<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package/python-django, branch 2019.02-op-build</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2019.02-op-build</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2019.02-op-build'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2019-02-15T20:48:38+00:00</updated>
<entry>
<title>package/python-django: security bump to version 2.1.7</title>
<updated>2019-02-15T20:48:38+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2019-02-15T13:32:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=653f86c0e91847dd8841837b650e2e966b59dd78'/>
<id>urn:sha1:653f86c0e91847dd8841837b650e2e966b59dd78</id>
<content type='text'>
Fixes the following security issues:

CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

If django.utils.numberformat.format() – used by contrib.admin as well as the
floatformat, filesizeformat, and intcomma template filters – received a
Decimal with a large number of digits or a large exponent, it could lead to
significant memory usage due to a call to '{:f}'.format().

To avoid this, decimals with more than 200 digits are now formatted using
scientific notation.

https://docs.djangoproject.com/en/2.1/releases/2.1.6/

2.1.6 contained a packaging error, fixed by 2.1.7:

https://docs.djangoproject.com/en/2.1/releases/2.1.7/

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
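The memory-exhaustion path in the 2.1.7 entry above comes down to one call: '{:f}'.format() on a Decimal materialises every digit implied by the exponent, so a value such as Decimal('1e10000000') costs on the order of ten megabytes of string before any template filter sees it. The following is an added example written for this page, not Django's own django.utils.numberformat.format(): it computes the fixed-point length from Decimal.as_tuple() before formatting and applies the 200-digit cutoff the commit describes, falling back to scientific notation above it. MAX_FIXED_POINT_DIGITS, fixed_point_length and safe_format are names chosen here.

```python
from decimal import Decimal

# Cutoff from the commit message above: decimals that would need more than
# 200 digits in fixed-point notation are rendered in scientific notation.
MAX_FIXED_POINT_DIGITS = 200


def fixed_point_length(number):
    """Length of the string '{:f}'.format(number) would produce.

    Derived from Decimal.as_tuple(), so the cost does not depend on the
    exponent and the string itself is never built. Returns 0 for NaN and
    infinities, which format to short constant strings.
    """
    sign, digits, exponent = number.as_tuple()
    if not isinstance(exponent, int):
        return 0
    if exponent >= 0:
        # Integer: all coefficient digits followed by `exponent` zeros.
        length = len(digits) + exponent
    else:
        # Fraction: integer part (at least the single '0'), the decimal
        # point, and exactly -exponent fractional digits.
        integer_part = max(len(digits) + exponent, 1)
        length = integer_part + 1 + (-exponent)
    return length + sign  # leading '-' when sign is 1


def safe_format(number, max_digits=MAX_FIXED_POINT_DIGITS):
    """Format a Decimal for display with bounded memory use.

    Hypothetical helper, not Django's django.utils.numberformat.format().
    '{:f}' is only used when its output is known in advance to fit within
    max_digits; larger values fall back to '{:e}', whose length is bounded by
    the number of digits in the coefficient rather than by the exponent.
    """
    if not isinstance(number, Decimal):
        number = Decimal(str(number))
    if fixed_point_length(number) > max_digits:
        return '{:e}'.format(number)
    return '{:f}'.format(number)
```

The point of doing the arithmetic on as_tuple() rather than on the formatted string is that the check itself must not be the allocation it is trying to prevent; a guard written as len('{:f}'.format(number)) would exhaust memory exactly as the unguarded call does.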
<entry>
<title>package/python-django: security bump to version 2.1.5</title>
<updated>2019-01-04T20:57:01+00:00</updated>
<author>
<name>Asaf Kahlon</name>
<email>asafka7@gmail.com</email>
</author>
<published>2019-01-04T14:11:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=86d0ecf07615ff47a11ca6aa4d6aba908d6f359a'/>
<id>urn:sha1:86d0ecf07615ff47a11ca6aa4d6aba908d6f359a</id>
<content type='text'>
Fixes CVE-2019-3498: Content spoofing possibility in the default 404 page

For more details, see the announcement:
https://www.djangoproject.com/weblog/2019/jan/04/security-releases/

Signed-off-by: Asaf Kahlon &lt;asafka7@gmail.com&gt;
[Peter: mention that bump fixes security issues]
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>python-django: bump to version 2.1.4</title>
<updated>2018-12-05T21:57:44+00:00</updated>
<author>
<name>Asaf Kahlon</name>
<email>asafka7@gmail.com</email>
</author>
<published>2018-12-04T18:43:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=89829c4f112e673985c06d458308c962cf31fb11'/>
<id>urn:sha1:89829c4f112e673985c06d458308c962cf31fb11</id>
<content type='text'>
Signed-off-by: Asaf Kahlon &lt;asafka7@gmail.com&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>package/python-django: select BR2_PACKAGE_PYTHON_SETUPTOOLS</title>
<updated>2018-11-02T18:20:11+00:00</updated>
<author>
<name>Asaf Kahlon</name>
<email>asafka7@gmail.com</email>
</author>
<published>2018-11-02T08:53:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=df8a9ec20fdfde4d187a8993e7eabfb9180fedf7'/>
<id>urn:sha1:df8a9ec20fdfde4d187a8993e7eabfb9180fedf7</id>
<content type='text'>
The django-admin cli tool is loaded as entry point with pkg_resources,
which is provided by setuptools.

Signed-off-by: Asaf Kahlon &lt;asafka7@gmail.com&gt;
Reviewed-by: Yegor Yefremov &lt;yegorslists@googlemail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>python-django: bump to version 2.1.3</title>
<updated>2018-11-01T20:20:40+00:00</updated>
<author>
<name>Asaf Kahlon</name>
<email>asafka7@gmail.com</email>
</author>
<published>2018-11-01T18:47:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=0b404b1c896581c3dcf3f77ecc4228949dcf02e2'/>
<id>urn:sha1:0b404b1c896581c3dcf3f77ecc4228949dcf02e2</id>
<content type='text'>
Signed-off-by: Asaf Kahlon &lt;asafka7@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>python-django: bump to version 2.1.2</title>
<updated>2018-10-07T19:18:48+00:00</updated>
<author>
<name>Asaf Kahlon</name>
<email>asafka7@gmail.com</email>
</author>
<published>2018-10-05T04:46:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=f4972e2e8c7c251a263568158d3c9b9f4a04d042'/>
<id>urn:sha1:f4972e2e8c7c251a263568158d3c9b9f4a04d042</id>
<content type='text'>
Django has dropped support for Python 2.x

Fixes:
http://autobuild.buildroot.org/results/423/423d480271b8bfdd9319a11cd97f9229681478e4

Signed-off-by: Asaf Kahlon &lt;asafka7@gmail.com&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>python-django: bump version to 1.11.16</title>
<updated>2018-10-03T07:37:23+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2018-10-01T11:32:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=feb811f56756bdbbbdd5a2230545462d46b2ea61'/>
<id>urn:sha1:feb811f56756bdbbbdd5a2230545462d46b2ea61</id>
<content type='text'>
Fixes a race condition in QuerySet.update_or_create() that could result in
data loss:

https://code.djangoproject.com/ticket/29499

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>python-django: security bump to version 1.11.15</title>
<updated>2018-08-17T16:58:05+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2018-08-17T14:47:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=ae977e942893ac7e5c9b69418f047acae1603c27'/>
<id>urn:sha1:ae977e942893ac7e5c9b69418f047acae1603c27</id>
<content type='text'>
Bump to the latest release of the 1.11.x LTS series as 1.10.x is no longer
supported upstream:

https://www.djangoproject.com/download/

Fixes the following security issues:

- CVE-2017-12794: Possible XSS in traceback section of technical 500 debug
  page (1.11.5)

- CVE-2018-6188: Information leakage in AuthenticationForm (1.11.10)

- CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc
  template filters (1.11.11)

- CVE-2018-7537: Denial-of-service possibility in truncatechars_html and
  truncatewords_html template filters (1.11.11)

- CVE-2018-14574: Open redirect possibility in CommonMiddleware (1.11.15)

Also add a hash for the license file.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>package/*/Config.in: fix help text check-package warnings</title>
<updated>2017-12-18T08:22:54+00:00</updated>
<author>
<name>Thomas Petazzoni</name>
<email>thomas.petazzoni@free-electrons.com</email>
</author>
<published>2017-12-18T08:21:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=2277fdeca8c94f8ea8fe8afebcdbb176c6b1531d'/>
<id>urn:sha1:2277fdeca8c94f8ea8fe8afebcdbb176c6b1531d</id>
<content type='text'>
This commit fixes the warnings reported by check-package on the help
text of all package Config.in files, related to the formatting of the
help text: should start with a tab, then 2 spaces, then at most 62
characters.

The vast majority of warnings fixed were caused by too long lines. A
few warnings were related to spaces being used instead of a tab to
indent the help text.

Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>python-django: security bump to version 1.10.7</title>
<updated>2017-04-27T19:27:27+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-04-27T07:37:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=3a66a81b7a9db8e45f15fa63cc0670d158003d5a'/>
<id>urn:sha1:3a66a81b7a9db8e45f15fa63cc0670d158003d5a</id>
<content type='text'>
Fixes the following security issues:

Since 1.10.3:

CVE-2016-9013 - User with hardcoded password created when running tests on
Oracle

Marti Raudsepp reported that a user with a hardcoded password is created
when running tests with an Oracle database.

CVE-2016-9014 - DNS rebinding vulnerability when DEBUG=True

Aymeric Augustin discovered that Django does not properly validate the Host
header against settings.ALLOWED_HOSTS when the debug setting is enabled.  A
remote attacker can take advantage of this flaw to perform DNS rebinding
attacks.

Since 1.10.7:

CVE-2017-7233 - Open redirect and possible XSS attack via user-supplied
numeric redirect URLs

It was discovered that is_safe_url() does not properly handle certain
numeric URLs as safe.  A remote attacker can take advantage of this flaw to
perform XSS attacks or to use a Django server as an open redirect.

CVE-2017-7234 - Open redirect vulnerability in django.views.static.serve()

Phithon from Chaitin Tech discovered an open redirect vulnerability in the
django.views.static.serve() view.  Note that this view is not intended for
production use.

Cc: Oli Vogt &lt;oli.vogt.pub01@gmail.com&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
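CVE-2017-7233 in the entry above and the CommonMiddleware open redirect listed in the 1.11.15 entry are both instances of the same class: a redirect target passes a "same host" check because the checker parses the URL differently from the browser that will follow it. The following is an added example written for this page, not Django's is_safe_url(); it shows the shape checks a redirect validator needs beyond comparing hostnames, and goes beyond the numeric-URL case the commit names by also covering '///', backslash and leading-whitespace variants. ALLOWED_HOSTS is a constructed sample and is_safe_redirect is a name chosen here.

```python
from urllib.parse import urlparse

# Constructed sample of hosts a redirect may point at; a real application
# would take this from its own configuration.
ALLOWED_HOSTS = {'example.com', 'www.example.com'}


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """Decide whether a user-supplied 'next' URL may be used for a redirect.

    Hypothetical helper, not django.utils.http.is_safe_url(). Accepts
    path-relative URLs and absolute http(s) URLs whose host is in
    allowed_hosts, and rejects shapes that browsers resolve differently
    from urlparse():
      - a scheme with no network location, such as 'http:999999999', which
        a browser may resolve as http://999999999 (a decimal IPv4 address);
      - URLs opening with '///', which browsers treat as '//host';
      - backslashes, which browsers treat as forward slashes;
      - surrounding whitespace, which browsers strip before parsing.
    """
    if url is None:
        return False
    # Normalise the way a browser would so the checks below see the URL the
    # browser will actually follow.
    url = url.strip()
    if url == '':
        return False
    # '\\evil.com' is '//evil.com' to a browser but a plain path to urlparse().
    url = url.replace('\\', '/')
    if url.startswith('///'):
        return False
    try:
        parts = urlparse(url)
    except ValueError:
        # e.g. a malformed IPv6 literal; refuse rather than guess.
        return False
    # A scheme without a netloc ('http:999999999', 'javascript:alert(1)')
    # is never a safe relative redirect.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme not in ('http', 'https'):
        return False
    if parts.scheme == 'http' and require_https:
        return False
    # No host at all: a relative path that stays on the current origin.
    if not parts.netloc:
        return True
    # Compare the parsed hostname, so 'http://example.com@evil.com' is judged
    # by evil.com, not by the userinfo that precedes it.
    return parts.hostname in allowed_hosts
```

The ordering matters: the '///' and backslash checks run on the raw string because urlparse() has already lost the distinction by the time it returns, and the scheme-without-netloc rule is what closes the numeric-URL case, since urlparse('http:999999999') yields scheme 'http', an empty netloc and the digits as the path.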
</feed>
