From c47ac4aa466de8e8b6ffc592f5fffbef4c8b73e7 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Thu, 14 Apr 2022 23:59:14 +0200 Subject: [PATCH] package/python-django: security bump to version 4.0.4 Fixes the following security issues: CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra() QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods. CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL QuerySet.explain() method was subject to SQL injection in option names, using a suitably crafted dictionary, with dictionary expansion, as the **options argument. For more details, see the advisory: https://www.djangoproject.com/weblog/2022/apr/11/security-releases/ Signed-off-by: Peter Korsgaard (cherry picked from commit 87b8676fbfe57253696864cc3bf20e85852b9c8b) Signed-off-by: Peter Korsgaard --- package/python-django/python-django.hash | 4 ++-- package/python-django/python-django.mk | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash index f78df56c5f..8d9f0aafdb 100644 --- a/package/python-django/python-django.hash +++ b/package/python-django/python-django.hash @@ -1,5 +1,5 @@ # md5, sha256 from https://pypi.org/pypi/django/json -md5 a86339c0e87241597afa8744704d9965 Django-4.0.2.tar.gz -sha256 110fb58fb12eca59e072ad59fc42d771cd642dd7a2f2416582aa9da7a8ef954a Django-4.0.2.tar.gz +md5 153fcb5dd7360b7ad219d65cb53e2d57 Django-4.0.4.tar.gz +sha256 4e8177858524417563cc0430f29ea249946d831eacb0068a1455686587df40b5 Django-4.0.4.tar.gz # Locally computed sha256 checksums sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk index 652ca477ce..b4d6ec21c9 100644 --- a/package/python-django/python-django.mk +++ b/package/python-django/python-django.mk @@ -4,10 +4,10 @@ # ################################################################################ -PYTHON_DJANGO_VERSION = 4.0.2 +PYTHON_DJANGO_VERSION = 4.0.4 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz # The official Django site has an unpractical URL -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/61/84/676c840e8f1188a6c836e3224b97aa8be4c2e6857c690d6c564eb23a4975 +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/d2/95/93d1f75da95624bf89e373d079fa72debf77f9b10acc31998cc52a5ff3f9 PYTHON_DJANGO_LICENSE = BSD-3-Clause PYTHON_DJANGO_LICENSE_FILES = LICENSE