From: <updates <at> fedoraproject.org>
Subject: [SECURITY] Fedora 18 Update: python-djblets-0.7.23-1.fc18
Newsgroups: gmane.linux.redhat.fedora.package.announce
Date: Tuesday 26th November 2013 03:59:43 UTC
Fedora Update Notification
2013-11-07 02:32:01

Name        : python-djblets
Product     : Fedora 18
Version     : 0.7.23
Release     : 1.fc18
URL         : http://www.review-board.org
Summary     : A collection of useful classes and functions for Django
Description :
A collection of useful classes and functions for Django

Update Information:

- Fix JavaScript errors

- New upstream security release 1.7.17
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.17/
- Resolves: CVE-2013-4519
- Security Fixes:
  * Fixed XSS vulnerabilities for the 'Branch' field and uploaded file
  * Added a 'X-Frame-Options' header to prevent clickjacking.
- New Features:
  * Remove the need for SSH keys for GitHub repositories.
  * Improved validation for GitHub repositories.
  * Added support for permissions on Local Sites.
- Performance Improvements:
  * Reduced query counts on all pages.
  * Reduced query counts in the web API when returning empty lists.
- Extensibility:
  * Extensions using the ``configure_extension`` view can now pass in a
custom ``template_name`` pointing to a template for the configuration page,
if it needs additional customization.
  * Enabling, disabling or reconfiguring extensions will now invalidate the
caches for pages, ensuring that hooks will take effect.
  * Extension configuration now works properly on subdirectory installs.
- Bug Fixes:
  * Fixed showing private review requests on a submitter page.
  * The description for submitted or discarded review requests is now shown
on the diff viewer.
  * Discarding, reopening and then closing a review request no longer makes
the review request private.
  * Fixed a naming conflict with older PyCrypto packages, such as the
default package on CentOS 6.4.
  * Users with the 'can_change_status' permission no longer need the
'can_edit_reviewrequest' permission in order to close or reopen review
  * Switching a repository from using a hosting service to Custom no longer
reverts back to the hosting service.
  * Fixed editing a repository if its associated hosting service can't be
loaded (such as if an extension providing that hosting service is
  * Many diff validation errors weren't being shown on the New Review
Request page, generating 500 errors instead.
  * Fixed caching issues with the Blocks field on review requests.
  * Editing JSON text fields in the administration UI now works, validates,
and won't result in warnings in the log.
  * Fixed breakages with looking up URLs internally with Local Sites.

