Re: [Buildroot] [PATCH] package/python-django: security bump to 6.0.4

From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Marcus Hoffmann <buildroot@bubu1.eu>
Cc: Thomas Perale <thomas.perale@mind.be>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/python-django: security bump to 6.0.4
Date: Mon,  4 May 2026 16:48:13 +0200	[thread overview]
Message-ID: <20260504144813.11252-1-thomas.perale@mind.be> (raw)
In-Reply-To: <20260422215427.186961-1-buildroot@bubu1.eu>

In reply of:
> Django 6.0.4 fixes one security issue with severity “moderate”, four
> security issues with severity “low”, and several bugs in 6.0.3.
> 
> Security issues:
> * CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
>     ASGIRequest normalizes header names following WSGI conventions, mapping
>     hyphens to underscores. As a result, even in configurations where
>     reverse proxies carefully strip security-sensitive headers named with
>     hyphens, such a header could be spoofed by supplying a header named with
>     underscores.
> 
>     Under WSGI, it is the responsibility of the server or proxy to avoid
>     ambiguous mappings. (Django’s runserver was patched in CVE 2015-0219.)
>     But under ASGI, there is not the same uniform expectation, even if many
>     proxies protect against this under default configuration (including
>     nginx via underscores_in_headers off;).
> 
>     Headers containing underscores are now ignored by ASGIRequest, matching
>     the behavior of Daphne, the reference server for ASGI.
> 
>     This issue has severity “low” according to the Django security policy.
> 
> * CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin¶
> 
>     Add permissions on inline model instances were not validated on
>     submission of forged POST data in GenericInlineModelAdmin.
> 
>     This issue has severity “low” according to the Django security policy.
> 
> * CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable¶
> 
>     Admin changelist forms using list_editable incorrectly allowed new
>     instances to be created via forged POST data.
> 
>     This issue has severity “low” according to the Django security policy.
> 
> * CVE-2026-33033: Potential denial-of-service vulnerability in
>     MultiPartParser via base64-encoded file upload¶
> 
>     When using django.http.multipartparser.MultiPartParser, multipart
>     uploads with Content-Transfer-Encoding: base64 that include excessive
>     whitespace may trigger repeated memory copying, potentially degrading
>     performance.
> 
>     This issue has severity “moderate” according to the Django security policy.
> 
> * CVE-2026-33034: Potential denial-of-service vulnerability in
>     ASGI requests via memory upload limit bypass¶
> 
>     ASGI requests with a missing or understated Content-Length header could
>     bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading
>     HttpRequest.body, potentially loading an unbounded request body into
>     memory and causing service degradation.
> 
>     This issue has severity “low” according to the Django security policy.
> 
> Bugfixes:
> * Fixed a regression in Django 6.0 where alogin() and alogout() did not
>   respectively set or clear request.user if it had already been
>   materialized (e.g., by sync middleware) (#37017).
> * Fixed a regression in Django 6.0 in admin forms where
>   RelatedFieldWidgetWrapper incorrectly wrapped all widgets in a
>   <fieldset> (#36949).
> * Fixed a bug in Django 6.0 where the fields.E348 system check did not
>   detect name clashes between model managers and related_names for
>   non-self-referential relationships (#36973).
> 
> Release Notes:
> https://docs.djangoproject.com/en/6.0/releases/6.0.4/
> 
> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>

Applied to 2026.02.x. Thanks

> ---
>  package/python-django/python-django.hash | 4 ++--
>  package/python-django/python-django.mk   | 4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
> index dca77f02e2..6c317cf6e0 100644
> --- a/package/python-django/python-django.hash
> +++ b/package/python-django/python-django.hash
> @@ -1,6 +1,6 @@
>  # md5, sha256 from https://pypi.org/pypi/django/json
> -md5  0bb395b518e2f2f17e1a936deb7ba74c  django-6.0.3.tar.gz
> -sha256  90be765ee756af8a6cbd6693e56452404b5ad15294f4d5e40c0a55a0f4870fe1  django-6.0.3.tar.gz
> +md5  9d429cbef8c8357a480d0b920dd9a956  django-6.0.4.tar.gz
> +sha256  8cfa2572b3f2768b2e84983cf3c4811877a01edb64e817986ec5d60751c113ac  django-6.0.4.tar.gz
>  # Locally computed sha256 checksums
>  sha256  b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
>  sha256  be30dc0e3f7010af6c453d205feaece1f89494789b6e92f0c255ef597a1e6864  django/contrib/gis/measure.py
> diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
> index 0cc68129ee..201eece164 100644
> --- a/package/python-django/python-django.mk
> +++ b/package/python-django/python-django.mk
> @@ -4,9 +4,9 @@
>  #
>  ################################################################################
>  
> -PYTHON_DJANGO_VERSION = 6.0.3
> +PYTHON_DJANGO_VERSION = 6.0.4
>  PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
> -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/80/e1/894115c6bd70e2c8b66b0c40a3c367d83a5a48c034a4d904d31b62f7c53a
> +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/source/d/django
>  PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js), CC-BY-4.0 (admin svg files)
>  PYTHON_DJANGO_LICENSE_FILES = LICENSE \
>  	django/contrib/gis/measure.py \
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot