* [Buildroot] [PATCH] package/python-django: security bump to version 5.0.8
@ 2024-08-07 8:22 Marcus Hoffmann via buildroot
2024-08-07 10:24 ` Thomas Petazzoni via buildroot
2024-09-03 19:31 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Marcus Hoffmann via buildroot @ 2024-08-07 8:22 UTC (permalink / raw)
To: buildroot; +Cc: James Hilliard, Oli Vogt, Asaf Kahlon
Django 5.0.7 fixes the following CVEs:
* CVE-2024-38875: Potential denial-of-service vulnerability in django.utils.html.urlize()
* CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
* CVE-2024-39330: Potential directory-traversal via Storage.save()
* CVE-2024-39614: Potential denial-of-service vulnerability in get_supported_language_variant()
Django 5.0.8 fixes the following CVEs:
* CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat()
* CVE-2024-41990: Potential denial-of-service vulnerability in django.utils.html.urlize()
* CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget
* CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()
Further release Notes: https://docs.djangoproject.com/en/5.0/releases/
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
---
package/python-django/python-django.hash | 4 ++--
package/python-django/python-django.mk | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index d5684a083c..a5a8c7426d 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,5 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/django/json
-md5 1009c48d70060cadb40000cc15a8058a Django-5.0.3.tar.gz
-sha256 5fb37580dcf4a262f9258c1f4373819aacca906431f505e4688e37f3a99195df Django-5.0.3.tar.gz
+md5 fb167eef987a98421cad62036868a1ca Django-5.0.8.tar.gz
+sha256 ebe859c9da6fead9c9ee6dbfa4943b04f41342f4cea2c4d8c978ef0d10694f2b Django-5.0.8.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 258ff9e0c1..2c5c20ee4d 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
#
################################################################################
-PYTHON_DJANGO_VERSION = 5.0.3
+PYTHON_DJANGO_VERSION = 5.0.8
PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
# The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/e1/b1/ac6a16aaf0049637b50afbcf06b8ec2fa5c6ce42d4ae6ba66bbaf4c3609a
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/79/1c/55733805bb735e26fee0430045efdb61df6fd704b6aebf2154875ef9e6a9
PYTHON_DJANGO_LICENSE = BSD-3-Clause
PYTHON_DJANGO_LICENSE_FILES = LICENSE
PYTHON_DJANGO_CPE_ID_VENDOR = djangoproject
--
2.34.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/python-django: security bump to version 5.0.8
2024-08-07 8:22 [Buildroot] [PATCH] package/python-django: security bump to version 5.0.8 Marcus Hoffmann via buildroot
@ 2024-08-07 10:24 ` Thomas Petazzoni via buildroot
2024-09-03 19:31 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni via buildroot @ 2024-08-07 10:24 UTC (permalink / raw)
To: Marcus Hoffmann via buildroot
Cc: James Hilliard, Marcus Hoffmann, Asaf Kahlon, Oli Vogt
On Wed, 7 Aug 2024 10:22:50 +0200
Marcus Hoffmann via buildroot <buildroot@buildroot.org> wrote:
> Django 5.0.7 fixes the following CVEs:
>
> * CVE-2024-38875: Potential denial-of-service vulnerability in django.utils.html.urlize()
> * CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
> * CVE-2024-39330: Potential directory-traversal via Storage.save()
> * CVE-2024-39614: Potential denial-of-service vulnerability in get_supported_language_variant()
>
> Django 5.0.8 fixes the following CVEs:
>
> * CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat()
> * CVE-2024-41990: Potential denial-of-service vulnerability in django.utils.html.urlize()
> * CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget
> * CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()
>
> Further release Notes: https://docs.djangoproject.com/en/5.0/releases/
>
> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
> ---
> package/python-django/python-django.hash | 4 ++--
> package/python-django/python-django.mk | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/python-django: security bump to version 5.0.8
2024-08-07 8:22 [Buildroot] [PATCH] package/python-django: security bump to version 5.0.8 Marcus Hoffmann via buildroot
2024-08-07 10:24 ` Thomas Petazzoni via buildroot
@ 2024-09-03 19:31 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2024-09-03 19:31 UTC (permalink / raw)
To: Marcus Hoffmann via buildroot
Cc: James Hilliard, Marcus Hoffmann, Asaf Kahlon, Oli Vogt
>>>>> "Marcus" == Marcus Hoffmann via buildroot <buildroot@buildroot.org> writes:
> Django 5.0.7 fixes the following CVEs:
> * CVE-2024-38875: Potential denial-of-service vulnerability in django.utils.html.urlize()
> * CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
> * CVE-2024-39330: Potential directory-traversal via Storage.save()
> * CVE-2024-39614: Potential denial-of-service vulnerability in get_supported_language_variant()
> Django 5.0.8 fixes the following CVEs:
> * CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat()
> * CVE-2024-41990: Potential denial-of-service vulnerability in django.utils.html.urlize()
> * CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget
> * CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()
> Further release Notes: https://docs.djangoproject.com/en/5.0/releases/
> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Committed to 2024.02.x and 2024.05.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-09-03 19:31 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-08-07 8:22 [Buildroot] [PATCH] package/python-django: security bump to version 5.0.8 Marcus Hoffmann via buildroot
2024-08-07 10:24 ` Thomas Petazzoni via buildroot
2024-09-03 19:31 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox