Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2196951/?format=api
{ "id": 2196951, "url": "http://patchwork.ozlabs.org/api/patches/2196951/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260216171220.370985-1-titouan.christophe@mind.be/", "project": { "id": 27, "url": "http://patchwork.ozlabs.org/api/projects/27/?format=api", "name": "Buildroot development", "link_name": "buildroot", "list_id": "buildroot.buildroot.org", "list_email": "buildroot@buildroot.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260216171220.370985-1-titouan.christophe@mind.be>", "list_archive_url": null, "date": "2026-02-16T17:12:20", "name": "[for,2025.02.x] package/python-django: security bump to v5.2.11", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "5ae6459b3de55db67cd8c072e48340e3fe7c5f9b", "submitter": { "id": 90763, "url": "http://patchwork.ozlabs.org/api/people/90763/?format=api", "name": "Titouan Christophe", "email": "titouan.christophe@mind.be" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260216171220.370985-1-titouan.christophe@mind.be/mbox/", "series": [ { "id": 492332, "url": "http://patchwork.ozlabs.org/api/series/492332/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=492332", "date": "2026-02-16T17:12:20", "name": "[for,2025.02.x] package/python-django: security bump to v5.2.11", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/492332/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2196951/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2196951/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<buildroot-bounces@buildroot.org>", "X-Original-To": [ "incoming-buildroot@patchwork.ozlabs.org", "buildroot@buildroot.org" ], "Delivered-To": [ "patchwork-incoming-buildroot@legolas.ozlabs.org", "buildroot@buildroot.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=gVjvaxgN;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)" ], "Received": [ "from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fF8V40w0xz1xwF\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Tue, 17 Feb 2026 04:12:43 +1100 (AEDT)", "from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id C9E4B83BD9;\n\tMon, 16 Feb 2026 17:12:41 +0000 (UTC)", "from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id BXcjfZ5NuBeT; Mon, 16 Feb 2026 17:12:40 +0000 (UTC)", "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 6FC84834FC;\n\tMon, 16 Feb 2026 17:12:40 +0000 (UTC)", "from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n by lists1.osuosl.org (Postfix) with ESMTP id 9C04235B\n for <buildroot@buildroot.org>; Mon, 16 Feb 2026 17:12:38 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id 7D77A834FC\n for <buildroot@buildroot.org>; Mon, 16 Feb 2026 17:12:38 +0000 (UTC)", "from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id pdNseSR27iFS for <buildroot@buildroot.org>;\n Mon, 16 Feb 2026 17:12:37 +0000 (UTC)", "from mail-wr1-x433.google.com (mail-wr1-x433.google.com\n [IPv6:2a00:1450:4864:20::433])\n by smtp1.osuosl.org (Postfix) with ESMTPS id 49A058305C\n for <buildroot@buildroot.org>; Mon, 16 Feb 2026 17:12:36 +0000 (UTC)", "by mail-wr1-x433.google.com with SMTP id\n ffacd0b85a97d-43767807da6so2380871f8f.2\n for <buildroot@buildroot.org>; Mon, 16 Feb 2026 09:12:36 -0800 (PST)", "from dragon (ptr-94-109-131-55.dyn.orange.be. [94.109.131.55])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-48387ab1974sm84350625e9.3.2026.02.16.09.12.33\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 16 Feb 2026 09:12:34 -0800 (PST)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp1.osuosl.org 6FC84834FC", "OpenDKIM Filter v2.11.0 smtp1.osuosl.org 49A058305C" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1771261960;\n\tbh=azKdiXkPycqfi73g8zh4DF53qXjNSyWf3p18sOnKRjk=;\n\th=To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:\n\t List-Help:List-Subscribe:From:Reply-To:Cc:From;\n\tb=gVjvaxgNSiFdWSzafaGp1VjWsEkMhSPxs2P1ZHdOmfs/yGnQtR2HIa2SFrL690wWy\n\t 16uiFV7I3SIvcPA4st3J57EWHpfTWveuEdHImwS91/tSlz/hfOzS2neSf9pwuYW7zV\n\t Bqt6vkxwdnSUMgIRAWAcoDtIu829M3qqtTOKMhTry+GkSwp2ydJ9Loq3wyuGf3ua0y\n\t egqPr0FVrG4Wc4aL5C5cRONPz0gncpfh7wr99dSvtf4YQ0rFa3nusQoRxbR84R3Y16\n\t +zk/hPMb8EKNYj+MWZoKTd9vomZ/k/a+R8qQMC9XswhVAgGcs4RfLOCrPlUJYZVgpP\n\t 5FvJNxBVN8miw==", "Received-SPF": "Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::433; helo=mail-wr1-x433.google.com;\n