Commit graph

10 commits

Author SHA1 Message Date
adam
fda78f32f2 Changes 1.4.19:
* GZipMiddleware now supports streaming responses. As part of the 1.4.18 security release, the django.views.static.serve() function was altered to stream the files it serves. Unfortunately, the GZipMiddleware consumed the stream prematurely and prevented files from being served properly.
2015-01-28 06:39:40 +00:00
adam
26bdcbf8a1 Fixed security issues:
* WSGI header spoofing via underscore/dash conflation
* Mitigated possible XSS attack via user-supplied redirect URLs
* Denial-of-service attack against django.views.static.serve
* Database denial-of-service with ModelMultipleChoiceField
2015-01-14 17:07:12 +00:00
adam
021c651f1f Changes 1.4.14:
Security fixes:
* Issue: reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
* Issue: file upload denial of service (CVE-2014-0481)
* Issue: RemoteUserMiddleware session hijacking (CVE-2014-0482)
* Issue: data leakage via querystring manipulation in admin (CVE-2014-0483)
2014-08-23 12:16:45 +00:00
joerg
33ac0dd968 Use MASTER_SITES logic from www/py-django.
2014-06-10 12:01:56 +00:00
joerg
fbb040e6f6 Update to Django 1.4.13:
- caching framework may expose private data and/or allow cache poisoning
- stricter checking for valid URLs when redirecting based on user input,
  e.g. on the login page
2014-06-10 11:58:10 +00:00
joerg
82bb55de1f Update to Django 1.4.12:
- fix a potential execution of undesired code via reverse()
- avoid leaking the CSRF token via caching of anonymous requests
- fix missing explicit typecasts for MySQL
2014-05-09 11:38:27 +00:00
wiz
c1b44346cd Mark packages that are not ready for python-3.3 also not ready for 3.4,
until proven otherwise.
2014-05-09 07:36:53 +00:00
wiz
aa67e11089 Mark packages as not ready for python-3.x where applicable;
either because they themselves are not ready or because a
dependency isn't. This is annotated by
PYTHON_VERSIONS_INCOMPATIBLE=  33 # not yet ported as of x.y.z
or
PYTHON_VERSIONS_INCOMPATIBLE=  33 # py-foo, py-bar
respectively, please use the same style for other packages,
and check during updates.

Use versioned_dependencies.mk where applicable.
Use REPLACE_PYTHON instead of handcoded alternatives, where applicable.
Reorder Makefile sections into standard order, where applicable.

Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default
with the next commit.

Whitespace cleanups and other nits corrected, where necessary.
2014-01-25 10:29:56 +00:00
wiz
16297b6893 Use versioned_dependencies.mk for flup.
2014-01-18 19:07:57 +00:00
joerg
5f8459fc53 Add the LTS version of www/py-django for users that desire less
volatility.
2013-11-14 21:27:01 +00:00