From: Peter Korsgaard <peter@korsgaard.com>
To: Marcus Hoffmann via buildroot <buildroot@buildroot.org>
Cc: Marcus Hoffmann <buildroot@bubu1.eu>,
James Hilliard <james.hilliard1@gmail.com>,
Manuel Diener <manuel.diener@oss.othermo.de>,
Oli Vogt <oli.vogt.pub01@gmail.com>,
Marcus Hoffmann <bubu@bubu1.eu>
Subject: Re: [Buildroot] [PATCH] package/python-django: security bump to 6.0.5
Date: Wed, 06 May 2026 19:21:07 +0200
Message-ID: <873404qwsc.fsf@dell.be.48ers.dk>
In-Reply-To: <20260506121800.507252-1-buildroot@bubu1.eu> (Marcus Hoffmann via buildroot's message of "Wed, 6 May 2026 14:17:58 +0200")
>>>>> "Marcus" == Marcus Hoffmann via buildroot <buildroot@buildroot.org> writes:
> Django 6.0.5 fixes three security issues with severity “low” and several bugs in 6.0.4.
> Security Fixes:
> * CVE-2026-5766: Potential denial-of-service vulnerability in ASGI
> requests via file upload limit bypass
> ASGI requests with a missing or understated Content-Length header could
> bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large
> files into memory and causing service degradation.
> As a reminder, Django expects a limit to be configured at the web server
> level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.
> This issue has severity “low” according to the Django security policy.
> * CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
> Response headers did not vary on cookies if a session was not modified,
> but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a
> user’s session after that user visits a cached public page.
> This issue has severity “low” according to the Django security policy.
> * CVE-2026-6907: Potential exposure of private data due to incorrect
> handling of Vary: * in UpdateCacheMiddleware
> Previously, UpdateCacheMiddleware would erroneously cache requests where
> the Vary header contained an asterisk ('*'). This could lead to private
> data being stored and served.
> This issue has severity “low” according to the Django security policy.
> Bugfixes:
> * Fixed a misplaced </div> in the
> django/contrib/admin/templates/admin/change_list.html template added
> in Django 6.0 that could be problematic when overriding the pagination
> block (#37029).
> * Fixed a bug in Django 6.0 where deprecation warnings incorrectly
> skipped lines from third-party packages prefixed with “django”
> (#37067).
> Release notes: https://docs.djangoproject.com/en/6.0/releases/6.0.5/
> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
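Added illustrative example (not Django's code and not the patch above): a body reader that enforces the in-memory upload limit on the bytes actually received rather than on the declared Content-Length, which is the property the CVE-2026-5766 bypass via a missing or understated header relies on being absent. `read_body`, `declared_length` and the 1024-byte limit are constructed for this example; Django's real setting of the same name defaults to a much larger value.

```python
import tempfile
from typing import Iterable, Optional, Tuple

# Constructed limit for the example (Django's real default is much larger).
FILE_UPLOAD_MAX_MEMORY_SIZE = 1024


def declared_length(headers: dict) -> Optional[int]:
    """Return Content-Length as an int if present and well formed, else None."""
    raw = headers.get("content-length")
    try:
        value = int(raw) if raw is not None else None
    except ValueError:
        return None
    return value if value is None or value >= 0 else None


def read_body(headers: dict, chunks: Iterable[bytes],
              max_memory: int = FILE_UPLOAD_MAX_MEMORY_SIZE) -> Tuple[str, int]:
    """Consume the body; return ("memory", n) or ("disk", n) for n bytes read.

    A naive reader picks a disk-backed buffer only when the declared
    Content-Length exceeds max_memory, so a missing or understated header
    keeps an arbitrarily large body in RAM. Here the choice is re-evaluated
    on every chunk from the running byte count, and a body that overruns
    its own declaration is rejected outright.
    """
    expected = declared_length(headers)
    buf = bytearray()
    spool = None
    received = 0
    try:
        for chunk in chunks:
            received += len(chunk)
            if expected is not None and received > expected:
                raise ValueError("body exceeds declared Content-Length")
            if spool is None and received > max_memory:
                # Threshold crossed: move the buffer to disk and stop
                # accumulating in memory, whatever the header claimed.
                spool = tempfile.TemporaryFile()
                spool.write(buf)
                buf = bytearray()
            if spool is None:
                buf.extend(chunk)
            else:
                spool.write(chunk)
        return ("disk" if spool is not None else "memory", received)
    finally:
        if spool is not None:
            spool.close()
```

The web-server-level limit the commit message recommends still applies in front of this; the point here is only that the application-side cap must not be derived from a client-controlled header.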