buildroot/package/python-django, branch 2017.08

python-django: security bump to version 1.10.7

2017-04-27T19:27:27+00:00

Fixes the following security issues: Since 1.10.3: CVE-2016-9013 - User with hardcoded password created when running tests on Oracle Marti Raudsepp reported that a user with a hardcoded password is created when running tests with an Oracle database. CVE-2016-9014 - DNS rebinding vulnerability when DEBUG=True Aymeric Augustin discovered that Django does not properly validate the Host header against settings.ALLOWED_HOSTS when the debug setting is enabled. A remote attacker can take advantage of this flaw to perform DNS rebinding attacks. Since 1.10.7: CVE-2017-7233 - Open redirect and possible XSS attack via user-supplied numeric redirect URLs It was discovered that is_safe_url() does not properly handle certain numeric URLs as safe. A remote attacker can take advantage of this flaw to perform XSS attacks or to use a Django server as an open redirect. CVE-2017-7234 - Open redirect vulnerability in django.views.static.serve() Phithon from Chaitin Tech discovered an open redirect vulnerability in the django.views.static.serve() view. Note that this view is not intended for production use. Cc: Oli Vogt Signed-off-by: Peter Korsgaard

boot, package: use SPDX short identifier for BSD-3c

2017-04-01T13:26:57+00:00

We want to use SPDX identifier for license string as much as possible. SPDX short identifier for BSD-3c is BSD-3-Clause. This change is done using following command. find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-3c/BSD-3-Clause/g' Signed-off-by: Rahul Bedarkar Signed-off-by: Thomas Petazzoni

package/python-django: bump version to 1.10.2

2016-10-05T21:00:34+00:00

Signed-off-by: Bernd Kuhls Signed-off-by: Thomas Petazzoni

Remove trailing slash from all package site URLs

2015-03-10T19:40:08+00:00

The recommended form is without the trailing slash. Buildroot will add a slash between FOO_SITE and FOO_SOURCE as appropriate. Reported-by: Arnout Vandecappelle Signed-off-by: Luca Ceresoli Signed-off-by: Peter Korsgaard

python-django: security bump to version 1.7.3

2015-01-14T18:26:12+00:00

Fixes: CVE-2015-0219 - incorrectly handled underscores in WSGI headers. A remote attacker could possibly use this issue to spoof headers in certain environments. CVE-2015-0220 - incorrectly handled user-supplied redirect URLs. A remote attacker could possibly use this issue to perform a cross-site scripting attack. CVE-2015-0221 - incorrectly handled reading files in django.views.static.serve(). A remote attacker could possibly use this issue to cause Django to consume resources, resulting in a denial of service. CVE-2015-0222 - incorrectly handled forms with ModelMultipleChoiceField. A remote attacker could possibly use this issue to cause a large number of SQL queries, resulting in a database denial of service. Signed-off-by: Gustavo Zacarias Signed-off-by: Thomas Petazzoni

python-django: be more specific about the license

2015-01-04T21:08:44+00:00

The license is really a 3 clauses BSD license, so let's specify this in python-django.mk. Signed-off-by: Thomas Petazzoni

python-django: new package

2015-01-04T21:04:35+00:00

[Thomas: - Bump to Django 1.7.2, the latest available version; - Support Python 3 in addition to Python 2. - Use a download location from pypi.python.org since the download location from djangoproject.com didn't work as is and is impractical to use with Buildroot: the full URL of the tarball is https://www.djangoproject.com/download/1.7.2/tarball/. I.e, it does not end with the tarball file name.] Signed-off-by: oli vogt Signed-off-by: Thomas Petazzoni