* [Buildroot] [PATCH for 2025.02.x] package/python-django: security bump to v5.2.13
From: Titouan Christophe via buildroot @ 2026-04-28 15:11 UTC (permalink / raw)
To: buildroot
Cc: Manuel Diener, Oli Vogt, James Hilliard, thomas.perale, Marcus Hoffmann
See the release notes:
https://docs.djangoproject.com/en/5.2/releases/5.2.13/

In addition, update the PyPI URL to a stable one, which shouldn't change
in each and every release (similar to the URL change in commit
https://gitlab.com/buildroot.org/buildroot/-/commit/60ce218196281d76606849037986b275c4619ae9)

Finally, one hash file has changed because of upstream commit
https://github.com/django/django/commit/0ee44c674cf61efbca2056c40f3e4f2335aaeee6

Django 5.2.13 fixes one security issue with severity "moderate",
and four security issues with severity "low":
- CVE-2026-3902:
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof
headers by exploiting an ambiguous mapping of two header variants
(with hyphens or with underscores) to a single version with
underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x,
and 3.2.x) were not evaluated and may also be affected. Django would
like to thank Tarek Nakkouch for reporting this issue.
https://www.cve.org/CVERecord?id=CVE-2026-3902
- CVE-2026-4277:
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
4.2 before 4.2.30. Add permissions on inline model instances were not
validated on submission of forged `POST` data in
`GenericInlineModelAdmin`. Earlier, unsupported Django series (such as
5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank N05ec@LZU-DSLab for reporting this issue.
https://www.cve.org/CVERecord?id=CVE-2026-4277
- CVE-2026-4292:
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
4.2 before 4.2.30. Admin changelist forms using
`ModelAdmin.list_editable` incorrectly allowed new instances to be
created via forged `POST` data. Earlier, unsupported Django series
(such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
affected. Django would like to thank Cantina for reporting this issue.
https://www.cve.org/CVERecord?id=CVE-2026-4292
- CVE-2026-33033:
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
4.2 before 4.2.30. `MultiPartParser` allows remote attackers to
degrade performance by submitting multipart uploads with
`Content-Transfer-Encoding: base64` including excessive whitespace. Earlier,
unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not
evaluated and may also be affected. Django would like to thank
Seokchan Yoon for reporting this issue.
https://www.cve.org/CVERecord?id=CVE-2026-33033
- CVE-2026-33034:
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
4.2 before 4.2.30. ASGI requests with a missing or understated
`Content-Length` header could bypass the
`DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`,
allowing remote attackers to load an unbounded request body into
memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and
3.2.x) were not evaluated and may also be affected. Django would like
to thank Superior for reporting this issue.
https://www.cve.org/CVERecord?id=CVE-2026-33034
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
package/python-django/python-django.hash | 6 +++---
package/python-django/python-django.mk | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index b1859b0647..a7bf2aed8b 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,9 +1,9 @@
# md5, sha256 from https://pypi.org/pypi/django/json
-md5 9b60bb1145abcc97d276694f3f82a3b8 django-5.2.12.tar.gz
-sha256 6b809af7165c73eff5ce1c87fdae75d4da6520d6667f86401ecf55b681eb1eeb django-5.2.12.tar.gz
+md5 4af55cc09a3d1a828259ad0c05330e6b django-5.2.13.tar.gz
+sha256 a31589db5188d074c63f0945c3888fad104627dfcc236fb2b97f71f89da33bc4 django-5.2.13.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
-sha256 dcac1c86cb7ab491702bdb4c41be680fafde51536748cc8aaee3840eec53ed17 django/contrib/gis/measure.py
+sha256 a6fa72074c31928128aaa18162204507938b7a9a8b819bd833fa82467441800d django/contrib/gis/measure.py
sha256 570a045a8372b6cd6a00e30ebafe8e3e8dfc0a7fe3d4ef2cc5f16d419eb63aeb django/contrib/gis/gdal/LICENSE
sha256 08bf24b7551238ae325295245425b1caeb9ad0f42f9e2d303c7b353502632045 django/contrib/gis/geos/LICENSE
sha256 d48633adb736dac091477ec2206feebeee88e3e6e486aedb21c584e4b49be0ec django/contrib/admin/static/admin/js/inlines.js
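Review bot: the changed checksum for django/contrib/gis/measure.py is a license-file hash (the file is listed under PYTHON_DJANGO_LICENSE_FILES further down in this same patch), but the commit message only says the hash changed because of an upstream commit. Please state explicitly whether upstream commit 0ee44c674cf61efbca2056c40f3e4f2335aaeee6 touched only code in measure.py or also its embedded license text; if the terms changed, PYTHON_DJANGO_LICENSE should be updated in the same patch, and if they did not, say so, so the reviewer of this hash line does not have to open the upstream diff to find out.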
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 52d0a2b740..a478c95f95 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
#
################################################################################
-PYTHON_DJANGO_VERSION = 5.2.12
+PYTHON_DJANGO_VERSION = 5.2.13
PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
# The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/bd/55/b9445fc0695b03746f355c05b2eecc54c34e05198c686f4fc4406b722b52
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/source/d/django
PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js)
PYTHON_DJANGO_LICENSE_FILES = LICENSE \
django/contrib/gis/measure.py \
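Review bot: the unchanged comment `# The official Django site has an unpractical URL` above PYTHON_DJANGO_SITE no longer explains the new value. The thing being avoided is the per-release hashed path (`.../packages/bd/55/b9445fc...`), and the replacement `https://files.pythonhosted.org/packages/source/d/django` is the stable by-name PyPI source URL, so reword the comment along the lines of `# Use the stable PyPI source URL instead of the per-release hashed path` so the next bumper knows why this site is used. Worth a sentence in the commit message too: with a by-name URL the integrity of the fetched tarball rests entirely on the sha256 in python-django.hash, which this patch updates in the same change.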
--
2.53.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
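The header-name collision behind CVE-2026-3902 (two spellings of a header name folding into one `HTTP_*` key in the request metadata) and one defensive way to remove the ambiguity, as an added example written for this page; it is not Django's own code or its 5.2.13 fix, and `cgi_meta_key`, `build_meta_ambiguous`, `build_meta_strict` and the sample headers are assumed names and constructed data.

```python
# Illustrative code for this page (not Django's): why hyphen/underscore header
# variants colliding on one CGI-style key is a spoofing risk, and a mitigation.
import re

def cgi_meta_key(name: str) -> str:
    """Hypothetical helper mirroring the usual CGI/WSGI rule: HTTP_ prefix,
    upper-case, '-' replaced by '_'. Both spellings land on the same key."""
    return "HTTP_" + name.upper().replace("-", "_")

def build_meta_ambiguous(headers):
    """Naive mapping: last header wins, so 'X-Real-IP' and 'X_Real_IP'
    silently overwrite each other on HTTP_X_REAL_IP."""
    meta = {}
    for name, value in headers:
        meta[cgi_meta_key(name)] = value
    return meta

_TOKEN = re.compile(r"^[A-Za-z0-9-]+$")  # conservative header-name charset

def build_meta_strict(headers):
    """Hardened mapping: drop any header whose name contains an underscore
    (or anything outside the conservative token set), so a META key can only
    have come from the hyphenated spelling. This mirrors nginx's default of
    discarding underscored header names; it is an assumption for this
    example, not a description of the Django 5.2.13 patch."""
    meta = {}
    dropped = []
    for name, value in headers:
        if not _TOKEN.match(name):
            dropped.append(name)
            continue
        meta[cgi_meta_key(name)] = value
    return meta, dropped

# Constructed sample: a trusted proxy sets X-Real-IP; a later header with the
# underscored spelling collides on the same key and would overwrite it.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("X-Real-IP", "203.0.113.7"),
    ("X_Real_IP", "10.0.0.1"),
]

if __name__ == "__main__":
    print(build_meta_ambiguous(SAMPLE_HEADERS)["HTTP_X_REAL_IP"])  # 10.0.0.1
    meta, dropped = build_meta_strict(SAMPLE_HEADERS)
    print(meta["HTTP_X_REAL_IP"], dropped)  # 203.0.113.7 ['X_Real_IP']
```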
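The limit bypass behind CVE-2026-33034, as an added example that is not Django's code: a body reader that checks only the declared `Content-Length` against the limit, beside one that also counts bytes as they actually arrive. `MAX` stands in for `DATA_UPLOAD_MAX_MEMORY_SIZE`; the function names and the sample stream are assumptions constructed for this page.

```python
# Illustrative code for this page (not Django's): enforce a body-size limit on
# the bytes received, not on what the Content-Length header claims.
import io

class RequestDataTooBig(Exception):
    pass

def read_body_trusting_header(stream, content_length, max_size):
    """Weak pattern: only the declared length is compared to the limit, then
    the whole stream is read. A missing or understated header passes the
    check while the real body stays unbounded."""
    if content_length is not None and content_length > max_size:
        raise RequestDataTooBig("declared length exceeds limit")
    return stream.read()

def read_body_bounded(stream, content_length, max_size, chunk=8192):
    """Hardened pattern: reject an honest oversized declaration early, but
    also count bytes as they arrive and stop as soon as the limit is
    exceeded, independent of what the header claimed."""
    if content_length is not None and content_length > max_size:
        raise RequestDataTooBig("declared length exceeds limit")
    buf = bytearray()
    while True:
        piece = stream.read(chunk)
        if not piece:
            break
        buf += piece
        if len(buf) > max_size:
            raise RequestDataTooBig("received body exceeds limit")
    return bytes(buf)

MAX = 1024  # stand-in for DATA_UPLOAD_MAX_MEMORY_SIZE in this example

def sample_stream():
    """Constructed request: header will claim 10 bytes, stream carries 4 KiB."""
    return io.BytesIO(b"A" * 4096)

def demo():
    """Return (bytes the weak reader accepted, bounded reader's verdict on
    the understated header, bytes returned for an honest 512-byte body)."""
    naive = len(read_body_trusting_header(sample_stream(), 10, MAX))
    try:
        read_body_bounded(sample_stream(), 10, MAX)
        understated = "accepted"
    except RequestDataTooBig:
        understated = "rejected"
    honest = read_body_bounded(io.BytesIO(b"B" * 512), 512, MAX)
    return naive, understated, len(honest)

if __name__ == "__main__":
    print(demo())  # (4096, 'rejected', 512)
```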
* Re: [Buildroot] [PATCH for 2025.02.x] package/python-django: security bump to v5.2.13
From: Thomas Perale via buildroot @ 2026-05-04 14:47 UTC (permalink / raw)
To: Titouan Christophe; +Cc: Thomas Perale, buildroot
In reply to:
> See the release notes:
> https://docs.djangoproject.com/en/5.2/releases/5.2.13/
>
> In addition, update the pypi url to a stable one, which shouldn't change
> in each and every release (similar to the url change in commit
> https://gitlab.com/buildroot.org/buildroot/-/commit/60ce218196281d76606849037986b275c4619ae9)
>
> Finally, one hash file has changed because of upstream commit
> https://github.com/django/django/commit/0ee44c674cf61efbca2056c40f3e4f2335aaeee6
>
> Django 5.2.13 fixes one security issue with severity "moderate",
> and four security issues with severity "low":
> - CVE-2026-3902:
> An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
> 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof
> headers by exploiting an ambiguous mapping of two header variants
> (with hyphens or with underscores) to a single version with
> underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x,
> and 3.2.x) were not evaluated and may also be affected. Django would
> like to thank Tarek Nakkouch for reporting this issue.
> https://www.cve.org/CVERecord?id=CVE-2026-3902
>
> - CVE-2026-4277:
> An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
> 4.2 before 4.2.30. Add permissions on inline model instances were not
> validated on submission of forged `POST` data in
> `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as
> 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
> Django would like to thank N05ec@LZU-DSLab for reporting this issue.
> https://www.cve.org/CVERecord?id=CVE-2026-4277
>
> - CVE-2026-4292:
> An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
> 4.2 before 4.2.30. Admin changelist forms using
> `ModelAdmin.list_editable` incorrectly allowed new instances to be
> created via forged `POST` data. Earlier, unsupported Django series
> (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
> affected. Django would like to thank Cantina for reporting this issue.
> https://www.cve.org/CVERecord?id=CVE-2026-4292
>
> - CVE-2026-33033:
> An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
> 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to
> degrade performance by submitting multipart uploads with `Content-
> Transfer-Encoding: base64` including excessive whitespace. Earlier,
> unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not
> evaluated and may also be affected. Django would like to thank
> Seokchan Yoon for reporting this issue.
> https://www.cve.org/CVERecord?id=CVE-2026-33033
>
> - CVE-2026-33034:
> An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
> 4.2 before 4.2.30. ASGI requests with a missing or understated
> `Content-Length` header could bypass the
> `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`,
> allowing remote attackers to load an unbounded request body into
> memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and
> 3.2.x) were not evaluated and may also be affected. Django would like
> to thank Superior for reporting this issue.
> https://www.cve.org/CVERecord?id=CVE-2026-33034
>
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Applied to 2025.02.x. Thanks
> ---
> package/python-django/python-django.hash | 6 +++---
> package/python-django/python-django.mk | 4 ++--
> 2 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
> index b1859b0647..a7bf2aed8b 100644
> --- a/package/python-django/python-django.hash
> +++ b/package/python-django/python-django.hash
> @@ -1,9 +1,9 @@
> # md5, sha256 from https://pypi.org/pypi/django/json
> -md5 9b60bb1145abcc97d276694f3f82a3b8 django-5.2.12.tar.gz
> -sha256 6b809af7165c73eff5ce1c87fdae75d4da6520d6667f86401ecf55b681eb1eeb django-5.2.12.tar.gz
> +md5 4af55cc09a3d1a828259ad0c05330e6b django-5.2.13.tar.gz
> +sha256 a31589db5188d074c63f0945c3888fad104627dfcc236fb2b97f71f89da33bc4 django-5.2.13.tar.gz
> # Locally computed sha256 checksums
> sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
> -sha256 dcac1c86cb7ab491702bdb4c41be680fafde51536748cc8aaee3840eec53ed17 django/contrib/gis/measure.py
> +sha256 a6fa72074c31928128aaa18162204507938b7a9a8b819bd833fa82467441800d django/contrib/gis/measure.py
> sha256 570a045a8372b6cd6a00e30ebafe8e3e8dfc0a7fe3d4ef2cc5f16d419eb63aeb django/contrib/gis/gdal/LICENSE
> sha256 08bf24b7551238ae325295245425b1caeb9ad0f42f9e2d303c7b353502632045 django/contrib/gis/geos/LICENSE
> sha256 d48633adb736dac091477ec2206feebeee88e3e6e486aedb21c584e4b49be0ec django/contrib/admin/static/admin/js/inlines.js
> diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
> index 52d0a2b740..a478c95f95 100644
> --- a/package/python-django/python-django.mk
> +++ b/package/python-django/python-django.mk
> @@ -4,10 +4,10 @@
> #
> ################################################################################
>
> -PYTHON_DJANGO_VERSION = 5.2.12
> +PYTHON_DJANGO_VERSION = 5.2.13
> PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
> # The official Django site has an unpractical URL
> -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/bd/55/b9445fc0695b03746f355c05b2eecc54c34e05198c686f4fc4406b722b52
> +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/source/d/django
> PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js)
> PYTHON_DJANGO_LICENSE_FILES = LICENSE \
> django/contrib/gis/measure.py \
> --
> 2.53.0
>