* [Buildroot] [PATCH] package/python-django: security bump to 6.0.4
@ 2026-04-22 21:54 Marcus Hoffmann via buildroot
2026-04-23 19:10 ` Julien Olivain via buildroot
2026-05-04 14:48 ` Thomas Perale via buildroot
0 siblings, 2 replies; 3+ messages in thread
From: Marcus Hoffmann via buildroot @ 2026-04-22 21:54 UTC (permalink / raw)
To: buildroot; +Cc: James Hilliard, Manuel Diener, Oli Vogt, Marcus Hoffmann
Django 6.0.4 fixes one security issue with severity “moderate”, four
security issues with severity “low”, and several bugs in 6.0.3.
Security issues:
* CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
ASGIRequest normalizes header names following WSGI conventions, mapping
hyphens to underscores. As a result, even in configurations where
reverse proxies carefully strip security-sensitive headers named with
hyphens, such a header could be spoofed by supplying a header named with
underscores.
Under WSGI, it is the responsibility of the server or proxy to avoid
ambiguous mappings. (Django’s runserver was patched in CVE 2015-0219.)
But under ASGI, there is not the same uniform expectation, even if many
proxies protect against this under default configuration (including
nginx via underscores_in_headers off;).
Headers containing underscores are now ignored by ASGIRequest, matching
the behavior of Daphne, the reference server for ASGI.
This issue has severity “low” according to the Django security policy.
* CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin¶
Add permissions on inline model instances were not validated on
submission of forged POST data in GenericInlineModelAdmin.
This issue has severity “low” according to the Django security policy.
* CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable¶
Admin changelist forms using list_editable incorrectly allowed new
instances to be created via forged POST data.
This issue has severity “low” according to the Django security policy.
* CVE-2026-33033: Potential denial-of-service vulnerability in
MultiPartParser via base64-encoded file upload¶
When using django.http.multipartparser.MultiPartParser, multipart
uploads with Content-Transfer-Encoding: base64 that include excessive
whitespace may trigger repeated memory copying, potentially degrading
performance.
This issue has severity “moderate” according to the Django security policy.
* CVE-2026-33034: Potential denial-of-service vulnerability in
ASGI requests via memory upload limit bypass¶
ASGI requests with a missing or understated Content-Length header could
bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading
HttpRequest.body, potentially loading an unbounded request body into
memory and causing service degradation.
This issue has severity “low” according to the Django security policy.
Bugfixes:
* Fixed a regression in Django 6.0 where alogin() and alogout() did not
respectively set or clear request.user if it had already been
materialized (e.g., by sync middleware) (#37017).
* Fixed a regression in Django 6.0 in admin forms where
RelatedFieldWidgetWrapper incorrectly wrapped all widgets in a
<fieldset> (#36949).
* Fixed a bug in Django 6.0 where the fields.E348 system check did not
detect name clashes between model managers and related_names for
non-self-referential relationships (#36973).
Release Notes:
https://docs.djangoproject.com/en/6.0/releases/6.0.4/
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
---
package/python-django/python-django.hash | 4 ++--
package/python-django/python-django.mk | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index dca77f02e2..6c317cf6e0 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,6 +1,6 @@
# md5, sha256 from https://pypi.org/pypi/django/json
-md5 0bb395b518e2f2f17e1a936deb7ba74c django-6.0.3.tar.gz
-sha256 90be765ee756af8a6cbd6693e56452404b5ad15294f4d5e40c0a55a0f4870fe1 django-6.0.3.tar.gz
+md5 9d429cbef8c8357a480d0b920dd9a956 django-6.0.4.tar.gz
+sha256 8cfa2572b3f2768b2e84983cf3c4811877a01edb64e817986ec5d60751c113ac django-6.0.4.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
sha256 be30dc0e3f7010af6c453d205feaece1f89494789b6e92f0c255ef597a1e6864 django/contrib/gis/measure.py
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 0cc68129ee..201eece164 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,9 +4,9 @@
#
################################################################################
-PYTHON_DJANGO_VERSION = 6.0.3
+PYTHON_DJANGO_VERSION = 6.0.4
PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/80/e1/894115c6bd70e2c8b66b0c40a3c367d83a5a48c034a4d904d31b62f7c53a
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/source/d/django
PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js), CC-BY-4.0 (admin svg files)
PYTHON_DJANGO_LICENSE_FILES = LICENSE \
django/contrib/gis/measure.py \
--
2.53.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/python-django: security bump to 6.0.4
2026-04-22 21:54 [Buildroot] [PATCH] package/python-django: security bump to 6.0.4 Marcus Hoffmann via buildroot
@ 2026-04-23 19:10 ` Julien Olivain via buildroot
2026-05-04 14:48 ` Thomas Perale via buildroot
1 sibling, 0 replies; 3+ messages in thread
From: Julien Olivain via buildroot @ 2026-04-23 19:10 UTC (permalink / raw)
To: Marcus Hoffmann
Cc: buildroot, James Hilliard, Manuel Diener, Oli Vogt,
Marcus Hoffmann
On 22/04/2026 23:54, Marcus Hoffmann via buildroot wrote:
> Django 6.0.4 fixes one security issue with severity “moderate”, four
> security issues with severity “low”, and several bugs in 6.0.3.
