Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.2/patches/2226949/?format=api
{ "id": 2226949, "url": "http://patchwork.ozlabs.org/api/1.2/patches/2226949/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260422215427.186961-1-buildroot@bubu1.eu/", "project": { "id": 27, "url": "http://patchwork.ozlabs.org/api/1.2/projects/27/?format=api", "name": "Buildroot development", "link_name": "buildroot", "list_id": "buildroot.buildroot.org", "list_email": "buildroot@buildroot.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260422215427.186961-1-buildroot@bubu1.eu>", "list_archive_url": null, "date": "2026-04-22T21:54:25", "name": "package/python-django: security bump to 6.0.4", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "442fd63f4e6d7f50e334a6e96ee4c95134c0665c", "submitter": { "id": 87807, "url": "http://patchwork.ozlabs.org/api/1.2/people/87807/?format=api", "name": "Marcus Hoffmann", "email": "buildroot@bubu1.eu" }, "delegate": { "id": 89618, "url": "http://patchwork.ozlabs.org/api/1.2/users/89618/?format=api", "username": "juju", "first_name": "Julien", "last_name": "Olivain", "email": "juju@cotds.org" }, "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260422215427.186961-1-buildroot@bubu1.eu/mbox/", "series": [ { "id": 501118, "url": "http://patchwork.ozlabs.org/api/1.2/series/501118/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=501118", "date": "2026-04-22T21:54:25", "name": "package/python-django: security bump to 6.0.4", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/501118/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2226949/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2226949/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<buildroot-bounces@buildroot.org>", "X-Original-To": [ "incoming-buildroot@patchwork.ozlabs.org", "buildroot@buildroot.org" ], "Delivered-To": [ "patchwork-incoming-buildroot@legolas.ozlabs.org", "buildroot@buildroot.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=HKMF5kKW;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)" ], "Received": [ "from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g1Cgg5lvKz1yGs\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Thu, 23 Apr 2026 07:54:55 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id C5C8C80638;\n\tWed, 22 Apr 2026 21:54:53 +0000 (UTC)", "from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 3a_3NvDSd-Bv; Wed, 22 Apr 2026 21:54:52 +0000 (UTC)", "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id C7DA980656;\n\tWed, 22 Apr 2026 21:54:52 +0000 (UTC)", "from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n by lists1.osuosl.org (Postfix) with ESMTP id 9D9DC231\n for <buildroot@buildroot.org>; Wed, 22 Apr 2026 21:54:51 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id 8350680646\n for <buildroot@buildroot.org>; Wed, 22 Apr 2026 21:54:51 +0000 (UTC)", "from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id DOrCVi6CIIJF for <buildroot@buildroot.org>;\n Wed, 22 Apr 2026 21:54:50 +0000 (UTC)", "from smtp.bubu1.eu (smtp.bubu1.eu [176.9.145.28])\n by smtp1.osuosl.org (Postfix) with ESMTPS id 8B84D80638\n for <buildroot@buildroot.org>; Wed, 22 Apr 2026 21:54:48 +0000 (UTC)", "from bubutux.fritz.box (unknown [212.37.174.96])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519MLKEM768 server-signature RSA-PSS (4096 bits)\n server-digest\n SHA256) (No client certificate requested)\n by smtp.bubu1.eu (Postfix) with ESMTPSA id EED912C80C0F;\n Wed, 22 Apr 2026 23:54:45 +0200 (CEST)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp1.osuosl.org C7DA980656", "OpenDKIM Filter v2.11.0 smtp1.osuosl.org 8B84D80638" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1776894892;\n\tbh=au0qm9ttnLFmA9lC79fVoXl6Ht+siCqvBljIX1IyZ8U=;\n\th=To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:\n\t