GET /api/1.1/patches/2233415/?format=api
{ "id": 2233415, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2233415/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260506121800.507252-1-buildroot@bubu1.eu/", "project": { "id": 27, "url": "http://patchwork.ozlabs.org/api/1.1/projects/27/?format=api", "name": "Buildroot development", "link_name": "buildroot", "list_id": "buildroot.buildroot.org", "list_email": "buildroot@buildroot.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260506121800.507252-1-buildroot@bubu1.eu>", "date": "2026-05-06T12:17:58", "name": "package/python-django: security bump to 6.0.5", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "4bf2c01eeb5e6e72bdee8e85edc23b89d37c7eeb", "submitter": { "id": 87807, "url": "http://patchwork.ozlabs.org/api/1.1/people/87807/?format=api", "name": "Marcus Hoffmann", "email": "buildroot@bubu1.eu" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260506121800.507252-1-buildroot@bubu1.eu/mbox/", "series": [ { "id": 502976, "url": "http://patchwork.ozlabs.org/api/1.1/series/502976/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=502976", "date": "2026-05-06T12:17:58", "name": "package/python-django: security bump to 6.0.5", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/502976/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2233415/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2233415/checks/", "tags": {}, "headers": { "Return-Path": "<buildroot-bounces@buildroot.org>", "X-Original-To": [ "incoming-buildroot@patchwork.ozlabs.org", "buildroot@buildroot.org" ], "Delivered-To": [ "patchwork-incoming-buildroot@legolas.ozlabs.org", "buildroot@buildroot.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default 
header.b=RV+53kR+;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=140.211.166.138; helo=smtp1.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)" ], "Received": [ "from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g9ZCx0LGyz1y04\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Wed, 06 May 2026 22:18:20 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id E68BA80E07;\n\tWed, 6 May 2026 12:18:18 +0000 (UTC)", "from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id K1jSrbeWhh10; Wed, 6 May 2026 12:18:18 +0000 (UTC)", "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id F13CF81230;\n\tWed, 6 May 2026 12:18:17 +0000 (UTC)", "from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n by lists1.osuosl.org (Postfix) with ESMTP id EFBBE11B\n for <buildroot@buildroot.org>; Wed, 6 May 2026 12:18:16 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id D606140591\n for <buildroot@buildroot.org>; Wed, 6 May 2026 12:18:16 +0000 (UTC)", "from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id bwqyRRw_xxVW for <buildroot@buildroot.org>;\n Wed, 6 May 2026 12:18:16 +0000 (UTC)", "from smtp.bubu1.eu (smtp.bubu1.eu [176.9.145.28])\n by smtp2.osuosl.org (Postfix) with ESMTPS id DA8584058F\n for <buildroot@buildroot.org>; Wed, 6 May 2026 12:18:15 +0000 (UTC)", "from bubutux.fritz.box (unknown [212.37.174.96])\n (using TLSv1.3 with cipher 
TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519MLKEM768 server-signature RSA-PSS (4096 bits)\n server-digest\n SHA256) (No client certificate requested)\n by smtp.bubu1.eu (Postfix) with ESMTPSA id 213F02C84123;\n Wed, 06 May 2026 14:18:13 +0200 (CEST)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp1.osuosl.org F13CF81230", "OpenDKIM Filter v2.11.0 smtp2.osuosl.org DA8584058F" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1778069898;\n\tbh=GCLm3MAzZ/ODh+UsIVFwZMA/iC+xFzzqlvBvroyDD8s=;\n\th=To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:\n\t List-Help:List-Subscribe:From:Reply-To:Cc:From;\n\tb=RV+53kR+jPILJlxuH1SkSejrjpxFQWlXxcHueGRI9uVYbmx+hORRzlG6uX8VmyrUV\n\t mIotPUldQDWTKATVwaU4UK1XIG4l8uCmPgrGaCXY1G3UD/CBGJkqjj+tVRVCqaKwv6\n\t iIUR7b3x5QFIFVeEKecAExah8/NRzGuteLzzcHQ5WoSQ57Z5jStwtM81g8eHF2QBLH\n\t JACk43pQ73YQanm3red00aZu6ze+vzmIYNeQjXaxRUuW/vhbDvQTa5mapmtvRUe+Eq\n\t 2iRXB+nPwFIzhCYrmcNTbYje8VqSfY3IzbIo4GqObIOG9BhoiLwvhTxgserj9OW6Et\n\t j2uqWOQy+aqiw==", "Received-SPF": "Pass (mailfrom) identity=mailfrom; client-ip=176.9.145.28;\n helo=smtp.bubu1.eu; envelope-from=buildroot@bubu1.eu; receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp2.osuosl.org DA8584058F", "To": "buildroot@buildroot.org", "Date": "Wed, 6 May 2026 14:17:58 +0200", "Message-ID": "<20260506121800.507252-1-buildroot@bubu1.eu>", "X-Mailer": "git-send-email 2.54.0", "MIME-Version": "1.0", "X-Mailman-Original-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/simple;\n d=bubu1.eu; s=bubu;\n t=1778069893; bh=HLggiZprFI6O53H12p/SQGqnywdTBOPc7at2KXCHzNc=;\n h=From:To:Cc:Subject:Date;\n b=GwlAepNM5qe4fvwSbb8mmoHJAZstMFIUXTn+5/3m/v16jqHmWf4Ri9nkZtPMjUcKV\n 
