Package Release Info

python3-Django-2.2.28-bp157.1.1

Update Info: Base Release
Available in Package Hub : 15 SP7

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

python3-Django

Change Logs

* Mon May 19 2025 Markéta Machová <mmachova@suse.com>
- Add some forgotten security patches:
  * CVE-2024-53907.patch (bsc#1234232)
  * CVE-2025-26699.patch (bsc#1239052)
  * CVE-2025-32873.patch (bsc#1242210)
- Add upstream patch urlvalidator.patch to fix tests
* Wed Jan 15 2025 Markéta Machová <mmachova@suse.com>
- Add security patch CVE-2024-56374.patch (bsc#1235856)
* Tue Sep 03 2024 Markéta Machová <mmachova@suse.com>
- Add more (mostly) security patches:
  * unescape.patch
  * needed for the tests to work
  * CVE-2024-45230.patch (bsc#1229823)
  * CVE-2024-45231.patch (bsc#1229824)
* Thu Aug 08 2024 Markéta Machová <mmachova@suse.com>
- Add a bunch of (mostly) security patches:
  * Decimal.patch
  * needed for CVE-2024-41989.patch to pass tests
  * CVE-2024-42005.patch (bsc#1228629)
  * CVE-2024-41989.patch (bsc#1228630)
  * CVE-2024-41990.patch (bsc#1228631)
  * CVE-2024-41991.patch (bsc#1228632)
* Mon Jul 22 2024 Nico Krapp <nico.krapp@suse.com>
- Add fix-cve-2023-23969.patch (CVE-2023-23969, bsc#1207565)
  * CVE-2023-23969: Potential denial-of-service via
    Accept-Language headers
- Add CVE-2024-38875.patch (CVE-2024-38875, bsc#1227590)
  * CVE-2024-38875: Potential denial-of-service attack via
    certain inputs with a very large number of brackets
- Add CVE-2024-39329.patch (CVE-2024-39329, bsc#1227593)
  * CVE-2024-39329: Username enumeration through timing difference
    for users with unusable passwords
- Add CVE-2024-39330.patch (CVE-2024-39330, bsc#1227594)
  * CVE-2024-39330: Potential directory traversal in
    django.core.files.storage.Storage.save()
- Add CVE-2024-39614.patch (CVE-2024-39614, bsc#1227595)
  * CVE-2024-39614: Potential denial-of-service through
    django.utils.translation.get_supported_language_variant()
* Thu Feb 29 2024 Alberto Planas Dominguez <aplanas@suse.com>
- Add fix_test_lazy_addresses.patch to fix test
- Add CVE-2024-27351.patch (CVE-2024-27351, bsc#1220358)
* Mon Oct 16 2023 Daniel Garcia Moreno <daniel.garcia@suse.com>
- Add CVE-2023-43665.patch (bsc#1215978, CVE-2023-43665)
  * Denial-of-service possibility in django.utils.text.Truncator
* Mon Jul 10 2023 Alberto Planas Dominguez <aplanas@suse.com>
- Add fix-cve-2023-36053.patch (bsc#1212742, CVE-2023-36053)
* Thu Feb 23 2023 Matej Cepl <mcepl@suse.com>
- Add CVE-2023-24580-DOS_file_upload.patch (CVE-2023-24580,
  bsc#1208082) to prevent DOS in file uploads.
* Thu Feb 02 2023 Alberto Planas Dominguez <aplanas@suse.com>
- Add fix-cve-2023-23969.patch (bsc#1207565, CVE-2023-23969)
* Tue Oct 04 2022 Alberto Planas Dominguez <aplanas@suse.com>
- Add fix-cve-2022-41323.patch (bsc#1203793, CVE-2022-41323)
  * Backport fix and tests from upstream branch 3.2.X
- Add test_custom_fields.patch
  * Required to fix an inspectdb test
* Mon Aug 08 2022 Alberto Planas Dominguez <aplanas@suse.com>
- Add fix-cve-2022-36359.patch (CVE-2022-36359, bsc#1201923)
  * Backport fix and tests from upstream branch 3.2.X
- Rename Django-2.2.28.tar.gz.asc to Django-2.2.28.checksum.txt
  * The source validator tries to validate the signature against
    Django-2.2.28.tar.gz, instead of the checksum message itself
* Mon Apr 11 2022 Alberto Planas Dominguez <aplanas@suse.com>
- Update to 2.2.28 (bsc#1198297)
  * Many CVE fixes (check https://github.com/django/django/blob/main/docs/releases/)
* Fri Apr 03 2020 Tomáš Chvátal <tchvatal@suse.com>
- Update to 2.2.12:
  * Added the ability to handle .po files containing different plural
    equations for the same language (#30439).
* Wed Mar 18 2020 Ondřej Súkup <mimi.vx@gmail.com>
- update to 2.2.11
  * fix boo#1165022 (CVE-2020-9402) Potential SQL injection via tolerance
    parameter in GIS functions and aggregates on Oracle
* Tue Feb 04 2020 Ondřej Súkup <mimi.vx@gmail.com>
- update to 2.2.10
- drop pyyaml53.patch
  * fix boo#1161919 (CVE-2020-7471) Potential SQL injection via ``StringAgg(delimiter)``
* Wed Jan 15 2020 Ondřej Súkup <mimi.vx@gmail.com>
- add pyyaml53.patch - fix tests with PyYAML 5.3
* Sun Dec 29 2019 Ondřej Súkup <mimi.vx@gmail.com>
- Update to 2.2.9
  * CVE-2019-19844: Potential account hijack via password reset form (bsc#1159447)
  * Fixed a data loss possibility in SplitArrayField.
* Mon Dec 02 2019 Alberto Planas Dominguez <aplanas@suse.com>
- Update to 2.2.8
  * CVE-2019-19118: Privilege escalation in the Django admin (boo#1157705)
  * Fixed a data loss possibility in the admin changelist view when a
    custom formset’s prefix contains regular expression special
    characters, e.g. '$'
  * Fixed a regression in Django 2.2.1 that caused a crash when
    migrating permissions for proxy models with a multiple database
    setup if the default entry was empty
  * Fixed a data loss possibility in the select_for_update(). When
    using 'self' in the of argument with multi-table inheritance, a
    parent model was locked instead of the queryset’s model
- Add patch fix-selenium-test.patch to fix a test when selenium is
  missing
* Fri Nov 15 2019 Tomáš Chvátal <tchvatal@suse.com>
- Update to 2.2.7:
  * Fixed a crash when using a contains, contained_by, has_key, has_keys, or has_any_keys lookup on JSONField, if the right or left hand side of an expression is a key transform (#30826).
  * Prevented migrate --plan from showing that RunPython operations are irreversible when reverse_code callables don’t have docstrings or when showing a forward migration plan (#30870).
  * Fixed migrations crash on PostgreSQL when adding an Index with fields ordering and opclasses (#30903).
  * Restored the ability to override get_FOO_display() (#30931).