* Tue Nov  5 2013 Stephen Gallagher  - 0.7.23-1
- New upstream release 0.7.23
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.21.NEWS
  * djblets.webapi:
    * Added a has_list_access_permissions function, which is used to
      determine access to a list resource.
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.22.NEWS
  * djblets.extensions:
    * AJAX_SERIAL is updated when extensions are enabled/disabled or their
      configuration changes, allowing templates using AJAX_SERIAL as part
      their cache to invalidate.
  * djblets.siteconfig:
    * Reduced query counts for installs using siteconfig.
  * djblets.webapi:
    * Reduced query counts when returning payloads for list resources  with
    * Common attribute lookups on WebAPIResource are now cached.
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.23.NEWS
  * djblets.extensions:
    * Fix URL errors when configuring extensions with a custom SITE_ROOT.
  * djblets.util.fields:
    * JSONFields can now be safely edited through the administration UI,
      complete with validation.
  * jquery.gravy:
    * Fixed hiding the pencil icons on an inlineEditor when disabled.
* Sun Oct 13 2013 Patrick Uiterwijk  - 0.7.21-1
- New upstream bugfix release 0.7.21
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.21.NEWS
- Added a has_list_access_permissions function, which is used to
          determine access to a list resource.
* Fri Oct 11 2013 Stephen Gallagher  - 0.7.20-1
- New upstream bugfix release 0.7.20
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.20.NEWS
- Fixed regression with pagination on the datagrid
* Thu Oct 10 2013 Stephen Gallagher  - 0.7.19-1
- New upstream security release 0.7.19
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.19.NEWS
- Resolves: CVE-2013-4409
- Resolves unsanitized eval() vulnerability
* Mon Sep 23 2013 Stephen Gallagher  - 0.7.18-1
- New upstream security release 0.7.18
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.18.NEWS
- Web API resource lists are now more careful about access permissions.
* Thu Aug 15 2013 Stephen Gallagher  - 0.7.17-1
- New upstream release 0.7.17
- http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.17.NEWS
* Mon Jul 29 2013 Stephen Gallagher  - 0.7.16-1
- New upstream release 0.7.16
- This release contains security fixes in the datagrid
- JavaScript:
    * autoSizeTextArea now cleans up its hidden proxy elements when
    * inlineEditor can be told not to focus a textarea by default by
      'focusOnOpen' to false.
    * modalBox can place itself in an element other than  by setting
      'container' option to the element.
    * modalBox takes a 'boxID' option that, if specified, will set the ID
      the modalBox element.
    * funcQueue now takes an optional context parameter for callback
- djblets.datagrid:
    * Data pulled from the database and rendered into cells are always
    * Columns can now specify an image_class instead of an image_url.
    * Added a JavaScript reload() function that can be called on a datagrid
      element to trigger a dynamic reload from the server.
- djblets.extensions:
    * Extensions can now specify their list of app directories.
    * Extensions can now specify the author's URL.
    * Improved the look and feel for extension configuration.
    * Improved the functionality for extension configuration.
    * Improved the list of available extensions.
* Mon Jun  3 2013 Stephen Gallagher  - 0.7.15-1
- New upstream release 0.7.15
- djblets.log:
    * Added enhanced request logging
- djblets.siteconfig:
    * Changing and loading the site_static_url setting will now actually
      static media files to be loaded from that URL
- JavaScript:
    * inlineEditor now emits a "cancel" event when pressing OK without any
      modifications. Previously, there was no indication that it had
    * inlineEditor's "complete" event now has the initialValue parameter
      comes after the new value) set correctly. Previously, it was always
      same as the value, making it hard to determine if anything had
    * $.fn.html() now works with setting empty strings.
- djblets.gravatars:
    * Added get_gravatar_url_for_email
- djblets.webapi:
    * The cache of known URI templates for a RootResource now works
      when the path leading to the RootResource can change
    * When serializing an object while using ?expand, any QuerySet will be
      converted to a list. This prevents any changes from happening between
      serializing and rendering
    * Added a "is_webapi_handler" attribute to WebAPIResource
- djblets.extensions:
    * Extension classes can now define a 'metadata' variable to override
      package's metadata. This uses standard PyPI metadata fields. Using
      single Python package can provide several extensions.
    * TemplateHooks subclasses can now override a new render_to_string
      to do their own processing and rendering, instead of simply rendering
      the provided template_name.
    * The template_name parameter to TemplateHook is now optional.
    * The Django template loader cache is now reset when syncing extension
      settings or enabling/disabling an extension
* Mon Apr 22 2013 Stephen Gallagher  - 0.7.12-1
- New upstream release 0.7.12
- djblets.datagrid:
    * Massively speed up datagrid rendering
- djblets.extensions:
    * Added an install_extension function to ExtensionManager
