1.9: +2 -1 lines
Pullup ticket 2390 - requested by joerg
security fix for py-django

- pkgsrc/www/py-django/Makefile				1.11
- pkgsrc/www/py-django/distinfo				1.6
- pkgsrc/www/py-django/patches/patch-aa			1.3

   Module Name:		pkgsrc
   Committed By:	joerg
   Date:		Tue May 20 13:46:49 UTC 2008

   Modified Files:
	   pkgsrc/www/py-django: Makefile distinfo
   Added Files:
	   pkgsrc/www/py-django/patches: patch-aa

   Log Message:
   Fix a CSS issue in the login page of the admin module. Bump revision.

Revision 1.11: download - view: text, markup, annotated - select for diffs
Tue May 20 13:46:49 2008 UTC (16 years, 5 months ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2008Q2-base, pkgsrc-2008Q2, cwrapper
Diff to: previous 1.10: preferred, colored
Changes since revision 1.10: +2 -1 lines
Fix a CSS issue in the login page of the admin module. Bump revision.

Revision 1.10: download - view: text, markup, annotated - select for diffs
Fri Apr 25 20:39:13 2008 UTC (16 years, 6 months ago) by joerg
Branches: MAIN
Diff to: previous 1.9: preferred, colored
Changes since revision 1.9: +2 -2 lines
Update PYTHON_VERSIONS_COMPATIBLE
- assume that Python 2.4 and 2.5 are compatible and allow checking for
fallout.
- remove PYTHON_VERSIONS_COMPATIBLE that are obsoleted by the 2.3+
default. Modify the others to deal with the removals.

Revision 1.8.2.1: download - view: text, markup, annotated - select for diffs
Mon Dec 17 21:03:07 2007 UTC (16 years, 10 months ago) by ghen
Branches: pkgsrc-2007Q3
Diff to: previous 1.8: preferred, colored; next MAIN 1.9: preferred, colored
Changes since revision 1.8: +3 -4 lines
Pullup ticket 2217 - requested by joerg
security update for py-django

- pkgsrc/www/py-django/Makefile				1.9
- pkgsrc/www/py-django/distinfo				1.5

   Module Name:	pkgsrc
   Committed By:	joerg
   Date:		Thu Nov  1 21:24:02 UTC 2007

   Modified Files:
	   pkgsrc/www/py-django: Makefile distinfo

   Log Message:
   Update to Django 0.96.1: Fix a DOS in the i18n layer.

Revision 1.9: download - view: text, markup, annotated - select for diffs
Thu Nov 1 21:24:02 2007 UTC (17 years ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2008Q1-base, pkgsrc-2007Q4-base, pkgsrc-2007Q4
Branch point for: pkgsrc-2008Q1
Diff to: previous 1.8: preferred, colored
Changes since revision 1.8: +3 -4 lines
Update to Django 0.96.1: Fix a DOS in the i18n layer.

Revision 1.8: download - view: text, markup, annotated - select for diffs
Sat Aug 11 17:20:16 2007 UTC (17 years, 3 months ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2007Q3-base
Branch point for: pkgsrc-2007Q3
Diff to: previous 1.7: preferred, colored
Changes since revision 1.7: +2 -1 lines
Add the variations of the plist for the various options back.
Bump revision.

Revision 1.7: download - view: text, markup, annotated - select for diffs
Thu Aug 9 14:05:29 2007 UTC (17 years, 3 months ago) by joerg
Branches: MAIN
Diff to: previous 1.6: preferred, colored
Changes since revision 1.6: +5 -12 lines
Update to Django 0.96:

The main goal of the 0.96 release is to cleanup and stabilise the
features from 0.95.

Incompatible changes:
- constraint names changed in some cases, this can effect manage.py
reset on old databases
- some names in manage.py changed
- backslash escaping is done more consistently
- ENABLE_PSYCO is gone

Important changes:
- merge of newforms
- URLconf takes normal callables
- new test framework
- passwords for users can be entered as normal text in the admin
interface, no need to hash manually

In addition: dropped py-setuptools dependency.

Revision 1.6: download - view: text, markup, annotated - select for diffs
Mon Feb 19 20:55:51 2007 UTC (17 years, 8 months ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2007Q2-base, pkgsrc-2007Q2, pkgsrc-2007Q1-base, pkgsrc-2007Q1
Diff to: previous 1.5: preferred, colored
Changes since revision 1.5: +3 -2 lines
Fix installation when only psycopg2 support is requested, the postgres
code is shared with psycopg1.
Include a small patch to make keyword mistakes in query args much
more obvious (from django svn). Other users might be as stupid as
the maintainer. Bump revision.

Revision 1.4.2.1: download - view: text, markup, annotated - select for diffs
Sun Jan 28 20:06:01 2007 UTC (17 years, 9 months ago) by ghen
Branches: pkgsrc-2006Q4
Diff to: previous 1.4: preferred, colored; next MAIN 1.5: preferred, colored
Changes since revision 1.4: +3 -4 lines
Pullup ticket 2003 - requested by joerg
security update for py-django

- pkgsrc/www/py-django/Makefile				1.5
- pkgsrc/www/py-django/PLIST				1.2
- pkgsrc/www/py-django/distinfo				1.2

   Module Name:	pkgsrc
   Committed By:	joerg
   Date:		Thu Jan 25 20:11:30 UTC 2007

   Modified Files:
	   pkgsrc/www/py-django: Makefile PLIST distinfo

   Log Message:
   Update Django to 0.95.1. Changes:
   * A patch for a small security vulnerability in the script Django's
     internationalization system uses to compile translation files.
   * A fix for a bug in Django's authentication middleware which could cause
     apparent "caching" of a logged-in user.
   * A patch which disables debugging mode in the flup FastCGI package
     Django uses to launch its FastCGI server, which prevents tracebacks
     from bubbling up during production use.

