Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

django: [18.09] CVE-2019-3498 #54941

Merged
merged 6 commits into from Jan 31, 2019
Merged

django: [18.09] CVE-2019-3498 #54941

merged 6 commits into from Jan 31, 2019

Conversation

dotlambda
Copy link
Member

@dotlambda dotlambda commented Jan 30, 2019
edited

Motivation for this change

Backport of #54940.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

cc @georgewhewell

marsam and others added 6 commits January 30, 2019 14:51
@marsam
pythonPackages.django_1_11: 1.11.16 -> 1.11.17 (NixOS#52636)
8f9bbbe 
(cherry picked from commit ddd91fc)
python.pkgs.django_1_11: 1.11.17 -> 1.11.18
ec76d88 
fixes CVE-2019-3498

(cherry picked from commit e79d165)
python.pkgs.django_2_0: 2.0.9 -> 2.0.10
67f7b70 
fixes CVE-2019-3498

(cherry picked from commit 682b551)
@r-ryantm
python36Packages.django_2_1: 2.1.2 -> 2.1.3
425238f 
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/python3.6-django/versions

(cherry picked from commit 1330965)
@r-ryantm
python37Packages.django_2_1: 2.1.3 -> 2.1.4
a38319b 
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/python3.7-django/versions

(cherry picked from commit 375f2c2)
@r-ryantm
python37Packages.django_2_1: 2.1.4 -> 2.1.5
e9a99dd 
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/python3.7-django/versions

(cherry picked from commit 0f5b4ec)
@dotlambda dotlambda added 1.severity: security 8.has: port to stable A PR already has a backport to the stable release. labels Jan 30, 2019
@dotlambda dotlambda requested a review from lsix January 30, 2019 13:57
@dotlambda dotlambda requested a review from FRidh as a code owner January 30, 2019 13:57
@grahamc grahamc changed the title [18.09] CVE-2019-3498 django: [18.09] CVE-2019-3498 Jan 30, 2019
@dotlambda
Copy link
Member Author

Tested every dependency except sage (to which this change shouldn't make any difference) using nix-review. The reported failures (buildbot buildbot-full buildbot-ui python27Packages.django-sites python36Packages.channels python36Packages.django-sites) are also present in the release-18.09 branch.

@dotlambda dotlambda merged commit 5769ebc into NixOS:release-18.09 Jan 31, 2019
@dotlambda dotlambda deleted the CVE-2019-3498-backport branch January 17, 2024 05:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lsix lsix Awaiting requested review from lsix

@FRidh FRidh Awaiting requested review from FRidh FRidh is a code owner

Assignees
No one assigned
Labels
1.severity: security 6.topic: python 8.has: port to stable A PR already has a backport to the stable release. 10.rebuild-darwin: 11-100 10.rebuild-linux: 11-100
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@dotlambda @GrahamcOfBorg @marsam @r-ryantm