List-Help:List-Subscribe:From:Reply-To:Cc:From;\n\tb=HKMF5kKWEiJcWVnJ4T4deELyM1go3q2i5Hk3/vsIxqlCuiH8ZDWVYgUVllzJ/qmZY\n\t CAhoZsaZCMZKZ4TNrvSg7TSgXf8UbJW+WxjmSM1UXewGmv039VZuask2vK18u0eHg6\n\t JuhwEpdHG9kftmY8XP9XcApTyDxgeIegtcXifbR3rL+rKWVrXzzINwO7SUSrBhnvC9\n\t BRAuisIY7KcYIue/fsfMLAuQJ6mfcLF52qL2zFtgI/94Yn5x8lYrXnXbKepuY8O6QC\n\t yAsj3oztuNMjEEq27EqyGlD6jhWs79dQGohTFGwywNanL/cYMp3B9Szm3L/Ln0EpDP\n\t yqeFGfS4mZiVw==", "Received-SPF": "Pass (mailfrom) identity=mailfrom; client-ip=176.9.145.28;\n helo=smtp.bubu1.eu; envelope-from=buildroot@bubu1.eu; receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp1.osuosl.org 8B84D80638", "To": "buildroot@buildroot.org", "Date": "Wed, 22 Apr 2026 23:54:25 +0200", "Message-ID": "<20260422215427.186961-1-buildroot@bubu1.eu>", "X-Mailer": "git-send-email 2.53.0", "MIME-Version": "1.0", "X-Mailman-Original-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/simple;\n d=bubu1.eu; s=bubu;\n t=1776894886; bh=JlzAPiJPHqK0uAPHkJEJg01EegAc2cWcZ5CCYxecNBc=;\n h=From:To:Cc:Subject:Date;\n b=hdrUhNHwnGwDn3cGARmYhwjCuInlLDYsImVLe2E2uPvCZHFUFY1Pc7xw11ct0pkRf\n Hkyfu/aqV/Bj4tvF4TI1NLB3xr9o65kTeshDWx11RuW0udn343Ke3nPdOqIC3Z533d\n 0sz+FtXSFFPKD/Cz8MNIchgPRQlgNbACC4JNTilW/rJJdKj+GTb5SU6bgTnfliHxir\n UubQxDKVh7XjdgrcElfLlzOb+VJvJXqH6oN/l0osP3VvNJutTnilGRzx40T1gwI5BE\n xLdppD8szRiBw71Y7Igt9V6RkmeuHepiT1p98zZ04dJ9vYB69Zkxq9ooeC8uvUm6/C\n H0VVhblGreELw==", "X-Mailman-Original-Authentication-Results": [ "smtp1.osuosl.org;\n dmarc=pass (p=reject dis=none)\n header.from=bubu1.eu", "smtp1.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=bubu1.eu header.i=@bubu1.eu header.a=rsa-sha256\n header.s=bubu header.b=hdrUhNHw" ], "Subject": "[Buildroot] [PATCH] package/python-django: security bump to 6.0.4", "X-BeenThere": "buildroot@buildroot.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "Discussion and development of buildroot <buildroot.buildroot.org>", "List-Unsubscribe": "<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>", "List-Archive": "<http://lists.buildroot.org/pipermail/buildroot/>", "List-Post": "<mailto:buildroot@buildroot.org>", "List-Help": "<mailto:buildroot-request@buildroot.org?subject=help>", "List-Subscribe": "<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>", "From": "Marcus Hoffmann via buildroot <buildroot@buildroot.org>", "Reply-To": "Marcus Hoffmann <buildroot@bubu1.eu>", "Cc": "James Hilliard <james.hilliard1@gmail.com>,\n Manuel Diener <manuel.diener@oss.othermo.de>,\n Oli Vogt <oli.vogt.pub01@gmail.com>, Marcus Hoffmann <bubu@bubu1.eu>", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "base64", "Errors-To": "buildroot-bounces@buildroot.org", "Sender": "\"buildroot\" <buildroot-bounces@buildroot.org>" }, "content": "Django 6.0.4 fixes one security issue with severity “moderate”, four\nsecurity issues with severity “low”, and several bugs in 6.0.3.\n\nSecurity issues:\n* CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation\n ASGIRequest normalizes header names following WSGI conventions, mapping\n hyphens to underscores. As a result, even in configurations where\n reverse proxies carefully strip security-sensitive headers named with\n hyphens, such a header could be spoofed by supplying a header named with\n underscores.\n\n Under WSGI, it is the responsibility of the server or proxy to avoid\n ambiguous mappings. (Django’s runserver was patched in CVE 2015-0219.)\n But under ASGI, there is not the same uniform expectation, even if many\n proxies protect against this under default configuration (including\n nginx via underscores_in_headers off;).\n\n Headers containing underscores are now ignored by ASGIRequest, matching\n the behavior of Daphne, the reference server for ASGI.\n\n This issue has severity “low” according to the Django security policy.