[Buildroot] [PATCH] package/python-django: security bump to 6.0.4

* [Buildroot] [PATCH] package/python-django: security bump to 6.0.4
@ 2026-04-22 21:54 Marcus Hoffmann via buildroot
  2026-04-23 19:10 ` Julien Olivain via buildroot
  2026-05-04 14:48 ` Thomas Perale via buildroot
  0 siblings, 2 replies; 3+ messages in thread
From: Marcus Hoffmann via buildroot @ 2026-04-22 21:54 UTC (permalink / raw)
  To: buildroot; +Cc: James Hilliard, Manuel Diener, Oli Vogt, Marcus Hoffmann

Django 6.0.4 fixes one security issue with severity “moderate”, four
security issues with severity “low”, and several bugs in 6.0.3.

Security issues:
* CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
    ASGIRequest normalizes header names following WSGI conventions, mapping
    hyphens to underscores. As a result, even in configurations where
    reverse proxies carefully strip security-sensitive headers named with
    hyphens, such a header could be spoofed by supplying a header named with
    underscores.

    Under WSGI, it is the responsibility of the server or proxy to avoid
    ambiguous mappings. (Django’s runserver was patched in CVE 2015-0219.)
    But under ASGI, there is not the same uniform expectation, even if many
    proxies protect against this under default configuration (including
    nginx via underscores_in_headers off;).

    Headers containing underscores are now ignored by ASGIRequest, matching
    the behavior of Daphne, the reference server for ASGI.

    This issue has severity “low” according to the Django security policy.

* CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin¶

    Add permissions on inline model instances were not validated on
    submission of forged POST data in GenericInlineModelAdmin.

    This issue has severity “low” according to the Django security policy.

* CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable¶

    Admin changelist forms using list_editable incorrectly allowed new
    instances to be created via forged POST data.

    This issue has severity “low” according to the Django security policy.

* CVE-2026-33033: Potential denial-of-service vulnerability in
    MultiPartParser via base64-encoded file upload¶

    When using django.http.multipartparser.MultiPartParser, multipart
    uploads with Content-Transfer-Encoding: base64 that include excessive
    whitespace may trigger repeated memory copying, potentially degrading
    performance.

    This issue has severity “moderate” according to the Django security policy.

* CVE-2026-33034: Potential denial-of-service vulnerability in
    ASGI requests via memory upload limit bypass¶

    ASGI requests with a missing or understated Content-Length header could
    bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading
    HttpRequest.body, potentially loading an unbounded request body into
    memory and causing service degradation.

    This issue has severity “low” according to the Django security policy.

Bugfixes:
* Fixed a regression in Django 6.0 where alogin() and alogout() did not
  respectively set or clear request.user if it had already been
  materialized (e.g., by sync middleware) (#37017).
* Fixed a regression in Django 6.0 in admin forms where
  RelatedFieldWidgetWrapper incorrectly wrapped all widgets in a
  <fieldset> (#36949).
* Fixed a bug in Django 6.0 where the fields.E348 system check did not
  detect name clashes between model managers and related_names for
  non-self-referential relationships (#36973).

Release Notes:
https://docs.djangoproject.com/en/6.0/releases/6.0.4/

Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
---
 package/python-django/python-django.hash | 4 ++--
 package/python-django/python-django.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index dca77f02e2..6c317cf6e0 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,6 +1,6 @@
 # md5, sha256 from https://pypi.org/pypi/django/json
-md5  0bb395b518e2f2f17e1a936deb7ba74c  django-6.0.3.tar.gz
-sha256  90be765ee756af8a6cbd6693e56452404b5ad15294f4d5e40c0a55a0f4870fe1  django-6.0.3.tar.gz
+md5  9d429cbef8c8357a480d0b920dd9a956  django-6.0.4.tar.gz
+sha256  8cfa2572b3f2768b2e84983cf3c4811877a01edb64e817986ec5d60751c113ac  django-6.0.4.tar.gz
 # Locally computed sha256 checksums
 sha256  b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
 sha256  be30dc0e3f7010af6c453d205feaece1f89494789b6e92f0c255ef597a1e6864  django/contrib/gis/measure.py
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 0cc68129ee..201eece164 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-PYTHON_DJANGO_VERSION = 6.0.3
+PYTHON_DJANGO_VERSION = 6.0.4
 PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/80/e1/894115c6bd70e2c8b66b0c40a3c367d83a5a48c034a4d904d31b62f7c53a
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/source/d/django
 PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js), CC-BY-4.0 (admin svg files)
 PYTHON_DJANGO_LICENSE_FILES = LICENSE \
 	django/contrib/gis/measure.py \
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread