python-Django-1.9.9-2.1

- Change Requires: python-Pillow to python-imaging for compatibility
  with SLE-12 which provides PIL instead of Pillow.

- Update to 1.9.9
  Bugfixes
  * Fixed invalid HTML in template postmortem on the debug page
    (#26938).
  * Fixed some GIS database function crashes on MySQL 5.7 (#26657).
- Update to 1.9.8
  Fix XSS in admin?s add/change related popup (bsc#988420)
  Unsafe usage of JavaScript?s Element.innerHTML could result in XSS
  in the admin?s add/change related popup. Element.textContent is now
  used to prevent execution of the data.
  The debug view also used innerHTML. Although a security issue wasn?t
  identified there, out of an abundance of caution it?s also updated
  to use textContent.
  Bugfixes
  * Fixed missing varchar/text_pattern_ops index on CharField and
    TextField respectively when using AddField on PostgreSQL (#26889).
  * Fixed makemessages crash on Python 2 with non-ASCII file names
    (#26897).
- Update to 1.9.7
  Bugfixes
  * Removed the need for the request context processor on the admin
    login page to fix a regression in 1.9 (#26558).
  * Fixed translation of password validators? help_text in forms
    (#26544).
  * Fixed a regression causing the cached template loader to crash
    when using lazy template names (#26603).
  * Fixed on_commit callbacks execution order when callbacks make
    transactions (#26627).
  * Fixed HStoreField to raise a ValidationError instead of crashing
    on non-dictionary JSON input (#26672).
  * Fixed dbshell crash on PostgreSQL with an empty database name
    (#26698).
  * Fixed a regression in queries on a OneToOneField that has to_field
    and primary_key=True (#26667).

- Update to 1.9.6
  Bugfixes
  * Added support for relative path redirects to the test client and
    to SimpleTestCase.assertRedirects() because Django 1.9 no longer
    converts redirects to absolute URIs (#26428).
  * Fixed TimeField microseconds round-tripping on MySQL and SQLite
    (#26498).
  * Prevented makemigrations from generating infinite migrations for a
    model field that references a functools.partial (#26475).
  * Fixed a regression where SessionBase.pop() returned None rather
    than raising a KeyError for nonexistent values (#26520).
  * Fixed a regression causing the cached template loader to crash
    when using template names starting with a dash (#26536).
  * Restored conversion of an empty string to null when saving values
    of GenericIPAddressField on SQLite and MySQL (#26557).
  * Fixed a makemessages regression where temporary .py extensions
    were leaked in source file paths (#26341).

- Update to 1.9.5

- Update to 1.9.2
  Security issue
  * User with "change" but not "add" permission can create objects for
    ModelAdmin's with save_as=True
  Backwards incompatible change
  * .py-tpl files rewritten in project/app templates
  Bugfixes
  * Fixed a regression in ConditionalGetMiddleware causing
    If-None-Match checks to always return HTTP 200 (#26024).
  * Fixed a regression that caused the "user-tools" items to display
    on the admin's logout page (#26035).
  * Fixed a crash in the translations system when the current language
    has no translations (#26046).
  * Fixed a regression that caused the incorrect day to be selected
    when opening the admin calendar widget for timezones from GMT+0100
    to GMT+1200 (#24980).
  * Fixed a regression in the admin's edit related model popup that
    caused an escaped value to be displayed in the select dropdown of
    the parent window (#25997).
  * Fixed a regression in 1.8.8 causing incorrect index handling in
    migrations on PostgreSQL when adding db_index=True or unique=True
    to a CharField or TextField that already had the other specified,
    or when removing one of them from a field that had both, or when
    adding unique=True to a field already listed in unique_together
    (#26034).
  * Fixed a regression where defining a relation on an abstract
    model's field using a string model name without an app_label no
    longer resolved that reference to the abstract model's app if
    using that model in another application (#25858).
  * Fixed a crash when destroying an existing test database on MySQL
    or PostgreSQL (#26096).
  * Fixed CSRF cookie check on POST requests when
    USE_X_FORWARDED_PORT=True (#26094).
  * Fixed a QuerySet.order_by() crash when ordering by a relational
    field of a ManyToManyField through model (#26092).
  * Fixed a regression that caused an exception when making database
    queries on SQLite with more than 2000 parameters when DEBUG is
    True on distributions that increase the SQLITE_MAX_VARIABLE_NUMBER
    compile-time limit to over 2000, such as Debian (#26063).
  * Fixed a crash when using a reverse OneToOneField in
    ModelAdmin.readonly_fields (#26060).
  * Fixed a crash when calling the migrate command in a test case with
    the available_apps attribute pointing to an application with
    migrations disabled using the MIGRATION_MODULES setting (#26135).
  * Restored the ability for testing and debugging tools to determine
    the template from which a node came from, even during template
    inheritance or inclusion. Prior to Django 1.9, debugging tools
    could access the template origin from the node via
    Node.token.source[0]. This was an undocumented, private API. The
    origin is now available directly on each node using the
    Node.origin attribute (#25848).
  * Fixed a regression in Django 1.8.5 that broke copying a
    SimpleLazyObject with copy.copy() (#26122).
  * Always included geometry_field in the GeoJSON serializer output
    regardless of the fields parameter (#26138).
  * Fixed the contrib.gis map widgets when using
    USE_THOUSAND_SEPARATOR=True (#20415).
  * Made invalid forms display the initial of values of their disabled
    fields (#26129).

- Update to 1.9.1
  Bugfixes
  * Fixed BaseCache.get_or_set() with the DummyCache backend (#25840).
  * Fixed a regression in FormMixin causing forms to be validated
    twice (#25548, #26018).
  * Fixed a system check crash with nested ArrayFields (#25867).
  * Fixed a state bug when migrating a SeparateDatabaseAndState
    operation backwards (#25896).
  * Fixed a regression in CommonMiddleware causing If-None-Match
    checks to always return HTTP 200 (#25900).
  * Fixed missing varchar/text_pattern_ops index on CharField and
    TextField respectively when using AlterField on PostgreSQL
    (#25412).
  * Fixed admin’s delete confirmation page’s summary counts of related
    objects (#25883).
  * Added from __future__ import unicode_literals to the default
    apps.py created by startapp on Python 2 (#25909). Add this line to
    your own apps.py files created using Django 1.9 if you want your
    migrations to work on both Python 2 and Python 3.
  * Prevented QuerySet.delete() from crashing on MySQL when querying
    across relations.
  * Fixed evaluation of zero-length slices of QuerySet.values()
    (#25894).
  * ...
  * https://docs.djangoproject.com/en/1.9/releases/1.9.1/

- update to 1.9
  * https://docs.djangoproject.com/en/1.9/releases/1.9/
  * Performing actions after a transaction commit
  * Password validation
  * Permission mixins for class-based views
  * New styling for "contrib.admin"
  * Running tests in parallel

- update to 1.8.6:
  * https://docs.djangoproject.com/en/1.8/releases/1.8.5/
  * https://docs.djangoproject.com/en/1.8/releases/1.8.6/

- add missing Requires for python-setuptools (bsc#952198)
  /usr/bin/django-admin needs the pkg_resources framework from
  python-setuptools to run properly.

- update to 1.8.4 (CVE-2015-5963):
  * https://docs.djangoproject.com/en/1.8/releases/1.8.4/

- add keyring and verify source signature

- update to 1.8.3:
  * https://docs.djangoproject.com/en/1.8/releases/1.8.3/
  Various bugfixes/security fixes (CVE-2015-5145, bsc#937524)

- update to 1.8.2 (CVE-2015-3982):
  * https://docs.djangoproject.com/en/1.8/releases/1.8.2/
  * https://docs.djangoproject.com/en/1.8/releases/1.8.1/

- Update to Django 1.8
  * "Long-Term Support" (LTS) release
  New features:
  * Model._meta API
  * Multiple template engines
  * Security enhancements
  * New PostgreSQL specific functionality
  * New data types
  * Query Expressions, Conditional Expressions, and Database Functions
  * TestCase data setup
  Backwards incompatible changes:
  * Related object operations are run in a transaction
  * Assigning unsaved objects to relations raises an error
  * Management commands that only accept positional arguments
  * Custom test management command arguments through test runner
  * Model check ensures auto-generated column names are within limits
    specified by database
  * Query relation lookups now check object types
  * select_related() now checks given fields
  * Default EmailField.max_length increased to 254
  * (DROP) Support for PostgreSQL versions older than 9.0
  * (DROP) Support for MySQL versions older than 5.5
  * (DROP) Support for Oracle versions older than 11.1
  * Specific privileges used instead of roles for tests on Oracle
  * ...

- Update to Django 1.7.7:
  Security issues:
  * Denial-of-service possibility with strip_tags()
  * Mitigated possible XSS attack via user-supplied redirect URLs
  Bugfixes:
  * Fixed renaming of classes in migrations where renaming a subclass would
    cause incorrect state to be recorded for objects that referenced the
    superclass (#24354).
  * Stopped writing migration files in dry run mode when merging migration
    conflicts. When makemigrations --merge is called with verbosity=3 the
    migration file is written to stdout (:ticket: 24427).

- Update to Djano 1.7.6:
  Bugfixes
  * Mitigated an XSS attack via properties in
    "ModelAdmin.readonly_fields"
  * Fixed crash when coercing "ManyRelatedManager" to a string
    (#24352).
  * Fixed a bug that prevented migrations from adding a foreign key
    constraint when converting an existing field to a foreign key
    (#24447).

- Update to Django 1.7.5:
  Bugfixes
  * Reverted a fix that prevented a migration crash when unapplying
    contrib.contenttypes's or contrib.auth's first migration (#24075)
    due to severe impact on the test performance (#24251) and problems
    in multi-database setups (#24298).
  * Fixed a regression that prevented custom fields inheriting from
    ManyToManyField from being recognized in migrations (#24236).
  * Fixed crash in contrib.sites migrations when a default database
    isn't used (#24332).
  * Added the ability to set the isolation level on PostgreSQL with
    psycopg2 >= 2.4.2 (#24318). It was advertised as a new feature in
    Django 1.6 but it didn't work in practice.
  * Formats for the Azerbaijani locale (az) have been added.

- Update to Django 1.7.4:
  Bugfixes
  * Fixed a migration crash when unapplying ``contrib.contenttypes``?s
    or ``contrib.auth``?s first migration (:ticket:`24075`).
  * Made the migration's ``RenameModel`` operation rename
    ``ManyToManyField`` tables (:ticket:`24135`).
  * Fixed a migration crash on MySQL when migrating from a
    ``OneToOneField`` to a ``ForeignKey`` (:ticket:`24163`).
  * Prevented the ``static.serve`` view from producing
    ``ResourceWarning``\s in certain circumstances (security fix
    regression, :ticket:`24193`).
  * Fixed schema check for ManyToManyField to look for internal type
    instead of checking class instance, so you can write custom
    m2m-like fields with the same behavior. (:ticket:`24104`).

- Update to Django 1.7.3:
  Security fixes:
  * WSGI header spoofing via underscore/dash conflation.
  * Mitigated possible XSS attack via user-supplied redirect URLs.
  * Denial-of-service attack against django.views.static.serve.
  * Database denial-of-service with ModelMultipleChoiceField.
  Bug fixes:
  * The default iteration count for the PBKDF2 password hasher has been
    increased by 25%. This part of the normal major release process was
    inadvertently omitted in 1.7. This backwards compatible change will not
    affect users who have subclassed
    django.contrib.auth.hashers.PBKDF2PasswordHasher to change the default
    value.
  * Fixed a crash in the CSRF middleware when handling non-ASCII referer
    header (#23815).
  * Fixed a crash in the django.contrib.auth.redirect_to_login view when
    passing a reverse_lazy() result on Python 3 (#24097).
  * Added correct formats for Greek (el) (#23967).
  * Fixed a migration crash when unapplying a migration where multiple
    operations interact with the same model (#24110).

- South has been merged in main Django; provide and obsolete it

- Add CVE-2023-24580-DOS_file_upload.patch (CVE-2023-24580,
  bsc#1208082) to prevent DOS in file uploads.
- .sig file is actually not available (and
  https://www.djangoproject.com/download/1.7.11/checksum/ is not
  it), so stop pretending we can cryptographically verify the
  tarball.

- update to 2.0.8
  * CVE-2018-14574: Open redirect possibility in CommonMiddleware boo#1102680
  * Fixed a regression in Django 2.0.7 that broke the regex lookup on MariaD
  * Fixed a regression where django.template.Template crashed if
    the template_string argument is lazy
  * Fixed __regex and __iregex lookups with MySQL
  * Fixed admin check crash when using a query expression in ModelAdmin.ordering
  * Fixed admin changelist crash when using a query expression without asc()
    or desc() in the page?s ordering
  * Fixed a regression that broke custom template filters that use decorators
  * Fixed detection of custom URL converters in included pattern
  * Fixed a regression that added an unnecessary subquery to the GROUP BY clause
    on MySQL when using a RawSQL annotation
  * Fixed WKBWriter.write() and write_hex() for empty polygons on GEOS 3.6.1+
  * Fixed a regression in Django 1.10 that could result in large memory usage
    when making edits using ModelAdmin.list_editable
  * Corrected the import paths that inspectdb generates for django.contrib.postgres fields
  * Fixed crashes in django.contrib.admindocs when a view is a callable object,
    such as django.contrib.syndication.views.Feed
  * Fixed a regression in Django 1.11.12 where QuerySet.values() or values_list()
    after combining an annotated and unannotated queryset with union(),
    difference(), or intersection() crashed due to mismatching columns

- Update to 1.11.11
  * Fixes CVE-2018-7536, CVE-2018-7537

- Update to 1.11.10 LTS
  * Fixes CVE-2018-6188 bsc#1077714, CVE-2017-7234, CVE-2017-7233,
    CVE-2017-12794