\n\n* CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin¶\n\n Add permissions on inline model instances were not validated on\n submission of forged POST data in GenericInlineModelAdmin.\n\n This issue has severity “low” according to the Django security policy.\n\n* CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable¶\n\n Admin changelist forms using list_editable incorrectly allowed new\n instances to be created via forged POST data.\n\n This issue has severity “low” according to the Django security policy.\n\n* CVE-2026-33033: Potential denial-of-service vulnerability in\n MultiPartParser via base64-encoded file upload¶\n\n When using django.http.multipartparser.MultiPartParser, multipart\n uploads with Content-Transfer-Encoding: base64 that include excessive\n whitespace may trigger repeated memory copying, potentially degrading\n performance.\n\n This issue has severity “moderate” according to the Django security policy.\n\n* CVE-2026-33034: Potential denial-of-service vulnerability in\n ASGI requests via memory upload limit bypass¶\n\n ASGI requests with a missing or understated Content-Length header could\n bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading\n HttpRequest.body, potentially loading an unbounded request body into\n memory and causing service degradation.\n\n This issue has severity “low” according to the Django security policy.\n\nBugfixes:\n* Fixed a regression in Django 6.0 where alogin() and alogout() did not\n respectively set or clear request.user if it had already been\n materialized (e.g., by sync middleware) (#37017).\n* Fixed a regression in Django 6.0 in admin forms where\n RelatedFieldWidgetWrapper incorrectly wrapped all widgets in a\n <fieldset> (#36949).\n* Fixed a bug in Django 6.0 where the fields.E348 system check did not\n detect name clashes between model managers and related_names for\n non-self-referential relationships (#36973).\n\nRelease Notes:\nhttps://docs.djangoproject.com/en/6.0/releases/6.0.4/\n\nSigned-off-by: Marcus Hoffmann <buildroot@bubu1.eu>\n---\n package/python-django/python-django.hash | 4 ++--\n package/python-django/python-django.mk | 4 ++--\n 2 files changed, 4 insertions(+), 4 deletions(-)", "diff": "diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash\nindex dca77f02e2..6c317cf6e0 100644\n--- a/package/python-django/python-django.hash\n+++ b/package/python-django/python-django.hash\n@@ -1,6 +1,6 @@\n # md5, sha256 from https://pypi.org/pypi/django/json\n-md5 0bb395b518e2f2f17e1a936deb7ba74c django-6.0.3.tar.gz\n-sha256 90be765ee756af8a6cbd6693e56452404b5ad15294f4d5e40c0a55a0f4870fe1 django-6.0.3.tar.gz\n+md5 9d429cbef8c8357a480d0b920dd9a956 django-6.0.4.tar.gz\n+sha256 8cfa2572b3f2768b2e84983cf3c4811877a01edb64e817986ec5d60751c113ac django-6.0.4.tar.gz\n # Locally computed sha256 checksums\n sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE\n sha256 be30dc0e3f7010af6c453d205feaece1f89494789b6e92f0c255ef597a1e6864 django/contrib/gis/measure.py\ndiff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk\nindex 0cc68129ee..201eece164 100644\n--- a/package/python-django/python-django.mk\n+++ b/package/python-django/python-django.mk\n@@ -4,9 +4,9 @@\n #\n ################################################################################\n \n-PYTHON_DJANGO_VERSION = 6.0.3\n+PYTHON_DJANGO_VERSION = 6.0.4\n PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz\n-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/80/e1/894115c6bd70e2c8b66b0c40a3c367d83a5a48c034a4d904d31b62f7c53a\n+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/source/d/django\n PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js), CC-BY-4.0 (admin svg files)\n PYTHON_DJANGO_LICENSE_FILES = LICENSE \\\n \tdjango/contrib/gis/measure.py \\\n", "prefixes": [] }