The NetBSD Project

CVS log for pkgsrc/www/py-django2/Attic/Makefile



Default branch: MAIN


Revision 1.45, Thu Jul 13 10:05:33 2023 UTC (7 months, 2 weeks ago) by wiz
Branch: MAIN
CVS Tags: HEAD
Changes since 1.44: +1 -1 lines
FILE REMOVED

py-django, py-django14, py-django2: remove old django versions

Unsupported upstream (support ended 2020, 2013, 2022 resp.)

As proposed on pkgsrc-users on July 3.

Revision 1.44, Wed Nov 9 13:14:18 2022 UTC (15 months, 3 weeks ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2023Q2-base, pkgsrc-2023Q2, pkgsrc-2023Q1-base, pkgsrc-2023Q1, pkgsrc-2022Q4-base, pkgsrc-2022Q4
Changes since 1.43: +2 -2 lines

Reset MAINTAINER

Revision 1.43, Wed Apr 20 12:28:57 2022 UTC (22 months, 1 week ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q3-base, pkgsrc-2022Q3, pkgsrc-2022Q2-base, pkgsrc-2022Q2
Changes since 1.42: +2 -2 lines

py-django2: updated to 2.2.28


Django 2.2.28 fixes two security issues with severity "high" in 2.2.27.

CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra()

QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods.

CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL

QuerySet.explain() method was subject to SQL injection in option names, using a suitably crafted dictionary, with dictionary expansion, as the **options argument.

Revision 1.42, Wed Feb 2 10:17:19 2022 UTC (2 years ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q1-base, pkgsrc-2022Q1
Changes since 1.41: +2 -2 lines

py-django2: updated to 2.2.27

Django 2.2.27 fixes two security issues with severity "medium" in 2.2.26.

CVE-2022-22818: Possible XSS via {% debug %} template tag

CVE-2022-23833: Denial-of-service possibility in file uploads

Revision 1.41, Wed Jan 19 09:48:47 2022 UTC (2 years, 1 month ago) by adam
Branch: MAIN
Changes since 1.40: +2 -3 lines

py-django2: updated to 2.2.26

Django 2.2.26 fixes one security issue with severity "medium" and two security issues with severity "low" in 2.2.25.
- CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator
- CVE-2021-45116: Potential information disclosure in dictsort template filter
- CVE-2021-45452: Potential directory-traversal via Storage.save()

Revision 1.40, Wed Jan 5 15:51:59 2022 UTC (2 years, 1 month ago) by wiz
Branch: MAIN
Changes since 1.39: +3 -2 lines

py-django*: switch to USE_PKG_RESOURCES

Revision 1.39, Wed Jan 5 10:09:53 2022 UTC (2 years, 1 month ago) by wiz
Branch: MAIN
Changes since 1.38: +3 -2 lines

py-django*: add dependency on py-setuptools

These use pkg_resources.

Noted by joerg.

Bump PKGREVISION.

Revision 1.38, Tue Jan 4 20:55:22 2022 UTC (2 years, 1 month ago) by wiz
Branch: MAIN
Changes since 1.37: +2 -1 lines

*: bump PKGREVISION for egg.mk users

They now have a tool dependency on py-setuptools instead of a DEPENDS

Revision 1.37, Tue Dec 14 08:57:48 2021 UTC (2 years, 2 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q4-base, pkgsrc-2021Q4
Changes since 1.36: +2 -2 lines

py-django2: updated to 2.2.25

2.2.25:

CVE-2021-44420: Potential bypass of an upstream access control based on URL paths

HTTP requests for URLs with trailing newlines could bypass an upstream access control based on URL paths.

Revision 1.36, Sat Jun 5 07:24:55 2021 UTC (2 years, 8 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base, pkgsrc-2021Q3, pkgsrc-2021Q2-base, pkgsrc-2021Q2
Changes since 1.35: +2 -2 lines

py-django2: updated to 2.2.24

Django 2.2.24 fixes two security issues in 2.2.23.

CVE-2021-33203: Potential directory traversal via admindocs

Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.

CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses

URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn't prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks.

validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+.

Revision 1.35, Fri May 14 18:53:07 2021 UTC (2 years, 9 months ago) by adam
Branch: MAIN
Changes since 1.34: +2 -2 lines

py-django2: updated to 2.2.23

Django 2.2.23 fixes a regression in 2.2.21.

