Today the Django team issued 1.11.5 and 1.10.8 as part of our security process. These releases address a security issue, and we encourage all users to upgrade as soon as possible: https://www.djangoproject.com/weblog/2017/sep/05/security-releases/

As a reminder, we ask that potential security issues be reported via private email to security@...ngoproject.com and not via Django's Trac instance or the django-developers list. Please see https://www.djangoproject.com/security for further information.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
1.11.x and 1.10.x are both unstable in Gentoo. They still need to be bumped, though, and vulnerable versions cleaned.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=353ab3c934731b424d59e9efd92dce75ae3e7252

commit 353ab3c934731b424d59e9efd92dce75ae3e7252
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-07-17 14:46:31 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-07-17 14:46:31 +0000

    dev-python/django: bump to 1.11.14

    * Add myself as maintainer
    * Add missing test dependencies

    Bug: https://bugs.gentoo.org/630064
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-python/django/Manifest                                        | 2 +-
 dev-python/django/{django-1.11.2.ebuild => django-1.11.14.ebuild} | 6 ++++--
 dev-python/django/metadata.xml                                    | 4 ++++
 3 files changed, 9 insertions(+), 3 deletions(-)
I've just bumped django to 1.11.14. Even though 1.11.x and 1.10.x were unstable, 1.8.x is not supported anymore (support ended in April 2018 [1]) and is therefore insecure. I would like to request a stabilization operation as part of this security fix under the ALLARCHES policy. 1.11.2 has been around for a good while, the ebuild hasn't significantly changed in the latest bump, and django minor releases tend to be pretty solid.

Please stabilize =dev-python/django-1.11.14

I will remove all older versions afterwards.

[1]: https://www.djangoproject.com/download/#supported-versions
Oops, sorry, forgot to CC the arches.
amd64 stable
x86 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b40fac4739d8bf1bc96de3be93e4903f5dff2801

commit b40fac4739d8bf1bc96de3be93e4903f5dff2801
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-07-21 00:17:34 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-07-21 00:18:32 +0000

    profiles: remove dev-python/django package mask

    Vulnerable versions have been removed from the tree.

    Bug: https://bugs.gentoo.org/630064

 profiles/package.mask | 13 -------------
 1 file changed, 13 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5bd127d40a0ae08853af6e2c2c7cff86c5cc608

commit b5bd127d40a0ae08853af6e2c2c7cff86c5cc608
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-07-21 00:15:27 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-07-21 00:15:27 +0000

    dev-python/django: remove old and vulnerable

    Bug: https://bugs.gentoo.org/630064
    Package-Manager: Portage-2.3.43, Repoman-2.3.10

 dev-python/django/Manifest                         |   7 --
 dev-python/django/django-1.10.7.ebuild             | 110 ---------------------
 dev-python/django/django-1.4.22.ebuild             | 103 -------------------
 dev-python/django/django-1.5.12.ebuild             |  77 ---------------
 dev-python/django/django-1.6.11.ebuild             | 105 --------------------
 dev-python/django/django-1.7.11.ebuild             | 104 -------------------
 dev-python/django/django-1.8.18.ebuild             | 106 --------------------
 dev-python/django/django-1.9.13.ebuild             | 110 ---------------------
 .../django/files/django-1.4.19-bashcomp.patch      |  37 -------
 dev-python/django/files/django-1.5-py3tests.patch  |  22 -----
 dev-python/django/files/django-1.5.4-objects.patch |  31 ------
 dev-python/django/files/django-1.6-objects.patch   |  18 ----
 .../django/files/django-1.6.10-bashcomp.patch      |  35 -------
 .../django/files/django-1.7.6-bashcomp.patch       |  34 -------
 14 files changed, 899 deletions(-)
Vulnerable versions have been removed.
It turns out that removing django 1.8.x, even if unsupported, is trickier than I thought. It has a couple of revdeps I hadn't noticed. It might take a while to remove them. In the interest of closing this bug, and because there's no CVE for django 1.8.19 yet, I'll bump it to 1.8.19 shortly and request stabilization.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01060e7ce00061bfae821547ffaebe3cc149bae9

commit 01060e7ce00061bfae821547ffaebe3cc149bae9
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-07-21 11:11:37 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-07-21 11:11:37 +0000

    dev-python/django: security bump to 1.8.19

    * versionator -> eapi7-ver
    * Drop py36 (not supported upstream, added by mistake)

    Bug: https://bugs.gentoo.org/630064
    Package-Manager: Portage-2.3.43, Repoman-2.3.10

 dev-python/django/Manifest             |   1 +
 dev-python/django/django-1.8.19.ebuild | 106 +++++++++++++++++++++++++++++++++
 2 files changed, 107 insertions(+)
The 1.8.19 ebuild is pushed, but because I've dropped support for py36 impl (it was mistakenly added, upstream specifically doesn't support it), I have to adapt the couple of revdeps to it before requesting stabilization.
Revdeps for django 1.8.19 have been sorted out; one of them (dev-python/django-tastypie) needs stabilization.

amd64, x86, please stabilize:

=dev-python/django-1.8.19
=dev-python/django-tastypie-0.13.3-r1

Thanks.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed97cb6fbc33d594d2a7255f76f559b13f80d09c

commit ed97cb6fbc33d594d2a7255f76f559b13f80d09c
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-07-23 00:43:06 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-07-23 00:44:49 +0000

    dev-python/django: remove old and vulnerable version

    Bug: https://bugs.gentoo.org/630064
    Package-Manager: Portage-2.3.43, Repoman-2.3.10

 dev-python/django/Manifest             |   1 -
 dev-python/django/django-1.8.18.ebuild | 106 ---------------------------------
 2 files changed, 107 deletions(-)
Cleanup is done. If I fixed revdeps properly, I won't make the CI scream this time...