lN066B+gX9jawHha8JX0QPVkmdG+kFVeMf202/77AxeiioBgKJoq31HU0hfF5owXqC\n f0WNldP9cZrweF0i6N+Yec/UZSNOfsafgF64AgYQU1YmoXRe+sw+61ElwPCSGFBqGZ\n HVd8+r3Xjnmp/VQADWlIJzGwtmblSVP/LLL220D5cCJrKTza84zH8O+0UaCCHl1tez\n iJULkAlFLds2X8kiA7Z9caalMNgwzB3yG/iYt2TQpaMt1/xFZXsJNGVI6jeU7/S9We\n QIzVi/HZAvOaw==", "X-Mailman-Original-Authentication-Results": [ "smtp2.osuosl.org;\n dmarc=pass (p=reject dis=none)\n header.from=bubu1.eu", "smtp2.osuosl.org;\n dkim=pass (2048-bit key) header.d=bubu1.eu header.i=@bubu1.eu\n header.a=rsa-sha256 header.s=bubu header.b=GwlAepNM" ], "Subject": "[Buildroot] [PATCH] package/python-django: security bump to 6.0.5", "X-BeenThere": "buildroot@buildroot.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "Discussion and development of buildroot <buildroot.buildroot.org>", "List-Unsubscribe": "<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>", "List-Archive": "<http://lists.buildroot.org/pipermail/buildroot/>", "List-Post": "<mailto:buildroot@buildroot.org>", "List-Help": "<mailto:buildroot-request@buildroot.org?subject=help>", "List-Subscribe": "<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>", "From": "Marcus Hoffmann via buildroot <buildroot@buildroot.org>", "Reply-To": "Marcus Hoffmann <buildroot@bubu1.eu>", "Cc": "James Hilliard <james.hilliard1@gmail.com>,\n Manuel Diener <manuel.diener@oss.othermo.de>,\n Oli Vogt <oli.vogt.pub01@gmail.com>, Marcus Hoffmann <bubu@bubu1.eu>", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "base64", "Errors-To": "buildroot-bounces@buildroot.org", "Sender": "\"buildroot\" <buildroot-bounces@buildroot.org>" }, "content": "Django 6.0.5 fixes three security issues with severity “low” and several bugs in 6.0.4.\n\nSecurity Fixes:\n* CVE-2026-5766: Potential denial-of-service vulnerability in ASGI\n requests via file upload limit 
bypass\n\n ASGI requests with a missing\n or understated Content-Length header could bypass the\n FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into\n memory and causing service degradation.\n\n As a reminder, Django expects a limit to be configured at the web server\n level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.\n\n This issue has severity “low” according to the Django security policy.\n\n* CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST\n Response headers did not vary on cookies if a session was not modified,\n but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a\n user’s session after that user visits a cached public page.\n\n This issue has severity “low” according to the Django security policy.\n\n* CVE-2026-6907: Potential exposure of private data due to incorrect\n handling of Vary: * in UpdateCacheMiddleware\n\n Previously, UpdateCacheMiddleware would erroneously cache requests where\n the Vary header contained an asterisk ('*'). 
This could lead to private\n data being stored and served.\n\n This issue has severity “low” according to the Django security policy.\n\nBugfixes:\n* Fixed a misplaced </div> in the\n django/contrib/admin/templates/admin/change_list.html template added\n in Django 6.0 that could be problematic when overriding the pagination\n block (#37029).\n* Fixed a bug in Django 6.0 where deprecation warnings incorrectly\n skipped lines from third-party packages prefixed with “django”\n (#37067).\n\nRelease notes: https://docs.djangoproject.com/en/6.0/releases/6.0.5/\n\nSigned-off-by: Marcus Hoffmann <buildroot@bubu1.eu>\n---\n package/python-django/python-django.hash | 4 ++--\n package/python-django/python-django.mk | 2 +-\n 2 files changed, 3 insertions(+), 3 deletions(-)", "diff": "diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash\nindex 6c317cf6e0..5af043f2c2 100644\n--- a/package/python-django/python-django.hash\n+++ b/package/python-django/python-django.hash\n@@ -1,6 +1,6 @@\n # md5, sha256 from https://pypi.org/pypi/django/json\n-md5 9d429cbef8c8357a480d0b920dd9a956 django-6.0.4.tar.gz\n-sha256 8cfa2572b3f2768b2e84983cf3c4811877a01edb64e817986ec5d60751c113ac django-6.0.4.tar.gz\n+md5 44c18a8f264c1326e6fe4f1053fea5fc django-6.0.5.tar.gz\n+sha256 bc6d6872e98a2864c836e42edd644b362db311147dd5aa8d5b82ba7a032f5269 django-6.0.5.tar.gz\n # Locally computed sha256 checksums\n sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE\n sha256 be30dc0e3f7010af6c453d205feaece1f89494789b6e92f0c255ef597a1e6864 django/contrib/gis/measure.py\ndiff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk\nindex 201eece164..fe88128e24 100644\n--- a/package/python-django/python-django.mk\n+++ b/package/python-django/python-django.mk\n@@ -4,7 +4,7 @@\n #\n ################################################################################\n \n-PYTHON_DJANGO_VERSION = 
6.0.4\n+PYTHON_DJANGO_VERSION = 6.0.5\n PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz\n PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/source/d/django\n PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js), CC-BY-4.0 (admin svg files)\n", "prefixes": [] }