Bugfixes

Fixed a regression in Django 2.2.21 where saving FileField would raise a SuspiciousFileOperation even when a custom upload_to returns a valid file path


Django 2.2.22 fixes a security issue in 2.2.21.

CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+

On Python 3.9.5+, URLValidator didn't prohibit newlines and tabs. If you used values with newlines in HTTP response, you could suffer from header injection attacks. Django itself wasn't vulnerable because HttpResponse prohibits newlines in HTTP headers.

Moreover, the URLField form field which uses URLValidator silently removes newlines and tabs on Python 3.9.5+, so the possibility of newlines entering your data only existed if you are using this validator outside of the form fields.

This issue was introduced by the bpo-43882 fix.

Revision 1.34, Wed May 5 07:04:18 2021 UTC (2 years, 9 months ago) by adam
Branch: MAIN
Changes since 1.33: +2 -2 lines

py-django2: updated to 2.2.21

Django 2.2.21 fixes a security issue in 2.2.20.
CVE-2021-31542: Potential directory-traversal via uploaded files
MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names.
In order to mitigate this risk, stricter basename and path sanitation is now applied. Specifically, empty file names and paths with dot segments will be rejected.

Django 2.2.20
CVE-2021-28658: Potential directory-traversal via uploaded files
MultiPartParser allowed directory-traversal via uploaded files with suitably crafted file names.
Built-in upload handlers were not affected by this vulnerability.

Revision 1.33, Mon Mar 1 12:44:07 2021 UTC (3 years ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1
Changes since 1.32: +2 -2 lines

py-django2: updated to 2.2.19

Django 2.2.19 fixes a security issue in 2.2.18.

CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()

Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default. Django now includes this fix. See bpo-42967 for further details.

Revision 1.32, Fri Feb 5 07:52:37 2021 UTC (3 years ago) by adam
Branch: MAIN
Changes since 1.31: +2 -2 lines

py-django2: updated to 2.2.18

Django 2.2.18 fixes a security issue with severity "low" in 2.2.17.

CVE-2021-3281: Potential directory-traversal via archive.extract()

The django.utils.archive.extract() function, used by startapp --template and startproject --template, allowed directory-traversal via an archive with absolute paths or relative paths with dot segments.

Revision 1.31, Mon Nov 2 11:09:35 2020 UTC (3 years, 3 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4
Changes since 1.30: +2 -2 lines

py-django2: updated to 2.2.17

Django 2.2.17 adds compatibility with Python 3.9.

Revision 1.30, Thu Sep 10 09:32:28 2020 UTC (3 years, 5 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3
Changes since 1.29: +2 -2 lines

py-django2: updated to 2.2.16

Django 2.2.16 fixes two security issues and two data loss bugs in 2.2.15.

CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+

On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the collectstatic management command.

You should review and manually fix permissions on existing intermediate-level directories.

CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+

On Python 3.7+, the intermediate-level directories of the file system cache had the system's standard umask rather than 0o077 (no group or others permissions).

Bugfixes

Fixed a data loss possibility in the select_for_update(). When using related fields pointing to a proxy model in the of argument, the corresponding model was not locked.
Fixed a data loss possibility, following a regression in Django 2.0, when copying model instances with a cached fields value.


Django 2.2.15 fixes two bugs in 2.2.14.

Bugfixes

Allowed setting the SameSite cookie flag in HttpResponse.delete_cookie().
Fixed crash when sending emails to addresses with display names longer than 75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+.

Revision 1.29, Wed Jul 8 15:11:23 2020 UTC (3 years, 7 months ago) by adam
Branch: MAIN
Changes since 1.28: +2 -2 lines

py-django2: updated to 2.2.14

Django 2.2.14 fixes a bug in 2.2.13.

Bugfixes

Fixed messages of InvalidCacheKey exceptions and CacheKeyWarning warnings raised by cache key validation

Revision 1.28, Wed Jun 3 15:28:38 2020 UTC (3 years, 8 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2020Q2-base, pkgsrc-2020Q2
Changes since 1.27: +2 -2 lines

py-django2: updated to 2.2.13

Django 2.2.13 fixes two security issues and a regression in 2.2.12.

CVE-2020-13254: Potential data leakage via malformed memcached keys

In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.

CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget

Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.

Bugfixes

Fixed a regression in Django 2.2.12 that affected translation loading for apps providing translations for territorial language variants as well as a generic language, where the project has different plural equations for the language.
Tracking a jQuery security release, upgraded the version of jQuery used by the admin from 3.3.1 to 3.5.1.

