head 1.155; access; symbols pkgsrc-2026Q1:1.153.0.2 pkgsrc-2026Q1-base:1.153 pkgsrc-2025Q4:1.152.0.2 pkgsrc-2025Q4-base:1.152 pkgsrc-2025Q3:1.148.0.2 pkgsrc-2025Q3-base:1.148 pkgsrc-2025Q2:1.145.0.2 pkgsrc-2025Q2-base:1.145 pkgsrc-2025Q1:1.141.0.2 pkgsrc-2025Q1-base:1.141 pkgsrc-2024Q4:1.137.0.2 pkgsrc-2024Q4-base:1.137 pkgsrc-2024Q3:1.132.0.2 pkgsrc-2024Q3-base:1.132 pkgsrc-2024Q2:1.129.0.2 pkgsrc-2024Q2-base:1.129 pkgsrc-2024Q1:1.126.0.2 pkgsrc-2024Q1-base:1.126 pkgsrc-2023Q4:1.123.0.2 pkgsrc-2023Q4-base:1.123 pkgsrc-2023Q2:1.119.0.6 pkgsrc-2023Q2-base:1.119 pkgsrc-2023Q1:1.119.0.4 pkgsrc-2023Q1-base:1.119 pkgsrc-2022Q4:1.119.0.2 pkgsrc-2022Q4-base:1.119 pkgsrc-2022Q3:1.118.0.6 pkgsrc-2022Q3-base:1.118 pkgsrc-2022Q2:1.118.0.4 pkgsrc-2022Q2-base:1.118 pkgsrc-2022Q1:1.118.0.2 pkgsrc-2022Q1-base:1.118 pkgsrc-2021Q4:1.114.0.16 pkgsrc-2021Q4-base:1.114 pkgsrc-2021Q3:1.114.0.14 pkgsrc-2021Q3-base:1.114 pkgsrc-2021Q2:1.114.0.12 pkgsrc-2021Q2-base:1.114 pkgsrc-2021Q1:1.114.0.10 pkgsrc-2021Q1-base:1.114 pkgsrc-2020Q4:1.114.0.8 pkgsrc-2020Q4-base:1.114 pkgsrc-2020Q3:1.114.0.6 pkgsrc-2020Q3-base:1.114 pkgsrc-2020Q2:1.114.0.4 pkgsrc-2020Q2-base:1.114 pkgsrc-2020Q1:1.114.0.2 pkgsrc-2020Q1-base:1.114 pkgsrc-2019Q4:1.112.0.4 pkgsrc-2019Q4-base:1.112 pkgsrc-2019Q3:1.109.0.2 pkgsrc-2019Q3-base:1.109 pkgsrc-2019Q2:1.106.0.2 pkgsrc-2019Q2-base:1.106 pkgsrc-2019Q1:1.105.0.2 pkgsrc-2019Q1-base:1.105 pkgsrc-2018Q4:1.103.0.2 pkgsrc-2018Q4-base:1.103 pkgsrc-2018Q3:1.101.0.2 pkgsrc-2018Q3-base:1.101 pkgsrc-2018Q2:1.99.0.2 pkgsrc-2018Q2-base:1.99 pkgsrc-2018Q1:1.97.0.2 pkgsrc-2018Q1-base:1.97 pkgsrc-2017Q4:1.94.0.2 pkgsrc-2017Q4-base:1.94 pkgsrc-2017Q3:1.90.0.4 pkgsrc-2017Q3-base:1.90 pkgsrc-2017Q2:1.86.0.2 pkgsrc-2017Q2-base:1.86 pkgsrc-2017Q1:1.83.0.2 pkgsrc-2017Q1-base:1.83 pkgsrc-2016Q4:1.80.0.2 pkgsrc-2016Q4-base:1.80 pkgsrc-2016Q3:1.76.0.2 pkgsrc-2016Q3-base:1.76 pkgsrc-2016Q2:1.73.0.2 pkgsrc-2016Q2-base:1.73 pkgsrc-2016Q1:1.70.0.2 pkgsrc-2016Q1-base:1.70 pkgsrc-2015Q4:1.67.0.2 pkgsrc-2015Q4-base:1.67 pkgsrc-2015Q3:1.64.0.2 pkgsrc-2015Q3-base:1.64 pkgsrc-2015Q2:1.62.0.2 pkgsrc-2015Q2-base:1.62 pkgsrc-2015Q1:1.61.0.2 pkgsrc-2015Q1-base:1.61 pkgsrc-2014Q4:1.54.0.2 pkgsrc-2014Q4-base:1.54 pkgsrc-2014Q3:1.53.0.2 pkgsrc-2014Q3-base:1.53 pkgsrc-2014Q2:1.52.0.2 pkgsrc-2014Q2-base:1.52 pkgsrc-2014Q1:1.49.0.2 pkgsrc-2014Q1-base:1.49 pkgsrc-2013Q4:1.46.0.2 pkgsrc-2013Q4-base:1.46 pkgsrc-2013Q3:1.44.0.2 pkgsrc-2013Q3-base:1.44 pkgsrc-2013Q2:1.41.0.2 pkgsrc-2013Q2-base:1.41 pkgsrc-2013Q1:1.40.0.2 pkgsrc-2013Q1-base:1.40 pkgsrc-2012Q4:1.38.0.2 pkgsrc-2012Q4-base:1.38 pkgsrc-2012Q3:1.35.0.2 pkgsrc-2012Q3-base:1.35 pkgsrc-2012Q2:1.34.0.2 pkgsrc-2012Q2-base:1.34 pkgsrc-2012Q1:1.33.0.2 pkgsrc-2012Q1-base:1.33 pkgsrc-2011Q4:1.32.0.4 pkgsrc-2011Q4-base:1.32 pkgsrc-2011Q3:1.32.0.2 pkgsrc-2011Q3-base:1.32 pkgsrc-2011Q2:1.31.0.4 pkgsrc-2011Q2-base:1.31 pkgsrc-2011Q1:1.31.0.2 pkgsrc-2011Q1-base:1.31 pkgsrc-2010Q4:1.29.0.2 pkgsrc-2010Q4-base:1.29 pkgsrc-2010Q3:1.27.0.2 pkgsrc-2010Q3-base:1.27 pkgsrc-2010Q2:1.25.0.2 pkgsrc-2010Q2-base:1.25 pkgsrc-2010Q1:1.24.0.2 pkgsrc-2010Q1-base:1.24 pkgsrc-2009Q4:1.21.0.2 pkgsrc-2009Q4-base:1.21 pkgsrc-2009Q3:1.19.0.2 pkgsrc-2009Q3-base:1.19 pkgsrc-2009Q2:1.17.0.2 pkgsrc-2009Q2-base:1.17 pkgsrc-2009Q1:1.15.0.2 pkgsrc-2009Q1-base:1.15 pkgsrc-2008Q4:1.14.0.2 pkgsrc-2008Q4-base:1.14 pkgsrc-2008Q3:1.13.0.2 pkgsrc-2008Q3-base:1.13 cube-native-xorg:1.12.0.2 cube-native-xorg-base:1.12 pkgsrc-2008Q2:1.11.0.4 pkgsrc-2008Q2-base:1.11 cwrapper:1.11.0.2 pkgsrc-2008Q1:1.9.0.4 pkgsrc-2008Q1-base:1.9 pkgsrc-2007Q4:1.9.0.2 pkgsrc-2007Q4-base:1.9 pkgsrc-2007Q3:1.8.0.2 pkgsrc-2007Q3-base:1.8 pkgsrc-2007Q2:1.6.0.4 pkgsrc-2007Q2-base:1.6 pkgsrc-2007Q1:1.6.0.2 pkgsrc-2007Q1-base:1.6 pkgsrc-2006Q4:1.4.0.2 pkgsrc-2006Q4-base:1.4 pkgsrc-2006Q3:1.2.0.2 pkgsrc-2006Q3-base:1.2 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.155 date 2026.05.13.12.11.55; author adam; state Exp; branches; next 1.154; commitid G2SDHLwUnNO2lEFG; 1.154 date 2026.04.22.07.25.39; author adam; state Exp; branches; next 1.153; commitid tTJqwiCW351OqVCG; 1.153 date 2026.02.16.12.33.51; author adam; state Exp; branches; next 1.152; commitid nIwKv1Cf5Gq0eBuG; 1.152 date 2025.12.02.20.37.45; author adam; state Exp; branches; next 1.151; commitid mhqLYcGDwRBklSkG; 1.151 date 2025.11.11.10.42.37; author adam; state Exp; branches; next 1.150; commitid gcTsLNkN3vm6J7iG; 1.150 date 2025.10.09.08.02.00; author wiz; state Exp; branches; next 1.149; commitid v4gBetJhBehVTRdG; 1.149 date 2025.10.02.07.49.51; author adam; state Exp; branches; next 1.148; commitid qrSGgQNqHWIB3YcG; 1.148 date 2025.09.03.14.28.03; author adam; state Exp; branches; next 1.147; commitid gydhx237DiX0ch9G; 1.147 date 2025.08.07.04.56.19; author adam; state Exp; branches; next 1.146; commitid Q8ZwXrkrQX7KTK5G; 1.146 date 2025.07.07.08.00.26; author adam; state Exp; branches; next 1.145; commitid AFYkxge7o3DCUM1G; 1.145 date 2025.06.10.14.41.50; author adam; state Exp; branches; next 1.144; commitid zYkwKqKOFxTa0mYF; 1.144 date 2025.06.09.10.20.19; author adam; state Exp; branches; next 1.143; commitid E9UeDPkEEHkmAcYF; 1.143 date 2025.05.10.18.20.17; author adam; state Exp; branches; next 1.142; commitid srcs7gdtw6dOcoUF; 1.142 date 2025.04.14.14.20.53; author adam; state Exp; branches; next 1.141; commitid WxD2qzQEVzLAI1RF; 1.141 date 2025.03.06.16.05.55; author adam; state Exp; branches; next 1.140; commitid 3Nwf2fpRK5fgy1MF; 1.140 date 2025.03.05.10.40.59; author wiz; state Exp; branches; next 1.139; commitid hexnydZfFMXXMRLF; 1.139 date 2025.02.05.20.51.59; author adam; state Exp; branches; next 1.138; commitid sFVI81vuwnFh4kIF; 1.138 date 2025.01.14.15.55.07; author adam; state Exp; branches; next 1.137; commitid Emj7YXyKtYXf8tFF; 1.137 date 2024.12.04.20.19.44; author adam; state Exp; branches; next 1.136; commitid q4QvMmuI56EHUdAF; 1.136 date 2024.11.11.07.29.17; author wiz; state Exp; branches; next 1.135; commitid 1fBDq3LwS98NncxF; 1.135 date 2024.11.05.08.35.58; author adam; state Exp; branches; next 1.134; commitid F8wP0AnIBQdXWqwF; 1.134 date 2024.10.14.06.46.05; author wiz; state Exp; branches; next 1.133; commitid ynDJEEQamKd33BtF; 1.133 date 2024.10.08.17.42.20; author adam; state Exp; branches; next 1.132; commitid MeXva9gpVWIhSSsF; 1.132 date 2024.09.06.07.08.44; author adam; state Exp; branches; next 1.131; commitid g9pt0kafm7qFoIoF; 1.131 date 2024.08.06.20.14.10; author adam; state Exp; branches; next 1.130; commitid jfaZnDqhIKT0KNkF; 1.130 date 2024.07.11.18.51.35; author adam; state Exp; branches; next 1.129; commitid 9RJ6nGGDCyoo7shF; 1.129 date 2024.05.07.18.16.55; author adam; state Exp; branches; next 1.128; commitid 6Zn0pUGj56Ab169F; 1.128 date 2024.05.07.03.55.16; author adam; state Exp; branches; next 1.127; commitid AxoxSWcuSBauf19F; 1.127 date 2024.04.05.10.40.17; author adam; state Exp; branches; next 1.126; commitid byzsv0o5h1hfwW4F; 1.126 date 2024.03.04.15.49.51; author adam; state Exp; branches; next 1.125; commitid mtCKH6h8yK48gR0F; 1.125 date 2024.02.08.22.43.53; author adam; state Exp; branches; next 1.124; commitid ojMSNxSClRS0mGXE; 1.124 date 2024.01.09.12.56.11; author adam; state Exp; branches; next 1.123; commitid a29RWMf3b33g4MTE; 1.123 date 2023.12.04.17.25.15; author adam; state Exp; branches; next 1.122; commitid dS7kRBtkxRYhIaPE; 1.122 date 2023.11.01.20.14.51; author adam; state Exp; branches; next 1.121; commitid DSkUCW1dPe2fIWKE; 1.121 date 2023.10.04.21.37.14; author adam; state Exp; branches; next 1.120; commitid 513yh9pQyjjX3mHE; 1.120 date 2023.07.13.10.05.32; author wiz; state dead; branches; next 1.119; commitid RZgLqneuYeqdUCwE; 1.119 date 2022.11.09.13.14.17; author joerg; state Exp; branches; next 1.118; commitid dN5ujJQiZbvcR11E; 1.118 date 2022.01.05.15.51.59; author wiz; state Exp; branches; next 1.117; commitid IQ2WPEGXoF3sDsnD; 1.117 date 2022.01.05.15.41.29; author wiz; state Exp; branches; next 1.116; commitid FQ77UruBIUsgzsnD; 1.116 date 2022.01.05.10.09.53; author wiz; state Exp; branches; next 1.115; commitid GDoJA1Bh3CW0KqnD; 1.115 date 2022.01.04.20.55.17; author wiz; state Exp; branches; next 1.114; commitid CYyhdK9qtoffkmnD; 1.114 date 2020.03.12.16.22.38; author adam; state Exp; branches; next 1.113; commitid gsckNFTHzHcb980C; 1.113 date 2020.02.04.17.23.11; author adam; state Exp; branches; next 1.112; commitid xQLgyXWShhYBFnVB; 1.112 date 2019.12.19.13.39.50; author adam; state Exp; branches; next 1.111; commitid Qlmbp4VUseQvWjPB; 1.111 date 2019.11.05.07.40.16; author adam; state Exp; branches; next 1.110; commitid E1uDAfpcyJyZmDJB; 1.110 date 2019.10.01.17.56.03; author adam; state Exp; branches; next 1.109; commitid vxdr3HY4uYl2UbFB; 1.109 date 2019.09.04.08.31.06; author adam; state Exp; branches; next 1.108; commitid xAtRDjKEX1n1EFBB; 1.108 date 2019.08.06.09.30.46; author adam; state Exp; branches; next 1.107; commitid CBCaWPLzZWN1UWxB; 1.107 date 2019.07.01.18.23.52; author adam; state Exp; branches; next 1.106; commitid dz0Rttg9DYaQ0ntB; 1.106 date 2019.06.03.12.33.00; author adam; state Exp; branches; next 1.105; commitid w5kOHM1E2j0lYJpB; 1.105 date 2019.02.12.13.11.56; author adam; state Exp; branches 1.105.2.1; next 1.104; commitid hoQvNyyQoIRPKtbB; 1.104 date 2019.01.04.22.07.35; author adam; state Exp; branches; next 1.103; commitid 5gXJWa2MMWcqYv6B; 1.103 date 2018.12.03.18.59.35; author adam; state Exp; branches; next 1.102; commitid Mna9eUuOFtODXn2B; 1.102 date 2018.10.02.08.06.44; author adam; state Exp; branches; next 1.101; commitid iNJ0tXdVzJ9klmUA; 1.101 date 2018.08.02.14.02.21; author adam; state Exp; branches; next 1.100; commitid efRlQUQN9h4JgyMA; 1.100 date 2018.07.03.06.42.27; author adam; state Exp; branches; next 1.99; commitid nvceIn9hGVgJNEIA; 1.99 date 2018.05.02.06.28.35; author adam; state Exp; branches; next 1.98; commitid IqnXfQpMlFckIGAA; 1.98 date 2018.04.03.08.58.32; author adam; state Exp; branches; next 1.97; commitid CBpd3fahSDsItYwA; 1.97 date 2018.03.06.20.04.06; author adam; state Exp; branches; next 1.96; commitid 7zLIdrOkH9UU3rtA; 1.96 date 2018.02.02.07.55.34; author adam; state Exp; branches; next 1.95; commitid at1Qspmi6glB3gpA; 1.95 date 2018.01.03.07.23.45; author adam; state Exp; branches; next 1.94; commitid EHf8VmpIpAnvQolA; 1.94 date 2017.12.25.09.18.24; author adam; state Exp; branches; next 1.93; commitid HBu0UtLJYAxZLfkA; 1.93 date 2017.12.04.14.23.00; author adam; state Exp; branches; next 1.92; commitid 37zZxiT7EOH68AhA; 1.92 date 2017.11.02.09.38.43; author adam; state Exp; branches; next 1.91; commitid 5lIN0ohbb9doArdA; 1.91 date 2017.10.06.08.52.58; author adam; state Exp; branches; next 1.90; commitid hKv8nxibbvVucY9A; 1.90 date 2017.09.06.15.19.17; author adam; state Exp; branches; next 1.89; commitid wlsGQByY4bvJi96A; 1.89 date 2017.09.04.18.08.30; author wiz; state Exp; branches; next 1.88; commitid H3CpyvMOZDCWiU5A; 1.88 date 2017.08.02.10.45.09; author adam; state Exp; branches; next 1.87; commitid rawIkaPbTXsxUC1A; 1.87 date 2017.07.03.11.10.41; author adam; state Exp; branches; next 1.86; commitid 6mjOPHSHn47h1MXz; 1.86 date 2017.06.02.07.19.55; author adam; state Exp; branches; next 1.85; commitid jMQDLaSAjFMeJLTz; 1.85 date 2017.05.08.04.58.58; author adam; state Exp; branches; next 1.84; commitid XRofcgJd9NXlLxQz; 1.84 date 2017.04.05.17.08.48; author adam; state Exp; branches; next 1.83; commitid wNg08yrX5eRpRmMz; 1.83 date 2017.03.12.18.45.33; author adam; state Exp; branches 1.83.2.1; next 1.82; commitid YUNqhVTJGybhaiJz; 1.82 date 2017.01.07.19.05.46; author adam; state Exp; branches; next 1.81; commitid drfGroD8MoTLk4Bz; 1.81 date 2017.01.03.13.23.04; author jperkin; state Exp; branches; next 1.80; commitid C9GLdDCVrmakywAz; 1.80 date 2016.12.02.12.21.17; author adam; state Exp; branches; next 1.79; commitid DEWsxv8PPBbLfpwz; 1.79 date 2016.11.06.09.08.52; author wen; state Exp; branches; next 1.78; commitid BDzDMDj3T6Kb13tz; 1.78 date 2016.11.02.14.30.49; author wen; state Exp; branches; next 1.77; commitid WWg7qeC4Fl7nVysz; 1.77 date 2016.10.21.02.19.46; author wen; state Exp; branches; next 1.76; commitid S0y5ITYopGYOgXqz; 1.76 date 2016.08.28.15.48.36; author wiz; state Exp; branches 1.76.2.1; next 1.75; commitid rTBn3EBawNhbu5kz; 1.75 date 2016.08.04.08.23.11; author adam; state Exp; branches; next 1.74; commitid RLuy9P29ioymNXgz; 1.74 date 2016.07.19.07.32.42; author adam; state Exp; branches; next 1.73; commitid 5ofMnqzt1QDI1Uez; 1.73 date 2016.06.06.09.34.59; author adam; state Exp; branches; next 1.72; commitid 8qDLsXkoxLxo5o9z; 1.72 date 2016.05.07.07.51.52; author adam; state Exp; branches; next 1.71; commitid 7pumwKnlEJnTtw5z; 1.71 date 2016.04.08.16.20.18; author adam; state Exp; branches; next 1.70; commitid ej4RF0ma3KJ2eQ1z; 1.70 date 2016.03.06.14.17.06; author adam; state Exp; branches; next 1.69; commitid W8ArVuqnuW0GBAXy; 1.69 date 2016.02.05.17.39.40; author adam; state Exp; branches; next 1.68; commitid JlDiZplOTPuSGKTy; 1.68 date 2016.01.03.10.56.29; author adam; state Exp; branches; next 1.67; commitid d6jOeSVIVtQgwtPy; 1.67 date 2015.11.26.06.38.59; author adam; state Exp; branches; next 1.66; commitid gu1nste4wkcLjzKy; 1.66 date 2015.11.06.08.38.29; author adam; state Exp; branches; next 1.65; commitid UdEGJJgenxIpC0Iy; 1.65 date 2015.10.08.07.58.17; author adam; state Exp; branches; next 1.64; commitid gdOkPyY6mWeukhEy; 1.64 date 2015.08.24.10.45.22; author adam; state Exp; branches; next 1.63; commitid 6mH1fMqnwnLoHvyy; 1.63 date 2015.07.17.15.50.53; author adam; state Exp; branches; next 1.62; commitid qB4qHbAJEoI7CEty; 1.62 date 2015.04.13.23.12.43; author rodent; state Exp; branches; next 1.61; commitid NgZhNHAKgraV6uhy; 1.61 date 2015.03.19.09.53.45; author adam; state Exp; branches; next 1.60; commitid p8tD0snHX3HJucey; 1.60 date 2015.03.09.19.01.39; author adam; state Exp; branches; next 1.59; commitid ysojjKW21PyzQXcy; 1.59 date 2015.02.26.06.27.06; author adam; state Exp; branches; next 1.58; commitid yc1J5E8Zh0jH1uby; 1.58 date 2015.01.28.06.41.30; author adam; state Exp; branches; next 1.57; commitid nDIv8cirewWo2L7y; 1.57 date 2015.01.14.17.07.12; author adam; state Exp; branches; next 1.56; commitid 3qqYUPxIwGAXW06y; 1.56 date 2015.01.06.23.07.32; author joerg; state Exp; branches; next 1.55; commitid ZBYARioRyneIc15y; 1.55 date 2015.01.03.15.47.21; author adam; state Exp; branches; next 1.54; commitid sHZhgFe6wiIDRA4y; 1.54 date 2014.11.23.14.05.13; author adam; state Exp; branches; next 1.53; commitid 5SBtRnwvXF0hCjZx; 1.53 date 2014.08.23.11.13.01; author adam; state Exp; branches; next 1.52; commitid TIU2viUYPzWLAtNx; 1.52 date 2014.05.20.11.06.26; author adam; state Exp; branches; next 1.51; commitid oTE1CERdTCICDgBx; 1.51 date 2014.05.03.18.19.30; author adam; state Exp; branches; next 1.50; commitid ipbEIQaVGTA6A7zx; 1.50 date 2014.04.22.18.05.22; author adam; state Exp; branches; next 1.49; commitid nmnHvvnqW4abRHxx; 1.49 date 2014.02.09.08.09.04; author adam; state Exp; branches; next 1.48; commitid 1KQZnGQ6MDxTRoox; 1.48 date 2014.01.18.19.07.57; author wiz; state Exp; branches; next 1.47; commitid O6XoB5EFaMb2eDlx; 1.47 date 2013.12.31.12.02.53; author adam; state Exp; branches; next 1.46; commitid UoqmYv21fP3Irhjx; 1.46 date 2013.11.12.19.12.12; author adam; state Exp; branches; next 1.45; commitid YuQRbaUo7lzWo1dx; 1.45 date 2013.10.28.20.12.40; author adam; state Exp; branches; next 1.44; commitid iXqT6qNSTKokd6bx; 1.44 date 2013.09.17.19.54.49; author adam; state Exp; branches; next 1.43; commitid 6fxoGrAp0hddrP5x; 1.43 date 2013.09.11.16.50.38; author adam; state Exp; branches; next 1.42; commitid lVKEJsThMdJWB25x; 1.42 date 2013.08.13.17.48.24; author adam; state Exp; branches; next 1.41; commitid q73944JMOYtARj1x; 1.41 date 2013.04.01.20.52.44; author adam; state Exp; branches; next 1.40; 1.40 date 2013.03.12.20.47.59; author adam; state Exp; branches; next 1.39; 1.39 date 2013.02.23.17.00.19; author adam; state Exp; branches; next 1.38; 1.38 date 2012.12.13.08.03.20; author adam; state Exp; branches; next 1.37; 1.37 date 2012.10.28.06.30.59; author asau; state Exp; branches; next 1.36; 1.36 date 2012.10.18.12.04.17; author adam; state Exp; branches; next 1.35; 1.35 date 2012.08.06.15.33.07; author adam; state Exp; branches; next 1.34; 1.34 date 2012.04.17.17.57.38; author adam; state Exp; branches; next 1.33; 1.33 date 2012.01.26.11.34.28; author obache; state Exp; branches; next 1.32; 1.32 date 2011.09.12.08.17.07; author adam; state Exp; branches; next 1.31; 1.31 date 2011.03.23.10.38.48; author adam; state Exp; branches; next 1.30; 1.30 date 2011.02.10.10.03.59; author adam; state Exp; branches; next 1.29; 1.29 date 2010.12.28.19.13.06; author joerg; state Exp; branches; next 1.28; 1.28 date 2010.12.28.13.54.52; author joerg; state Exp; branches; next 1.27; 1.27 date 2010.09.13.16.51.05; author joerg; state Exp; branches; next 1.26; 1.26 date 2010.09.09.13.34.04; author adam; state Exp; branches; next 1.25; 1.25 date 2010.06.16.19.08.37; author joerg; state Exp; branches; next 1.24; 1.24 date 2010.02.11.13.37.44; author joerg; state Exp; branches; next 1.23; 1.23 date 2010.02.10.19.30.09; author joerg; state Exp; branches; next 1.22; 1.22 date 2010.02.10.17.21.55; author joerg; state Exp; branches; next 1.21; 1.21 date 2009.10.19.11.31.05; author joerg; state Exp; branches; next 1.20; 1.20 date 2009.10.13.18.19.23; author joerg; state Exp; branches; next 1.19; 1.19 date 2009.07.29.11.02.08; author joerg; state Exp; branches 1.19.2.1; next 1.18; 1.18 date 2009.07.14.11.17.11; author joerg; state Exp; branches; next 1.17; 1.17 date 2009.05.02.16.21.46; author reed; state Exp; branches 1.17.2.1; next 1.16; 1.16 date 2009.04.14.09.14.24; author joerg; state Exp; branches; next 1.15; 1.15 date 2009.01.29.09.35.54; author joerg; state Exp; branches; next 1.14; 1.14 date 2008.12.17.19.55.38; author joerg; state Exp; branches 1.14.2.1; next 1.13; 1.13 date 2008.09.21.15.23.28; author joerg; state Exp; branches; next 1.12; 1.12 date 2008.09.04.22.04.17; author tonnerre; state Exp; branches; next 1.11; 1.11 date 2008.05.20.13.46.49; author joerg; state Exp; branches; next 1.10; 1.10 date 2008.04.25.20.39.13; author joerg; state Exp; branches; next 1.9; 1.9 date 2007.11.01.21.24.02; author joerg; state Exp; branches 1.9.4.1; next 1.8; 1.8 date 2007.08.11.17.20.16; author joerg; state Exp; branches 1.8.2.1; next 1.7; 1.7 date 2007.08.09.14.05.29; author joerg; state Exp; branches; next 1.6; 1.6 date 2007.02.19.20.55.51; author joerg; state Exp; branches; next 1.5; 1.5 date 2007.01.25.20.11.30; author joerg; state Exp; branches; next 1.4; 1.4 date 2006.11.14.13.36.53; author joerg; state Exp; branches 1.4.2.1; next 1.3; 1.3 date 2006.11.03.14.14.18; author joerg; state Exp; branches; next 1.2; 1.2 date 2006.09.17.13.42.07; author joerg; state Exp; branches 1.2.2.1; next 1.1; 1.1 date 2006.09.11.11.38.33; author joerg; state Exp; branches 1.1.1.1; next ; 1.105.2.1 date 2019.06.04.09.10.44; author bsiegert; state Exp; branches; next ; commitid hvEkijTO3K26PQpB; 1.83.2.1 date 2017.04.08.19.25.56; author spz; state Exp; branches; next ; commitid 8Tiy5xUMDx6zwLMz; 1.76.2.1 date 2016.11.05.10.24.39; author bsiegert; state Exp; branches; next ; commitid a26B4wot9Z1MtVsz; 1.19.2.1 date 2009.10.14.09.09.06; author tron; state Exp; branches; next ; 1.17.2.1 date 2009.07.29.20.36.04; author tron; state Exp; branches; next ; 1.14.2.1 date 2009.01.30.15.16.42; author tron; state Exp; branches; next ; 1.9.4.1 date 2008.05.22.13.46.33; author ghen; state Exp; branches; next ; 1.8.2.1 date 2007.12.17.21.03.07; author ghen; state Exp; branches; next ; 1.4.2.1 date 2007.01.28.20.06.01; author ghen; state Exp; branches; next ; 1.2.2.1 date 2006.11.23.09.41.31; author ghen; state Exp; branches; next ; 1.1.1.1 date 2006.09.11.11.38.33; author joerg; state Exp; branches; next ; desc @@ 1.155 log @py-django: updated to 6.0.5 6.0.5 Django 6.0.5 fixes three security issues with severity “low” and several bugs in 6.0.4. CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass ASGI requests with a missing or understated Content-Length header could bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE. This issue has severity “low” according to the Django security policy. CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST Response headers did not vary on cookies if a session was not modified, but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a user’s session after that user visits a cached public page. This issue has severity “low” according to the Django security policy. CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware Previously, UpdateCacheMiddleware would erroneously cache requests where the Vary header contained an asterisk ('*'). This could lead to private data being stored and served. This issue has severity “low” according to the Django security policy. Bugfixes Fixed a misplaced in the django/contrib/admin/templates/admin/change_list.html template added in Django 6.0 that could be problematic when overriding the pagination block. Fixed a bug in Django 6.0 where deprecation warnings incorrectly skipped lines from third-party packages prefixed with “django”. @ text @# $NetBSD: Makefile,v 1.154 2026/04/22 07:25:39 adam Exp $ DISTNAME= django-6.0.5 PKGNAME= ${PYPKGPREFIX}-${DISTNAME} CATEGORIES= www python MASTER_SITES= https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/ MASTER_SITES+= ${MASTER_SITE_PYPI:=D/Django/} MAINTAINER= pkgsrc-users@@NetBSD.org HOMEPAGE= https://www.djangoproject.com/ COMMENT= Django, a high-level Python Web framework LICENSE= modified-bsd TOOL_DEPENDS+= ${PYPKGPREFIX}-setuptools>=78:../../devel/py-setuptools DEPENDS+= ${PYPKGPREFIX}-asgiref>=3.9.1:../../www/py-asgiref DEPENDS+= ${PYPKGPREFIX}-sqlparse>=0.5.0:../../databases/py-sqlparse USE_LANGUAGES= # none PY_RENAME_BINARIES= django-admin REPLACE_PYTHON+= django/conf/project_template/manage.py-tpl .include "../../lang/python/application.mk" .include "../../lang/python/wheel.mk" .include "../../mk/bsd.pkg.mk" @ 1.154 log @py-django: updated to 6.0.4 6.0.4 Django 6.0.4 fixes one security issue with severity “moderate”, four security issues with severity “low”, and several bugs in 6.0.3. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.153 2026/02/16 12:33:51 adam Exp $ d3 1 a3 1 DISTNAME= django-6.0.4 @ 1.153 log @py-django: updated to 5.2.11 5.2.11 Django 5.2.11 fixes three security issues with severity “high”, two security issues with severity “moderate”, and one security issue with severity “low” in 5.2.10. CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler The django.contrib.auth.handlers.modwsgi.check_password() function for authentication via mod_wsgi allowed remote attackers to enumerate users via a timing attack. This issue has severity “low” according to the Django security policy. CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI When receiving duplicates of a single header, ASGIRequest allowed a remote attacker to cause a potential denial-of-service via a specifically created request with multiple duplicate headers. The vulnerability resulted from repeated string concatenation while combining repeated headers, which produced super-linear computation resulting in service degradation or outage. This issue has severity “moderate” according to the Django security policy. CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS Raster lookups on GIS fields (only implemented on PostGIS) were subject to SQL injection if untrusted data was used as a band index. As a reminder, all untrusted user input should be validated before use. This issue has severity “high” according to the Django security policy. CVE-2026-1285: Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and the truncatechars_html and truncatewords_html template filters were subject to a potential denial-of-service attack via certain inputs with a large number of unmatched HTML end tags, which could cause quadratic time complexity during HTML parsing. This issue has severity “moderate” according to the Django security policy. CVE-2026-1287: Potential SQL injection in column aliases via control characters FilteredRelation was subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias(). This issue has severity “high” according to the Django security policy. CVE-2026-1312: Potential SQL injection via QuerySet.order_by and FilteredRelation QuerySet.order_by() was subject to SQL injection in column aliases containing periods when the same alias was, using a suitably crafted dictionary, with dictionary expansion, used in FilteredRelation. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.152 2025/12/02 20:37:45 adam Exp $ d3 1 a3 1 DISTNAME= django-5.2.11 d15 2 a16 2 DEPENDS+= ${PYPKGPREFIX}-asgiref>=3.8.1:../../www/py-asgiref DEPENDS+= ${PYPKGPREFIX}-sqlparse>=0.3.1:../../databases/py-sqlparse d20 1 a22 4 post-install: cd ${DESTDIR}${PREFIX}/bin && \ ${MV} django-admin django-admin-${PYVERSSUFFIX} || ${TRUE} @ 1.152 log @py-django: updated to 5.2.9 Django 5.2.9 fixes one security issue with severity “high”, one security issue with severity “moderate”, and several bugs in 5.2.8. CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL. CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer XML Serialization was subject to a potential denial-of-service attack due to quadratic time complexity when deserializing crafted documents containing many nested invalid elements. The internal helper django.core.serializers.xml_serializer.getInnerText() previously accumulated inner text inefficiently during recursion. It now collects text per element, avoiding excessive resource usage. Bugfixes Fixed a bug in Django 5.2 where django.utils.feedgenerator.Stylesheet.__str__() did not escape the url, mimetype, and media attributes, potentially leading to invalid XML markup. Fixed a bug in Django 5.2 on PostgreSQL where bulk_create() did not apply a field’s custom query placeholders. Fixed a regression in Django 5.2.2 that caused a crash when using aggregate functions with an empty Q filter over a queryset with annotations. Fixed a regression in Django 5.2.8 where DisallowedRedirect was raised by HttpResponseRedirect and HttpResponsePermanentRedirect for URLs longer than 2048 characters. The limit is now 16384 characters. Fixed a crash on Python 3.14+ that prevented template tag functions from being registered when their type annotations required deferred evaluation. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.151 2025/11/11 10:42:37 adam Exp $ d3 1 a3 1 DISTNAME= django-5.2.9 @ 1.151 log @py-django: updated to 5.2.8 Django 5.2.8 fixes one security issue with severity “high”, one security issue with severity “moderate”, and several bugs in 5.2.7. It also adds compatibility with Python 3.14. CVE-2025-64458: Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows Python’s NFKC normalization is slow on Windows. As a consequence, HttpResponseRedirect, HttpResponsePermanentRedirect, and the shortcut redirect() were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters (follow up to CVE 2025-27556). CVE-2025-64459: Potential SQL injection via _connector keyword argument QuerySet.filter(), exclude(), get(), and Q were subject to SQL injection using a suitably crafted dictionary, with dictionary expansion, as the _connector argument. Bugfixes Added compatibility for oracledb 3.4.0. Fixed a bug in Django 5.2 where QuerySet.first() and QuerySet.last() raised an error on querysets performing aggregation that selected all fields of a composite primary key. Fixed a bug in Django 5.2 where proxy models having a CompositePrimaryKey incorrectly raised a models.E042 system check error. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.150 2025/10/09 08:02:00 wiz Exp $ d3 1 a3 1 DISTNAME= django-5.2.8 @ 1.150 log @*: remove more references to (removed) Python 3.9 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.149 2025/10/02 07:49:51 adam Exp $ d3 1 a3 1 DISTNAME= django-5.2.7 @ 1.149 log @py-django: updated to 5.2.7 Django 5.2.7 fixes one security issue with severity “high”, one security issue with severity “low”, and one bug in 5.2.6. Also, the latest string translations from Transifex are incorporated. CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB QuerySet.annotate(), alias(), aggregate(), and extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (follow up to CVE 2022-28346). CVE-2025-59682: Potential partial directory-traversal via archive.extract() The django.utils.archive.extract() function, used by startapp --template and startproject --template, allowed partial directory-traversal via an archive with file paths sharing a common prefix with the target directory (follow up to CVE 2021-3281). Bugfixes Fixed a regression in Django 5.2 that reduced the color contrast of the chosen label of filter_horizontal and filter_vertical widgets within a TabularInline @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.148 2025/09/03 14:28:03 adam Exp $ a19 2 PYTHON_VERSIONS_INCOMPATIBLE= 39 @ 1.148 log @py-django: updated to 5.2.6 Django 5.2.6 fixes a security issue with severity “high” and one bug in 5.2.5. Bugfixes Fixed a bug where using QuerySet.values() or values_list() with a ForeignObject composed of multiple fields returned incorrect results instead of tuples of the referenced fields. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.147 2025/08/07 04:56:19 adam Exp $ d3 1 a3 1 DISTNAME= django-5.2.6 @ 1.147 log @py-django: updated to 5.2.5 5.2.5 Fixed a regression in Django 5.2.1 that prevented the usage of UNNEST PostgreSQL strategy of QuerySet.bulk_create() with foreign keys Fixed a crash in Django 5.2 when filtering against a composite primary key using a tuple containing expressions Fixed a crash in Django 5.2 when validating a model that uses GeneratedField or constraints composed of Q and Case lookups Added compatibility for docutils 0.22 Fixed a crash in Django 5.2 when using a ManyToManyField on a model with a composite primary key, by extending the fields.E347 system check @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.146 2025/07/07 08:00:26 adam Exp $ d3 1 a3 1 DISTNAME= django-5.2.5 @ 1.146 log @py-django: updated to 5.2.4 5.2.4 Bugfixes Fixed a regression in Django 5.2.2 where HttpRequest.get_preferred_type() incorrectly preferred more specific media types with a lower quality. Fixed a regression in Django 5.2.3 where Value(None, JSONField()) used in a When condition was incorrectly serialized as SQL NULL instead of JSON null. Fixed a crash in Django 5.2 when performing an __in lookup involving a composite primary key and a subquery on backends that lack native support for tuple lookups. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.145 2025/06/10 14:41:50 adam Exp $ d3 1 a3 1 DISTNAME= django-5.2.4 @ 1.145 log @py-django: updated to 5.2.3 Django 5.2.3 fixes several bugs in 5.2.2. Also, the latest string translations from Transifex are incorporated. Bugfixes Fixed a log injection possibility by migrating remaining response logging to django.utils.log.log_response(), which safely escapes arguments such as the request path to prevent unsafe log output (CVE 2025-48432). Fixed a regression in Django 5.2 that caused QuerySet.bulk_update() to incorrectly convert None to JSON null instead of SQL NULL for JSONField Fixed a regression in Django 5.2.2 where the q parameter was removed from the internal django.http.MediaType.params property @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.144 2025/06/09 10:20:19 adam Exp $ d3 1 a3 1 DISTNAME= django-5.2.3 @ 1.144 log @py-django: updated to 5.2.2 Django 5.2.2 fixes a security issue with severity “low” and several bugs in 5.2.1. CVE-2025-48432: Potential log injection via unescaped request path Internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals. Although this does not directly impact Django’s security model, it poses risks when logs are consumed or interpreted by other tools. To fix this, the internal django.utils.log.log_response() function now escapes all positional formatting arguments using a safe encoding. Bugfixes Fixed a crash when using select_related against a ForeignObject originating from a model with a CompositePrimaryKey Fixed a bug in Django 5.2 where subqueries using "pk" to reference models with a CompositePrimaryKey failed to raise ValueError when too many or too few columns were selected Fixed a regression in Django 5.2 that caused a crash when no arguments were passed into QuerySet.union() Fixed a regression in Django 5.2 where subclasses of RemoteUserMiddleware that had overridden process_request() were no longer supported Fixed a regression in Django 5.2 that caused a crash when using OuterRef in the filter argument of an Aggregate expression Fixed a regression in Django 5.2 that caused a crash when using OuterRef in PostgreSQL aggregate functions ArrayAgg, StringAgg, and JSONBAgg Fixed a regression in Django 5.2 where admin’s filter_horizontal buttons lacked type="button", causing them to intercept form submission when pressing the Enter key Fixed a bug in Django 5.2 where calling QuerySet.in_bulk() with an id_list argument on models with a CompositePrimaryKey failed to observe database parameter limits Fixed a bug in Django 5.2 where HttpRequest.get_preferred_type() did not account for media type parameters in Accept headers, reducing specificity in content negotiation Fixed a regression in Django 5.2 that caused a crash when using QuerySet.prefetch_related() to prefetch a foreign key with a Prefetch queryset for a subclass of the foreign target @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.143 2025/05/10 18:20:17 adam Exp $ d3 1 a3 1 DISTNAME= django-5.2.2 @ 1.143 log @py-django: updated to 5.2.1 Django 5.2.1 fixes a security issue with severity “moderate” and several bugs in 5.2. CVE-2025-32873: Denial-of-service possibility in strip_tags() Bugfixes Fixed a regression in Django 5.2 that caused a crash when annotating aggregate expressions over query that uses explicit grouping by transforms followed by field references Fixed a regression in Django 5.2 that caused unnecessary queries when prefetching nullable foreign key relationships Fixed a regression in Django 5.2 that caused a crash of QuerySet.bulk_create() with nullable geometry fields on PostGIS Fixed a regression in Django 5.2 that caused fields to be incorrectly selected when using QuerySet.alias() after values() Fixed a data corruption possibility in file_move_safe() when allow_overwrite=True, where leftover content from a previously larger file could remain after overwriting with a smaller one due to lack of truncation Fixed a regression in Django 5.2 that caused a crash when using QuerySet.select_for_update(of=(…)) with values()/values_list() including expressions Fixed a regression in Django 5.2 that caused improper values to be returned from QuerySet.values_list() when duplicate field names were specified Fixed a regression in Django 5.2 where the password validation error message from MinimumLengthValidator was not translated when using non-English locales Fixed a regression in Django 5.2 that caused the object-tools block to be rendered twice when using custom admin templates with overridden blocks due to changes in the base admin page block structure Fixed a regression in Django 5.2, introduced when fixing CVE 2025-26699, where the wordwrap template filter did not preserve empty lines between paragraphs after wrapping text Fixed a regression in Django 5.2 that caused a crash when serializing email alternatives or attachments due to named tuple mismatches Fixed a regression in Django 5.2 that caused a crash when using update() on a QuerySet filtered against a related model and including references to annotations through values() Fixed a bug in Django 5.2 that caused composite primary key introspection to wrongly identify IntegerField as AutoField on SQLite Fixed a bug in Django 5.2 that caused a redundant unique_together constraint to be generated for composite primary keys when using inspectdb @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.142 2025/04/14 14:20:53 adam Exp $ d3 1 a3 1 DISTNAME= django-5.2.1 a21 1 WHEEL_NAME= ${DISTNAME:tl} @ 1.142 log @py-django: updated to 5.2 Django 5.2. The release notes showcase a composite of new features. A few highlights are: All models are automatically imported in the shell by default. Django now supports composite primary keys! The new django.db.models.CompositePrimaryKey allows tables to be created with a primary key consisting of multiple fields. Overriding a BoundField got a lot easier: this can now be set on a form, field or project level. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.141 2025/03/06 16:05:55 adam Exp $ d3 2 a4 2 DISTNAME= Django-5.2 PKGNAME= ${PYPKGPREFIX}-${DISTNAME:tl} @ 1.141 log @py-django: updated to 5.1.7 Django 5.1.7 fixes a security issue with severity “moderate” and several bugs in 5.1.6. CVE-2025-26699: Potential denial-of-service vulnerability in django.utils.text.wrap() The wrap() and wordwrap template filter were subject to a potential denial-of-service attack when used with very long strings. Bugfixes Fixed a bug in Django 5.1 where the {% querystring %} template tag returned an empty string rather than "?" when all parameters had been removed from the query string Fixed a bug in Django 5.1 where FileSystemStorage, with allow_overwrite set to True, did not truncate the overwritten file content Fixed a regression in Django 5.1 where the count and exists methods of ManyToManyField related managers would always return 0 and False when the intermediary model back references used to_field Fixed a regression in Django 5.1 where the pre_save and post_save signals for LogEntry were not sent when deleting a single object in the admin @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.140 2025/03/05 10:40:59 wiz Exp $ d3 1 a3 1 DISTNAME= Django-5.1.7 d14 1 a14 1 TOOL_DEPENDS+= ${PYPKGPREFIX}-setuptools>=75.8.2:../../devel/py-setuptools @ 1.140 log @py-django: fix wheel name for latest setuptools and depend on it Bump PKGREVISION. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.139 2025/02/05 20:51:59 adam Exp $ d3 1 a3 1 DISTNAME= Django-5.1.6 a4 1 PKGREVISION= 1 @ 1.139 log @py-django: updated to 5.1.6 Django 5.1.6 fixes several bugs in 5.1.5. Bugfixes Fixed a regression in Django 5.1.5 that caused validate_ipv6_address() and validate_ipv46_address() to crash when handling non-string values Fixed a regression in Django 5.1 where password fields, despite being set to required=False, were still treated as required in forms derived from BaseUserCreationForm @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.138 2025/01/14 15:55:07 adam Exp $ d5 1 d15 1 a15 1 TOOL_DEPENDS+= ${PYPKGPREFIX}-setuptools>=40.8.0:../../devel/py-setuptools d23 1 @ 1.138 log @py-django: updated to 5.1.5 Django 5.1.5 fixes a security issue with severity “moderate” and one bug in 5.1.4. CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation Lack of upper bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address were vulnerable, as was the django.forms.GenericIPAddressField form field, which has now been updated to define a max_length of 39 characters. The django.db.models.GenericIPAddressField model field was not affected. Bugfixes Fixed a crash when applying migrations with references to the removed Meta.index_together option @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.137 2024/12/04 20:19:44 adam Exp $ d3 1 a3 1 DISTNAME= Django-5.1.5 @ 1.137 log @py-django: updated to 5.1.4 5.1.4 Django 5.1.4 fixes one security issue with severity “high”, one security issue with severity “moderate”, and several bugs in 5.1.3. CVE-2024-53907: Denial-of-service possibility in strip_tags() strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable. strip_tags() now has an upper limit of recursive calls to HTMLParser before raising a SuspiciousOperation exception. Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape(). CVE-2024-53908: Potential SQL injection via HasKey(lhs, rhs) on Oracle Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle was subject to SQL injection if untrusted data was used as a lhs value. Applications that use the has_key lookup through the __ syntax are unaffected. Bugfixes Fixed a crash in createsuperuser on Python 3.13+ caused by an unhandled OSError when the username could not be determined Fixed a regression in Django 5.1 where relational fields were not updated when calling Model.refresh_from_db() on instances with deferred fields @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.136 2024/11/11 07:29:17 wiz Exp $ d3 1 a3 1 DISTNAME= Django-5.1.4 @ 1.136 log @py-*: remove unused tool dependency py-setuptools includes the py-wheel functionality nowadays @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.135 2024/11/05 08:35:58 adam Exp $ d3 1 a3 1 DISTNAME= Django-5.1.3 @ 1.135 log @py-django: updated to 5.1.3 Django 5.1.3 fixes several bugs in 5.1.2 and adds compatibility with Python 3.13. Bugfixes Fixed a bug in Django 5.1 where DomainNameValidator accepted any input value that contained a valid domain name, rather than only input values that were a valid domain name Fixed a regression in Django 5.1 that prevented the use of DB-IP databases with GeoIP2 Fixed a regression in Django 5.1 where non-ASCII fieldset names were not displayed when rendering admin fieldsets @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.134 2024/10/14 06:46:05 wiz Exp $ a14 1 TOOL_DEPENDS+= ${PYPKGPREFIX}-wheel-[0-9]*:../../devel/py-wheel @ 1.134 log @*: clean-up after python38 removal @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.133 2024/10/08 17:42:20 adam Exp $ d3 1 a3 1 DISTNAME= Django-5.1.2 @ 1.133 log @py-django: updated to 5.1.2 5.1.2 Fixed a regression in Django 5.1 that caused a crash when using the PostgreSQL lookup trigram_similar on output fields from Concat Fixed a regression in Django 5.1 that caused a crash of JSONObject() when using server-side binding with PostgreSQL 16+ Fixed a regression in Django 5.1 that made selected items in multi-select widgets indistinguishable from non-selected items in the admin dark theme @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.132 2024/09/06 07:08:44 adam Exp $ d21 1 a21 1 PYTHON_VERSIONS_INCOMPATIBLE= 38 39 @ 1.132 log @py-django: updated to 5.1.1 Django 5.1.1 fixes one security issue with severity “moderate”, one security issue with severity “low”, and several bugs in 5.1. CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize() urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. CVE-2024-45231: Potential user email enumeration via response status on password reset Due to unhandled email sending failures, the PasswordResetForm class allowed remote attackers to enumerate user emails by issuing password reset requests and observing the outcomes. To mitigate this risk, exceptions occurring during password reset email sending are now handled and logged using the django.contrib.auth logger. Bugfixes Fixed a regression in Django 5.1 that caused a crash of Window() when passing an empty sequence to the order_by parameter, and a crash of Prefetch() for a sliced queryset without ordering. Fixed a regression in Django 5.1 where a new usable_password field was included in BaseUserCreationForm (and children). A new AdminUserCreationForm including this field was added, isolating the feature to the admin where it was intended. Adjusted the deprecation warning stacklevel in Model.save() and Model.asave() to correctly point to the offending call site. Adjusted the deprecation warning stacklevel when using OS_OPEN_FLAGS in FileSystemStorage to correctly point to the offending call site. Adjusted the deprecation warning stacklevel in FieldCacheMixin.get_cache_name() to correctly point to the offending call site. Restored, following a regression in Django 5.1, the ability to override the timezone and role setting behavior used within the init_connection_state method of the PostgreSQL backend. Fixed a bug in Django 5.1 where variable lookup errors were logged when rendering admin fieldsets. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.131 2024/08/06 20:14:10 adam Exp $ d3 1 a3 1 DISTNAME= Django-5.1.1 @ 1.131 log @py-django: updated to 5.0.8 Django 5.0.8 fixes three security issues with severity “moderate”, one security issue with severity “high”, and several bugs in 5.0.7. CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat() If floatformat received a string representation of a number in scientific notation with a large exponent, it could lead to significant memory consumption. To avoid this, decimals with more than 200 digits are now returned as is. CVE-2024-41990: Potential denial-of-service vulnerability in django.utils.html.urlize() urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget urlize, urlizetrunc, and AdminURLFieldWidget were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list() QuerySet.values() and values_list() methods on models with a JSONField were subject to SQL injection in column aliases, via a crafted JSON object key as a passed *arg. Bugfixes Added missing validation for UniqueConstraint(nulls_distinct=False) when using *expressions Fixed a regression in Django 5.0 where ModelAdmin.action_checkbox could break the admin changelist HTML page when rendering a model instance with a __html__ method Fixed a crash when creating a model with a Field.db_default and a Meta.constraints constraint composed of __endswith, __startswith, or __contains lookups Fixed a regression in Django 5.0.7 that caused a crash in LocaleMiddleware when processing a language code over 500 characters Fixed a bug in Django 5.0 that caused a system check crash when ModelAdmin.date_hierarchy was a GeneratedField with an output_field of DateField or DateTimeField Fixed a bug in Django 5.0 which caused constraint validation to either crash or incorrectly raise validation errors for constraints referring to fields using Field.db_default Fixed a crash in Django 5.0 when saving a model containing a FileField with a db_default set @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.130 2024/07/11 18:51:35 adam Exp $ d3 1 a3 1 DISTNAME= Django-5.0.8 d16 1 a16 1 DEPENDS+= ${PYPKGPREFIX}-asgiref>=3.7.0:../../www/py-asgiref d21 1 a21 1 PYTHON_VERSIONS_INCOMPATIBLE= 27 38 39 @ 1.130 log @py-django: updated to 5.0.7 Django 5.0.7 fixes two security issues with severity “moderate”, two security issues with severity “low”, and one bug in 5.0.6. CVE-2024-38875: Potential denial-of-service vulnerability in django.utils.html.urlize() urlize and urlizetrunc were subject to a potential denial-of-service attack via certain inputs with a very large number of brackets. CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords The authenticate() method allowed remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords. CVE-2024-39330: Potential directory-traversal via Storage.save() Derived classes of the Storage base class which override generate_filename() without replicating the file path validations existing in the parent class, allowed for potential directory-traversal via certain inputs when calling save(). Built-in Storage sub-classes were not affected by this vulnerability. CVE-2024-39614: Potential denial-of-service vulnerability in get_supported_language_variant() get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. To mitigate this vulnerability, the language code provided to get_supported_language_variant() is now parsed up to a maximum length of 500 characters. When the language code is over 500 characters, a ValueError will now be raised if strict is True, or if there is no generic variant and strict is False. Bugfixes Fixed a bug in Django 5.0 that caused a crash of Model.full_clean() on unsaved model instances with a GeneratedField and certain defined Meta.constraints. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.129 2024/05/07 18:16:55 adam Exp $ d3 1 a3 1 DISTNAME= Django-5.0.7 @ 1.129 log @py-django: updated to 5.0.6 Django 5.0.6 fixes a packaging error in 5.0.5. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.128 2024/05/07 03:55:16 adam Exp $ d3 1 a3 1 DISTNAME= Django-5.0.6 @ 1.128 log @py-django: updated to 5.0.5 Django 5.0.5 fixes several bugs in 5.0.4. Fixed a bug in Django 5.0 that caused a crash of Model.save() when creating an instance of a model with a GeneratedField and providing a primary key Fixed a compatibility issue encountered in Python 3.11.9+ and 3.12.3+ when validating email max line lengths with content decoded using the surrogateescape error handling scheme Fixed a bug in Django 5.0 that caused a crash when applying migrations including alterations to GeneratedField such as setting db_index=True on SQLite Allowed importing aprefetch_related_objects from django.db.models Fixed a bug in Django 5.0 that caused a migration crash when a GeneratedField was added before any of the referenced fields from its expression definition Fixed a bug in Django 5.0 that caused a migration crash when altering a GeneratedField referencing a renamed field Fixed a bug in Django 5.0 where the querysets argument of GenericPrefetch was not required @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.127 2024/04/05 10:40:17 adam Exp $ d3 1 a3 1 DISTNAME= Django-5.0.5 a13 2 WRKSRC= ${WRKDIR}/${DISTNAME:tl} @ 1.127 log @py-django: updated to 5.0.4 Django 5.0.4 fixes several bugs in 5.0.3. Bugfixes Fixed a bug in Django 5.0 that caused a crash of Model.full_clean() on fields with expressions in db_default. As a consequence, Model.full_clean() no longer validates for empty values in fields with db_default Fixed a regression in Django 5.0 where the AdminFileWidget could be rendered with two id attributes on the “Clear” checkbox Fixed a bug in Django 5.0 that caused a migration crash on PostgreSQL 15+ when adding a partial UniqueConstraint with nulls_distinct Fixed a crash in Django 5.0 when performing queries involving table aliases and lookups on a GeneratedField of the aliased table Fixed a bug in Django 5.0 that caused a migration crash when adding a GeneratedField relying on the __contains or __icontains lookups or using a Value containing a "%" @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.126 2024/03/04 15:49:51 adam Exp $ d3 1 a3 1 DISTNAME= Django-5.0.4 d14 2 @ 1.126 log @py-django: updated to 5.0.3 Django 5.0.3 fixes a security issue with severity “moderate” and several bugs in 5.0.2. CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words() django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). Bugfixes Fixed a regression in Django 5.0.2 where intcomma template filter could return a leading comma for string representation of floats. Fixed a bug in Django 5.0 that caused a crash of Signal.asend() and asend_robust() when all receivers were asynchronous functions. Fixed a regression in Django 5.0.1 where ModelAdmin.lookup_allowed() would prevent filtering against foreign keys using lookups like __isnull when the field was not included in ModelAdmin.list_filter. Fixed a regression in Django 5.0 that caused a crash of @@sensitive_variables and @@sensitive_post_parameters decorators on functions loaded from .pyc files. Fixed a regression in Django 5.0 that caused a crash when reloading a test database and a base queryset for a base manager used prefetch_related(). Fixed a bug in Django 5.0 where facet filters in the admin would crash on a SimpleListFilter using a queryset without primary keys. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.125 2024/02/08 22:43:53 adam Exp $ d3 1 a3 1 DISTNAME= Django-5.0.3 @ 1.125 log @py-django: updated to 5.0.2 Django 5.0.2 fixes a security issue with severity “moderate” and several bugs in 5.0.1. Also, the latest string translations from Transifex are incorporated. CVE-2024-24680: Potential denial-of-service in intcomma template filter The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings. Bugfixes Reallowed, following a regression in Django 5.0.1, filtering against local foreign keys not included in ModelAdmin.list_filter Fixed a regression in Django 5.0 where links in the admin had an incorrect color Fixed a bug in Django 5.0 that caused a crash of Model.full_clean() on models with a GeneratedField Fixed a regression in Django 5.0 that caused a crash of FilteredRelation() with querysets as right-hand sides Fixed a regression in Django 5.0 that caused a crash of the dumpdata management command when a base queryset used prefetch_related() Fixed a regression in Django 5.0 that caused the request_finished signal to sometimes not be fired when running Django through an ASGI server, resulting in potential resource leaks Fixed a bug in Django 5.0 that caused a migration crash on MySQL when adding a BinaryField, TextField, JSONField, or GeometryField with a db_default Fixed a bug in Django 5.0 that caused a migration crash on models with a literal db_default of a complex type such as dict instance of a JSONField. Running makemigrations might generate no-op AlterField operations for fields using db_default @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.124 2024/01/09 12:56:11 adam Exp $ d3 1 a3 1 DISTNAME= Django-5.0.2 @ 1.124 log @py-django: updated to 4.2.9 4.2.9 Bugfixes Fixed a regression in Django 4.2.8 where admin fields on the same line could overflow the page and become non-interactive @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.123 2023/12/04 17:25:15 adam Exp $ d3 1 a3 1 DISTNAME= Django-4.2.9 d16 1 a16 1 DEPENDS+= ${PYPKGPREFIX}-asgiref>=3.6.0:../../www/py-asgiref d21 1 a21 6 PYTHON_VERSIONS_INCOMPATIBLE= 27 .include "../../lang/python/pyversion.mk" .if ${PYTHON_VERSION} < 309 DEPENDS+= ${PYPKGPREFIX}-backports.zoneinfo-[0-9]*:../../time/py-backports.zoneinfo .endif @ 1.123 log @py-django: updated to 4.2.8 Django 4.2.8 fixes several bugs in 4.2.7 and adds compatibility with Python 3.12. Bugfixes Fixed a regression in Django 4.2 that caused makemigrations --check to stop displaying pending migrations Fixed a regression in Django 4.2 that caused a crash of QuerySet.aggregate() with aggregates referencing other aggregates or window functions through conditional expressions Fixed a regression in Django 4.2 that caused a crash when annotating a QuerySet with a Window expressions composed of a partition_by clause mixing field types and aggregation expressions Fixed a regression in Django 4.2 where the admin’s change list page had misaligned pagination links and inputs when using list_editable Fixed a regression in Django 4.2 where checkboxes in the admin would be centered on narrower screen widths Fixed a regression in Django 4.2 that caused a crash of querysets with aggregations on MariaDB when the ONLY_FULL_GROUP_BY SQL mode was enabled Fixed a regression in Django 4.2 where the admin’s read-only password widget and some help texts were incorrectly aligned at tablet widths Fixed a regression in Django 4.2 that caused a migration crash on SQLite when altering unsupported Meta.db_table_comment @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.122 2023/11/01 20:14:51 adam Exp $ d3 1 a3 1 DISTNAME= Django-4.2.8 @ 1.122 log @py-django: updated to 4.2.7 4.2.7 CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.121 2023/10/04 21:37:14 adam Exp $ d3 1 a3 1 DISTNAME= Django-4.2.7 a20 2 USE_PKG_RESOURCES= yes @ 1.121 log @py-django: added version 4.2.6 What’s new in Django 4.2 Psycopg 3 support Comments on columns and tables Mitigation for the BREACH attack In-memory file storage Custom file storages @ text @d1 1 a1 1 # $NetBSD$ d3 1 a3 1 DISTNAME= Django-4.2.6 d14 2 d37 1 a37 1 .include "../../lang/python/egg.mk" @ 1.120 log @py-django, py-django14, py-django2: remove old django versions Unsupported upstream (support ended 2020, 2013, 2022 resp.) As proposed on pkgsrc-users on July 3. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.119 2022/11/09 13:14:17 joerg Exp $ d3 1 a3 1 DISTNAME= Django-1.11.29 a4 1 PKGREVISION= 3 d7 1 d14 2 a15 1 DEPENDS+= ${PYPKGPREFIX}-pytz-[0-9]*:../../time/py-pytz d19 9 a27 1 REPLACE_PYTHON+= django/bin/django-admin.py a29 2 USE_PKG_RESOURCES= yes d32 1 a32 2 ${MV} django-admin django-admin-${PYVERSSUFFIX} && \ ${MV} django-admin.py django-admin-${PYVERSSUFFIX}.py || ${TRUE} @ 1.119 log @Reset MAINTAINER @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.118 2022/01/05 15:51:59 wiz Exp $ @ 1.118 log @py-django*: switch to USE_PKG_RESOURCES @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.117 2022/01/05 15:41:29 wiz Exp $ d9 1 a9 1 MAINTAINER= joerg@@NetBSD.org @ 1.117 log @python: egg.mk: add USE_PKG_RESOURCES flag This flag should be set for packages that import pkg_resources and thus need setuptools after the build step. Set this flag for packages that need it and bump PKGREVISION. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.116 2022/01/05 10:09:53 wiz Exp $ a13 1 DEPENDS+= ${PYPKGPREFIX}-setuptools-[0-9]*:../../devel/py-setuptools @ 1.116 log @py-django*: add dependency on py-setuptools These use pkg_resources. Noted by joerg. Bump PKGREVISION. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.115 2022/01/04 20:55:17 wiz Exp $ d5 1 a5 1 PKGREVISION= 2 d22 2 @ 1.115 log @*: bump PKGREVISION for egg.mk users They now have a tool dependency on py-setuptools instead of a DEPENDS @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.114 2020/03/12 16:22:38 adam Exp $ d5 1 a5 1 PKGREVISION= 1 d14 1 @ 1.114 log @py-django: updated to 1.11.29 Django 1.11.29 fixes a security issue in 1.11.28. CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle GIS functions and aggregates on Oracle were subject to SQL injection, using a suitably crafted tolerance. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.113 2020/02/04 17:23:11 adam Exp $ d5 1 @ 1.113 log @py-django: updated to 1.11.28 Django 1.11.28 fixes a security issue: CVE-2020-7471: Potential SQL injection via StringAgg(delimiter) StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.112 2019/12/19 13:39:50 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.28 @ 1.112 log @py-django: updated to 1.11.27 Django 1.11.27 fixes a security issue and a data loss bug in 1.11.26. CVE-2019-19844: Potential account hijack via password reset form By submitting a suitably crafted email address making use of Unicode characters, that compared equal to an existing user email when lower-cased for comparison, an attacker could be sent a password reset token for the matched account. In order to avoid this vulnerability, password reset requests now compare the submitted email using the stricter, recommended algorithm for case-insensitive comparison of two identifiers from Unicode Technical Report 36, section 2.11.2(B)(2). Upon a match, the email containing the reset token will be sent to the email address on record rather than the submitted address. Bugfixes * Fixed a data loss possibility in SplitArrayField. When using with ArrayField(BooleanField()), all values after the first True value were marked as checked instead of preserving passed values @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.111 2019/11/05 07:40:16 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.27 @ 1.111 log @py-django: updated to 1.11.26 Django 1.11.26: Fixed a crash when using a contains, contained_by, has_key, has_keys, or has_any_keys lookup on JSONField, if the right or left hand side of an expression is a key transform. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.110 2019/10/01 17:56:03 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.26 @ 1.110 log @py-django: updated to 1.11.25 Django 1.11.25: Fixed a crash when filtering with a Subquery() annotation of a queryset containing JSONField or HStoreField @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.109 2019/09/04 08:31:06 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.25 @ 1.109 log @py-django: updated to 1.11.24 Django 1.11.24 fixes a regression in 1.11.23. Bugfixes Fixed crash of KeyTransform() for JSONField and HStoreField when using on expressions with params @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.108 2019/08/06 09:30:46 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.24 @ 1.108 log @py-django: updated to 1.11.23 Django 1.11.23: * CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator * CVE-2019-14233: Denial-of-service possibility in strip_tags() * CVE-2019-14234: SQL injection possibility in key and index lookups for JSONField/HStoreField * CVE-2019-14235: Potential memory exhaustion in django.utils.encoding.uri_to_iri() @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.107 2019/07/01 18:23:52 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.23 @ 1.107 log @py-django: updated to 1.11.22 Django 1.11.22: Fix CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.106 2019/06/03 12:33:00 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.22 @ 1.106 log @py-django: updated to 1.11.21 Django 1.11.21 release notes CVE-2019-12308: AdminURLFieldWidget XSS The clickable “Current URL” link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link. AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using formfield_overrides. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.105 2019/02/12 13:11:56 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.21 @ 1.105 log @py-django: updated to 1.11.20 1.11.20: Bugfixes Corrected packaging error from 1.11.19 1.11.19: CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format() If django.utils.numberformat.format() – used by contrib.admin as well as the the floatformat, filesizeformat, and intcomma templates filters – received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format(). To avoid this, decimals with more than 200 digits are now formatted using scientific notation. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.104 2019/01/04 22:07:35 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.20 d22 2 a23 2 ${MV} django-admin django-admin-${PYVERSSUFFIX} && \ ${MV} django-admin.py django-admin-${PYVERSSUFFIX}.py || ${TRUE} @ 1.105.2.1 log @Pullup ticket #5976 - requested by adam www/py-django: security fix www/py-django2: security fix Revisions pulled up: - www/py-django/Makefile 1.106 - www/py-django/distinfo 1.85 - www/py-django2/Makefile 1.17 - www/py-django2/PLIST 1.6 - www/py-django2/distinfo 1.15 --- Module Name: pkgsrc Committed By: adam Date: Mon Jun 3 12:33:00 UTC 2019 Modified Files: pkgsrc/www/py-django: Makefile distinfo Log Message: py-django: updated to 1.11.21 Django 1.11.21 release notes CVE-2019-12308: AdminURLFieldWidget XSS The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link. AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using formfield_overrides. --- Module Name: pkgsrc Committed By: adam Date: Mon Jun 3 12:39:46 UTC 2019 Modified Files: pkgsrc/www/py-django2: Makefile PLIST distinfo Log Message: py-django2: updated to 2.2.2 2.2.2: CVE-2019-12308: AdminURLFieldWidget XSS The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link. AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides. 2.2.1: Bugfixes Fixed a regression in Django 2.1 that caused the incorrect quoting of database user password when using dbshell on Oracle Added compatibility for psycopg2 2.8 Fixed a regression in Django 2.2 that caused a crash when loading the template for the technical 500 debug page Fixed crash of ordering argument in ArrayAgg and StringAgg when it contains an expression with params Fixed a regression in Django 2.2 that caused a single instance fast-delete to not set the primary key to None Prevented makemigrations from generating infinite migrations for check constraints and partial indexes when condition contains a range object Reverted an optimization in Django 2.2 Fixed a regression in Django 2.2 where Paginator crashes if object_list is a queryset ordered or aggregated over a nested JSONField key transform Fixed a regression in Django 2.2 where IntegerField validation of database limits crashes if limit_value attribute in a custom validator is callable Fixed a regression in Django 2.2 where SearchVector generates SQL that is not indexable Fixed a regression in Django 2.2 that caused an exception to be raised when a custom error handler could not be imported Relaxed the system check added in Django 2.2 for the admin app’s dependencies to reallow use of SessionMiddleware subclasses, rather than requiring django.contrib.sessions to be in INSTALLED_APPS Increased the default timeout when using Watchman to 5 seconds to prevent falling back to StatReloader on larger projects and made it customizable via the DJANGO_WATCHMAN_TIMEOUT environment variable Fixed a regression in Django 2.2 that caused a crash when migrating permissions for proxy models if the target permissions already existed. For example, when a permission had been created manually or a model had been migrated from concrete to proxy Fixed a regression in Django 2.2 that caused a crash of runserver when URLConf modules raised exceptions Fixed a regression in Django 2.2 where changes were not reliably detected by auto-reloader when using StatReloader Fixed a migration crash on Oracle and PostgreSQL when adding a check constraint with a contains, startswith, or endswith lookup (or their case-insensitive variant) Fixed a migration crash on Oracle and SQLite when adding a check constraint with condition contains | (OR) operator Django 2.2.2 release notesDjango 2.2 release notes 2.2: This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years. It will also receive fixes for crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for the next eight months until December 2019. As always, the release notes cover the salmagundi of new features in detail, but a few highlights are: * HttpRequest.headers to allow simple access to a request’s headers. * Database-level constraints on models. * Watchman compatibility for runserver to improve the performance of watching a large number of files for changes. @ text @d1 1 a1 1 # $NetBSD$ d3 1 a3 1 DISTNAME= Django-1.11.21 d22 2 a23 2 ${MV} django-admin django-admin-${PYVERSSUFFIX} && \ ${MV} django-admin.py django-admin-${PYVERSSUFFIX}.py || ${TRUE} @ 1.104 log @py-django: updated to 1.11.18 Django 1.11.18 fixes a security issue in 1.11.17. CVE-2019-3498: Content spoofing possibility in the default 404 page @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.103 2018/12/03 18:59:35 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.18 @ 1.103 log @py-django: updated to 1.11.17 Django 1.11.17 fixes several bugs in 1.11.16 and adds compatibility with Python 3.7. Bugfixes: Prevented repetitive calls to geos_version_tuple() in the WKBWriter class in an attempt to fix a random crash involving LooseVersion since Django 1.11.14. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.102 2018/10/02 08:06:44 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.17 @ 1.102 log @py-django: updated to 1.11.16 Django 1.11.16: Fixed a race condition in QuerySet.update_or_create() that could result in data loss @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.101 2018/08/02 14:02:21 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.16 a19 3 post-patch: ${RM} ${WRKSRC}/django/contrib/admin/widgets.py.orig d22 2 a23 2 ${MV} django-admin django-admin${PYVERSSUFFIX} && \ ${MV} django-admin.py django-admin${PYVERSSUFFIX}.py || ${TRUE} @ 1.101 log @py-django: updated to 1.11.5 1.11.5: Fix CVE-2018-14574: Open redirect possibility in CommonMiddleware If the CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks. CommonMiddleware now escapes leading slashes to prevent redirects to other domains. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.100 2018/07/03 06:42:27 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.15 @ 1.100 log @py-django: updated to 1.11.4 Django 1.11.14: Bugfixes: Fixed WKBWriter.write() and write_hex() for empty polygons on GEOS 3.6.1+. Fixed a regression in Django 1.10 that could result in large memory usage when making edits using ModelAdmin.list_editable @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.99 2018/05/02 06:28:35 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.14 @ 1.99 log @py-django: updated to 1.11.13 1.11.13: Bugfixes * Fixed a regression in Django 1.11.8 where altering a field with a unique constraint may drop and rebuild more foreign keys than necessary. * Fixed crashes in django.contrib.admindocs when a view is a callable object, such as django.contrib.syndication.views.Feed. * Fixed a regression in Django 1.11.12 where QuerySet.values() or values_list() after combining an annotated and unannotated queryset with union(), difference(), or intersection() crashed due to mismatching columns @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.98 2018/04/03 08:58:32 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.13 d20 3 @ 1.98 log @py-django: updated to 1.11.12 Django 1.11.12: Bugfixes: Fixed a regression in Django 1.11.8 where combining two annotated values_list() querysets with union(), difference(), or intersection() crashed due to mismatching columns. Fixed a regression in Django 1.11 where an empty choice could be initially selected for the SelectMultiple and CheckboxSelectMultiple widgets @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.97 2018/03/06 20:04:06 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.12 @ 1.97 log @py-django: updated to 1.11.11 1.11.11: CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters CVE-2018-7537: Denial-of-service possibility in truncatechars_html and truncatewords_html template filters @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.96 2018/02/02 07:55:34 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.11 @ 1.96 log @py-django: updated to 1.11.10 1.11.10: CVE-2018-6188: Information leakage in AuthenticationForm A regression in Django 1.11.8 made AuthenticationForm run its confirm_login_allowed() method even if an incorrect password is entered. This can leak information about a user, depending on what messages confirm_login_allowed() raises. If confirm_login_allowed() isn’t overridden, an attacker enter an arbitrary username and see if that user has been set to is_active=False. If confirm_login_allowed() is overridden, more sensitive details could be leaked. This issue is fixed with the caveat that AuthenticationForm can no longer raise the “This account is inactive.” error if the authentication backend rejects inactive users (the default authentication backend, ModelBackend, has done that since Django 1.10). This issue will be revisited for Django 2.1 as a fix to address the caveat will likely be too invasive for inclusion in older versions. Bugfixes: Fixed incorrect foreign key nullification if a model has two foreign keys to the same model and a target model is deleted. Fixed a regression where contrib.auth.authenticate() crashes if an authentication backend doesn’t accept request and a later one does. Fixed crash when entering an invalid uuid in ModelAdmin.raw_id_fields @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.95 2018/01/03 07:23:45 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.10 @ 1.95 log @py-django: updated to 1.11.9 Bugfixes: Fixed a regression in Django 1.11 that added newlines between MultiWidget’s subwidgets. Fixed incorrect class-based model index name generation for models with quoted db_table. Fixed incorrect foreign key constraint name for models with quoted db_table. Fixed a regression in caching of a GenericForeignKey when the referenced model instance uses more than one level of multi-table inheritance. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.94 2017/12/25 09:18:24 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.9 d17 2 a18 2 REPLACE_PYTHON= django/bin/django-admin.py REPLACE_PYTHON+=django/conf/project_template/manage.py-tpl @ 1.94 log @REPLACE_PYTHON does not need WRKSRC @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.93 2017/12/04 14:23:00 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.8 @ 1.93 log @py-django: updated to 1.11.8 Django 1.11.8 fixes several bugs in 1.11.7: * Reallowed, following a regression in Django 1.10, AuthenticationForm to raise the inactive user error when using ModelBackend. * Added support for QuerySet.values() and values_list() for union(), difference(), and intersection() queries. * Fixed incorrect index name truncation when using a namespaced db_table. * Made QuerySet.iterator() use server-side cursors on PostgreSQL after values() and values_list(). * Fixed crash on SQLite and MySQL when ordering by a filtered subquery that uses nulls_first or nulls_last. * Made query lookups for CICharField, CIEmailField, and CITextField use a citext cast. * Fixed a regression in caching of a GenericForeignKey when the referenced model instance uses multi-table inheritance. * Fixed “Cannot change column ‘x’: used in a foreign key constraint” crash on MySQL with a sequence of AlterField and/or RenameField operations in a migration @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.92 2017/11/02 09:38:43 adam Exp $ d13 3 a15 3 USE_LANGUAGES= # empty REPLACE_PYTHON= ${WRKSRC}/django/bin/django-admin.py REPLACE_PYTHON+= ${WRKSRC}/django/conf/project_template/manage.py-tpl d17 2 a18 1 DEPENDS+= ${PYPKGPREFIX}-pytz-[0-9]*:../../time/py-pytz @ 1.92 log @py-django: updated to 1.11.7 1.11.7: Bugfixes * Prevented cache.get_or_set() from caching None if the default argument is a callable that returns None. * Fixed the Basque DATE_FORMAT string. * Made QuerySet.reverse() affect nulls_first and nulls_last. * Fixed unquoted table names in Subquery SQL when using OuterRef @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.91 2017/10/06 08:52:58 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.7 @ 1.91 log @py-django: update to 1.11.6 Bugfixes: * Made the CharField form field convert whitespace-only values to the empty_value when strip is enabled. * Fixed crash when using the name of a model’s autogenerated primary key (id) in an Index’s fields. * Fixed a regression in Django 1.9 where a custom view error handler such as handler404 that accesses csrf_token could cause CSRF verification failures on other pages @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.90 2017/09/06 15:19:17 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.6 @ 1.90 log @Django 1.11.5: CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page¶ In older versions, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn’t affect most production sites since you shouldn’t run with DEBUG = True (which makes this page accessible) in your production settings. Bugfixes: Fixed GEOS version parsing if the version has a commit hash at the end (new in GEOS 3.6.2). Added compatibility for cx_Oracle 6. Fixed select widget rendering when option values are tuples. Django 1.11 inadvertently changed the sequence and trigger naming scheme on Oracle. This causes errors on INSERTs for some tables if 'use_returning_into': False is in the OPTIONS part of DATABASES. The pre-1.11 naming scheme is now restored. Unfortunately, it necessarily requires an update to Oracle tables created with Django 1.11.[1-4]. Use the upgrade script in 28451 comment 8 to update sequence and trigger names to use the pre-1.11 naming scheme. Added POST request support to LogoutView, for equivalence with the function-based logout() view. Omitted pages_per_range from BrinIndex.deconstruct() if it’s None. Fixed a regression where SelectDateWidget localized the years in the select box. Fixed a regression in 1.11.4 where runserver crashed with non-Unicode system encodings on Python 2 + Windows. Fixed a regression in Django 1.10 where changes to a ManyToManyField weren’t logged in the admin change history and prevented ManyToManyField initial data in model forms from being affected by subsequent model changes. Fixed non-deterministic results or an AssertionError crash in some queries with multiple joins. Fixed a regression in contrib.auth’s login() and logout() views where they ignored positional arguments @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.89 2017/09/04 18:08:30 wiz Exp $ d3 1 a3 1 DISTNAME= Django-1.11.5 @ 1.89 log @Follow some redirects. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.88 2017/08/02 10:45:09 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.4 @ 1.88 log @Django 1.11.4: Bugfixes: Fixed a regression in 1.11.3 on Python 2 where non-ASCII format values for date/time widgets results in an empty value in the widget’s HTML. Fixed QuerySet.union() and difference() when combining with a queryset raising EmptyResultSet. Fixed a regression in pickling of LazyObject on Python 2 when the wrapped object doesn’t have __reduce__(). Fixed crash in runserver’s autoreload with Python 2 on Windows with non-str environment variables. Corrected Field.has_changed() to return False for disabled form fields: BooleanField, MultipleChoiceField, MultiValueField, FileField, ModelChoiceField, and ModelMultipleChoiceField. Fixed QuerySet.count() for union(), difference(), and intersection() queries.. Fixed ClearableFileInput rendering as a subwidget of MultiWidget. Custom clearable_file_input.html widget templates will need to adapt for the fact that context values checkbox_name, checkbox_id, is_initial, input_text, initial_text, and clear_checkbox_label are now attributes of widget rather than appearing in the top-level context. Fixed queryset crash when using a GenericRelation to a proxy model @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.87 2017/07/03 11:10:41 adam Exp $ d6 1 a6 1 MASTER_SITES= http://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/ d9 1 a9 1 HOMEPAGE= http://www.djangoproject.com/ @ 1.87 log @Changes 1.11.3: Bugfixes Removed an incorrect deprecation warning about a missing renderer argument if a Widget.render() method accepts **kwargs. Fixed a regression causing Model.__init__() to crash if a field has an instance only descriptor. Fixed an incorrect DisallowedModelAdminLookup exception when using a nested reverse relation in list_filter. Fixed admin’s FieldListFilter.get_queryset() crash on invalid input. Fixed invalid HTML for a required AdminFileWidget. Fixed model initialization to set the name of class-based model indexes for models that only inherit models.Model. Fixed crash in admin’s inlines when a model has an inherited non-editable primary key. Fixed QuerySet.union(), intersection(), and difference() when combining with an EmptyQuerySet. Prevented Paginator’s unordered object list warning from evaluating a QuerySet. Fixed the value of redirect_field_name in LoginView’s template context. It’s now an empty string (as it is for the original function-based login() view) if the corresponding parameter isn’t sent in a request (in particular, when the login page is accessed directly). Prevented attribute values in the django/forms/widgets/attrs.html template from being localized so that numeric attributes (e.g. max and min) of NumberInput work correctly. Removed casting of the option value to a string in the template context of the CheckboxSelectMultiple, NullBooleanSelect, RadioSelect, SelectMultiple, and Select widgets. In Django 1.11.1, casting was added in Python to avoid localization of numeric values in Django templates, but this made some use cases more difficult. Casting is now done in the template using the |stringformat:'s' filter. Prevented a primary key alteration from adding a foreign key constraint if db_constraint=False. Fixed UnboundLocalError crash in RenameField with nonexistent field. Fixed a regression preventing a model field’s limit_choices_to from being evaluated when a ModelForm is instantiated. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.86 2017/06/02 07:19:55 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.3 d20 3 a22 4 ${MV} ${DESTDIR}${PREFIX}/bin/django-admin \ ${DESTDIR}${PREFIX}/bin/django-admin${PYVERSSUFFIX} || ${TRUE} ${MV} ${DESTDIR}${PREFIX}/bin/django-admin.py \ ${DESTDIR}${PREFIX}/bin/django-admin${PYVERSSUFFIX}.py || ${TRUE} @ 1.86 log @Django 1.11.2 release notes Django 1.11.2 adds a minor feature and fixes several bugs in 1.11.1. Also, the latest string translations from Transifex are incorporated. Minor feature: * The new LiveServerTestCase.port attribute reallows the use case of binding to a specific port following the bind to port zero change in Django 1.11. Bugfixes: * Added detection for GDAL 2.1 and 2.0, and removed detection for unsupported versions 1.7 and 1.8. * Changed contrib.gis to raise ImproperlyConfigured rather than GDALException if gdal isn’t installed, to allow third-party apps to catch that exception. * Fixed django.utils.http.is_safe_url() crash on invalid IPv6 URLs. * Fixed regression causing pickling of model fields to crash. * Fixed django.contrib.auth.authenticate() when multiple authentication backends don’t accept a positional request argument. * Fixed introspection of index field ordering on PostgreSQL. * Fixed a regression where Model._state.adding wasn’t set correctly on multi-table inheritance parent models after saving a child model. * Allowed DjangoJSONEncoder to serialize django.utils.deprecation.CallableBool. * Relaxed the validation added in Django 1.11 of the fields in the defaults argument of QuerySet.get_or_create() and update_or_create() to reallow settable model properties. * Fixed MultipleObjectMixin.paginate_queryset() crash on Python 2 if the InvalidPage message contains non-ASCII. * Prevented Subquery from adding an unnecessary CAST which resulted in invalid SQL. * Corrected detection of GDAL 2.1 on Windows. * Made date-based generic views return a 404 rather than crash when given an out of range date. * Fixed a regression where file_move_safe() crashed when moving files to a CIFS mount. * Moved the ImageField file extension validation added in Django 1.11 from the model field to the form field to reallow the use case of storing images without an extension @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.85 2017/05/08 04:58:58 adam Exp $ d3 1 a3 1 DISTNAME= Django-1.11.2 @ 1.85 log @Changes 1.11.1: Allowed disabling server-side cursors on PostgreSQL Bugfixes: Made migrations respect Index’s name argument. If you created a named index with Django 1.11, makemigrations will create a migration to recreate the index with the correct name. Fixed a crash when using a __icontains lookup on a ArrayField. Fixed a crash when using a two-tuple in EmailMessage’s attachments argument. Fixed QuerySet.filter() crash when it references the name of a OneToOneField primary key. Fixed empty POST data table appearing instead of “No POST data” in HTML debug page. Restored BoundFields without any choices evaluating to True. Prevented SessionBase.cycle_key() from losing session data if _session_cache isn’t populated. Fixed layout of ReadOnlyPasswordHashWidget (used in the admin’s user change page). Allowed prefetch calls on managers with custom ModelIterable subclasses. Fixed change password link in the contrib.auth admin for el, es_MX, and pt translations. Restored the output of the class attribute in the