envelope-from=titouan.christophe@essensium.com; receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp1.osuosl.org 49A058305C", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20230601; t=1771261955; x=1771866755;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=MGdzy22aqwmxgwBRCq6hyAdy52iykc2TEAsK8rgY20s=;\n b=mej3k9mighr7NwrFV7tOSQEWH2R5vvnWWSo8WfMrlNXd/4d6V0XSGianHocMqjOqUL\n kID0Wfdviw/M/9h3bCl7UsQvIgVfPhxAxwnX8g6bB3H101J7ihUHd2pEC7n88CplWjD0\n ZKqdKhsWVfyIFHakTys/cPOqlfu/9FyTzQQY57H60ZVA9xBuR/wJ/8WQFnRZYqklvWDl\n sY3LX73Hk+ZXoBrNqpHk/MaJ5AALdr2/eQa3u0DsYX5rBoMwSAfZf+gboGrf0yVsRCJI\n nUKc3E1nI4XLk5NWLTuQxF0JlPwz3FScBfz5TCCYVY7+ys06ib/Oor3R572CDmvXdbcI\n Tl6w==", "X-Gm-Message-State": "AOJu0YxG4/F7j4HS7OP3C52NXSHTVrxWUb2ExZlHczRFNmgjsCPxYDKv\n BYadrkKi6MrlatDTXaxT25AyVS4jhIG01oQuXM4O8/ssAb7JleMaicOqGJkoPd6lNLtEfDN+iw2\n s7pMDvF8=", "X-Gm-Gg": "AZuq6aLqsOTm+vvazh4LkUzyjNOBHPAIxs3r305QTdiZorU3GdhIWElTu7wkdeR6qYS\n CqySgDpvKDnFCbLLsck+tsGx4+yLv/G1RMrahgdF9lfPcafDESYWvaJ4P0oTdneDN0QFbW5ioNf\n A44+0nJqVnxZMDot0NIL6McSLVAj/PWkEuTaNeX44a1eEovDkMKvlUrm0c8CsUq2Eh0dKB+kmpf\n Kpqm27eoCtHWLhvyQ6Qe25jiO5I3HVMD0kk/xIGBBwfHzS16s5bvrLnBX3ygfj4X6v4uRKEuHze\n Oi0hAwYI4mh6zLD//tPxJpt/qSl2yi8LMrg0znAkcAjx9P+X/k+zWmrFVVyOT//UnsWphSslf64\n uYdTstr965hLU3SHUfStMbztDo0b5YMJy0voOOE6GN4Pa0UrTRIJzsUvM5+RmVEY2lHbx+5nibh\n S75CXTKJ1xsZtgvdm3d0bd8cMXk1S04iSDovtlq9A8O5PlBGjavjUiKQQIRA==", "X-Received": "by 2002:a05:600c:8486:b0:47e:e076:c7a5 with SMTP id\n 5b1f17b1804b1-48373a1c41emr167871055e9.11.1771261954539;\n Mon, 16 Feb 2026 09:12:34 -0800 (PST)", "To": "buildroot@buildroot.org", "Date": "Mon, 16 Feb 2026 18:12:20 +0100", "Message-ID": "<20260216171220.370985-1-titouan.christophe@mind.be>", "X-Mailer": "git-send-email 2.51.0", "MIME-Version": "1.0", "X-Mailman-Original-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1771261955; x=1771866755; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=MGdzy22aqwmxgwBRCq6hyAdy52iykc2TEAsK8rgY20s=;\n b=JfbefhVY1tcPVBcURuwB5hpj07JSmQoFYgQk4c2lom6sNbi72kJQMaQH9UBoj4vrmN\n pR+gKq6qgJNnwYeNCbS7VObKAt8EDFXrGLPzI2ReO5vGIq1iuohQ6AqSHfqBGuSBoIgs\n CkPrg5E2eg1/Mnau7rseRegKFs/GLIBzO6jhimrNplwxDCtkh9/jgGua6jgEL3kv8VJ2\n iqFmEzh9SK7seJMy3u0tnXOvNI+ZeR0tZK0aiLVnc2Bf2bZrNUbrT+sEUH98irqoRzm7\n RX5Bw0tkBONmgxmSr0i9c4TdGS7mK38s03NfXLjkQkENbiorPNgX+qwtNabiSN9FjwHK\n Lbng==", "X-Mailman-Original-Authentication-Results": [ "smtp1.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be", "smtp1.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=mind.be header.i=@mind.be header.a=rsa-sha256\n header.s=google header.b=JfbefhVY" ], "Subject": "[Buildroot] [PATCH for 2025.02.x] package/python-django: security\n bump to v5.2.11", "X-BeenThere": "buildroot@buildroot.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "Discussion and development of buildroot <buildroot.buildroot.org>", "List-Unsubscribe": "<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>", "List-Archive": "<http://lists.buildroot.org/pipermail/buildroot/>", "List-Post": "<mailto:buildroot@buildroot.org>", "List-Help": "<mailto:buildroot-request@buildroot.org?subject=help>", "List-Subscribe": "<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>", "From": "Titouan Christophe via buildroot <buildroot@buildroot.org>", "Reply-To": "Titouan Christophe <titouan.christophe@mind.be>", "Cc": "James Hilliard <james.hilliard1@gmail.com>,\n Oli Vogt <oli.vogt.pub01@gmail.com>, Marcus Hoffmann <bubu@bubu1.eu>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "buildroot-bounces@buildroot.org", "Sender": "\"buildroot\" <buildroot-bounces@buildroot.org>" }, "content": "See the release notes:\nhttps://docs.djangoproject.com/en/5.2/releases/5.2.11/\n\nThis is a security release on Django's LTS branch,\nfixing the following vulnerabilties:\n\n- CVE-2025-13473:\n An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and\n 4.2 before 4.2.28. The\n `django.contrib.auth.handlers.modwsgi.check_password()` function for\n authentication via `mod_wsgi` allows remote attackers to enumerate\n users via a timing attack. Earlier, unsupported Django series (such as\n 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\n Django would like to thank Stackered for reporting this issue.