Re: [Buildroot] [PATCH] package/python-django: security bump to 5.2.1

From: Peter Korsgaard <peter@korsgaard.com>
To: Marcus Hoffmann via buildroot <buildroot@buildroot.org>
Cc: Marcus Hoffmann <buildroot@bubu1.eu>,
	 James Hilliard <james.hilliard1@gmail.com>,
	 Oli Vogt <oli.vogt.pub01@gmail.com>
Subject: Re: [Buildroot] [PATCH] package/python-django: security bump to 5.2.1
Date: Tue, 13 May 2025 19:01:25 +0200	[thread overview]
Message-ID: <87msbgtpga.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <20250512191216.234165-1-buildroot@bubu1.eu> (Marcus Hoffmann via buildroot's message of "Mon, 12 May 2025 21:12:15 +0200")

>>>>> "Marcus" == Marcus Hoffmann via buildroot <buildroot@buildroot.org> writes:

 > Fixes CVE-2025-32873 [1].
 > Django 5.2.1. also updates setuptools[2], so we can remove the --skip-dependency-check
 > flag and need to update the package archive capitalization accordingly.

 > [1] https://www.djangoproject.com/weblog/2025/may/07/security-releases/
 > [2] https://github.com/django/django/commit/3ae049b26b995c650c41ef918d5f60beed52b4ba

 > Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>

For a security fix we would prefer to instead bump to 5.1.9 for easy
backporting to the 2025.02.x branch. If needed, a later patch can then
bump to the 5.2.x series.

Care to send such patch(es)?

> ---
 >  package/python-django/python-django.hash | 4 ++--
 >  package/python-django/python-django.mk   | 7 +++----
 >  2 files changed, 5 insertions(+), 6 deletions(-)

 > diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
 > index 1e197004d0..836307f6b8 100644
 > --- a/package/python-django/python-django.hash
 > +++ b/package/python-django/python-django.hash
 > @@ -1,5 +1,5 @@
 >  # md5, sha256 from https://pypi.org/pypi/django/json
 > -md5  80247a8b48cdac55e5ad3fb682ab71a3  Django-5.1.8.tar.gz
 > -sha256  42e92a1dd2810072bcc40a39a212b693f94406d0ba0749e68eb642f31dc770b4  Django-5.1.8.tar.gz
 > +md5  317174c6e0593c40e58ec1bd428b1091  django-5.2.1.tar.gz
 > +sha256  57fe1f1b59462caed092c80b3dd324fd92161b620d59a9ba9181c34746c97284  django-5.2.1.tar.gz
 >  # Locally computed sha256 checksums
 >  sha256  b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
 > diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
 > index b64d8e4cd1..62c8a00313 100644
 > --- a/package/python-django/python-django.mk
 > +++ b/package/python-django/python-django.mk
 > @@ -4,15 +4,14 @@
 >  #
 >  ################################################################################

 > -PYTHON_DJANGO_VERSION = 5.1.8
 > -PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
 > +PYTHON_DJANGO_VERSION = 5.2.1
 > +PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
 >  # The official Django site has an unpractical URL
 > -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/00/40/45adc1b93435d1b418654a734b68351bb6ce0a0e5e37b2f0e9aeb1a2e233
 > +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/ac/10/0d546258772b8f31398e67c85e52c66ebc2b13a647193c3eef8ee433f1a8
 >  PYTHON_DJANGO_LICENSE = BSD-3-Clause
 >  PYTHON_DJANGO_LICENSE_FILES = LICENSE
 >  PYTHON_DJANGO_CPE_ID_VENDOR = djangoproject
 >  PYTHON_DJANGO_CPE_ID_PRODUCT = django
 >  PYTHON_DJANGO_SETUP_TYPE = setuptools
 > -PYTHON_DJANGO_BUILD_OPTS = --skip-dependency-check

 >  $(eval $(python-package))
 > -- 

 > 2.43.0

 > _______________________________________________
 > buildroot mailing list
 > buildroot@buildroot.org
 > https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot