Version in base suite: 1.11.27-1~deb10u1
Base version: python-django_1.11.27-1~deb10u1
Target version: python-django_1.11.28-1~deb10u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-django/python-django_1.11.27-1~deb10u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-django/python-django_1.11.28-1~deb10u1.dsc
 Django.egg-info/PKG-INFO | 2 -
 Django.egg-info/SOURCES.txt | 1
 PKG-INFO | 2 -
 debian/changelog | 16 ++++++++++++++
 django/__init__.py | 2 -
 django/contrib/postgres/aggregates/general.py | 6 +++--
 docs/releases/1.11.28.txt | 13 ++++++++++++
 docs/releases/index.txt | 1
 docs/releases/security.txt | 13 ++++++++++++
 tests/postgres_tests/test_aggregates.py | 4 +++
 tests/timezones/tests.py | 28 ++++++++++++++++++++------
 11 files changed, 77 insertions(+), 11 deletions(-)
diff -Nru python-django-1.11.27/Django.egg-info/PKG-INFO python-django-1.11.28/Django.egg-info/PKG-INFO
--- python-django-1.11.27/Django.egg-info/PKG-INFO 2019-12-18 08:33:12.000000000 +0000
+++ python-django-1.11.28/Django.egg-info/PKG-INFO 2020-02-03 08:17:38.000000000 +0000
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: Django
-Version: 1.11.27
+Version: 1.11.28
 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 Home-page: https://www.djangoproject.com/
 Author: Django Software Foundation
diff -Nru python-django-1.11.27/Django.egg-info/SOURCES.txt python-django-1.11.28/Django.egg-info/SOURCES.txt
--- python-django-1.11.27/Django.egg-info/SOURCES.txt 2019-12-18 08:33:13.000000000 +0000
+++ python-django-1.11.28/Django.egg-info/SOURCES.txt 2020-02-03 08:17:38.000000000 +0000
@@ -3555,6 +3555,7 @@
 docs/releases/1.11.25.txt
 docs/releases/1.11.26.txt
 docs/releases/1.11.27.txt
+docs/releases/1.11.28.txt
 docs/releases/1.11.3.txt
 docs/releases/1.11.4.txt
 docs/releases/1.11.5.txt
diff -Nru python-django-1.11.27/PKG-INFO python-django-1.11.28/PKG-INFO
--- python-django-1.11.27/PKG-INFO 2019-12-18 08:33:15.000000000 +0000
+++ python-django-1.11.28/PKG-INFO 2020-02-03 08:17:45.000000000 +0000
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: Django
-Version: 1.11.27
+Version: 1.11.28
 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 Home-page: https://www.djangoproject.com/
 Author: Django Software Foundation
diff -Nru python-django-1.11.27/debian/changelog python-django-1.11.28/debian/changelog
--- python-django-1.11.27/debian/changelog 2020-01-06 15:35:55.000000000 +0000
+++ python-django-1.11.28/debian/changelog 2020-02-14 10:00:33.000000000 +0000
@@ -1,3 +1,19 @@
+python-django (1:1.11.28-1~deb10u1) buster-security; urgency=high
+
+ * New upstream security release. (Closes: #950581)
+
+
+ - CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)
+
+ Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3
+ allows SQL Injection if untrusted data is used as a StringAgg delimiter
+ (e.g., in Django applications that offer downloads of data as a series of
+ rows with a user-specified column delimiter). By passing a suitably
+ crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it
+ was possible to break escaping and inject malicious SQL.
+
+ -- Chris Lamb Fri, 14 Feb 2020 10:00:33 +0000
+
 python-django (1:1.11.27-1~deb10u1) buster-security; urgency=high
 * New upstream security release. (Closes: #946937)
diff -Nru python-django-1.11.27/django/__init__.py python-django-1.11.28/django/__init__.py
--- python-django-1.11.27/django/__init__.py 2019-12-18 08:32:18.000000000 +0000
+++ python-django-1.11.28/django/__init__.py 2020-02-03 08:16:32.000000000 +0000
@@ -2,7 +2,7 @@
 from django.utils.version import get_version
-VERSION = (1, 11, 27, 'final', 0)
+VERSION = (1, 11, 28, 'final', 0)
 __version__ = get_version(VERSION)
diff -Nru python-django-1.11.27/django/contrib/postgres/aggregates/general.py python-django-1.11.28/django/contrib/postgres/aggregates/general.py
--- python-django-1.11.27/django/contrib/postgres/aggregates/general.py 2019-12-18 08:31:54.000000000 +0000
+++ python-django-1.11.28/django/contrib/postgres/aggregates/general.py 2020-02-03 08:16:09.000000000 +0000
@@ -1,4 +1,5 @@
 from django.contrib.postgres.fields import JSONField
+from django.db.models import Value
 from django.db.models.aggregates import Aggregate
 __all__ = [
@@ -43,11 +44,12 @@
 class StringAgg(Aggregate):
 function = 'STRING_AGG'
- template = "%(function)s(%(distinct)s%(expressions)s, '%(delimiter)s')"
+ template = '%(function)s(%(distinct)s%(expressions)s)'
 def __init__(self, expression, delimiter, distinct=False, **extra):
 distinct = 'DISTINCT ' if distinct else ''
- super(StringAgg, self).__init__(expression, delimiter=delimiter, distinct=distinct, **extra)
+ delimiter_expr = Value(str(delimiter))
+ super(StringAgg, self).__init__(expression, delimiter_expr, distinct=distinct, **extra)
 def convert_value(self, value, expression, connection, context):
 if not value:
diff -Nru python-django-1.11.27/docs/releases/1.11.28.txt python-django-1.11.28/docs/releases/1.11.28.txt
--- python-django-1.11.27/docs/releases/1.11.28.txt 1970-01-01 00:00:00.000000000 +0000
+++ python-django-1.11.28/docs/releases/1.11.28.txt 2020-02-03 07:49:13.000000000 +0000
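Review bot: The new `delimiter_expr = Value(str(delimiter))` line carries no comment saying why the delimiter must go through `Value()` rather than back into `template`, so a later cleanup could re-introduce the string interpolation the removed line had; I would add directly above it `# Bind the delimiter as a query parameter; interpolating it into the SQL template allowed injection (CVE-2020-7471).` Separately, `str()` is a lossy coercion: any object is accepted (a `None` delimiter silently becomes the literal string `'None'`), and if this tree still runs on Python 2 — the `super(StringAgg, self)` form suggests it does — a non-ASCII unicode delimiter raises `UnicodeEncodeError`; raising `TypeError` for non-string delimiters, or using the project's text-coercion helper, would be safer than `str()`. The remaining `%(distinct)s` interpolation is fine because it is derived from a boolean, not caller data. `convert_value` continues past the end of the hunk.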
@@ -0,0 +1,13 @@
+============================
+Django 1.11.28 release notes
+============================
+
+*February 3, 2020*
+
+Django 1.11.28 fixes a security issue in 1.11.27.
+
+CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``
+===================================================================
+
+:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was
+subject to SQL injection, using a suitably crafted ``delimiter``.
diff -Nru python-django-1.11.27/docs/releases/index.txt python-django-1.11.28/docs/releases/index.txt
--- python-django-1.11.27/docs/releases/index.txt 2019-12-18 08:31:54.000000000 +0000
+++ python-django-1.11.28/docs/releases/index.txt 2020-02-03 08:16:10.000000000 +0000
@@ -26,6 +26,7 @@
 .. toctree::
 :maxdepth: 1
+ 1.11.28
 1.11.27
 1.11.26
 1.11.25
diff -Nru python-django-1.11.27/docs/releases/security.txt python-django-1.11.28/docs/releases/security.txt
--- python-django-1.11.27/docs/releases/security.txt 2019-12-18 08:31:54.000000000 +0000
+++ python-django-1.11.28/docs/releases/security.txt 2020-02-03 08:16:10.000000000 +0000
@@ -1029,3 +1029,16 @@
 * Django 2.2 :commit:`(patch) `
 * Django 2.1 :commit:`(patch) <5d50a2e5fa36ad23ab532fc54cf4073de84b3306>`
 * Django 1.11 :commit:`(patch) <869b34e9b3be3a4cfcb3a145f218ffd3f5e3fd79>`
+
+December 18, 2019 - :cve:`2019-19844`
+-------------------------------------
+
+Potential account hijack via password reset form. `Full description
+`__
+
+Versions affected
+~~~~~~~~~~~~~~~~~
+
+* Django 3.0 :commit:`(patch) <302a4ff1e8b1c798aab97673909c7a3dfda42c26>`
+* Django 2.2 :commit:`(patch) <4d334bea06cac63dc1272abcec545b85136cca0e>`
+* Django 1.11 :commit:`(patch) `
diff -Nru python-django-1.11.27/tests/postgres_tests/test_aggregates.py python-django-1.11.28/tests/postgres_tests/test_aggregates.py
--- python-django-1.11.27/tests/postgres_tests/test_aggregates.py 2019-12-18 08:31:54.000000000 +0000
+++ python-django-1.11.28/tests/postgres_tests/test_aggregates.py 2020-02-03 08:16:11.000000000 +0000
@@ -108,6 +108,10 @@
 with self.assertRaises(TypeError):
 AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field'))
+ def test_string_agg_delimiter_escaping(self):
+ values = AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field', delimiter="'"))
+ self.assertEqual(values, {'stringagg': "Foo1'Foo2'Foo3'Foo4"})
+
 def test_string_agg_charfield(self):
 values = AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field', delimiter=';'))
 self.assertEqual(values, {'stringagg': 'Foo1;Foo2;Foo3;Foo4'})
diff -Nru python-django-1.11.27/tests/timezones/tests.py python-django-1.11.28/tests/timezones/tests.py
--- python-django-1.11.27/tests/timezones/tests.py 2019-12-18 08:31:54.000000000 +0000
+++ python-django-1.11.28/tests/timezones/tests.py 2020-02-03 08:16:11.000000000 +0000
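Review bot: `test_string_agg_delimiter_escaping` only exercises a lone single quote, which shows the old `'%(delimiter)s'` quoting is gone but does not distinguish "escaped into the SQL text" from "bound as a parameter"; a delimiter that would also break a string-built query, such as one containing `%` (which the DB driver's parameter substitution would otherwise misread) and a `'); --` sequence, would pin the fix more tightly. I would add, next to the new test, `values = AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field', delimiter="%'); --"))` followed by `self.assertEqual(values, {'stringagg': "Foo1%'); --Foo2%'); --Foo3%'); --Foo4"})`, and a non-ASCII delimiter case, since the fix coerces the delimiter with `str()` and a non-ASCII value is the input most likely to behave differently across interpreter versions. The enclosing test class starts outside the hunk.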
@@ -36,6 +36,12 @@
 AllDayEvent, Event, MaybeEvent, Session, SessionEvent, Timestamp,
 )
+try:
+ import yaml
+ HAS_YAML = True
+except ImportError:
+ HAS_YAML = False
+
 # These tests use the EAT (Eastern Africa Time) and ICT (Indochina Time)
 # who don't have Daylight Saving Time, so we can represent them easily
 # with FixedOffset, and use them directly as tzinfo in the constructors.
@@ -662,9 +668,10 @@
 # Backend-specific notes:
 # - JSON supports only milliseconds, microseconds will be truncated.
- # - PyYAML dumps the UTC offset correctly for timezone-aware datetimes,
- # but when it loads this representation, it subtracts the offset and
- # returns a naive datetime object in UTC. See ticket #18867.
+ # - PyYAML dumps the UTC offset correctly for timezone-aware datetimes.
+ # When PyYAML < 5.3 loads this representation, it subtracts the offset
+ # and returns a naive datetime object in UTC. PyYAML 5.3+ loads timezones
+ # correctly.
 # Tests are adapted to take these quirks into account.
 def assert_python_contains_datetime(self, objects, dt):
@@ -751,7 +758,10 @@
 data = serializers.serialize('yaml', [Event(dt=dt)], default_flow_style=None)
 self.assert_yaml_contains_datetime(data, "2011-09-01 17:20:30.405060+07:00")
 obj = next(serializers.deserialize('yaml', data)).object
- self.assertEqual(obj.dt.replace(tzinfo=UTC), dt)
+ if HAS_YAML and yaml.__version__ < '5.3':
+ self.assertEqual(obj.dt.replace(tzinfo=UTC), dt)
+ else:
+ self.assertEqual(obj.dt, dt)
 def test_aware_datetime_in_utc(self):
 dt = datetime.datetime(2011, 9, 1, 10, 20, 30, tzinfo=UTC)
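Review bot: `yaml.__version__ < '5.3'` in the third hunk compares version strings lexicographically, so a PyYAML release such as `5.10` would sort before `'5.3'` and take the old-PyYAML branch, making the test assert the wrong value; compare parsed versions instead, e.g. `from distutils.version import LooseVersion` at the top of the file and `if HAS_YAML and LooseVersion(yaml.__version__) < LooseVersion('5.3'):`. Because the same expression is repeated in the two hunks that follow, computing it once beside the `HAS_YAML` guard in the first hunk, e.g. `YAML_LOADS_TZ = HAS_YAML and LooseVersion(yaml.__version__) >= LooseVersion('5.3')`, would keep all three tests in step. The test method containing the third hunk begins above it.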
@@ -799,7 +809,10 @@
 data = serializers.serialize('yaml', [Event(dt=dt)], default_flow_style=None)
 self.assert_yaml_contains_datetime(data, "2011-09-01 13:20:30+03:00")
 obj = next(serializers.deserialize('yaml', data)).object
- self.assertEqual(obj.dt.replace(tzinfo=UTC), dt)
+ if HAS_YAML and yaml.__version__ < '5.3':
+ self.assertEqual(obj.dt.replace(tzinfo=UTC), dt)
+ else:
+ self.assertEqual(obj.dt, dt)
 def test_aware_datetime_in_other_timezone(self):
 dt = datetime.datetime(2011, 9, 1, 17, 20, 30, tzinfo=ICT)
@@ -823,7 +836,10 @@
 data = serializers.serialize('yaml', [Event(dt=dt)], default_flow_style=None)
 self.assert_yaml_contains_datetime(data, "2011-09-01 17:20:30+07:00")
 obj = next(serializers.deserialize('yaml', data)).object
- self.assertEqual(obj.dt.replace(tzinfo=UTC), dt)
+ if HAS_YAML and yaml.__version__ < '5.3':
+ self.assertEqual(obj.dt.replace(tzinfo=UTC), dt)
+ else:
+ self.assertEqual(obj.dt, dt)
 @override_settings(DATETIME_FORMAT='c', TIME_ZONE='Africa/Nairobi', USE_L10N=False, USE_TZ=True)
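Review bot: The four-line `if HAS_YAML and yaml.__version__ < '5.3': ... else: ...` branch is pasted verbatim into both hunks here and once more in the hunk above, so the version test and its two assertions live in three places; moving them into one helper on the test class, say `def assert_yaml_datetime_roundtrip(self, loaded, expected)` that holds the branch and is called as `self.assert_yaml_datetime_roundtrip(obj.dt, dt)`, would reduce each test to a single line and mean any correction to the version comparison lands once. A one-line comment on the helper, `# PyYAML < 5.3 drops the offset and returns a naive UTC datetime; 5.3+ keeps it.`, would document the quirk the branch exists for. Both test methods touched here begin above their hunks.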