Debian Patches
Status for python-django/3:3.2.19-1+deb12u2
Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
0001-disable-sources-in-sphinxdoc.diff | Disable creation of _sources directory by Sphinx. We do this to save some space as the sources of the documentation are not really useful in a binary package. This is a Debian specific patch. | Raphaël Hertzog <hertzog@debian.org> | not-needed | | vendor | 2015-10-11 |
0002-use_debian_geoip_database_as_default.diff | Use Debian GeoIP database path as default. Default to Debian standard path for GeoIP directory and for GeoIP city file. Avoids the need to declare them in each project. This is a Debian specific patch. | Tapio Rantala <tapio.rantala@iki.fi> | not-needed | debian | | 2015-10-11 |
0004-Use-locally-installed-documentation-sources.patch | Use locally installed documentation sources | Brian May <bam@debian.org> | no | | | 2017-06-24 |
0004-Set-the-default-shebang-to-new-projects-to-use-Pytho.patch | Set the default shebang to new projects to use Python 3. | Chris Lamb <lamby@debian.org> | no | | | 2017-09-24 |
0005-Use-usr-bin-env-python3-shebang-for-django-admin.py.patch | Use #!/usr/bin/env python3 shebang for django-admin.py. | Chris Lamb <lamby@debian.org> | no | | | 2017-09-26 |
0006-Fixed-32690-Fixed-__in-lookup-crash-when-combining-w.patch | Fixed #32690 -- Fixed __in lookup crash when combining with filtered aggregates. Having lookups group by subquery right-hand-sides is likely unnecessary in the first place but relatively large amount of work would be needed to achieve that such as making Lookup instances proper resolvable expressions. Regression in 35431298226165986ad07e91f9d3aca721ff38ec. Thanks James A. Munsch for the report. (cherry picked from commit 136ff592ad8aa8b7fa1e61435e5501cc98ce8573) | Simon Charette <charette.s@gmail.com> | no | | | 2021-05-04 |
0007-Refs-32786-Made-Query.clear_ordering-not-to-cause-si.patch | Refs #32786 -- Made Query.clear_ordering() not to cause side effects by default. (cherry picked from commit 053141d31fe5aef1c255a1be183383860e0ccce9) | Hannes Ljungberg <hannes.ljungberg@gmail.com> | no | | | 2021-05-26 |
0008-Refs-32690-Altered-lookups-Query-rhs-alterations-dur.patch | Refs #32690 -- Altered lookups Query rhs alterations during initialization. Having it happen at the lookup creation time ensures entry points called before the compilation phase (e.g. get_group_by_cols) don't have to duplicate the logic in charge of altering Query instances used as rhs. It also has the nice effect of reducing the amount of time the alteration logic to once as opposed to multiple times if the queryset is compiled more than once. (cherry picked from commit e3bde71676a704e27d62e5f96dd967f7305db7f2) | Simon Charette <charette.s@gmail.com> | no | | | 2021-12-01 |
0009-Fixed-33282-Fixed-a-crash-when-OR-ing-subquery-and-a.patch | Fixed #33282 -- Fixed a crash when OR'ing subquery and aggregation lookups. As a QuerySet resolves to Query the outer column references grouping logic should be defined on the latter and proxied from Subquery for the cases where get_group_by_cols is called on unresolved expressions. Thanks Antonio Terceiro for the report and initial patch. (cherry picked from commit e5a92d400acb4ca6a8e1375d1ab8121f2c7220be) | Simon Charette <charette.s@gmail.com> | no | | | 2021-12-01 |
0011-Moved-RequestSite-import-to-the-toplevel.patch | Moved RequestSite import to the toplevel. Via https://github.com/django/django/commit/78163d1ac4407d59bfc5fdf1f84f2dbbb2ed3443 | Claude Paroz <claude@2xlibre.net> | no | | | 2021-11-11 |
0012-Add-Python-3.11-support-for-tests.patch | Fix test_runner/test_utils tests on Python 3.11+. Python 3.11 uses fully qualified test name in unittest output. See https://github.com/python/cpython/commit/755be9b1505af591b9f2ee424a6525b6c2b65ce9 Python 3.11 while transitioning to Django 4.x | Mariusz Felisiak <felisiak.mariusz@gmail.com> | no | | upstream, https://github.com/django/django/commit/2ee4caf56b8e000cabbb73ad81ff05738d6d0a35 | 2023-01-06 |
0013-fix-url-validator.patch | Fixed URLValidator crash in some edge cases | Pedro Schlickmann Mendes <windowsxpedro@gmail.com> | yes | upstream | upstream, https://github.com/django/django/commit/e8b4feddc34ffe5759ec21da8fa027e86e653f1c | 2021-12-15 |
0014-CVE-2023-36053.patch | [PATCH] [3.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator. Thanks Seokchan Yoon for reports. | Mariusz Felisiak <felisiak.mariusz@gmail.com> | no | | | 2023-06-14 |
0015-CVE-2024-39329.patch | commit 5d8645857936c142a3973694799c52165e2bdcdb Fixed CVE-2024-39329 -- Standardized timing of verify_password() when checking unusable passwords. Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review. diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py index 86ae7f42a..ee81b641d 100644 | Michael Manfre <mike@manfre.net> | no | | | 2024-06-14 |
0016-CVE-2024-39330.patch | commit fe4a0bbe2088d0c2b331216dad21ccd0bb3ee80d Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method. Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews. diff --git a/django/core/files/storage.py b/django/core/files/storage.py index 22984f949..680f5ec91 100644 | Natalia <124304+nessita@users.noreply.github.com> | no | | | 2024-03-20 |
0017-CVE-2024-39614-1.patch | commit 9e9792228a6bb5d6402a5d645bc3be4cf364aefb Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_language_variant(). Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report. diff --git a/django/utils/translation/trans_real.py b/django/utils/translation/trans_real.py index b262a5000..92442185f 100644 | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | no | | | 2024-06-26 |
0018-CVE-2024-39614-2.patch | commit 0e94f292cda632153f2b3d9a9037eb0141ae9c2e Fixed #35627 -- Raised a LookupError rather than an unhandled ValueError in get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb. | Lorenzo Peña <lorinkoz@gmail.com> | no | | | 2024-07-23 |
0019-CVE-2024-41989.patch | commit c19465ad87e33b6122c886b97a202ad54cd43672 Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat. Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com> diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py index 02cac06bcf..66c6e76d20 100644 | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | no | | | 2024-07-12 |
0020-CVE-2024-41991.patch | commit 5f1757142febd95994caa1c0f64c1a0c161982c3 Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py index aeb74773a..b7dd0d87a 100644 | Mariusz Felisiak <felisiak.mariusz@gmail.com> | no | | | 2024-07-10 |
0021-CVE-2024-42005.patch | commit c87bfaacf8fb84984243b5055dc70f97996cb115 Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields. Thanks Eyal (eyalgabay) for the report. | Simon Charette <charette.s@gmail.com> | no | | | 2024-07-25 |
All known versions for source package 'python-django'
- 3:6.0~alpha1-1 (experimental)
- 3:4.2.24-1 (sid, forky)
- 3:4.2.23-1 (trixie)
- 3:4.2.21-1~bpo12+1 (bookworm-backports)
- 3:3.2.19-1+deb12u2 (bookworm-proposed-updates)
- 3:3.2.19-1+deb12u1 (bookworm-security, bookworm)