[{"id":3681640,"web_url":"http://patchwork.ozlabs.org/comment/3681640/","msgid":"<6d47a2885ab05603e4f4a597670664bf@free.fr>","list_archive_url":null,"date":"2026-04-23T19:10:41","subject":"Re: [Buildroot] [PATCH] package/python-django: security bump to\n 6.0.4","submitter":{"id":80537,"url":"http://patchwork.ozlabs.org/api/people/80537/","name":"Julien Olivain","email":"ju.o@free.fr"},"content":"On 22/04/2026 23:54, Marcus Hoffmann via buildroot wrote:\n> Django 6.0.4 fixes one security issue with severity “moderate”, four\n> security issues with severity “low”, and several bugs in 6.0.3.\n> \n> Security issues:\n> * CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation\n>     ASGIRequest normalizes header names following WSGI conventions, \n> mapping\n>     hyphens to underscores. As a result, even in configurations where\n>     reverse proxies carefully strip security-sensitive headers named \n> with\n>     hyphens, such a header could be spoofed by supplying a header named \n> with\n>     underscores.\n> \n>     Under WSGI, it is the responsibility of the server or proxy to \n> avoid\n>     ambiguous mappings. 
(Django’s runserver was patched in CVE \n> 2015-0219.)\n>     But under ASGI, there is not the same uniform expectation, even if \n> many\n>     proxies protect against this under default configuration (including\n>     nginx via underscores_in_headers off;).\n> \n>     Headers containing underscores are now ignored by ASGIRequest, \n> matching\n>     the behavior of Daphne, the reference server for ASGI.\n> \n>     This issue has severity “low” according to the Django security \n> policy.\n> \n> * CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin\n> \n>     Add permissions on inline model instances were not validated on\n>     submission of forged POST data in GenericInlineModelAdmin.\n> \n>     This issue has severity “low” according to the Django security \n> policy.\n> \n> * CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable\n> \n>     Admin changelist forms using list_editable incorrectly allowed new\n>     instances to be created via forged POST data.\n> \n>     This issue has severity “low” according to the Django security \n> policy.\n> \n> * CVE-2026-33033: Potential denial-of-service vulnerability in\n>     MultiPartParser via base64-encoded file upload\n> \n>     When using django.http.multipartparser.MultiPartParser, multipart\n>     uploads with Content-Transfer-Encoding: base64 that include \n> excessive\n>     whitespace may trigger repeated memory copying, potentially \n> degrading\n>     performance.\n> \n>     This issue has severity “moderate” according to the Django security \n> policy.\n> \n> * CVE-2026-33034: Potential denial-of-service vulnerability in\n>     ASGI requests via memory upload limit bypass\n> \n>     ASGI requests with a missing or understated Content-Length header \n> could\n>     bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading\n>     HttpRequest.body, potentially loading an unbounded request body \n> into\n>     memory and causing service degradation.\n> \n>     This issue has severity “low” 
according to the Django security \n> policy.\n> \n> Bugfixes:\n> * Fixed a regression in Django 6.0 where alogin() and alogout() did not\n>   respectively set or clear request.user if it had already been\n>   materialized (e.g., by sync middleware) (#37017).\n> * Fixed a regression in Django 6.0 in admin forms where\n>   RelatedFieldWidgetWrapper incorrectly wrapped all widgets in a\n>   <fieldset> (#36949).\n> * Fixed a bug in Django 6.0 where the fields.E348 system check did not\n>   detect name clashes between model managers and related_names for\n>   non-self-referential relationships (#36973).\n> \n> Release Notes:\n> https://docs.djangoproject.com/en/6.0/releases/6.0.4/\n> \n> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>\n\nApplied to master, thanks.","headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=OPQUODDw;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g1lzy0Lj5z1yDD\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Fri, 24 Apr 2026 05:10:54 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 99B968076C;\n\tThu, 23 Apr 2026 