Revision 1.27, Mon Apr 6 16:58:56 2020 UTC (3 years, 10 months ago) by adam
Branch: MAIN
Changes since 1.26: +2 -2 lines

py-django2: updated to 2.2.12

Django 2.2.12:
Added the ability to handle .po files containing different plural equations for the same language

Revision 1.26, Thu Mar 12 16:21:02 2020 UTC (3 years, 11 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1
Changes since 1.25: +2 -2 lines

py-django2: updated to 2.2.11

Django 2.2.11 fixes a security issue and a data loss bug in 2.2.10.

CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle

GIS functions and aggregates on Oracle were subject to SQL injection, using a suitably crafted tolerance.

Bugfixes

Fixed a data loss possibility in the select_for_update(). When using related fields or parent link fields with Multi-table inheritance in the of argument, the corresponding models were not locked

Revision 1.25, Tue Feb 4 17:25:05 2020 UTC (4 years ago) by adam
Branch: MAIN
Changes since 1.24: +2 -2 lines

py-django2: updated to 2.2.10

Django 2.2.10 fixes a security issue:
CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)
StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter.

Revision 1.24, Thu Dec 19 13:40:36 2019 UTC (4 years, 2 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base, pkgsrc-2019Q4
Changes since 1.23: +2 -2 lines

py-django2: updated to 2.2.9

Django 2.2.9 fixes a security issue and a data loss bug in 2.2.8.

CVE-2019-19844: Potential account hijack via password reset form

By submitting a suitably crafted email address making use of Unicode characters, that compared equal to an existing user email when lower-cased for comparison, an attacker could be sent a password reset token for the matched account.

In order to avoid this vulnerability, password reset requests now compare the submitted email using the stricter, recommended algorithm for case-insensitive comparison of two identifiers from Unicode Technical Report 36, section 2.11.2(B)(2). Upon a match, the email containing the reset token will be sent to the email address on record rather than the submitted address.

Bugfixes
* Fixed a data loss possibility in SplitArrayField. When using with ArrayField(BooleanField()), all values after the first True value were marked as checked instead of preserving passed values

Revision 1.23, Mon Dec 2 11:46:56 2019 UTC (4 years, 2 months ago) by adam
Branch: MAIN
Changes since 1.22: +2 -2 lines

py-django2: updated to 2.2.8

2.2.8:
* CVE-2019-19118: Privilege escalation in the Django admin.
* Fixed a data loss possibility in the admin changelist view when a custom formset's prefix contains regular expression special characters, e.g. ''
* Fixed a regression in Django 2.2.1 that caused a crash when migrating permissions for proxy models with a multiple database setup if the default entry was empty.
* Fixed a data loss possibility in the select_for_update(). When using 'self' in the of argument with multi-table inheritance, a parent model was locked instead of the queryset's model

Revision 1.22, Tue Nov 5 07:44:24 2019 UTC (4 years, 3 months ago) by adam
Branch: MAIN
Changes since 1.21: +2 -2 lines

py-django2: updated to 2.2.7

Django 2.2.7:
Fixed a crash when using a contains, contained_by, has_key, has_keys, or has_any_keys lookup on JSONField, if the right or left hand side of an expression is a key transform.
Prevented migrate --plan from showing that RunPython operations are irreversible when reverse_code callables don't have docstrings or when showing a forward migration plan.
Fixed migrations crash on PostgreSQL when adding an Index with fields ordering and opclasses.
Restored the ability to override get_FOO_display().

Revision 1.21, Tue Oct 1 17:58:37 2019 UTC (4 years, 5 months ago) by adam
Branch: MAIN
Changes since 1.20: +2 -2 lines

py-django2: updated to 2.2.6

Django 2.2.6:
Fixed migrations crash on SQLite when altering a model containing partial indexes.
Fixed a regression in Django 2.2.4 that caused a crash when filtering with a Subquery() annotation of a queryset containing JSONField or HStoreField.

Revision 1.20, Wed Sep 4 08:31:45 2019 UTC (4 years, 5 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base, pkgsrc-2019Q3
Changes since 1.19: +2 -2 lines

py-django2: updated to 2.2.5

Django 2.2.5 fixes several bugs in 2.2.4.

Bugfixes

Relaxed the system check added in Django 2.2 for models to reallow use of the same db_table by multiple models when database routers are installed.
Fixed crash of KeyTransform() for JSONField and HStoreField when using on expressions with params.
Fixed a regression in Django 2.2 where ModelAdmin.list_filter choices to foreign objects don't respect a model's Meta.ordering.
Fixed a race condition in loading URLconf module that could cause a crash of auto-reloader on Python 3.5 and below

Revision 1.19, Tue Aug 6 09:33:00 2019 UTC (4 years, 6 months ago) by adam
Branch: MAIN
Changes since 1.18: +2 -2 lines

py-django2: updated to 2.2.4

Django 2.2.4:
* CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator
* CVE-2019-14233: Denial-of-service possibility in strip_tags()
* CVE-2019-14234: SQL injection possibility in key and index lookups for JSONField/HStoreField
* CVE-2019-14235: Potential memory exhaustion in django.utils.encoding.uri_to_iri()
* Fixed a regression in Django 2.2 when ordering a QuerySet.union(), intersection(), or difference() by a field type present more than once results in the wrong ordering being used
* Fixed a migration crash on PostgreSQL when adding a check constraint with a contains lookup on DateRangeField or DateTimeRangeField, if the right hand side of an expression is the same type
* Fixed a regression in Django 2.2 where auto-reloader crashes if a file path contains null characters ('\x00')
* Fixed a regression in Django 2.2 where auto-reloader crashes if a translation directory cannot be resolved

Revision 1.18, Mon Jul 1 18:26:22 2019 UTC (4 years, 8 months ago) by adam
Branch: MAIN
Changes since 1.17: +2 -2 lines

py-django2: updated to 2.2.3

Django 2.2.3
Fix CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
Fixed a regression in Django 2.2 where Avg, StdDev, and Variance crash with filter argument
Fixed a regression in Django 2.2.2 where auto-reloader crashes with AttributeError, e.g. when using ipdb

Revision 1.14.2.1, Tue Jun 4 09:10:44 2019 UTC (4 years, 8 months ago) by bsiegert
Branch: pkgsrc-2019Q1
Changes since 1.14: +2 -2 lines

Pullup ticket #5976 - requested by adam
www/py-django: security fix
www/py-django2: security fix

Revisions pulled up:
- www/py-django/Makefile                                        1.106
- www/py-django/distinfo                                        1.85
- www/py-django2/Makefile                                       1.17
- www/py-django2/PLIST                                          1.6
- www/py-django2/distinfo                                       1.15

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Mon Jun  3 12:33:00 UTC 2019

   Modified Files:
           pkgsrc/www/py-django: Makefile distinfo

   Log Message:
   py-django: updated to 1.11.21

   Django 1.11.21 release notes

   CVE-2019-12308: AdminURLFieldWidget XSS

   The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

   AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using formfield_overrides.

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Mon Jun  3 12:39:46 UTC 2019

   Modified Files:
           pkgsrc/www/py-django2: Makefile PLIST distinfo

   Log Message:
   py-django2: updated to 2.2.2

   2.2.2:
   CVE-2019-12308: AdminURLFieldWidget XSS

   The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

   AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.

   2.2.1:
   Bugfixes

   Fixed a regression in Django 2.1 that caused the incorrect quoting of database user password when using dbshell on Oracle
   Added compatibility for psycopg2 2.8
   Fixed a regression in Django 2.2 that caused a crash when loading the template for the technical 500 debug page
   Fixed crash of ordering argument in ArrayAgg and StringAgg when it contains an expression with params
   Fixed a regression in Django 2.2 that caused a single instance fast-delete to not set the primary key to None
   Prevented makemigrations from generating infinite migrations for check constraints and partial indexes when condition contains a range object
   Reverted an optimization in Django 2.2
   Fixed a regression in Django 2.2 where Paginator crashes if object_list is a queryset ordered or aggregated over a nested JSONField key transform
   Fixed a regression in Django 2.2 where IntegerField validation of database limits crashes if limit_value attribute in a custom validator is callable
   Fixed a regression in Django 2.2 where SearchVector generates SQL that is not indexable
   Fixed a regression in Django 2.2 that caused an exception to be raised when a custom error handler could not be imported
   Relaxed the system check added in Django 2.2 for the admin app's dependencies to reallow use of SessionMiddleware subclasses, rather than requiring django.contrib.sessions to be in INSTALLED_APPS
   Increased the default timeout when using Watchman to 5 seconds to prevent falling back to StatReloader on larger projects and made it customizable via the DJANGO_WATCHMAN_TIMEOUT environment variable
   Fixed a regression in Django 2.2 that caused a crash when migrating permissions for proxy models if the target permissions already existed. For example, when a permission had been created manually or a model had been migrated from concrete to proxy
   Fixed a regression in Django 2.2 that caused a crash of runserver when URLConf modules raised exceptions
   Fixed a regression in Django 2.2 where changes were not reliably detected by auto-reloader when using StatReloader
   Fixed a migration crash on Oracle and PostgreSQL when adding a check constraint with a contains, startswith, or endswith lookup (or their case-insensitive variant)
   Fixed a migration crash on Oracle and SQLite when adding a check constraint with condition contains | (OR) operator