\n https://www.cve.org/CVERecord?id=CVE-2025-13473\n\n- CVE-2025-14550:\n An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and\n 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a\n potential denial-of-service via a crafted request with multiple\n duplicate headers. Earlier, unsupported Django series (such as 5.0.x,\n 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django\n would like to thank Jiyong Yang for reporting this issue.\n https://www.cve.org/CVERecord?id=CVE-2025-14550\n\n- CVE-2026-1207:\n An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and\n 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented\n on PostGIS) allows remote attackers to inject SQL via the band index\n parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x,\n and 3.2.x) were not evaluated and may also be affected. Django would\n like to thank Tarek Nakkouch for reporting this issue.\n https://www.cve.org/CVERecord?id=CVE-2026-1207\n\n- CVE-2026-1285:\n An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and\n 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and\n `Truncator.words()` methods (with `html=True`) and the\n `truncatechars_html` and `truncatewords_html` template filters allow a\n remote attacker to cause a potential denial-of-service via crafted\n inputs containing a large number of unmatched HTML end tags. Earlier,\n unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not\n evaluated and may also be affected. Django would like to thank\n Seokchan Yoon for reporting this issue.\n https://www.cve.org/CVERecord?id=CVE-2026-1285\n\n- CVE-2026-1287:\n An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and\n 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in\n column aliases via control characters, using a suitably crafted\n dictionary, with dictionary expansion, as the `**kwargs` passed to\n `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`,\n `values_list()`, and `alias()`. Earlier, unsupported Django series\n (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be\n affected. Django would like to thank Solomon Kebede for reporting this\n issue.\n https://www.cve.org/CVERecord?id=CVE-2026-1287\n\n- CVE-2026-1312:\n An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and\n 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection\n in column aliases containing periods when the same alias is, using a\n suitably crafted dictionary, with dictionary expansion, used in\n `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x,\n 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django\n would like to thank Solomon Kebede for reporting this issue.\n https://www.cve.org/CVERecord?id=CVE-2026-1312\n\nSigned-off-by: Titouan Christophe <titouan.christophe@mind.be>\n---\n package/python-django/python-django.hash | 4 ++--\n package/python-django/python-django.mk | 4 ++--\n 2 files changed, 4 insertions(+), 4 deletions(-)", "diff": "diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash\nindex 1c2b9bcd29..b39b8c54cc 100644\n--- a/package/python-django/python-django.hash\n+++ b/package/python-django/python-django.hash\n@@ -1,6 +1,6 @@\n # md5, sha256 from https://pypi.org/pypi/django/json\n-md5 98e667c17123f7bbd2d7d1db32f9ccdd django-5.2.10.tar.gz\n-sha256 74df100784c288c50a2b5cad59631d71214f40f72051d5af3fdf220c20bdbbbe django-5.2.10.tar.gz\n+md5 051357d45eb71a115a64e6d2a79c7c51 django-5.2.11.tar.gz\n+sha256 7f2d292ad8b9ee35e405d965fbbad293758b858c34bbf7f3df551aeeac6f02d3 django-5.2.11.tar.gz\n # Locally computed sha256 checksums\n sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE\n sha256 dcac1c86cb7ab491702bdb4c41be680fafde51536748cc8aaee3840eec53ed17 django/contrib/gis/measure.py\ndiff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk\nindex 184f91bfa1..4b840701f4 100644\n--- a/package/python-django/python-django.mk\n+++ b/package/python-django/python-django.mk\n@@ -4,10 +4,10 @@\n #\n ################################################################################\n \n-PYTHON_DJANGO_VERSION = 5.2.10\n+PYTHON_DJANGO_VERSION = 5.2.11\n PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz\n # The official Django site has an unpractical URL\n-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/e6/e5/2671df24bf0ded831768ef79532e5a7922485411a5696f6d979568591a37\n+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/17/f2/3e57ef696b95067e05ae206171e47a8e53b9c84eec56198671ef9eaa51a6\n PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js)\n PYTHON_DJANGO_LICENSE_FILES = LICENSE \\\n \tdjango/contrib/gis/measure.py \\\n", "prefixes": [ "for", "2025.02.x" ] }