19:10:52 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id O4YpNV6nf9Jc; Thu, 23 Apr 2026 19:10:51 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id B14FE80790;\n\tThu, 23 Apr 2026 19:10:51 +0000 (UTC)","from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n by lists1.osuosl.org (Postfix) with ESMTP id D9FD524D\n for <buildroot@buildroot.org>; Thu, 23 Apr 2026 19:10:49 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id CBB878076C\n for <buildroot@buildroot.org>; Thu, 23 Apr 2026 19:10:49 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id w9kbIxKyNOag for <buildroot@buildroot.org>;\n Thu, 23 Apr 2026 19:10:49 +0000 (UTC)","from smtp3-g21.free.fr (smtp3-g21.free.fr\n [IPv6:2a01:e0c:1:1599::12])\n by smtp1.osuosl.org (Postfix) with ESMTPS id C867E80E9C\n for <buildroot@buildroot.org>; Thu, 23 Apr 2026 19:10:48 +0000 (UTC)","from webmail.free.fr (unknown [172.20.246.3])\n (Authenticated sender: ju.o@free.fr)\n by smtp3-g21.free.fr (Postfix) with ESMTPA id 8531A13F8B9;\n Thu, 23 Apr 2026 21:10:41 +0200 (CEST)","from 2a01:e0a:1065:2100:52d9:65fe:2df3:c492\n via 2a01:e0a:1065:2100:52d9:65fe:2df3:c492 by webmail.free.fr\n with HTTP (HTTP/1.0 POST); Thu, 23 Apr 2026 21:10:41 +0200"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp1.osuosl.org B14FE80790","OpenDKIM Filter v2.11.0 smtp1.osuosl.org C867E80E9C"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; 
t=1776971451;\n\tbh=9zC53AMlLPb3AJWHm71cInQ1MqIP634q//aAKalZlqg=;\n\th=Date:To:Cc:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From:Reply-To:From;\n\tb=OPQUODDwd6EjUzgDd63OzavRktzbvTVYxwxtKz95/U2kYIz30cZ1uo/pWvWs9Bbpu\n\t ettWZP0aM8oU7R+Of7+/Zf3+GQc2GtiqhXzm1YAMskKE7WMn9sk3OeKddelpS1l84C\n\t QXmHn17/lLNkoynrlw7fh94D8tEVbXG4vLTsUVdUG8URH5LnSmMx8eY+9Yoy/xTz9t\n\t niANihI7jbNJu3f89IBrpLaO56Cy9L5lD6ZG0eerputxOnpms5B9g6ttfMele9whCv\n\t 4nd/tZlCu2pGievEN8PBcJbRIEJeIkJ3PFdE9viBqhmY/EXUgt0YXHoDiEgCPfpqHo\n\t VTAhPbLne2kPw==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a01:e0c:1:1599::12;\n helo=smtp3-g21.free.fr; envelope-from=ju.o@free.fr; receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp1.osuosl.org C867E80E9C","MIME-Version":"1.0","Date":"Thu, 23 Apr 2026 21:10:41 +0200","To":"Marcus Hoffmann <buildroot@bubu1.eu>","Cc":"buildroot@buildroot.org, James Hilliard <james.hilliard1@gmail.com>,\n Manuel Diener <manuel.diener@oss.othermo.de>, Oli Vogt\n <oli.vogt.pub01@gmail.com>, Marcus Hoffmann <bubu@bubu1.eu>","In-Reply-To":"<20260422215427.186961-1-buildroot@bubu1.eu>","References":"<20260422215427.186961-1-buildroot@bubu1.eu>","User-Agent":"Webmail Free/1.6.14","Message-ID":"<6d47a2885ab05603e4f4a597670664bf@free.fr>","X-Sender":"ju.o@free.fr","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple;\n d=free.fr; s=smtp-20201208; t=1776971447;\n bh=rcz8RyCPmsKWnc/73+9YFN9IrVtLbCuw6Lf0vwJFAW0=;\n h=Date:From:To:Cc:Subject:In-Reply-To:References:From;\n b=jr2YrnQfIey1tKQ+vl4EA4MHNJRLfAiuNvtU62bGMFrpZbZ8SuWNwo+YOlpjrxfsq\n WUfMrgjLtxiaXRJ/79oZkjhVBBAGnVIjhomXXM/xtuU2REl2ZKz5NXLEDVi80bRwlS\n 3FJioS8LuIHTDxFRmbG/eqm4tRfySWNgHL4m544LQ7+ty72IZA+MsohZhEinsQ7QFl\n LR1EpjmO3H42l6lwXxIyVlF/IaVvCp4s4ZRgtXIAN/ZC96SFfEigraHch8wmchpU0g\n ZO30K0pLrrPFJsQOonfJO0HSgc0O89+ZuwrysUS16PC4/kgDSYA+UqpuMeWxuO/mDP\n 
qxnX8bitP/58Q==","X-Mailman-Original-Authentication-Results":["smtp1.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=free.fr","smtp1.osuosl.org;\n dkim=pass (2048-bit key) header.d=free.fr header.i=@free.fr\n header.a=rsa-sha256 header.s=smtp-20201208 header.b=jr2YrnQf"],"Subject":"Re: [Buildroot] [PATCH] package/python-django: security bump to\n 6.0.4","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","From":"Julien Olivain via buildroot <buildroot@buildroot.org>","Reply-To":"Julien Olivain <ju.o@free.fr>","Content-Transfer-Encoding":"base64","Content-Type":"text/plain; charset=\"utf-8\"; Format=\"flowed\"","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"}}]