py-django: updated to 1.11.10

1.11.10:

CVE-2018-6188: Information leakage in AuthenticationForm

A regression in Django 1.11.8 made AuthenticationForm run its confirm_login_allowed() method even if an incorrect password is entered. This can leak information about a user, depending on what messages confirm_login_allowed() raises. If confirm_login_allowed() isn't overridden, an attacker can enter an arbitrary username and see if that user has been set to is_active=False. If confirm_login_allowed() is overridden, more sensitive details could be leaked.

This issue is fixed with the caveat that AuthenticationForm can no longer raise the "This account is inactive." error if the authentication backend rejects inactive users (the default authentication backend, ModelBackend, has done that since Django 1.10). This issue will be revisited for Django 2.1 as a fix to address the caveat will likely be too invasive for inclusion in older versions.

Bugfixes:
Fixed incorrect foreign key nullification if a model has two foreign keys to the same model and a target model is deleted.
Fixed a regression where contrib.auth.authenticate() crashes if an authentication backend doesn't accept request and a later one does.
Fixed crash when entering an invalid uuid in ModelAdmin.raw_id_fields

diff -r1.95 -r1.96 pkgsrc/www/py-django/Makefile
(adam)
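The leak described in the commit message above, as an added example that is not part of this commit or of Django's source: a simplified plain-Python model of the login flow that compares the regressed ordering with the fixed one. The function names, the generic error message and the sample accounts are assumptions made for illustration.

```python
# Simplified model of the flow in the advisory; not Django source code.
INVALID = "Please enter a correct username and password."
INACTIVE = "This account is inactive."
# Constructed sample accounts: username -> (password, is_active)
USERS = {"alice": ("s3cret", True), "bob": ("hunter2", False)}

class LoginError(Exception):
    """Validation message shown on the login page."""

def authenticate(username, password):
    # Stand-in for a backend that rejects inactive users, as ModelBackend does.
    stored, active = USERS.get(username, (None, False))
    return username if stored == password and active else None

def confirm_login_allowed(username):
    # Policy hook: the default behaviour is to refuse inactive accounts.
    if not USERS[username][1]:
        raise LoginError(INACTIVE)

def clean_regressed(username, password):
    # Ordering described for 1.11.8: the hook also runs after a failed login.
    user = authenticate(username, password)
    if user is None:
        if username in USERS:
            confirm_login_allowed(username)  # reveals state without the password
        raise LoginError(INVALID)
    confirm_login_allowed(user)
    return user

def clean_fixed(username, password):
    # Ordering after the fix: the hook runs only for an authenticated user.
    user = authenticate(username, password)
    if user is None:
        raise LoginError(INVALID)
    confirm_login_allowed(user)
    return user

def error_for(clean, username, password):
    try:
        clean(username, password)
    except LoginError as exc:
        return str(exc)
    return None

def failure_messages(clean, names=("alice", "bob", "nobody")):
    # Regression check: wrong-password failures must all look the same.
    return {error_for(clean, name, "wrong-password") for name in names}

if __name__ == "__main__":
    print("regressed:", sorted(failure_messages(clean_regressed)))
    print("fixed:    ", sorted(failure_messages(clean_fixed)))
```

In the fixed flow the inactive account gets the generic message even with its correct password, which is the caveat the commit message states.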
@@ -1,27 +1,27 @@ | @@ -1,27 +1,27 @@ | |||
1 | # $NetBSD: Makefile,v 1.95 2018/01/03 07:23:45 adam Exp $ | 1 | # $NetBSD: Makefile,v 1.96 2018/02/02 07:55:34 adam Exp $ | |
2 | 2 | |||
3 | DISTNAME= Django-1.11.9 | 3 | DISTNAME= Django-1.11.10 | |
4 | PKGNAME= ${PYPKGPREFIX}-${DISTNAME:tl} | 4 | PKGNAME= ${PYPKGPREFIX}-${DISTNAME:tl} | |
5 | CATEGORIES= www python | 5 | CATEGORIES= www python | |
6 | MASTER_SITES= https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/ | 6 | MASTER_SITES= https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/ | |
7 | 7 | |||
8 | MAINTAINER= joerg@NetBSD.org | 8 | MAINTAINER= joerg@NetBSD.org | |
9 | HOMEPAGE= https://www.djangoproject.com/ | 9 | HOMEPAGE= https://www.djangoproject.com/ | |
10 | COMMENT= Django, a high-level Python Web framework | 10 | COMMENT= Django, a high-level Python Web framework | |
11 | LICENSE= modified-bsd | 11 | LICENSE= modified-bsd | |
12 | 12 | |||
13 | DEPENDS+= ${PYPKGPREFIX}-pytz-[0-9]*:../../time/py-pytz | 13 | DEPENDS+= ${PYPKGPREFIX}-pytz-[0-9]*:../../time/py-pytz | |
14 | 14 | |||
15 | USE_LANGUAGES= # none | 15 | USE_LANGUAGES= # none | |
16 | 16 | |||
17 | REPLACE_PYTHON= django/bin/django-admin.py | 17 | REPLACE_PYTHON+= django/bin/django-admin.py | |
18 | REPLACE_PYTHON+=django/conf/project_template/manage.py-tpl | 18 | REPLACE_PYTHON+= django/conf/project_template/manage.py-tpl | |
19 | 19 | |||
20 | post-install: | 20 | post-install: | |
21 | cd ${DESTDIR}${PREFIX}/bin && \ | 21 | cd ${DESTDIR}${PREFIX}/bin && \ | |
22 | ${MV} django-admin django-admin${PYVERSSUFFIX} && \ | 22 | ${MV} django-admin django-admin${PYVERSSUFFIX} && \ | |
23 | ${MV} django-admin.py django-admin${PYVERSSUFFIX}.py || ${TRUE} | 23 | ${MV} django-admin.py django-admin${PYVERSSUFFIX}.py || ${TRUE} | |
24 | 24 | |||
25 | .include "../../lang/python/application.mk" | 25 | .include "../../lang/python/application.mk" | |
26 | .include "../../lang/python/egg.mk" | 26 | .include "../../lang/python/egg.mk" | |
27 | .include "../../mk/bsd.pkg.mk" | 27 | .include "../../mk/bsd.pkg.mk" |
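Review bot: line 17 switches `REPLACE_PYTHON=` to `REPLACE_PYTHON+=`, a change unrelated to the version bump on line 3 and not mentioned in the commit message. Nothing earlier in this Makefile assigns REPLACE_PYTHON, so the resulting list looks the same here, but a plain `=` on the first assignment makes it explicit that the list starts empty. Either keep `=` on line 17 or mention the cleanup (including the whitespace realignment on line 18) in the log, so the security update stays easy to audit as a one-line DISTNAME change in this file.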
@@ -1,6 +1,6 @@ | @@ -1,6 +1,6 @@ | |||
1 | $NetBSD: distinfo,v 1.74 2018/01/03 07:23:45 adam Exp $ | 1 | $NetBSD: distinfo,v 1.75 2018/02/02 07:55:34 adam Exp $ | |
2 | 2 | |||
3 | SHA1 (Django-1.11.9.tar.gz) = 8c3f72bcfebd84749523c137a5f3e4cfa1740a48 | 3 | SHA1 (Django-1.11.10.tar.gz) = 69485a3f6f9d0fcc15e5d50788bcae1f82216028 | |
4 | RMD160 (Django-1.11.9.tar.gz) = d228b413a8da82bb8aaca1028bd9c7deac782dc2 | 4 | RMD160 (Django-1.11.10.tar.gz) = 2201510ee9549ce695568605850fb96bded9cae4 | |
5 | SHA512 (Django-1.11.9.tar.gz) = 140e59126bb278777adb9a89e00e3d2458c50175f48fd48b92574cdf05ea9378ea06f2e9488890d75622931e35c5dc1b0a0206b311e0a2e7738e409feef14152 | 5 | SHA512 (Django-1.11.10.tar.gz) = fb0b5ed29590dba87ab3776987cfd3df5d87dc827d8cb0efb0cf65a32c3a40abb4dde74f3d6b9c9366b675f8d3e175f7e647edda64811b1be74210195f29779b | |
6 | Size (Django-1.11.9.tar.gz) = 7879870 bytes | 6 | Size (Django-1.11.10.tar.gz) = 7881348 bytes |
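Review bot: the new SHA1, RMD160 and SHA512 values on lines 3 to 5 pin the tarball for a security release, and nothing in the commit says how the Django-1.11.10.tar.gz they were generated from was checked. It is worth confirming the tarball against the release checksums published by upstream before relying on these values, and stating that in the log. Of the three digests, SHA512 is the one that carries the integrity guarantee, since SHA1 is no longer collision resistant.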