   2.2:
   This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years. It will also receive fixes for crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for the next eight months until December 2019.

   As always, the release notes cover the salmagundi of new features in detail, but a few highlights are:
   * HttpRequest.headers to allow simple access to a request's headers.
   * Database-level constraints on models.
   * Watchman compatibility for runserver to improve the performance of watching a large number of files for changes.

Revision 1.17, Mon Jun 3 12:39:46 2019 UTC (4 years, 8 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2
Changes since 1.16: +2 -2 lines

py-django2: updated to 2.2.2

2.2.2:
CVE-2019-12308: AdminURLFieldWidget XSS

The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.

2.2.1:
Bugfixes

Fixed a regression in Django 2.1 that caused the incorrect quoting of database user password when using dbshell on Oracle
Added compatibility for psycopg2 2.8
Fixed a regression in Django 2.2 that caused a crash when loading the template for the technical 500 debug page
Fixed crash of ordering argument in ArrayAgg and StringAgg when it contains an expression with params
Fixed a regression in Django 2.2 that caused a single instance fast-delete to not set the primary key to None
Prevented makemigrations from generating infinite migrations for check constraints and partial indexes when condition contains a range object
Reverted an optimization in Django 2.2
Fixed a regression in Django 2.2 where Paginator crashes if object_list is a queryset ordered or aggregated over a nested JSONField key transform
Fixed a regression in Django 2.2 where IntegerField validation of database limits crashes if limit_value attribute in a custom validator is callable
Fixed a regression in Django 2.2 where SearchVector generates SQL that is not indexable
Fixed a regression in Django 2.2 that caused an exception to be raised when a custom error handler could not be imported
Relaxed the system check added in Django 2.2 for the admin app's dependencies to reallow use of SessionMiddleware subclasses, rather than requiring django.contrib.sessions to be in INSTALLED_APPS
Increased the default timeout when using Watchman to 5 seconds to prevent falling back to StatReloader on larger projects and made it customizable via the DJANGO_WATCHMAN_TIMEOUT environment variable
Fixed a regression in Django 2.2 that caused a crash when migrating permissions for proxy models if the target permissions already existed. For example, when a permission had been created manually or a model had been migrated from concrete to proxy
Fixed a regression in Django 2.2 that caused a crash of runserver when URLConf modules raised exceptions
Fixed a regression in Django 2.2 where changes were not reliably detected by auto-reloader when using StatReloader
Fixed a migration crash on Oracle and PostgreSQL when adding a check constraint with a contains, startswith, or endswith lookup (or their case-insensitive variant)
Fixed a migration crash on Oracle and SQLite when adding a check constraint with condition contains | (OR) operator

2.2:
This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years. It will also receive fixes for crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for the next eight months until December 2019.

As always, the release notes cover the salmagundi of new features in detail, but a few highlights are:
* HttpRequest.headers to allow simple access to a request's headers.
* Database-level constraints on models.
* Watchman compatibility for runserver to improve the performance of watching a large number of files for changes.

Revision 1.16, Fri May 31 12:40:05 2019 UTC (4 years, 9 months ago) by adam
Branch: MAIN
Changes since 1.15: +4 -4 lines

py-django2: updated to 2.1.8

2.1.8:
Bugfixes
Prevented admin inlines for a ManyToManyField's implicit through model from being editable if the user only has the view permission

Revision 1.15, Fri Apr 26 13:14:21 2019 UTC (4 years, 10 months ago) by maya
Branch: MAIN
Changes since 1.14: +2 -2 lines

Omit mentions of python 34 and 35, after those were removed.

- Includes some whitespace changes, to be handled in a separate commit.

