Fri Feb 2 07:55:34 2018 UTC ()

py-django: updated to 1.11.10

1.11.10:

CVE-2018-6188: Information leakage in AuthenticationForm

A regression in Django 1.11.8 made AuthenticationForm run its confirm_login_allowed() method even if an incorrect password is entered. This can leak information about a user, depending on what messages confirm_login_allowed() raises. If confirm_login_allowed() isn窶冲 overridden, an attacker enter an arbitrary username and see if that user has been set to is_active=False. If confirm_login_allowed() is overridden, more sensitive details could be leaked.

This issue is fixed with the caveat that AuthenticationForm can no longer raise the 窶弋his account is inactive.窶� error if the authentication backend rejects inactive users (the default authentication backend, ModelBackend, has done that since Django 1.10). This issue will be revisited for Django 2.1 as a fix to address the caveat will likely be too invasive for inclusion in older versions.

Bugfixes:
Fixed incorrect foreign key nullification if a model has two foreign keys to the same model and a target model is deleted.
Fixed a regression where contrib.auth.authenticate() crashes if an authentication backend doesn窶冲 accept request and a later one does.
Fixed crash when entering an invalid uuid in ModelAdmin.raw_id_fields


(adam)

diff -r1.95 -r1.96 pkgsrc/www/py-django/Makefile
diff -r1.74 -r1.75 pkgsrc/www/py-django/distinfo

--- pkgsrc/www/py-django/Makefile 2018/01/03 07:23:45 1.95
+++ pkgsrc/www/py-django/Makefile 2018/02/02 07:55:34 1.96

 @@ -1,27 +1,27 @@
-# $NetBSD: Makefile,v 1.95 2018/01/03 07:23:45 adam Exp $
+# $NetBSD: Makefile,v 1.96 2018/02/02 07:55:34 adam Exp $
-DISTNAME=	Django-1.11.9
+DISTNAME=	Django-1.11.10
 PKGNAME=	${PYPKGPREFIX}-${DISTNAME:tl}
 CATEGORIES=	www python
 MASTER_SITES=	https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/
 MAINTAINER=	joerg@NetBSD.org
 HOMEPAGE=	https://www.djangoproject.com/
 COMMENT=	Django, a high-level Python Web framework
 LICENSE=	modified-bsd
 DEPENDS+=	${PYPKGPREFIX}-pytz-[0-9]*:../../time/py-pytz
 USE_LANGUAGES=	# none
-REPLACE_PYTHON=	django/bin/django-admin.py
+REPLACE_PYTHON+=	django/bin/django-admin.py
-REPLACE_PYTHON+=django/conf/project_template/manage.py-tpl
+REPLACE_PYTHON+=	django/conf/project_template/manage.py-tpl
 post-install:
 	cd ${DESTDIR}${PREFIX}/bin && \
 		${MV} django-admin django-admin${PYVERSSUFFIX} && \
 		${MV} django-admin.py django-admin${PYVERSSUFFIX}.py || ${TRUE}
 .include "../../lang/python/application.mk"
 .include "../../lang/python/egg.mk"
 .include "../../mk/bsd.pkg.mk"

--- pkgsrc/www/py-django/distinfo 2018/01/03 07:23:45 1.74
+++ pkgsrc/www/py-django/distinfo 2018/02/02 07:55:34 1.75

 @@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.74 2018/01/03 07:23:45 adam Exp $
+$NetBSD: distinfo,v 1.75 2018/02/02 07:55:34 adam Exp $
-SHA1 (Django-1.11.9.tar.gz) = 8c3f72bcfebd84749523c137a5f3e4cfa1740a48
+SHA1 (Django-1.11.10.tar.gz) = 69485a3f6f9d0fcc15e5d50788bcae1f82216028
-RMD160 (Django-1.11.9.tar.gz) = d228b413a8da82bb8aaca1028bd9c7deac782dc2
+RMD160 (Django-1.11.10.tar.gz) = 2201510ee9549ce695568605850fb96bded9cae4
-SHA512 (Django-1.11.9.tar.gz) = 140e59126bb278777adb9a89e00e3d2458c50175f48fd48b92574cdf05ea9378ea06f2e9488890d75622931e35c5dc1b0a0206b311e0a2e7738e409feef14152
+SHA512 (Django-1.11.10.tar.gz) = fb0b5ed29590dba87ab3776987cfd3df5d87dc827d8cb0efb0cf65a32c3a40abb4dde74f3d6b9c9366b675f8d3e175f7e647edda64811b1be74210195f29779b
-Size (Django-1.11.9.tar.gz) = 7879870 bytes
+Size (Django-1.11.10.tar.gz) = 7881348 bytes