From acf885f9f7147ad24e398487e5e2ddf5ae7746e5 Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Tue, 19 Jul 2022 00:11:02 +0200 Subject: [PATCH] package/python-django: security bump to version 4.0.6 Fix CVE-2022-34265: An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. https://www.djangoproject.com/weblog/2022/jul/04/security-releases Signed-off-by: Fabrice Fontaine Signed-off-by: Arnout Vandecappelle (Essensium/Mind) (cherry picked from commit 3e4f6e1b205a8e3ebb3c82ac704627618a8400a3) Signed-off-by: Peter Korsgaard --- package/python-django/python-django.hash | 4 ++-- package/python-django/python-django.mk | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash index 8d9f0aafdb..bfc9219c7e 100644 --- a/package/python-django/python-django.hash +++ b/package/python-django/python-django.hash @@ -1,5 +1,5 @@ # md5, sha256 from https://pypi.org/pypi/django/json -md5 153fcb5dd7360b7ad219d65cb53e2d57 Django-4.0.4.tar.gz -sha256 4e8177858524417563cc0430f29ea249946d831eacb0068a1455686587df40b5 Django-4.0.4.tar.gz +md5 ad4e850c7110a45a6c7778d5bd01b85e Django-4.0.6.tar.gz +sha256 a67a793ff6827fd373555537dca0da293a63a316fe34cb7f367f898ccca3c3ae Django-4.0.6.tar.gz # Locally computed sha256 checksums sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk index b4d6ec21c9..d49c845d54 100644 --- a/package/python-django/python-django.mk +++ b/package/python-django/python-django.mk @@ -4,10 +4,10 @@ # ################################################################################ -PYTHON_DJANGO_VERSION = 4.0.4 +PYTHON_DJANGO_VERSION = 4.0.6 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz # The official Django site has an unpractical URL -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/d2/95/93d1f75da95624bf89e373d079fa72debf77f9b10acc31998cc52a5ff3f9 +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/a4/17/b10aa26d7a566a3c19e9d29fac39c8643cbceb6cd7649a378d676839b5db PYTHON_DJANGO_LICENSE = BSD-3-Clause PYTHON_DJANGO_LICENSE_FILES = LICENSE