Buildroot Archive on lore.kernel.org
From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Titouan Christophe <titouan.christophe@mind.be>
Cc: Thomas Perale <thomas.perale@mind.be>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH for 2025.02.x] package/python-django: security bump to v5.2.13
Date: Mon,  4 May 2026 16:47:13 +0200
Message-ID: <20260504144713.9022-1-thomas.perale@mind.be>
In-Reply-To: <20260428151136.78922-1-titouan.christophe@mind.be>

In reply to:
> See the release notes:
> https://docs.djangoproject.com/en/5.2/releases/5.2.13/
> 
> In addition, update the pypi url to a stable one, which shouldn't change
> in each and every release (similar to the url change in commit
> https://gitlab.com/buildroot.org/buildroot/-/commit/60ce218196281d76606849037986b275c4619ae9)
> 
> Finally, one hash file has changed because of upstream commit
> https://github.com/django/django/commit/0ee44c674cf61efbca2056c40f3e4f2335aaeee6
> 
> Django 5.2.13 fixes one security issue with severity "moderate",
> and four security issues with severity "low":
> - CVE-2026-3902:
>     An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
>     4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof
>     headers by exploiting an ambiguous mapping of two header variants
>     (with hyphens or with underscores) to a single version with
>     underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x,
>     and 3.2.x) were not evaluated and may also be affected. Django would
>     like to thank Tarek Nakkouch for reporting this issue.
>     https://www.cve.org/CVERecord?id=CVE-2026-3902
> 
> - CVE-2026-4277:
>     An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
>     4.2 before 4.2.30. Add permissions on inline model instances were not
>     validated on submission of forged `POST` data in
>     `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as
>     5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
>     Django would like to thank N05ec@LZU-DSLab for reporting this issue.
>     https://www.cve.org/CVERecord?id=CVE-2026-4277
> 
> - CVE-2026-4292:
>     An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
>     4.2 before 4.2.30. Admin changelist forms using
>     `ModelAdmin.list_editable` incorrectly allowed new instances to be
>     created via forged `POST` data. Earlier, unsupported Django series
>     (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
>     affected. Django would like to thank Cantina for reporting this issue.
>     https://www.cve.org/CVERecord?id=CVE-2026-4292
> 
> - CVE-2026-33033:
>     An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
>     4.2 before 4.2.30. `MultiPartParser` allows remote attackers to
>     degrade performance by submitting multipart uploads with `Content-
>     Transfer-Encoding: base64` including excessive whitespace. Earlier,
>     unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not
>     evaluated and may also be affected. Django would like to thank
>     Seokchan Yoon for reporting this issue.
>     https://www.cve.org/CVERecord?id=CVE-2026-33033
> 
> - CVE-2026-33034:
>     An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
>     4.2 before 4.2.30. ASGI requests with a missing or understated
>     `Content-Length` header could bypass the
>     `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`,
>     allowing remote attackers to load an unbounded request body into
>     memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and
>     3.2.x) were not evaluated and may also be affected. Django would like
>     to thank Superior for reporting this issue.
>     https://www.cve.org/CVERecord?id=CVE-2026-33034
> 
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>

Applied to 2025.02.x. Thanks.

> ---
>  package/python-django/python-django.hash | 6 +++---
>  package/python-django/python-django.mk   | 4 ++--
>  2 files changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
> index b1859b0647..a7bf2aed8b 100644
> --- a/package/python-django/python-django.hash
> +++ b/package/python-django/python-django.hash
> @@ -1,9 +1,9 @@
>  # md5, sha256 from https://pypi.org/pypi/django/json
> -md5  9b60bb1145abcc97d276694f3f82a3b8  django-5.2.12.tar.gz
> -sha256  6b809af7165c73eff5ce1c87fdae75d4da6520d6667f86401ecf55b681eb1eeb  django-5.2.12.tar.gz
> +md5  4af55cc09a3d1a828259ad0c05330e6b  django-5.2.13.tar.gz
> +sha256  a31589db5188d074c63f0945c3888fad104627dfcc236fb2b97f71f89da33bc4  django-5.2.13.tar.gz
>  # Locally computed sha256 checksums
>  sha256  b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
> -sha256  dcac1c86cb7ab491702bdb4c41be680fafde51536748cc8aaee3840eec53ed17  django/contrib/gis/measure.py
> +sha256  a6fa72074c31928128aaa18162204507938b7a9a8b819bd833fa82467441800d  django/contrib/gis/measure.py
>  sha256  570a045a8372b6cd6a00e30ebafe8e3e8dfc0a7fe3d4ef2cc5f16d419eb63aeb  django/contrib/gis/gdal/LICENSE
>  sha256  08bf24b7551238ae325295245425b1caeb9ad0f42f9e2d303c7b353502632045  django/contrib/gis/geos/LICENSE
>  sha256  d48633adb736dac091477ec2206feebeee88e3e6e486aedb21c584e4b49be0ec  django/contrib/admin/static/admin/js/inlines.js
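Review bot: the two `sha256 ... django/contrib/gis/measure.py` lines replace the locally computed checksum of a file that the `.mk` hunk below lists under `PYTHON_DJANGO_LICENSE_FILES`, yet the commit message only points at the upstream commit that touched it; the message should state whether the license text embedded in `measure.py` changed or only its code did, because a license-file hash change is exactly what a reviewer relies on to notice a change of licensing terms. The tarball `md5`/`sha256` pair is consistent with the retained `# md5, sha256 from https://pypi.org/pypi/django/json` comment, and the remaining locally computed entries (`LICENSE`, the gdal and geos `LICENSE` files, `inlines.js`) are untouched, which matches the commit message's claim that exactly one hash changed.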
> diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
> index 52d0a2b740..a478c95f95 100644
> --- a/package/python-django/python-django.mk
> +++ b/package/python-django/python-django.mk
> @@ -4,10 +4,10 @@
>  #
>  ################################################################################
>  
> -PYTHON_DJANGO_VERSION = 5.2.12
> +PYTHON_DJANGO_VERSION = 5.2.13
>  PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
>  # The official Django site has an unpractical URL
> -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/bd/55/b9445fc0695b03746f355c05b2eecc54c34e05198c686f4fc4406b722b52
> +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/source/d/django
>  PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js)
>  PYTHON_DJANGO_LICENSE_FILES = LICENSE \
>  	django/contrib/gis/measure.py \
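Review bot: the comment `# The official Django site has an unpractical URL` above `PYTHON_DJANGO_SITE` is now stale, since the new value `https://files.pythonhosted.org/packages/source/d/django` is the stable pypi source path the commit message describes, not a workaround for an impractical upstream URL; update it to say that the `packages/source/d/django` path is used because it does not change from release to release. With a site that is no longer pinned to a per-release hash directory, the `.hash` file is the only thing tying `django-$(PYTHON_DJANGO_VERSION).tar.gz` to a specific artifact, so keeping the `.hash` update in the same commit, as done here, is the right call.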
> -- 
> 2.53.0
> 
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
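The patch above changes entries in a Buildroot `.hash` file, and the point of those entries is that the downloaded tarball is checked against them before it is unpacked. As an added example (not Buildroot's own download or hash-checking code), the following parses that `<algo>  <hexdigest>  <filename>` format and verifies in-memory files against it. The `SAMPLE_HASH_FILE` text is taken from the hash lines visible in the patch; the tarball bytes in the demo are constructed, so a matching hash file is generated for them rather than using the real Django digests.

```python
"""Parse a Buildroot-style .hash file and verify files against it.

Added example, not Buildroot's own code. The format is the one visible in
the patch: whitespace-separated "<algo>  <hexdigest>  <filename>" lines,
with '#' comment lines.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Hash lines copied from the patch (tarball entries and the LICENSE line);
# the other locally computed entries are omitted here.
SAMPLE_HASH_FILE = """\
# md5, sha256 from https://pypi.org/pypi/django/json
md5  4af55cc09a3d1a828259ad0c05330e6b  django-5.2.13.tar.gz
sha256  a31589db5188d074c63f0945c3888fad104627dfcc236fb2b97f71f89da33bc4  django-5.2.13.tar.gz
# Locally computed sha256 checksums
sha256  b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
"""

SUPPORTED_ALGOS = ("md5", "sha1", "sha256", "sha512")


@dataclass(frozen=True)
class HashEntry:
    algo: str
    digest: str      # lowercase hex
    filename: str


def parse_hash_file(text):
    """Return the HashEntry list found in `text`, rejecting malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<algo> <digest> <file>': {raw!r}")
        algo, digest, filename = parts[0].lower(), parts[1].lower(), parts[2]
        if algo not in SUPPORTED_ALGOS:
            raise ValueError(f"line {lineno}: unsupported algorithm {algo!r}")
        want = hashlib.new(algo).digest_size * 2
        if len(digest) != want or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: {algo} digest must be {want} hex chars")
        entries.append(HashEntry(algo, digest, filename))
    return entries


def hash_line(algo, filename, data):
    """Format one .hash line for `data`, as a maintainer does when bumping a version."""
    return f"{algo}  {hashlib.new(algo, data).hexdigest()}  {filename}"


def verify(entries, files):
    """Check every entry against `files` (filename -> bytes).

    Returns {(algo, filename): "ok" | "mismatch" | "missing"}. Every entry
    is checked, so a tarball listed with both md5 and sha256 must satisfy both.
    """
    results = {}
    for entry in entries:
        data = files.get(entry.filename)
        if data is None:
            status = "missing"
        else:
            actual = hashlib.new(entry.algo, data).hexdigest()
            status = "ok" if hmac.compare_digest(actual, entry.digest) else "mismatch"
        results[(entry.algo, entry.filename)] = status
    return results


def all_ok(results):
    """True only when there was at least one entry and none failed."""
    return bool(results) and all(s == "ok" for s in results.values())


if __name__ == "__main__":
    # Constructed stand-in for a downloaded tarball; a matching hash file is
    # generated for it because its digests differ from the real release's.
    tarball = b"constructed bytes standing in for django-5.2.13.tar.gz"
    generated = "\n".join(hash_line(a, "django-5.2.13.tar.gz", tarball) for a in ("md5", "sha256"))
    print(verify(parse_hash_file(generated), {"django-5.2.13.tar.gz": tarball}))
    print(verify(parse_hash_file(generated), {"django-5.2.13.tar.gz": tarball + b"tampered"}))
```

`all_ok` deliberately returns False for an empty result set: a package whose hash file parsed to nothing should not be treated as verified, and the parser refuses unknown algorithms and malformed digests rather than skipping them, so a typo in a `.hash` line fails loudly instead of silently weakening the check.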
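The CVE-2026-33034 entry in the quoted commit message describes a size limit that could be bypassed when the `Content-Length` header was missing or understated. As an added example that is not Django's code and not part of the patch, the following shows that failure class in general form: a body reader whose limit is enforced only against the declared length, beside a reader that bounds the bytes it actually receives. The chunked stream and header mapping are constructed stand-ins for what an ASGI receive loop delivers, and `DATA_UPLOAD_MAX_MEMORY_SIZE` is reused here as a plain constant named after the Django setting.

```python
"""Bounded request-body reading that does not trust Content-Length.

Added example, not Django's code. The request body is modelled as a plain
iterable of byte chunks and headers as a lowercase-name -> value mapping.
"""

# Named after the Django setting; the value is Django's documented default (2.5 MiB).
DATA_UPLOAD_MAX_MEMORY_SIZE = 2_621_440


class RequestDataTooBig(Exception):
    """Raised when a body exceeds the in-memory limit."""


def parse_content_length(headers):
    """Return Content-Length as a non-negative int, or None when absent or invalid."""
    value = headers.get("content-length")
    if value is None:
        return None
    try:
        n = int(value)
    except ValueError:
        return None
    return n if n >= 0 else None


def read_body_trusting_header(chunks, headers, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
    """Flawed pattern: the limit is compared against the header value only.

    A missing or understated Content-Length passes the check, after which
    every chunk the client sends is buffered with no further accounting.
    """
    declared = parse_content_length(headers)
    if declared is not None and declared > limit:
        raise RequestDataTooBig(f"declared {declared} > {limit}")
    return b"".join(chunks)


def read_body_bounded(chunks, headers, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
    """Hardened pattern: count bytes as they arrive and stop at the limit.

    The header check stays as a cheap early rejection, but the authoritative
    bound is the running total of bytes actually received.
    """
    declared = parse_content_length(headers)
    if declared is not None and declared > limit:
        raise RequestDataTooBig(f"declared {declared} > {limit}")
    buf = bytearray()
    for chunk in chunks:
        if len(buf) + len(chunk) > limit:
            raise RequestDataTooBig(f"received more than {limit} bytes")
        buf += chunk
    if declared is not None and len(buf) != declared:
        # A declared length that disagrees with the bytes received, in either
        # direction, is treated as a malformed request rather than trusted.
        raise ValueError(f"Content-Length {declared} != {len(buf)} bytes received")
    return bytes(buf)


if __name__ == "__main__":
    # Constructed request: three 1000-byte chunks behind a header claiming 100 bytes.
    chunks = [b"A" * 1000] * 3
    headers = {"content-length": "100"}
    print(len(read_body_trusting_header(chunks, headers, limit=2000)))  # 3000: limit bypassed
    try:
        read_body_bounded(chunks, headers, limit=2000)
    except RequestDataTooBig as exc:
        print("rejected:", exc)
```

The check in the bounded reader runs before each chunk is appended, so memory use never exceeds `limit` plus one chunk of slack, and an absent header is handled identically to an understated one because the running total, not the header, decides.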

Thread overview: 2+ messages
2026-04-28 15:11 [Buildroot] [PATCH for 2025.02.x] package/python-django: security bump to v5.2.13 Titouan Christophe via buildroot
2026-05-04 14:47 ` Thomas Perale via buildroot [this message]
