[SECURITY] Fedora 18 Update: python-djblets-0.7.23-1.fc18

updates at fedoraproject.org
Tue Nov 26 03:59:43 UTC 2013

Fedora Update Notification
2013-11-07 02:32:01

Name        : python-djblets
Product     : Fedora 18
Version     : 0.7.23
Release     : 1.fc18
URL         : http://www.review-board.org
Summary     : A collection of useful classes and functions for Django
Description :
A collection of useful classes and functions for Django

Update Information:

- Fix JavaScript errors

- New upstream security release 1.7.17
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.17/
- Resolves: CVE-2013-4519
- Security Fixes:
  * Fixed XSS vulnerabilities for the 'Branch' field and uploaded file captions.
  * Added a 'X-Frame-Options' header to prevent clickjacking.
- New Features:
  * Remove the need for SSH keys for GitHub repositories.
  * Improved validation for GitHub repositories.
  * Added support for permissions on Local Sites.
- Performance Improvements:
  * Reduced query counts on all pages.
  * Reduced query counts in the web API when returning empty lists.
- Extensibility:
  * Extensions using the ``configure_extension`` view can now pass in a custom ``template_name`` pointing to a template for the configuration page, if it needs additional customization.
  * Enabling, disabling or reconfiguring extensions will now invalidate the caches for pages, ensuring that hooks will take effect.
  * Extension configuration now works properly on subdirectory installs.
- Bug Fixes:
  * Fixed showing private review requests on a submitter page.
  * The description for submitted or discarded review requests is now shown on the diff viewer.
  * Discarding, reopening and then closing a review request no longer makes the review request private.
  * Fixed a naming conflict with older PyCrypto packages, such as the default package on CentOS 6.4.
  * Users with the 'can_change_status' permission no longer need the 'can_edit_reviewrequest' permission in order to close or reopen review requests.
  * Switching a repository from using a hosting service to Custom no longer reverts back to the hosting service.
  * Fixed editing a repository if its associated hosting service can't be loaded (such as if an extension providing that hosting service is disabled).
  * Many diff validation errors weren't being shown on the New Review Request page, generating 500 errors instead.
  * Fixed caching issues with the Blocks field on review requests.
  * Editing JSON text fields in the administration UI now works, validates, and won't result in warnings in the log.
  * Fixed breakages with looking up URLs internally with Local Sites.

* Tue Nov  5 2013 Stephen Gallagher <sgallagh at redhat.com> - 0.7.23-1
- New upstream release 0.7.23
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.21.NEWS
  * djblets.webapi:
    * Added a has_list_access_permissions function, which is used to determine
      access to a list resource.
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.22.NEWS
  * djblets.extensions:
    * AJAX_SERIAL is updated when extensions are enabled/disabled or their
      configuration changes, allowing templates using AJAX_SERIAL as part of
      their cache to invalidate.
  * djblets.siteconfig:
    * Reduced query counts for installs using siteconfig.
  * djblets.webapi:
    * Reduced query counts when returning payloads for list resources with no
    * Common attribute lookups on WebAPIResource are now cached.
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.23.NEWS
  * djblets.extensions:
    * Fix URL errors when configuring extensions with a custom SITE_ROOT.
  * djblets.util.fields:
    * JSONFields can now be safely edited through the administration UI,
      complete with validation.
  * jquery.gravy:
    * Fixed hiding the pencil icons on an inlineEditor when disabled.
* Sun Oct 13 2013 Patrick Uiterwijk <puiterwijk at gmail.com> - 0.7.21-1
- New upstream bugfix release 0.7.21
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.21.NEWS
- Added a has_list_access_permissions function, which is used to
  determine access to a list resource.
* Fri Oct 11 2013 Stephen Gallagher <sgallagh at redhat.com> - 0.7.20-1
- New upstream bugfix release 0.7.20
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.20.NEWS
- Fixed regression with pagination on the datagrid
* Thu Oct 10 2013 Stephen Gallagher <sgallagh at redhat.com> - 0.7.19-1
- New upstream security release 0.7.19
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.19.NEWS
- Resolves: CVE-2013-4409
- Resolves unsanitized eval() vulnerability
* Mon Sep 23 2013 Stephen Gallagher <sgallagh at redhat.com> - 0.7.18-1
- New upstream security release 0.7.18
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.18.NEWS
- Web API resource lists are now more careful about access permissions.
* Thu Aug 15 2013 Stephen Gallagher <sgallagh at redhat.com> - 0.7.17-1
- New upstream release 0.7.17
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.17.NEWS
* Mon Jul 29 2013 Stephen Gallagher <sgallagh at redhat.com> - 0.7.16-1
- New upstream release 0.7.16
- This release contains security fixes in the datagrid
- JavaScript:
    * autoSizeTextArea now cleans up its hidden proxy elements when destroyed.
    * inlineEditor can be told not to focus a textarea by default by setting
      'focusOnOpen' to false.
    * modalBox can place itself in an element other than <body> by setting the
      'container' option to the element.
    * modalBox takes a 'boxID' option that, if specified, will set the ID of
      the modalBox element.
    * funcQueue now takes an optional context parameter for callback functions.
- djblets.datagrid:
    * Data pulled from the database and rendered into cells are always escaped
    * Columns can now specify an image_class instead of an image_url.
    * Added a JavaScript reload() function that can be called on a datagrid
      element to trigger a dynamic reload from the server.
- djblets.extensions:
    * Extensions can now specify their list of app directories.
    * Extensions can now specify the author's URL.
    * Improved the look and feel for extension configuration.
    * Improved the functionality for extension configuration.
    * Improved the list of available extensions.
* Mon Jun  3 2013 Stephen Gallagher <sgallagh at redhat.com> - 0.7.15-1
- New upstream release 0.7.15
- djblets.log:
    * Added enhanced request logging
- djblets.siteconfig:
    * Changing and loading the site_static_url setting will now actually cause
      static media files to be loaded from that URL
- JavaScript:
    * inlineEditor now emits a "cancel" event when pressing OK without any
      modifications. Previously, there was no indication that it had finished.
    * inlineEditor's "complete" event now has the initialValue parameter (which
      comes after the new value) set correctly. Previously, it was always the
      same as the value, making it hard to determine if anything had changed.
    * $.fn.html() now works with setting empty strings.
- djblets.gravatars:
    * Added get_gravatar_url_for_email
- djblets.webapi:
    * The cache of known URI templates for a RootResource now works properly
      when the path leading to the RootResource can change
    * When serializing an object while using ?expand, any QuerySet will be
      converted to a list. This prevents any changes from happening between
      serializing and rendering
    * Added a "is_webapi_handler" attribute to WebAPIResource
- djblets.extensions:
    * Extension classes can now define a 'metadata' variable to override the
      package's metadata. This uses standard PyPI metadata fields. Using this, a
      single Python package can provide several extensions.
    * TemplateHooks subclasses can now override a new render_to_string function
      to do their own processing and rendering, instead of simply rendering
      the provided template_name.
    * The template_name parameter to TemplateHook is now optional.
    * The Django template loader cache is now reset when syncing extension
      settings or enabling/disabling an extension
* Mon Apr 22 2013 Stephen Gallagher <sgallagh at redhat.com> - 0.7.12-1
- New upstream release 0.7.12
- djblets.datagrid:
    * Massively speed up datagrid rendering
- djblets.extensions:
    * Added an install_extension function to ExtensionManager
- djblets.util.fields:
    * CounterField now allows incrementing/decrementing by values other than 1
- djblets.util.templatetags:
    * The thumbnail and crop_image template tags now work with Django Storage
    * Added a save_image_to_storage function in djblets_images that makes it
      easy to save image data to Storage backends
- djblets.webapi:
    * Resources now consider both Last Modified and ETag headers simultaneously
      when determining if a cached payload is still valid. Previously, if the
      Last Modified timestamps were the same, the ETag check would fail
* Wed Apr 10 2013 Stephen Gallagher <sgallagh at redhat.com> - 0.7.11-2
- Guarantee that Djblets builds against the correct version of Django
* Thu Feb 21 2013 Stephen Gallagher <sgallagh at redhat.com> - 0.7.11-1
- New upstream release 0.7.11
- djblets.util.fields:
    * CounterField was failing to use the initializers for brand new
      instances of a model, defaulting to None instead
- General:
    * Require Django 1.4.5 as a minimum
- djblets.extensions:
    * "config/" and "db/" links for extensions are now generated
      properly when specifying a custom SITE_ROOT
- djblets.log:
    * Added an Admin UI setting for changing log levels
- djblets.siteconfig:
    * Added new 'list-siteconfig', 'get-siteconfig', and 'set-siteconfig'
      management commands for manipulating siteconfig configuration
      from the shell
* Thu Feb  7 2013 Stephen Gallagher <sgallagh at redhat.com> - 0.7.9-2
- Fix version requirement to protect against django-pipeline 1.3.0
* Mon Jan 28 2013 Stephen Gallagher <sgallagh at redhat.com> - 0.7.9-1
- New upstream release 0.7.9
- JavaScript:
    * modalBoxes now use z-indexes of 99 and 100 for the box and content,
      instead of 11000 and 11001.
- djblets.datagrid:
    * Columns data by way of field access can now span field relationships.
- djblets.extensions:
    * Fixed a failure when clearing extension info.
- djblets.siteconfig:
    * When loading the stored timezone, we're no longer setting
      os.environ['TZ'] to that timezone. Instead, we're just activating
      that timezone for Django only.
- djblets.webapi:
    * Fixed a bug where list resources that had an unknown ID in the URL
      could end up throwing an exception instead of returning a 404.
* Thu Dec 20 2012 Stephen Gallagher <sgallagh at redhat.com> - 0.7.8-1
- New upstream release 0.7.8
- JavaScript:
    * Fixed a crash when enabling/disabling an inlineEditor without an edit
* Wed Dec 19 2012 Stephen Gallagher <sgallagh at redhat.com> - 0.7.7-1
- New upstream release 0.7.7
- djblets.datagrid:
    * Fixed a possible XSS exploit in datagrids
    * Failures during rendering the datagrid now results in a traceback
- JavaScript:
    * The second display of an inlineEditor no longer breaks the size of the
* Thu Dec 13 2012 Stephen Gallagher <sgallagh at redhat.com> - 0.7.6-1
- New upstream release 0.7.6
- General:
    * Django 1.4.2 is now required
    * All admin-related templates have been changed to better fit the admin
      template structure and styles. This includes siteconfig and logs.
- djblets.extensions:
    * Extension lists and state are now synchronized across
    * Extension subclasses now must capture all variable arguments
      (*args, **kwargs) and pass them to the parent constructor
    * URLHook, admin URLs, and API resource URLs are all now added and removed
      properly when an extension is enabled or disabled
- djblets.util:
    * Cache keys are now bound to the SITE_ROOT, if one is set, to prevent
      leakage across instances
    * Added DynamicURLResolver in djblets.util.urlresolvers
- djblets.util.cache:
    * Added normalize_cache_backend
- djblets.webapi:
    * API handler functions that specify allow_unknown=True in
      @webapi_request_fields can now retrieve all extra fields as an
      'extra_fields' argument
    * Added unregister_resource_for_model
- djblets.siteconfig:
    * The stored cache_backend setting is now deserialized into
    * Fixed a couple missing imports
    * Siteconfig now handles old-style CACHE_BACKEND values and new-style
      CACHES[cachename] dictionaries in the 'cache_backend' setting
- JavaScript:
    * The jQuery dependency has been updated to 1.8.2, and jQuery-UI to 1.8.24
    * inlineEditor's animation speed has increased, and is now customizable
      through options.fadeSpeedMS
    * inlineEditor now does a better job of matching the parent container's
    * inlineEditor no longer activates when simply selecting text
    * Added a $.fn.retinaGravatar function that, on Retina-capable displays,
      requests a larger gravatar for the given URL specified in an <img/>
    * inlineEditor now supports changing an "enabled" option, allowing editors
      to start out enabled or disabled, or dynamically change that state
* Wed Oct  3 2012 Stephen Gallagher <sgallagh at redhat.com> - 0.7.2-1
- New upstream release 0.7.2
- Drop upstreamed patch to use system feedparser
- General:
    * Styled all admin UI templates to add a "title" class to <h1> page
      titles. This affects extensions, log viewer, and siteconfig.
- djblets.log:
    * Fixed the columns to match the style of other admin UI columns.
- djblets.pipeline:
    * Our 'bless' compiler is now compatible with the latest versions
      of pipeline
- JavaScript:
    * modalBox's positioning is now properly centered
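
As an added example (not Djblets or Review Board code), the two defences this notice names, the escaping of data rendered into datagrid cells (0.7.16) and the X-Frame-Options header against clickjacking (the 1.7.17 update information), modelled in plain Python so the block runs without Django. SAMPLE_ROWS, datagrid_app and run_wsgi are constructed stand-ins, not the project's API.

```python
# Added example (not Djblets/Review Board code): the two defences this notice
# names, in plain Python so it runs without Django. SAMPLE_ROWS and
# datagrid_app are constructed sample data.
from html import escape

# Constructed rows, as if loaded from a review-request table; the second row
# holds the kind of stored markup the datagrid fix is meant to neutralise.
SAMPLE_ROWS = [
    {"summary": "Fix login redirect", "branch": "release-1.7.x"},
    {"summary": "<script>alert(1)</script>", "branch": "<img src=x onerror=alert(1)>"},
]

def render_cell_unsafe(value):
    """Pre-fix behaviour: the stored value is interpolated into the HTML verbatim."""
    return "<td>%s</td>" % value

def render_cell(value):
    """Fixed behaviour: escape &, <, > and quotes so stored data is only ever text."""
    return "<td>%s</td>" % escape(str(value), quote=True)

def render_datagrid(rows, columns):
    """Render rows to a table; every cell goes through render_cell()."""
    body = "".join(
        "<tr>%s</tr>" % "".join(render_cell(row.get(col, "")) for col in columns)
        for row in rows)
    return "<table>%s</table>" % body

def frame_options_middleware(app, value="SAMEORIGIN"):
    """WSGI wrapper adding X-Frame-Options unless the app already set one."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            if not any(name.lower() == "x-frame-options" for name, _ in headers):
                headers = list(headers) + [("X-Frame-Options", value)]
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped

def datagrid_app(environ, start_response):
    """Constructed sample WSGI app serving the escaped datagrid."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [render_datagrid(SAMPLE_ROWS, ["summary", "branch"]).encode("utf-8")]

def run_wsgi(app, path="/dashboard/"):
    """Minimal WSGI driver returning (status, headers, body) for inspection."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body
```

Wrapping the whole site, `run_wsgi(frame_options_middleware(datagrid_app))`, yields a response whose body carries the stored markup only as `&lt;script&gt;` text and whose headers include X-Frame-Options, while an app that already sets its own value is left alone.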

  [ 1 ] Bug #1027010 - CVE-2013-4519 ReviewBoard: two XSS vulnerabilities

This update can be installed with the "yum" update program.  Use 
su -c 'yum update python-djblets' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
