* [Buildroot] [PATCH] package/python-django: security bump to 6.0.5
@ 2026-05-06 12:17 Marcus Hoffmann via buildroot
2026-05-06 17:21 ` Peter Korsgaard
2026-05-15 17:45 ` Thomas Perale via buildroot
0 siblings, 2 replies; 3+ messages in thread
From: Marcus Hoffmann via buildroot @ 2026-05-06 12:17 UTC (permalink / raw)
To: buildroot; +Cc: James Hilliard, Manuel Diener, Oli Vogt, Marcus Hoffmann
Django 6.0.5 fixes three security issues with severity “low” and several bugs in 6.0.4.

Security Fixes:
* CVE-2026-5766: Potential denial-of-service vulnerability in ASGI
requests via file upload limit bypass

ASGI requests with a missing or understated Content-Length header could
bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large
files into memory and causing service degradation.

As a reminder, Django expects a limit to be configured at the web server
level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.

This issue has severity “low” according to the Django security policy.

* CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST

Response headers did not vary on cookies if a session was not modified,
but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a
user’s session after that user visits a cached public page.

This issue has severity “low” according to the Django security policy.

* CVE-2026-6907: Potential exposure of private data due to incorrect
handling of Vary: * in UpdateCacheMiddleware

Previously, UpdateCacheMiddleware would erroneously cache requests where
the Vary header contained an asterisk ('*'). This could lead to private
data being stored and served.

This issue has severity “low” according to the Django security policy.

Bugfixes:
* Fixed a misplaced </div> in the
django/contrib/admin/templates/admin/change_list.html template added
in Django 6.0 that could be problematic when overriding the pagination
block (#37029).
* Fixed a bug in Django 6.0 where deprecation warnings incorrectly
skipped lines from third-party packages prefixed with “django”
(#37067).

Release notes: https://docs.djangoproject.com/en/6.0/releases/6.0.5/
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
---
package/python-django/python-django.hash | 4 ++--
package/python-django/python-django.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 6c317cf6e0..5af043f2c2 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,6 +1,6 @@
# md5, sha256 from https://pypi.org/pypi/django/json
-md5 9d429cbef8c8357a480d0b920dd9a956 django-6.0.4.tar.gz
-sha256 8cfa2572b3f2768b2e84983cf3c4811877a01edb64e817986ec5d60751c113ac django-6.0.4.tar.gz
+md5 44c18a8f264c1326e6fe4f1053fea5fc django-6.0.5.tar.gz
+sha256 bc6d6872e98a2864c836e42edd644b362db311147dd5aa8d5b82ba7a032f5269 django-6.0.5.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
sha256 be30dc0e3f7010af6c453d205feaece1f89494789b6e92f0c255ef597a1e6864 django/contrib/gis/measure.py
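Review bot: the two new `+md5` / `+sha256` values are, per the comment on the first line of the hunk, copied from the PyPI JSON rather than computed over the downloaded archive, so they only confirm that the tarball matches what PyPI advertises; please also verify the `+sha256 bc6d6872...` line against real bytes once (`sha256sum django-6.0.5.tar.gz` on a fresh download, or `make python-django-source` and let support/download/check-hash do the comparison), because after this lands that line is the only integrity anchor for every build that fetches the tarball. The md5 line is fine to keep for Buildroot convention but should not be read as the check. The unchanged `# Locally computed sha256 checksums` lines for LICENSE and django/contrib/gis/measure.py assert those two files are byte-identical in 6.0.5; `make python-django-legal-info` verifies that and is worth running on the bump.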
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 201eece164..fe88128e24 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,7 +4,7 @@
#
################################################################################
-PYTHON_DJANGO_VERSION = 6.0.4
+PYTHON_DJANGO_VERSION = 6.0.5
PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/source/d/django
PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js), CC-BY-4.0 (admin svg files)
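Review bot: the version line is the only change here, which is right for a patch release, but the commit message's own reminder about CVE-2026-5766 means this bump alone does not close that issue on a target: Django expects the request body limit to be enforced by the web server in front of it, and nothing in this package enforces one, so a sentence in the commit message saying that the ASGI server or reverse proxy in the image still needs its own limit would help anyone tracking CVE status per board. Note also that PYTHON_DJANGO_SOURCE and PYTHON_DJANGO_SITE derive from PYTHON_DJANGO_VERSION, so this one line changes the download URL and the build fails the hash check unless the .hash hunk lands with it; keeping both files in one commit, as done here, is the correct shape. PYTHON_DJANGO_LICENSE is unchanged, which is consistent with the unchanged license-file hashes.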
--
2.54.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
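The first item in the commit message above names the failure mode (a missing or understated Content-Length walks past FILE_UPLOAD_MAX_MEMORY_SIZE) without showing its shape in code. The following is an added example written for this page; it is not Django's or Buildroot's code and does not reproduce Django's actual fix. It models an ASGI request-body reader two ways: `read_body_trusting_header`, which decides the limit check once from the declared Content-Length, and `read_body_counting`, which counts bytes as the ASGI `receive()` messages arrive. The `receive()` callable, the chunk sizes, the 64 KiB limit and both function names are constructed for the demonstration.

```python
"""Model of the upload-limit bypass in the commit message (CVE-2026-5766).

Constructed example, not Django or Buildroot code. The point: a memory cap
on uploads must be enforced on bytes actually received from the ASGI
receive() channel, not decided once from the client-supplied Content-Length.
"""
import asyncio

# Django's documented default for FILE_UPLOAD_MAX_MEMORY_SIZE is 2.5 MiB;
# the scenarios below pass a much smaller limit so they run quickly.
FILE_UPLOAD_MAX_MEMORY_SIZE = 2_621_440


class RequestTooBig(Exception):
    """Raised when a request body exceeds the in-memory limit."""


def make_receive(chunks):
    """Return an ASGI-style receive() that replays the constructed body chunks
    as http.request messages, setting more_body while chunks remain."""
    queue = list(chunks)

    async def receive():
        body = queue.pop(0)
        return {"type": "http.request", "body": body, "more_body": bool(queue)}

    return receive


async def read_body_trusting_header(receive, content_length, limit):
    """Vulnerable shape (hypothetical): the only size check is against the
    declared Content-Length. None (header missing) or a small lie passes, and
    the loop then buffers whatever the client really streams."""
    if content_length is not None and content_length > limit:
        raise RequestTooBig(f"declared {content_length} > {limit}")
    buf = bytearray()
    while True:
        msg = await receive()
        buf += msg.get("body", b"")
        if not msg.get("more_body", False):
            return bytes(buf)


async def read_body_counting(receive, content_length, limit):
    """Hardened shape (hypothetical): keep the early rejection for an honest
    oversized declaration, but also count bytes as they arrive and abort
    before the buffer can grow past the limit, whatever the header said."""
    if content_length is not None and content_length > limit:
        raise RequestTooBig(f"declared {content_length} > {limit}")
    buf = bytearray()
    while True:
        msg = await receive()
        chunk = msg.get("body", b"")
        if len(buf) + len(chunk) > limit:
            raise RequestTooBig(f"received more than {limit} bytes")
        buf += chunk
        if not msg.get("more_body", False):
            return bytes(buf)


def simulate(reader, declared_length, actual_size, limit=64 * 1024, chunk=16 * 1024):
    """Drive one constructed upload through `reader`. `declared_length` is the
    Content-Length the client claims (None = header missing); `actual_size` is
    what it really streams. Returns ("ok", bytes_buffered) or ("rejected", None)."""
    data = b"A" * actual_size
    chunks = [data[i:i + chunk] for i in range(0, actual_size, chunk)] or [b""]
    try:
        body = asyncio.run(reader(make_receive(chunks), declared_length, limit))
    except RequestTooBig:
        return ("rejected", None)
    return ("ok", len(body))


if __name__ == "__main__":
    one_mib = 1024 * 1024
    for name, reader in (("trusting header", read_body_trusting_header),
                         ("counting bytes", read_body_counting)):
        print(name)
        print("  Content-Length understated (1024), 1 MiB sent:", simulate(reader, 1024, one_mib))
        print("  Content-Length missing, 1 MiB sent:           ", simulate(reader, None, one_mib))
        print("  honest 2 MiB declaration:                     ", simulate(reader, 2 * one_mib, 10))
```

With the 64 KiB limit, the header-trusting reader happily buffers a full 1 MiB when the client lies or omits the header, while the counting reader aborts on the first chunk that would push the buffer past the limit. Even the counting reader only stops the buffering, not the bandwidth, which is why the commit message points at the web server level as the primary limit (for example nginx's `client_max_body_size`, or the equivalent on whatever ASGI server a Buildroot image runs), with FILE_UPLOAD_MAX_MEMORY_SIZE as the second line.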
* Re: [Buildroot] [PATCH] package/python-django: security bump to 6.0.5
2026-05-06 12:17 [Buildroot] [PATCH] package/python-django: security bump to 6.0.5 Marcus Hoffmann via buildroot
@ 2026-05-06 17:21 ` Peter Korsgaard
2026-05-15 17:45 ` Thomas Perale via buildroot
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2026-05-06 17:21 UTC (permalink / raw)
To: Marcus Hoffmann via buildroot
Cc: Marcus Hoffmann, James Hilliard, Manuel Diener, Oli Vogt,
Marcus Hoffmann
>>>>> "Marcus" == Marcus Hoffmann via buildroot <buildroot@buildroot.org> writes:
> Django 6.0.5 fixes three security issues with severity “low” and several bugs in 6.0.4.
>
> Security Fixes:
> * CVE-2026-5766: Potential denial-of-service vulnerability in ASGI
> requests via file upload limit bypass
>
> ASGI requests with a missing or understated Content-Length header could
> bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large
> files into memory and causing service degradation.
>
> As a reminder, Django expects a limit to be configured at the web server
> level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.
>
> This issue has severity “low” according to the Django security policy.
>
> * CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
>
> Response headers did not vary on cookies if a session was not modified,
> but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a
> user’s session after that user visits a cached public page.
>
> This issue has severity “low” according to the Django security policy.
>
> * CVE-2026-6907: Potential exposure of private data due to incorrect
> handling of Vary: * in UpdateCacheMiddleware
>
> Previously, UpdateCacheMiddleware would erroneously cache requests where
> the Vary header contained an asterisk ('*'). This could lead to private
> data being stored and served.
>
> This issue has severity “low” according to the Django security policy.
>
> Bugfixes:
> * Fixed a misplaced </div> in the
> django/contrib/admin/templates/admin/change_list.html template added
> in Django 6.0 that could be problematic when overriding the pagination
> block (#37029).
> * Fixed a bug in Django 6.0 where deprecation warnings incorrectly
> skipped lines from third-party packages prefixed with “django”
> (#37067).
>
> Release notes: https://docs.djangoproject.com/en/6.0/releases/6.0.5/
>
> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Committed, thanks.
--
Bye, Peter Korsgaard
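The second and third items in the commit message quoted above are both about what a shared cache is allowed to store. Below is an added example written for this page; it is not Django's UpdateCacheMiddleware or session code. It models a shared cache with the two rules those fixes enforce: a response whose Vary header contains `*` is never stored, and a response that sets a cookie is stored only if it also varies on Cookie, so the entry is keyed to the request that produced it. The `strict=False` switch reproduces the risky behaviour the commit message describes, for comparison. The request and response dicts, the `sessionid` cookie values and the paths are constructed; `SharedCache`, `is_storable`, `vary_fields` and the scenario functions are names chosen for this example.

```python
"""Shared-cache storability rules behind the two cache fixes in the commit
message (CVE-2026-35192, CVE-2026-6907). Constructed example, not Django code.
strict=True: never store a response whose Vary contains '*', and store a
cookie-setting response only if it varies on Cookie. strict=False reproduces
the risky pre-fix behaviour for comparison.
"""


def _split(value):
    """Comma-separated header value -> lower-cased tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def vary_fields(response_headers):
    """Request header names the response varies on; None when Vary is '*',
    which RFC 9111 says can never be satisfied from a cache."""
    names = set(_split(_lower(response_headers).get("vary", "")))
    return None if "*" in names else names


def is_storable(response_headers, strict=True):
    """May a shared cache keep this response?"""
    h = _lower(response_headers)
    cc = set(_split(h.get("cache-control", "")))
    if "no-store" in cc or "private" in cc:
        return False
    if not strict:  # pre-fix shape: Vary and cookies are not examined
        return True
    vary = vary_fields(response_headers)
    if vary is None:  # Vary: *
        return False
    if "set-cookie" in h and "cookie" not in vary:
        return False  # would hand one user's Set-Cookie to the next visitor
    return True


class SharedCache:
    """Cache keyed on method, path and the request headers named in Vary."""

    def __init__(self, strict=True):
        self.strict = strict
        self._entries = {}  # (method, path) -> [(selected request headers, response)]

    def store(self, request, response):
        if not is_storable(response["headers"], self.strict):
            return False
        vary = vary_fields(response["headers"]) or set()  # lenient mode ignores '*'
        selected = {n: request["headers"].get(n, "") for n in vary}
        key = (request["method"], request["path"])
        self._entries.setdefault(key, []).append((selected, response))
        return True

    def lookup(self, request):
        key = (request["method"], request["path"])
        for selected, response in self._entries.get(key, []):
            if all(request["headers"].get(n, "") == v for n, v in selected.items()):
                return response
        return None


def _req(path, cookie=None):
    """Constructed GET request; header names lower-cased as in ASGI scopes."""
    headers = {"cookie": cookie} if cookie else {}
    return {"method": "GET", "path": path, "headers": headers}


def session_fixation_scenario(strict):
    """Alice loads a public page; the app re-saves her session on every request
    and emits Set-Cookie but no Vary: Cookie. Returns the Set-Cookie value the
    next visitor, Bob, gets from the cache, or None."""
    cache = SharedCache(strict)
    resp = {"headers": {"Set-Cookie": "sessionid=alice; Path=/",
                        "Cache-Control": "max-age=600"}, "body": b"public page"}
    cache.store(_req("/public", "sessionid=alice"), resp)
    hit = cache.lookup(_req("/public"))
    return hit["headers"]["Set-Cookie"] if hit else None


def vary_star_scenario(strict):
    """Per-user page answered with Vary: *. True if another user gets Alice's body."""
    cache = SharedCache(strict)
    resp = {"headers": {"Vary": "*", "Cache-Control": "max-age=600"}, "body": b"alice's orders"}
    cache.store(_req("/account", "sessionid=alice"), resp)
    return cache.lookup(_req("/account", "sessionid=mallory")) is not None


def vary_cookie_scenario():
    """Correct shape: Vary: Cookie keys the entry to Alice's cookie.
    Returns (stored, hit_for_alice, hit_for_bob)."""
    cache = SharedCache(strict=True)
    resp = {"headers": {"Vary": "Cookie", "Set-Cookie": "sessionid=alice; Path=/",
                        "Cache-Control": "max-age=600"}, "body": b"public page"}
    stored = cache.store(_req("/public", "sessionid=alice"), resp)
    return (stored, cache.lookup(_req("/public", "sessionid=alice")) is not None,
            cache.lookup(_req("/public")) is not None)


if __name__ == "__main__":
    for strict in (False, True):
        print(f"strict={strict}: Bob gets cookie {session_fixation_scenario(strict)!r},"
              f" private page leaked: {vary_star_scenario(strict)}")
    print("Vary: Cookie (stored, alice hit, bob hit):", vary_cookie_scenario())
```

In lenient mode Bob is handed Alice's `Set-Cookie` from the cache (the session fixation in the second item) and Mallory is served Alice's `Vary: *` page (the third item); in strict mode neither response is stored, and the `Vary: Cookie` case shows the correct outcome, where the entry is stored but only ever served back to the request carrying the same Cookie header. The `private`/`no-store` check in `is_storable` is the other half of the same rule: marking per-user responses private is what keeps them out of a shared cache regardless of Vary.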
* Re: [Buildroot] [PATCH] package/python-django: security bump to 6.0.5
2026-05-06 12:17 [Buildroot] [PATCH] package/python-django: security bump to 6.0.5 Marcus Hoffmann via buildroot
2026-05-06 17:21 ` Peter Korsgaard
@ 2026-05-15 17:45 ` Thomas Perale via buildroot
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Perale via buildroot @ 2026-05-15 17:45 UTC (permalink / raw)
To: Marcus Hoffmann; +Cc: Thomas Perale, buildroot
In reply to:
> Django 6.0.5 fixes three security issues with severity “low” and several bugs in 6.0.4.
>
> Security Fixes:
> * CVE-2026-5766: Potential denial-of-service vulnerability in ASGI
> requests via file upload limit bypass
>
> ASGI requests with a missing or understated Content-Length header could
> bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large
> files into memory and causing service degradation.
>
> As a reminder, Django expects a limit to be configured at the web server
> level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.
>
> This issue has severity “low” according to the Django security policy.
>
> * CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
> Response headers did not vary on cookies if a session was not modified,
> but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a
> user’s session after that user visits a cached public page.
>
> This issue has severity “low” according to the Django security policy.
>
> * CVE-2026-6907: Potential exposure of private data due to incorrect
> handling of Vary: * in UpdateCacheMiddleware
>
> Previously, UpdateCacheMiddleware would erroneously cache requests where
> the Vary header contained an asterisk ('*'). This could lead to private
> data being stored and served.
>
> This issue has severity “low” according to the Django security policy.
>
> Bugfixes:
> * Fixed a misplaced </div> in the
> django/contrib/admin/templates/admin/change_list.html template added
> in Django 6.0 that could be problematic when overriding the pagination
> block (#37029).
> * Fixed a bug in Django 6.0 where deprecation warnings incorrectly
> skipped lines from third-party packages prefixed with “django”
> (#37067).
>
> Release notes: https://docs.djangoproject.com/en/6.0/releases/6.0.5/
>
> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Applied to 2026.02.x. Thanks.
> ---
> package/python-django/python-django.hash | 4 ++--
> package/python-django/python-django.mk | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
> index 6c317cf6e0..5af043f2c2 100644
> --- a/package/python-django/python-django.hash
> +++ b/package/python-django/python-django.hash
> @@ -1,6 +1,6 @@
> # md5, sha256 from https://pypi.org/pypi/django/json
> -md5 9d429cbef8c8357a480d0b920dd9a956 django-6.0.4.tar.gz
> -sha256 8cfa2572b3f2768b2e84983cf3c4811877a01edb64e817986ec5d60751c113ac django-6.0.4.tar.gz
> +md5 44c18a8f264c1326e6fe4f1053fea5fc django-6.0.5.tar.gz
> +sha256 bc6d6872e98a2864c836e42edd644b362db311147dd5aa8d5b82ba7a032f5269 django-6.0.5.tar.gz
> # Locally computed sha256 checksums
> sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
> sha256 be30dc0e3f7010af6c453d205feaece1f89494789b6e92f0c255ef597a1e6864 django/contrib/gis/measure.py
> diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
> index 201eece164..fe88128e24 100644
> --- a/package/python-django/python-django.mk
> +++ b/package/python-django/python-django.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -PYTHON_DJANGO_VERSION = 6.0.4
> +PYTHON_DJANGO_VERSION = 6.0.5
> PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
> PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/source/d/django
> PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js), CC-BY-4.0 (admin svg files)
> --
> 2.54.0