From 310d70cb08b5443934defb51fed05abf4b48ab42 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Thu, 19 Dec 2024 09:44:32 +0100 Subject: [PATCH] package/python-django: security bump to version 5.0.10 Fixes the following security issues: CVE-2024-53907: Potential denial-of-service in django.utils.html.strip_tags() The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle is subject to SQL injection if untrusted data is used as a lhs value. Applications that use the jsonfield.has_key lookup through the __ syntax are unaffected. https://www.djangoproject.com/weblog/2024/dec/04/security-releases/ Signed-off-by: Peter Korsgaard --- package/python-django/python-django.hash | 4 ++-- package/python-django/python-django.mk | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash index 413745e133..463ca4d4f7 100644 --- a/package/python-django/python-django.hash +++ b/package/python-django/python-django.hash @@ -1,5 +1,5 @@ # md5, sha256 from https://pypi.org/pypi/django/json -md5 8669004de8eb7f1a558400f9103c0001 Django-5.0.9.tar.gz -sha256 6333870d342329b60174da3a60dbd302e533f3b0bb0971516750e974a99b5a39 Django-5.0.9.tar.gz +md5 9e539af55750660a1095775fac910d1a Django-5.0.10.tar.gz +sha256 0f6cbc56cc298b0451d20a5120c6a8731e9073330fb5d84295c23c151a1eb300 Django-5.0.10.tar.gz # Locally computed sha256 checksums sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk index 8232a90026..7c64c65d00 100644 --- a/package/python-django/python-django.mk +++ b/package/python-django/python-django.mk @@ -4,10 +4,10 @@ # ################################################################################ -PYTHON_DJANGO_VERSION = 5.0.9 +PYTHON_DJANGO_VERSION = 5.0.10 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz # The official Django site has an unpractical URL -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/fa/7b/176ce335cba42342b8f20efbdd5eb27067a0b34ee2203e051b34bedca0d9 +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/a8/52/06fedfe94a2610e2ea94ba3786c5475088e1e422b31c0ecd5b4c2ae6a561 PYTHON_DJANGO_LICENSE = BSD-3-Clause PYTHON_DJANGO_LICENSE_FILES = LICENSE PYTHON_DJANGO_CPE_ID_VENDOR = djangoproject