Revision 1.14, Tue Feb 12 13:16:07 2019 UTC (5 years ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base
Branch point for: pkgsrc-2019Q1
Changes since 1.13: +2 -2 lines

py-django2: updated to 2.1.7

2.1.7:
Bugfixes
Corrected packaging error from 2.1.6

2.1.6:
CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

If django.utils.numberformat.format() - used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters - received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().

To avoid this, decimals with more than 200 digits are now formatted using scientific notation.

Bugfixes
Made the obj argument of InlineModelAdmin.has_add_permission() optional to restore backwards compatibility with third-party code that doesn't provide it

Revision 1.13, Fri Jan 4 21:53:17 2019 UTC (5 years, 1 month ago) by adam
Branch: MAIN
Changes since 1.12: +2 -2 lines

py-django2: updated to 2.1.5

Django 2.1.5 fixes a security issue and several bugs in 2.1.4.

CVE-2019-3498: Content spoofing possibility in the default 404 page

Bugfixes:
Fixed compatibility with mysqlclient 1.3.14.
Fixed a schema corruption issue on SQLite 3.26+. You might have to drop and rebuild your SQLite database if you applied a migration while using an older version of Django with SQLite 3.26 or later.
Prevented SQLite schema alterations while foreign key checks are enabled to avoid the possibility of schema corruption.
Fixed a regression in Django 2.1.4 (which enabled keep-alive connections) where request body data isn't properly consumed for such connections.
Fixed a regression in Django 2.1.4 where InlineModelAdmin.has_change_permission() is incorrectly called with a non-None obj argument during an object add

Revision 1.12, Mon Dec 3 19:04:16 2018 UTC (5 years, 2 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q4-base, pkgsrc-2018Q4
Changes since 1.11: +4 -4 lines

py-django2: updated to 2.1.4

Django 2.1.4 fixes several bugs in 2.1.3.

Bugfixes:
Corrected the default password list that CommonPasswordValidator uses by lowercasing all passwords to match the format expected by the validator.
Prevented repetitive calls to geos_version_tuple() in the WKBWriter class in an attempt to fix a random crash involving LooseVersion.
Fixed keep-alive support in runserver after it was disabled to fix another issue in Django 2.0.
Fixed admin view-only change form crash when using ModelAdmin.prepopulated_fields.

Revision 1.11, Fri Nov 2 09:52:18 2018 UTC (5 years, 3 months ago) by adam
Branch: MAIN
Changes since 1.10: +2 -2 lines

py-django2: updated to 2.1.3

Django 2.1.3

Bugfixes:
Fixed a regression in Django 2.0 where combining Q objects with __in lookups and lists crashed
Fixed a regression in Django 1.11 where django-admin shell may hang on startup
Fixed a regression in Django 2.0 where test databases aren't reused with manage.py test --keepdb on MySQL
Fixed a regression where cached foreign keys that use to_field were incorrectly cleared in Model.save()
Fixed a regression in Django 2.0 where FileSystemStorage crashes with FileExistsError if concurrent saves try to create the same directory

Revision 1.10, Tue Oct 2 08:09:27 2018 UTC (5 years, 5 months ago) by adam
Branch: MAIN
Changes since 1.9: +2 -2 lines

py-django2: updated to 2.1.2

Django 2.1.2:
CVE-2018-16984: Password hash disclosure to "view only" admin users
Fixed a regression where nonexistent joins in F() no longer raised FieldError
Fixed a regression where files starting with a tilde or underscore weren't ignored by the migrations loader
Made migrations detect changes to Meta.default_related_name
Added compatibility for cx_Oracle 7
Fixed a regression in Django 2.0 where unique index names weren't quoted
Fixed a regression where sliced queries with multiple columns with the same name crashed on Oracle 12.1
Fixed a crash when a user with the view (but not change) permission made a POST request to an admin user change form

Revision 1.9, Tue Sep 4 00:12:28 2018 UTC (5 years, 5 months ago) by minskim
Branch: MAIN
CVS Tags: pkgsrc-2018Q3-base, pkgsrc-2018Q3
Changes since 1.8: +2 -2 lines

www/py-django2: Requires Python>=3.5

Revision 1.8, Mon Sep 3 12:24:51 2018 UTC (5 years, 5 months ago) by adam
Branch: MAIN
Changes since 1.7: +3 -3 lines

py-django2: updated to 2.1.1

2.1.1:
Bugfixes
Fixed a race condition in QuerySet.update_or_create() that could result in data loss
Fixed a regression where QueryDict.urlencode() crashed if the dictionary contains a non-string value
Fixed a regression in Django 2.0 where using manage.py test --keepdb fails on PostgreSQL if the database exists and the user doesn't have permission to create databases
Fixed a regression in Django 2.0 where combining Q objects with __in lookups and lists crashed
Fixed translation failure of DurationField's "overflow" error message
Fixed a regression where the admin change form crashed if the user doesn't have the "add" permission to a model that uses TabularInline
Fixed a regression where a related_query_name reverse accessor wasn't set up when a GenericRelation is declared on an abstract base model
Fixed the test client's JSON serialization of a request data dictionary for structured content type suffixes
Made the admin change view redirect to the changelist view after a POST if the user has the "view" permission
Fixed admin change view crash for view-only users if the form has an extra form field
Fixed a regression in Django 2.0.5 where QuerySet.values() or values_list() after combining querysets with extra() with union(), difference(), or intersection() crashed due to mismatching columns
Fixed crash if InlineModelAdmin.has_add_permission() doesn't accept the obj argument

Revision 1.7, Tue Aug 7 09:53:53 2018 UTC (5 years, 6 months ago) by adam
Branch: MAIN
Changes since 1.6: +4 -3 lines

py-django2: updated to 2.1

2.1:
Model "view" permission

django.contrib.admin
ModelAdmin.search_fields now accepts any lookup such as field__exact.
jQuery is upgraded from version 2.2.3 to 3.3.1.
The new ModelAdmin.delete_queryset() method allows customizing the deletion process of the "delete selected objects" action.
You can now override the default admin site.
The new ModelAdmin.sortable_by attribute and ModelAdmin.get_sortable_by() method allow limiting the columns that can be sorted in the change list page.
The admin_order_field attribute for elements in ModelAdmin.list_display may now be a query expression.
The new ModelAdmin.get_deleted_objects() method allows customizing the deletion process of the delete view and the "delete selected" action.
The actions.html, change_list_results.html, date_hierarchy.html, pagination.html, prepopulated_fields_js.html, search_form.html, and submit_line.html templates can now be overridden per app or per model (besides overridden globally).
The admin change list and change form object tools can now be overridden per app, per model, or globally with change_list_object_tools.html and change_form_object_tools.html templates.
InlineModelAdmin.has_add_permission() is now passed the parent object as the second positional argument, obj.
Admin actions may now specify permissions to limit their availability to certain users.

django.contrib.auth
createsuperuser now gives a prompt to allow bypassing the AUTH_PASSWORD_VALIDATORS checks.
UserCreationForm and UserChangeForm no longer need to be rewritten for a custom user model.

django.contrib.gis
The new GEOSGeometry.buffer_with_style() method is a version of buffer() that allows customizing the style of the buffer.
OpenLayersWidget is now based on OpenLayers 4.6.5 (previously 3.20.1).

django.contrib.sessions
Added the SESSION_COOKIE_SAMESITE setting to set the SameSite cookie flag on session cookies.

Cache
The local-memory cache backend now uses a least-recently-used (LRU) culling strategy rather than a pseudo-random one.
The new touch() method of the low-level cache API updates the timeout of cache keys.

CSRF
Added the CSRF_COOKIE_SAMESITE setting to set the SameSite cookie flag on CSRF cookies.

Forms
The widget for ImageField now renders with the HTML attribute accept="image/*".

Internationalization
Added the get_supported_language_variant() function.
Untranslated strings for territorial language variants now use the translations of the generic language. For example, untranslated pt_BR strings use pt translations.

Management Commands
The new inspectdb --include-views option allows creating models for database views.
The BaseCommand class now uses a custom help formatter so that the standard options like --verbosity or --settings appear last in the help output, giving a more prominent position to subclassed command's options.

Migrations
Added support for serialization of functools.partialmethod objects.
To support frozen environments, migrations may be loaded from .pyc files.

Models
Models can now use __init_subclass__() from PEP 487.
A BinaryField may now be set to editable=True if you wish to include it in model forms.
A number of new text database functions are added: Chr, Left, LPad, LTrim, Ord, Repeat, Replace, Right, RPad, RTrim, and Trim.
The new TruncWeek function truncates DateField and DateTimeField to the Monday of a week.
Query expressions can now be negated using a minus sign.
QuerySet.order_by() and distinct(*fields) now support using field transforms.
BooleanField can now be null=True. This is encouraged instead of NullBooleanField, which will likely be deprecated in the future.
The new QuerySet.explain() method displays the database's execution plan of a queryset's query.
QuerySet.raw() now supports prefetch_related().