Revision 1.5: download - view: text, markup, annotated - select for diffs
Thu Jan 25 20:11:30 2007 UTC (17 years, 9 months ago) by joerg
Branches: MAIN
Diff to: previous 1.4: preferred, colored
Changes since revision 1.4: +3 -4 lines
Update Django to 0.95.1. Changes:
* A patch for a small security vulnerability in the script Django's
  internationalization system uses to compile translation files.
* A fix for a bug in Django's authentication middleware which could cause
  apparent "caching" of a logged-in user.
* A patch which disables debugging mode in the flup FastCGI package
  Django uses to launch its FastCGI server, which prevents tracebacks
  from bubbling up during production use.

Revision 1.2.2.1: download - view: text, markup, annotated - select for diffs
Thu Nov 23 09:41:31 2006 UTC (17 years, 11 months ago) by ghen
Branches: pkgsrc-2006Q3
Diff to: previous 1.2: preferred, colored; next MAIN 1.3: preferred, colored
Changes since revision 1.2: +6 -2 lines
Pullup ticket 1896 - requested by joerg
install fix for py24-setuptools

- pkgsrc/devel/py24-setuptools/DEINSTALL		1.1
- pkgsrc/devel/py24-setuptools/INSTALL			1.1
- pkgsrc/devel/py24-setuptools/Makefile			1.4
- pkgsrc/devel/py24-setuptools/PLIST			1.3
- pkgsrc/devel/py24-setuptools/files/manage-eggs.py	1.1
- pkgsrc/www/py-django/DEINSTALL			1.1
- pkgsrc/www/py-django/INSTALL				1.1
- pkgsrc/www/py-django/Makefile				1.3
- pkgsrc/www/py-flup/DEINSTALL				1.1
- pkgsrc/www/py-flup/INSTALL				1.1
- pkgsrc/www/py-flup/Makefile				1.3

   Module Name:	pkgsrc
   Committed By:	joerg
   Date:		Fri Nov  3 13:56:46 UTC 2006

   Modified Files:
	pkgsrc/devel/py24-setuptools: Makefile PLIST
   Added Files:
	pkgsrc/devel/py24-setuptools: DEINSTALL INSTALL
	pkgsrc/devel/py24-setuptools/files: manage-eggs.py

   Log Message:
   easy-install.pth is a volatile file as installed eggs are registered in
   it for sys.path handling. Create a default version on install time and
   remove it when done. Also install a small script which allows registering
   and unregistering of eggs installed via packages. Bump revision.
---
   Module Name:	pkgsrc
   Committed By:	joerg
   Date:		Fri Nov  3 14:13:57 UTC 2006

   Modified Files:
	pkgsrc/www/py-flup: Makefile
   Added Files:
	pkgsrc/www/py-flup: DEINSTALL INSTALL

   Log Message:
   Require newer py24-setuptools and register/unregister egg.
---
   Module Name:	pkgsrc
   Committed By:	joerg
   Date:		Fri Nov  3 14:14:18 UTC 2006

   Modified Files:
	pkgsrc/www/py-django: Makefile

   Log Message:
   Require newer py24-setuptools and register/unregister egg.
---
   Module Name:	pkgsrc
   Committed By:	joerg
   Date:		Fri Nov  3 14:14:52 UTC 2006

   Added Files:
	pkgsrc/www/py-django: DEINSTALL INSTALL

   Log Message:
   Forgotten files: register/unregister egg.

Revision 1.4: download - view: text, markup, annotated - select for diffs
Tue Nov 14 13:36:53 2006 UTC (18 years ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2006Q4-base
Branch point for: pkgsrc-2006Q4
Diff to: previous 1.3: preferred, colored
Changes since revision 1.3: +6 -2 lines
Switch django and flup to use the new location of py-setuptools.
Skip easy-install.pyth as it gets modified. Mark explicitly as
not supporting DESTDIR, as setuptools doesn't like it right now.

Revision 1.3: download - view: text, markup, annotated - select for diffs
Fri Nov 3 14:14:18 2006 UTC (18 years ago) by joerg
Branches: MAIN
Diff to: previous 1.2: preferred, colored
Changes since revision 1.2: +6 -2 lines
Require newer py24-setuptools and register/unregister egg.

Revision 1.2: download - view: text, markup, annotated - select for diffs
Sun Sep 17 13:42:07 2006 UTC (18 years, 1 month ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2006Q3-base
Branch point for: pkgsrc-2006Q3
Diff to: previous 1.1: preferred, colored
Changes since revision 1.1: +2 -2 lines
Point directly to media server as MASTER_SITE to catch up with the
layout changes.

Revision 1.1.1.1 (vendor branch): download - view: text, markup, annotated - select for diffs
Mon Sep 11 11:38:33 2006 UTC (18 years, 2 months ago) by joerg
Branches: TNF
CVS tags: pkgsrc-base
Diff to: previous 1.1: preferred, colored
Changes since revision 1.1: +0 -0 lines
Import Django 0.95 from pkgsrc-wip:
Django is a high-level Python Web framework that encourages rapid development
and clean, pragmatic design. Django was designed to make common Web-development
tasks fast and easy.

Revision 1.1: download - view: text, markup, annotated - select for diffs
Mon Sep 11 11:38:33 2006 UTC (18 years, 2 months ago) by joerg
Branches: MAIN
Initial revision

Diff request

This form allows you to request diffs between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.

Log view options

CVSweb <webmaster@jp.NetBSD.org>