Patch Detail
GET /api/1.1/patches/2229649/?format=api
{ "id": 2229649, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2229649/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260428151136.78922-1-titouan.christophe@mind.be/", "project": { "id": 27, "url": "http://patchwork.ozlabs.org/api/1.1/projects/27/?format=api", "name": "Buildroot development", "link_name": "buildroot", "list_id": "buildroot.buildroot.org", "list_email": "buildroot@buildroot.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260428151136.78922-1-titouan.christophe@mind.be>", "date": "2026-04-28T15:11:36", "name": "[for,2025.02.x] package/python-django: security bump to v5.2.13", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "4a37cfba5d20ea35865c60543710e615ce2c8c3d", "submitter": { "id": 90763, "url": "http://patchwork.ozlabs.org/api/1.1/people/90763/?format=api", "name": "Titouan Christophe", "email": "titouan.christophe@mind.be" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260428151136.78922-1-titouan.christophe@mind.be/mbox/", "series": [ { "id": 501875, "url": "http://patchwork.ozlabs.org/api/1.1/series/501875/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=501875", "date": "2026-04-28T15:11:36", "name": "[for,2025.02.x] package/python-django: security bump to v5.2.13", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/501875/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2229649/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2229649/checks/", "tags": {}, "headers": { "Return-Path": "<buildroot-bounces@buildroot.org>", "X-Original-To": [ "incoming-buildroot@patchwork.ozlabs.org", "buildroot@buildroot.org" ], "Delivered-To": [ "patchwork-incoming-buildroot@legolas.ozlabs.org", "buildroot@buildroot.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org 
header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=U4LMHGcb;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)" ], "Received": [ "from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4kRv5kQKz1yHv\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Wed, 29 Apr 2026 01:11:55 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 1CCAA410A7;\n\tTue, 28 Apr 2026 15:11:54 +0000 (UTC)", "from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id C20lRnaDfXUP; Tue, 28 Apr 2026 15:11:53 +0000 (UTC)", "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 2350B410AB;\n\tTue, 28 Apr 2026 15:11:53 +0000 (UTC)", "from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n by lists1.osuosl.org (Postfix) with ESMTP id 59B501B8\n for <buildroot@buildroot.org>; Tue, 28 Apr 2026 15:11:51 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id 4B479817FD\n for <buildroot@buildroot.org>; Tue, 28 Apr 2026 15:11:51 +0000 (UTC)", "from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id OXU9ZR5O5bmp for <buildroot@buildroot.org>;\n Tue, 28 Apr 2026 15:11:50 +0000 (UTC)", "from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com\n [IPv6:2a00:1450:4864:20::32f])\n by smtp1.osuosl.org (Postfix) with ESMTPS id D217E817EB\n for <buildroot@buildroot.org>; Tue, 28 Apr 
2026 15:11:49 +0000 (UTC)", "by mail-wm1-x32f.google.com with SMTP id\n 5b1f17b1804b1-488e1a8ac40so142455875e9.2\n for <buildroot@buildroot.org>; Tue, 28 Apr 2026 08:11:49 -0700 (PDT)", "from dragon.home ([2a02:a03f:73a7:c001:1291:d1ff:fe92:3b5a])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-48a774d7be0sm34046475e9.5.2026.04.28.08.11.46\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 28 Apr 2026 08:11:46 -0700 (PDT)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp4.osuosl.org 2350B410AB", "OpenDKIM Filter v2.11.0 smtp1.osuosl.org D217E817EB" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1777389113;\n\tbh=sTwQDAN5vbnPegOE+2RwdyovSC3Prj7UK4E5+coTBIc=;\n\th=To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:\n\t List-Help:List-Subscribe:From:Reply-To:Cc:From;\n\tb=U4LMHGcbCyCheyx/ACrnjQXA2VrdRmvBYyc+AO6kynl5DdLNYMU1Caxz3oAGmwr7y\n\t L3OBGrrAcPhnLTgAcKeEM18fmFYX1IFzs8L/PxV3KfkLjFuKGEmYkLHPPjHUm8acer\n\t vMZ85crt+7PwAqHVMkUKOsYwbW4M9qJDlo8VkFzV+opRSzt8SHedKyQw7q+sj3aKys\n\t nVH8ibVYBo+avl6+tRo9ReXIw4hf0XM8kdYAAXOOR/DYm047xTXQrpbzhgURnV7QEn\n\t FaDJfaEdG9bo04rLOMh/sIoFL3BNebDDFfz9zk0dwKaidB3kq7KTNUUEPHoEpFOmIO\n\t fLxxoUV12nIlw==", "Received-SPF": "Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::32f; helo=mail-wm1-x32f.google.com;\n envelope-from=titouan.christophe@essensium.com; receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp1.osuosl.org D217E817EB", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777389107; x=1777993907;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n 
:message-id:reply-to;\n bh=X1fB4hDkT+k4yBrwHwQ+3eEBxA6pYrM516a87OTLa8E=;\n b=hpD+NWh8kvXpI0cFQifb49Vrdt256J2ONiEkiQCiuf3VyMCe8M2dy4PlnYEfug/dKa\n lz439CePc7Jb7m+w1a/AN9/DcsWm7KPWcrwEDv02p2Sf7NfoGoyBXSCgAxYAd2QutQ4l\n vcRQKc5K33W62Lv8b1jbn6E0ohKiVAB/OjlfQ2QekOo7o06QnhI9BKwHtuNMHHi/o4tG\n X8GqVeOZVVyPcoIvMNne16479WQcIWkZuLhYM3w83TBTrbcfRbyQYFIrNgxJ38QC1D9m\n 9fJidfBhsqdx7l6r9ynYctgHXFuuzHpvW+ae0j4eyHx2pVsCc1On4L5xP53F30HbZbhC\n V9Uw==", "X-Gm-Message-State": "AOJu0Yx/KZhiiwdAJwIJ6kPyelF7RQCw+2nlTi8lrETw2uZCwdFguFYG\n tvB87+cBVjtcz4Qa+3H78zH/sGbK4eVuVsA62GB9HCLSqgVc2J1/JRMMFgGZwz2h7p8dkWDDCpF\n ja3kCNeM=", "X-Gm-Gg": "AeBDieubM9JcN2IRfw+E/Czh8lUw45oFHmBx9aDWYg0tpEHRVHXsNAGLFrly7Y+b5La\n +7bcVs6k/uPVQBlGn/ltA+JaMdbyOcwP5SHjGZKRJDK3hrNnaQwnoJcajJ0bYAZyc6G3mduoq1P\n YknSzRQwRvo5KY6ppazQ0oc6q6Fml1NU9FFPXvwf0D4iiTJXhEdcqzdGZvpS/kxG0qasu7UROEf\n mr66d8GDJqPZ0YtKKVHl7O/1kSmFZAh53oHXvBi3bPy8YLqz3Ab2AlENmqhVO3I1qSqaLWwB8SF\n KnwKnA5f1zFdhTWYVnnPyJfMuc9ES7Vf396OdQmdND+PCMa2FsdDfXqsvW9T+nfK7UBKrk8Brbt\n DkmYE4wMfC2Aq4giau2dsvo43q7Y+kSR2I/FYHmcxT3dELgfdteXuWzsIbIQDjMKConu1baSax8\n 7HCjJKVaTgmfZQYcdR6Bg+emE4d8E9FkFrgjlUj55RM7VcK9Y=", "X-Received": "by 2002:a05:600c:4745:b0:488:9bf8:7f17 with SMTP id\n 5b1f17b1804b1-48a77b054d8mr50329745e9.14.1777389107225;\n Tue, 28 Apr 2026 08:11:47 -0700 (PDT)", "To": "buildroot@buildroot.org", "Date": "Tue, 28 Apr 2026 17:11:36 +0200", "Message-ID": "<20260428151136.78922-1-titouan.christophe@mind.be>", "X-Mailer": "git-send-email 2.53.0", "MIME-Version": "1.0", "X-Mailman-Original-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1777389107; x=1777993907; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=X1fB4hDkT+k4yBrwHwQ+3eEBxA6pYrM516a87OTLa8E=;\n b=CsRBFvnlLUOKIpwKhxzOcFN96db1KjKQIfL1a/ga5doMuovDWG05eZ1AUQKoXJUlsg\n PJV3ClUbYi03LonaU7ZSGHKqZNqcSxFlBFTBfrlKZnZgD77BGcNjYGMmK86BvZ4mUSIN\n 
k6OEUAz1vP57AHEY03cz22PSn2l72wtIrFWHLhBR1F+dQQoOPniGeEin8+hnx92ZkjLe\n aE96jN5Ch4+YvBNY1aHwb2xnd5QaB69AkO+nE6dl4nZ4QTmpR8hEgPBrOvJ4rWXDknOF\n 7I0s0Z0hYSJqXSb0cBXs6ha0VdwPpwX/eAQ8YOq0D430OJWbdldMSlYJIvJQHxLMzoiW\n PMJA==", "X-Mailman-Original-Authentication-Results": [ "smtp1.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be", "smtp1.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=mind.be header.i=@mind.be header.a=rsa-sha256\n header.s=google header.b=CsRBFvnl" ], "Subject": "[Buildroot] [PATCH for 2025.02.x] package/python-django: security\n bump to v5.2.13", "X-BeenThere": "buildroot@buildroot.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "Discussion and development of buildroot <buildroot.buildroot.org>", "List-Unsubscribe": "<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>", "List-Archive": "<http://lists.buildroot.org/pipermail/buildroot/>", "List-Post": "<mailto:buildroot@buildroot.org>", "List-Help": "<mailto:buildroot-request@buildroot.org?subject=help>", "List-Subscribe": "<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>", "From": "Titouan Christophe via buildroot <buildroot@buildroot.org>", "Reply-To": "Titouan Christophe <titouan.christophe@mind.be>", "Cc": "Manuel Diener <manuel.diener@oss.othermo.de>,\n Oli Vogt <oli.vogt.pub01@gmail.com>,\n James Hilliard <james.hilliard1@gmail.com>, thomas.perale@mind.be,\n Marcus Hoffmann <bubu@bubu1.eu>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "buildroot-bounces@buildroot.org", "Sender": "\"buildroot\" <buildroot-bounces@buildroot.org>" }, "content": "See the release notes:\nhttps://docs.djangoproject.com/en/5.2/releases/5.2.13/\n\nIn addition, update the pypi url to a stable one, which shouldn't change\nin each and every release (similar to the url change 
in commit\nhttps://gitlab.com/buildroot.org/buildroot/-/commit/60ce218196281d76606849037986b275c4619ae9)\n\nFinally, one hash file has changed because of upstream commit\nhttps://github.com/django/django/commit/0ee44c674cf61efbca2056c40f3e4f2335aaeee6\n\nDjango 5.2.13 fixes one security issue with severity \"moderate\",\nand four security issues with severity \"low\":\n- CVE-2026-3902:\n An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and\n 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof\n headers by exploiting an ambiguous mapping of two header variants\n (with hyphens or with underscores) to a single version with\n underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x,\n and 3.2.x) were not evaluated and may also be affected. Django would\n like to thank Tarek Nakkouch for reporting this issue.\n https://www.cve.org/CVERecord?id=CVE-2026-3902\n\n- CVE-2026-4277:\n An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and\n 4.2 before 4.2.30. Add permissions on inline model instances were not\n validated on submission of forged `POST` data in\n `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as\n 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\n Django would like to thank N05ec@LZU-DSLab for reporting this issue.\n https://www.cve.org/CVERecord?id=CVE-2026-4277\n\n- CVE-2026-4292:\n An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and\n 4.2 before 4.2.30. Admin changelist forms using\n `ModelAdmin.list_editable` incorrectly allowed new instances to be\n created via forged `POST` data. Earlier, unsupported Django series\n (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be\n affected. Django would like to thank Cantina for reporting this issue.\n https://www.cve.org/CVERecord?id=CVE-2026-4292\n\n- CVE-2026-33033:\n An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and\n 4.2 before 4.2.30. 
`MultiPartParser` allows remote attackers to\n degrade performance by submitting multipart uploads with `Content-\n Transfer-Encoding: base64` including excessive whitespace. Earlier,\n unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not\n evaluated and may also be affected. Django would like to thank\n Seokchan Yoon for reporting this issue.\n https://www.cve.org/CVERecord?id=CVE-2026-33033\n\n- CVE-2026-33034:\n An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and\n 4.2 before 4.2.30. ASGI requests with a missing or understated\n `Content-Length` header could bypass the\n `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`,\n allowing remote attackers to load an unbounded request body into\n memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and\n 3.2.x) were not evaluated and may also be affected. Django would like\n to thank Superior for reporting this issue.\n https://www.cve.org/CVERecord?id=CVE-2026-33034\n\nSigned-off-by: Titouan Christophe <titouan.christophe@mind.be>\n---\n package/python-django/python-django.hash | 6 +++---\n package/python-django/python-django.mk | 4 ++--\n 2 files changed, 5 insertions(+), 5 deletions(-)", "diff": "diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash\nindex b1859b0647..a7bf2aed8b 100644\n--- a/package/python-django/python-django.hash\n+++ b/package/python-django/python-django.hash\n@@ -1,9 +1,9 @@\n # md5, sha256 from https://pypi.org/pypi/django/json\n-md5 9b60bb1145abcc97d276694f3f82a3b8 django-5.2.12.tar.gz\n-sha256 6b809af7165c73eff5ce1c87fdae75d4da6520d6667f86401ecf55b681eb1eeb django-5.2.12.tar.gz\n+md5 4af55cc09a3d1a828259ad0c05330e6b django-5.2.13.tar.gz\n+sha256 a31589db5188d074c63f0945c3888fad104627dfcc236fb2b97f71f89da33bc4 django-5.2.13.tar.gz\n # Locally computed sha256 checksums\n sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE\n-sha256 
dcac1c86cb7ab491702bdb4c41be680fafde51536748cc8aaee3840eec53ed17 django/contrib/gis/measure.py\n+sha256 a6fa72074c31928128aaa18162204507938b7a9a8b819bd833fa82467441800d django/contrib/gis/measure.py\n sha256 570a045a8372b6cd6a00e30ebafe8e3e8dfc0a7fe3d4ef2cc5f16d419eb63aeb django/contrib/gis/gdal/LICENSE\n sha256 08bf24b7551238ae325295245425b1caeb9ad0f42f9e2d303c7b353502632045 django/contrib/gis/geos/LICENSE\n sha256 d48633adb736dac091477ec2206feebeee88e3e6e486aedb21c584e4b49be0ec django/contrib/admin/static/admin/js/inlines.js\ndiff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk\nindex 52d0a2b740..a478c95f95 100644\n--- a/package/python-django/python-django.mk\n+++ b/package/python-django/python-django.mk\n@@ -4,10 +4,10 @@\n #\n ################################################################################\n \n-PYTHON_DJANGO_VERSION = 5.2.12\n+PYTHON_DJANGO_VERSION = 5.2.13\n PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz\n # The official Django site has an unpractical URL\n-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/bd/55/b9445fc0695b03746f355c05b2eecc54c34e05198c686f4fc4406b722b52\n+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/source/d/django\n PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js)\n PYTHON_DJANGO_LICENSE_FILES = LICENSE \\\n \tdjango/contrib/gis/measure.py \\\n", "prefixes": [ "for", "2025.02.x" ] }
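Review bot: The new sha256 for `django/contrib/gis/measure.py` in the `python-django.hash` hunk is a license-file hash, and the description links the upstream commit that caused it without saying whether the licensing text in that file changed. That file is listed in `PYTHON_DJANGO_LICENSE_FILES`, so the hash exists to catch license changes. If only code changed, the commit message should say so, for example `The license terms in django/contrib/gis/measure.py are unchanged; only code in the file was modified.` The tarball's sha256 line is kept, which matters because the new name-based `PYTHON_DJANGO_SITE` path in the `.mk` hunk no longer identifies one specific file, leaving the `.hash` entry as the only pin on the downloaded content.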