>
> Security issues:
> * CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
> ASGIRequest normalizes header names following WSGI conventions,
> mapping
> hyphens to underscores. As a result, even in configurations where
> reverse proxies carefully strip security-sensitive headers named
> with
> hyphens, such a header could be spoofed by supplying a header named
> with
> underscores.
>
> Under WSGI, it is the responsibility of the server or proxy to
> avoid
> ambiguous mappings. (Django’s runserver was patched in CVE
> 2015-0219.)
> But under ASGI, there is not the same uniform expectation, even if
> many
> proxies protect against this under default configuration (including
> nginx via underscores_in_headers off;).
>
> Headers containing underscores are now ignored by ASGIRequest,
> matching
> the behavior of Daphne, the reference server for ASGI.
>
> This issue has severity “low” according to the Django security
> policy.
>
> * CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin¶
>
> Add permissions on inline model instances were not validated on
> submission of forged POST data in GenericInlineModelAdmin.
>
> This issue has severity “low” according to the Django security
> policy.
>
> * CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable¶
>
> Admin changelist forms using list_editable incorrectly allowed new
> instances to be created via forged POST data.
>
> This issue has severity “low” according to the Django security
> policy.
>
> * CVE-2026-33033: Potential denial-of-service vulnerability in
> MultiPartParser via base64-encoded file upload¶
>
> When using django.http.multipartparser.MultiPartParser, multipart
> uploads with Content-Transfer-Encoding: base64 that include
> excessive
> whitespace may trigger repeated memory copying, potentially
> degrading
> performance.
>
> This issue has severity “moderate” according to the Django security
> policy.
>
> * CVE-2026-33034: Potential denial-of-service vulnerability in
> ASGI requests via memory upload limit bypass¶
>
> ASGI requests with a missing or understated Content-Length header
> could
> bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading
> HttpRequest.body, potentially loading an unbounded request body
> into
> memory and causing service degradation.
>
> This issue has severity “low” according to the Django security
> policy.
>
> Bugfixes:
> * Fixed a regression in Django 6.0 where alogin() and alogout() did not
> respectively set or clear request.user if it had already been
> materialized (e.g., by sync middleware) (#37017).
> * Fixed a regression in Django 6.0 in admin forms where
> RelatedFieldWidgetWrapper incorrectly wrapped all widgets in a
> <fieldset> (#36949).
> * Fixed a bug in Django 6.0 where the fields.E348 system check did not
> detect name clashes between model managers and related_names for
> non-self-referential relationships (#36973).
>
> Release Notes:
> https://docs.djangoproject.com/en/6.0/releases/6.0.4/
>
> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Applied to master, thanks.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/python-django: security bump to 6.0.4
2026-04-22 21:54 [Buildroot] [PATCH] package/python-django: security bump to 6.0.4 Marcus Hoffmann via buildroot
2026-04-23 19:10 ` Julien Olivain via buildroot
@ 2026-05-04 14:48 ` Thomas Perale via buildroot
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Perale via buildroot @ 2026-05-04 14:48 UTC (permalink / raw)
To: Marcus Hoffmann; +Cc: Thomas Perale, buildroot
In reply of:
> Django 6.0.4 fixes one security issue with severity “moderate”, four
> security issues with severity “low”, and several bugs in 6.0.3.
>
> Security issues:
> * CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
> ASGIRequest normalizes header names following WSGI conventions, mapping
> hyphens to underscores. As a result, even in configurations where
> reverse proxies carefully strip security-sensitive headers named with
> hyphens, such a header could be spoofed by supplying a header named with
> underscores.
>
> Under WSGI, it is the responsibility of the server or proxy to avoid
> ambiguous mappings. (Django’s runserver was patched in CVE 2015-0219.)
> But under ASGI, there is not the same uniform expectation, even if many
> proxies protect against this under default configuration (including
> nginx via underscores_in_headers off;).
>
> Headers containing underscores are now ignored by ASGIRequest, matching
> the behavior of Daphne, the reference server for ASGI.
>
> This issue has severity “low” according to the Django security policy.
>
> * CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin¶
>
> Add permissions on inline model instances were not validated on
> submission of forged POST data in GenericInlineModelAdmin.
>
> This issue has severity “low” according to the Django security policy.
>
> * CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable¶
>
> Admin changelist forms using list_editable incorrectly allowed new
> instances to be created via forged POST data.
>
> This issue has severity “low” according to the Django security policy.
>
> * CVE-2026-33033: Potential denial-of-service vulnerability in
> MultiPartParser via base64-encoded file upload¶
>
> When using django.http.multipartparser.MultiPartParser, multipart
> uploads with Content-Transfer-Encoding: base64 that include excessive
> whitespace may trigger repeated memory copying, potentially degrading
> performance.
>
> This issue has severity “moderate” according to the Django security policy.
>
> * CVE-2026-33034: Potential denial-of-service vulnerability in
> ASGI requests via memory upload limit bypass¶
>
> ASGI requests with a missing or understated Content-Length header could
> bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading
> HttpRequest.body, potentially loading an unbounded request body into
> memory and causing service degradation.
>
> This issue has severity “low” according to the Django security policy.
>
> Bugfixes:
> * Fixed a regression in Django 6.0 where alogin() and alogout() did not
> respectively set or clear request.user if it had already been
> materialized (e.g., by sync middleware) (#37017).
> * Fixed a regression in Django 6.0 in admin forms where
> RelatedFieldWidgetWrapper incorrectly wrapped all widgets in a
> <fieldset> (#36949).
> * Fixed a bug in Django 6.0 where the fields.E348 system check did not
> detect name clashes between model managers and related_names for
> non-self-referential relationships (#36973).
>
> Release Notes:
> https://docs.djangoproject.com/en/6.0/releases/6.0.4/
>
> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Applied to 2026.02.x. Thanks
> ---
> package/python-django/python-django.hash | 4 ++--
> package/python-django/python-django.mk | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
> index dca77f02e2..6c317cf6e0 100644
> --- a/package/python-django/python-django.hash
> +++ b/package/python-django/python-django.hash
> @@ -1,6 +1,6 @@
> # md5, sha256 from https://pypi.org/pypi/django/json
> -md5 0bb395b518e2f2f17e1a936deb7ba74c django-6.0.3.tar.gz
> -sha256 90be765ee756af8a6cbd6693e56452404b5ad15294f4d5e40c0a55a0f4870fe1 django-6.0.3.tar.gz
> +md5 9d429cbef8c8357a480d0b920dd9a956 django-6.0.4.tar.gz
> +sha256 8cfa2572b3f2768b2e84983cf3c4811877a01edb64e817986ec5d60751c113ac django-6.0.4.tar.gz
> # Locally computed sha256 checksums
> sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
> sha256 be30dc0e3f7010af6c453d205feaece1f89494789b6e92f0c255ef597a1e6864 django/contrib/gis/measure.py
> diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
> index 0cc68129ee..201eece164 100644
> --- a/package/python-django/python-django.mk
> +++ b/package/python-django/python-django.mk
> @@ -4,9 +4,9 @@
> #
> ################################################################################
>
> -PYTHON_DJANGO_VERSION = 6.0.3
> +PYTHON_DJANGO_VERSION = 6.0.4
> PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
> -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/80/e1/894115c6bd70e2c8b66b0c40a3c367d83a5a48c034a4d904d31b62f7c53a
> +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/source/d/django
> PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js), CC-BY-4.0 (admin svg files)
> PYTHON_DJANGO_LICENSE_FILES = LICENSE \
> django/contrib/gis/measure.py \
> --
> 2.53.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-04 14:48 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-22 21:54 [Buildroot] [PATCH] package/python-django: security bump to 6.0.4 Marcus Hoffmann via buildroot
2026-04-23 19:10 ` Julien Olivain via buildroot
2026-05-04 14:48 ` Thomas Perale via buildroot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox