From 2fbfb5271e3e7b93fa57ef13de14e54e265e9136 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Wed, 16 Feb 2022 21:54:00 +0100 Subject: [PATCH] package/python-django: security bump to version 3.2.12 Fixes the following security issues: - CVE-2022-22818: Possible XSS via {% debug %} template tag The {% debug %} template tag didn't properly encode the current context, posing an XSS attack vector. In order to avoid this vulnerability, {% debug %} no longer outputs information when the DEBUG setting is False, and it ensures all context variables are correctly escaped when the DEBUG setting is True. - CVE-2022-23833: Denial-of-service possibility in file uploads Passing certain inputs to multipart forms could result in an infinite loop when parsing files. Signed-off-by: Peter Korsgaard --- package/python-django/python-django.hash | 4 ++-- package/python-django/python-django.mk | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash index 89bc5ffb19..a54c22a101 100644 --- a/package/python-django/python-django.hash +++ b/package/python-django/python-django.hash @@ -1,5 +1,5 @@ # md5, sha256 from https://pypi.org/pypi/django/json -md5 6c4a53d2ccb464bc3dd772c6f2f07df9 Django-3.2.11.tar.gz -sha256 69c94abe5d6b1b088bf475e09b7b74403f943e34da107e798465d2045da27e75 Django-3.2.11.tar.gz +md5 1847b2f286930a9d84e820a757e3a7ec Django-3.2.12.tar.gz +sha256 9772e6935703e59e993960832d66a614cf0233a1c5123bc6224ecc6ad69e41e2 Django-3.2.12.tar.gz # Locally computed sha256 checksums sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk index 25a645823b..676aa780c3 100644 --- a/package/python-django/python-django.mk +++ b/package/python-django/python-django.mk @@ -4,10 +4,10 @@ # ################################################################################ -PYTHON_DJANGO_VERSION = 3.2.11 +PYTHON_DJANGO_VERSION = 3.2.12 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz # The official Django site has an unpractical URL -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/20/86/e4348aac45bc83fc8e9dda2cfd81004b007c65b68c1499a4233acabdaa3b +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/83/d9/7f28811ff78ce1903dc9a32ac439e4e6c98298cd2e99cb01f528e51dd796 PYTHON_DJANGO_LICENSE = BSD-3-Clause PYTHON_DJANGO_LICENSE_FILES = LICENSE