From 90cd6b3574b9425b0534e11a199331a0950b8856 Mon Sep 17 00:00:00 2001 From: Marcus Hoffmann Date: Wed, 7 Aug 2024 10:22:50 +0200 Subject: [PATCH] package/python-django: security bump to version 5.0.8 Django 5.0.7 fixes the following CVEs: * CVE-2024-38875: Potential denial-of-service vulnerability in django.utils.html.urlize() * CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords * CVE-2024-39330: Potential directory-traversal via Storage.save() * CVE-2024-39614: Potential denial-of-service vulnerability in get_supported_language_variant() Django 5.0.8 fixes the following CVEs: * CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat() * CVE-2024-41990: Potential denial-of-service vulnerability in django.utils.html.urlize() * CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget * CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list() Further release Notes: https://docs.djangoproject.com/en/5.0/releases/ Signed-off-by: Marcus Hoffmann Signed-off-by: Thomas Petazzoni (cherry picked from commit f777ce1fd6b9e0537593a70940dc23f4ca177054) Signed-off-by: Peter Korsgaard --- package/python-django/python-django.hash | 4 ++-- package/python-django/python-django.mk | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash index d5684a083c..a5a8c7426d 100644 --- a/package/python-django/python-django.hash +++ b/package/python-django/python-django.hash @@ -1,5 +1,5 @@ # md5, sha256 from https://pypi.org/pypi/django/json -md5 1009c48d70060cadb40000cc15a8058a Django-5.0.3.tar.gz -sha256 5fb37580dcf4a262f9258c1f4373819aacca906431f505e4688e37f3a99195df Django-5.0.3.tar.gz +md5 fb167eef987a98421cad62036868a1ca Django-5.0.8.tar.gz +sha256 ebe859c9da6fead9c9ee6dbfa4943b04f41342f4cea2c4d8c978ef0d10694f2b Django-5.0.8.tar.gz # Locally computed sha256 checksums sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk index 258ff9e0c1..2c5c20ee4d 100644 --- a/package/python-django/python-django.mk +++ b/package/python-django/python-django.mk @@ -4,10 +4,10 @@ # ################################################################################ -PYTHON_DJANGO_VERSION = 5.0.3 +PYTHON_DJANGO_VERSION = 5.0.8 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz # The official Django site has an unpractical URL -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/e1/b1/ac6a16aaf0049637b50afbcf06b8ec2fa5c6ce42d4ae6ba66bbaf4c3609a +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/79/1c/55733805bb735e26fee0430045efdb61df6fd704b6aebf2154875ef9e6a9 PYTHON_DJANGO_LICENSE = BSD-3-Clause PYTHON_DJANGO_LICENSE_FILES = LICENSE PYTHON_DJANGO_CPE_ID_VENDOR = djangoproject