- djblets.util.fields:
    * CounterField now allows incrementing/decrementing by values other
than 1
- djblets.util.templatetags:
    * The thumbnail and crop_image template tags now work with Django
    * Added a save_image_to_storage function in djblets_images that makes
      easy to save image data to Storage backends
- djblets.webapi:
    * Resources now consider both Last Modified and ETag headers
      when determining if a cached payload is still valid. Previously, if
      Last Modified timestamps were the same, the ETag check would fail
* Wed Apr 10 2013 Stephen Gallagher  - 0.7.11-2
- Guarantee that Djblets builds against the correct version of Django
* Thu Feb 21 2013 Stephen Gallagher  - 0.7.11-1
- New upstream release 0.7.11
- djblets.util.fields:
    * CounterField was failing to use the initializers for brand new
      instances of a model, defaulting to None instead
- General:
    * Require Django 1.4.5 as a minimum
- djblets.extensions:
    * "config/" and "db/" links for extensions are now generated
      properly when specifying a custom SITE_ROOT
- djblets.log:
    * Added an Admin UI setting for changing log levels
- djblets.siteconfig:
    * Added new 'list-siteconfig', 'get-siteconfig', and 'set-siteconfig'
      management commands for manipulating siteconfig configuration
      from the shell
* Thu Feb  7 2013 Stephen Gallagher  - 0.7.9-2
- Fix version requirement to protect against django-pipeline 1.3.0
* Mon Jan 28 2013 Stephen Gallagher  - 0.7.9-1
- New upstream release 0.7.9
- JavaScript:
    * modalBoxes now use z-indexes of 99 and 100 for the box and content,
      instead of 11000 and 11001.
- djblets.datagrid:
    * Columns data by way of field access can now span field relationships.
- djblets.extensions:
    * Fixed a failure when clearing extension info.
- djblets.siteconfig:
    * When loading the stored timezone, we're no longer setting
      os.environ['TZ'] to that timezone. Instead, we're just activating
      that timezone for Django only.
- djblets.webapi:
    * Fixed a bug where list resources that had an unknown ID in the URL
      could end up throwing an exception instead of returning a 404.
* Thu Dec 20 2012 Stephen Gallagher  - 0.7.8-1
- New upstream release 0.7.8
- JavaScript:
    * Fixed a crash when enabling/disabling an inlineEditor without an edit
* Wed Dec 19 2012 Stephen Gallagher  - 0.7.7-1
- New upstream release 0.7.7
- djblets.datagrid:
    * Fixed a possible XSS exploit in datagrids
    * Failures during rendering the datagrid now result in a traceback
- JavaScript:
    * The second display of an inlineEditor no longer breaks the size of
* Thu Dec 13 2012 Stephen Gallagher  - 0.7.6-1
- New upstream release 0.7.6
- General:
-  * Django 1.4.2 is now required
-  * All admin-related templates have been changed to better fit the admin
     template structure and styles. This includes siteconfig and logs.
- djblets.extensions:
-  * Extension lists and state are now synchronized across
-  * Extension subclasses now must capture all variable arguments
     (*args, **kwargs) and pass them to the parent constructor
-  * URLHook, admin URLs, and API resource URLs are all now added and
     properly when an extension is enabled or disabled
- djblets.util:
-  * Cache keys are now bound to the SITE_ROOT, if one is set, to prevent
     leakage across instances
-  * Added DynamicURLResolver in djblets.util.urlresolvers
- djblets.util.cache:
-  * Added normalize_cache_backend
- djblets.webapi:
-  * API handler functions that specify allow_unknown=True in
     @webapi_request_fields can now retrieve all extra fields as an
     'extra_fields' argument
-  * Added unregister_resource_for_model
- djblets.siteconfig:
-  * The stored cache_backend setting is now deserialized into
-  * Fixed a couple missing imports
-  * Siteconfig now handles old-style CACHE_BACKEND values and new-style
     CACHES[cachename] dictionaries in the 'cache_backend' setting
- JavaScript:
-  * The jQuery dependency has been updated to 1.8.2, and jQuery-UI to
-  * inlineEditor's animation speed has increased, and is now customizable
     through options.fadeSpeedMS
-  * inlineEditor now does a better job of matching the parent container's
-  * inlineEditor no longer activates when simply selecting text
-  * Added a $.fn.retinaGravatar function that, on Retina-capable displays,
     requests a larger gravatar for the given URL specified in an \
-  * inlineEditor now supports changing an "enabled" option, allowing
     to start out enabled or disabled, or dynamically change that state
* Wed Oct  3 2012 Stephen Gallagher  - 0.7.2-1
- New upstream release 0.7.2
- Drop upstreamed patch to use system feedparser
- General:
-     Styled all admin UI templates to add a "title" class to
      page titles. This affects extensions, log viewer, and siteconfig.
- djblets.log:
-     Fixed the columns to match the style of other admin UI columns.
- djblets.pipeline:
-     Our 'bless' compiler is now compatible with the latest versions of pipeline
- JavaScript:
-     modalBox's positioning is now properly centered
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1027010 - CVE-2013-4519 ReviewBoard: two XSS vulnerabilities
        https://bugzilla.redhat.com/show_bug.cgi?id=1027010
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update python-djblets' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