Requests and Responses
Added HttpRequest.get_full_path_info().
Added the samesite argument to HttpResponse.set_cookie() to allow setting the SameSite cookie flag.
The new as_attachment argument for FileResponse sets the Content-Disposition header to make the browser ask if the user wants to download the file. FileResponse also tries to set the Content-Type and Content-Length headers where appropriate.

Templates
The new json_script filter safely outputs a Python object as JSON, wrapped in a <script> tag, ready for use with JavaScript.

Revision 1.6, Tue Jul 3 06:47:31 2018 UTC (5 years, 7 months ago) by adam
Branch: MAIN
Changes since 1.5: +2 -2 lines

py-django2: updated to 2.0.7

Django 2.0.7:

Bugfixes
Fixed admin changelist crash when using a query expression without asc() or desc() in the page's ordering.
Fixed admin check crash when using a query expression in ModelAdmin.ordering.
Fixed __regex and __iregex lookups with MySQL 8.
Fixed migrations crash with namespace packages on Python 3.7

Revision 1.5, Mon Jun 4 15:21:03 2018 UTC (5 years, 8 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q2-base, pkgsrc-2018Q2
Changes since 1.4: +2 -2 lines

py-django2: updated to 2.0.6

2.0.6:
Bugfixes
* Fixed a regression that broke custom template filters that use decorators
* Fixed detection of custom URL converters in included patterns
* Fixed a regression that added an unnecessary subquery to the GROUP BY
  clause on MySQL when using a RawSQL annotation.
* Fixed WKBWriter.write() and write_hex() for empty polygons on
  GEOS 3.6.1+.
* Fixed a regression in Django 1.10 that could result in large memory usage
  when making edits using ModelAdmin.list_editable

Revision 1.4, Wed May 2 06:31:03 2018 UTC (5 years, 10 months ago) by adam
Branch: MAIN
Changes since 1.3: +2 -2 lines

py-django2: updated to 2.0.5

2.0.5:
Bugfixes
* Corrected the import paths that inspectdb generates for django.contrib.postgres fields.
* Fixed a regression in Django 1.11.8 where altering a field with a unique constraint may drop and rebuild more foreign keys than necessary.
* Fixed crashes in django.contrib.admindocs when a view is a callable object, such as django.contrib.syndication.views.Feed.
* Fixed a regression in Django 1.11.12 where QuerySet.values() or values_list() after combining an annotated and unannotated queryset with union(), difference(), or intersection() crashed due to mismatching columns

Revision 1.3, Tue Apr 3 08:57:51 2018 UTC (5 years, 10 months ago) by adam
Branch: MAIN
Changes since 1.2: +2 -2 lines

py-django2: updated to 2.0.4

Django 2.0.4:
Bugfixes:
Fixed a crash when filtering with an Exists() annotation of a queryset containing a single field.
Fixed admin autocomplete widget's translations for zh-hans and zh-hant languages.
Corrected admin's autocomplete widget to add a space after custom classes.
Fixed PasswordResetConfirmView crash when using a user model with a UUIDField primary key and the reset URL contains an encoded primary key value that decodes to an invalid UUID.
Fixed a regression in Django 1.11.8 where combining two annotated values_list() querysets with union(), difference(), or intersection() crashed due to mismatching columns.
Fixed a regression in Django 1.11 where an empty choice could be initially selected for the SelectMultiple and CheckboxSelectMultiple widgets.
Fixed a regression in Django 2.0 where OpenLayersWidget deserialization ignored the widget map's SRID and assumed 4326

Revision 1.2, Tue Mar 6 20:06:32 2018 UTC (5 years, 11 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base, pkgsrc-2018Q1
Changes since 1.1: +2 -2 lines

py-django2: updated to 2.0.3

2.0.3:
CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters
CVE-2018-7537: Denial-of-service possibility in truncatechars_html and truncatewords_html template filters
Bugfixes

Revision 1.1, Sun Feb 4 05:20:24 2018 UTC (6 years ago) by wen
Branch: MAIN

Import django-2.0.2 as www/py-django2.

Django is a high-level Python Web framework that encourages rapid development
and clean, pragmatic design. Django was designed to make common Web-development
tasks fast and easy.
