[{"id":3687270,"web_url":"http://patchwork.ozlabs.org/comment/3687270/","msgid":"<873404qwsc.fsf@dell.be.48ers.dk>","list_archive_url":null,"date":"2026-05-06T17:21:07","subject":"Re: [Buildroot] [PATCH] package/python-django: security bump to\n 6.0.5","submitter":{"id":42365,"url":"http://patchwork.ozlabs.org/api/people/42365/","name":"Peter Korsgaard","email":"peter@korsgaard.com"},"content":">>>>> \"Marcus\" == Marcus Hoffmann via buildroot <buildroot@buildroot.org> writes:\n\n > Django 6.0.5 fixes three security issues with severity “low” and several bugs in 6.0.4.\n > Security Fixes:\n > * CVE-2026-5766: Potential denial-of-service vulnerability in ASGI\n >     requests via file upload limit bypass ASGI requests with a missing\n >     or understated Content-Length header could bypass the\n >     FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into\n >     memory and causing service degradation.\n\n >     As a reminder, Django expects a limit to be configured at the web server\n >     level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.\n\n >     This issue has severity “low” according to the Django security policy\n\n > * CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST\n >     Response headers did not vary on cookies if a session was not modified,\n >     but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a\n >     user’s session after that user visits a cached public page.\n\n >     This issue has severity “low” according to the Django security policy.\n\n > * CVE-2026-6907: Potential exposure of private data due to incorrect\n >     handling of Vary: * in UpdateCacheMiddleware\n\n >     Previously, UpdateCacheMiddleware would erroneously cache requests where\n >     the Vary header contained an asterisk ('*'). 
This could lead to private\n >     data being stored and served.\n\n >     This issue has severity “low” according to the Django security policy.\n\n > Bugfixes:\n > * Fixed a misplaced </div> in the\n >   django/contrib/admin/templates/admin/change_list.html template added\n >   in Django 6.0 that could be problematic when overriding the pagination\n >   block (#37029).\n > * Fixed a bug in Django 6.0 where deprecation warnings incorrectly\n >   skipped lines from third-party packages prefixed with “django”\n >   (#37067).\n\n > Release notes: https://docs.djangoproject.com/en/6.0/releases/6.0.5/\n\n > Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>\n\nCommitted, thanks.","headers":{"From":"Peter Korsgaard <peter@korsgaard.com>","To":"Marcus Hoffmann via buildroot <buildroot@buildroot.org>","Cc":"Marcus Hoffmann <buildroot@bubu1.eu>,  James Hilliard\n <james.hilliard1@gmail.com>,  Manuel Diener\n <manuel.diener@oss.othermo.de>,  Oli Vogt <oli.vogt.pub01@gmail.com>,\n Marcus Hoffmann <bubu@bubu1.eu>","In-Reply-To":"<20260506121800.507252-1-buildroot@bubu1.eu> (Marcus Hoffmann via\n buildroot's message of \"Wed, 6 May 2026 14:17:58 +0200\")","References":"<20260506121800.507252-1-buildroot@bubu1.eu>","Date":"Wed, 06 May 2026 19:21:07 +0200","Message-ID":"<873404qwsc.fsf@dell.be.48ers.dk>","User-Agent":"Gnus/5.13 (Gnus v5.13)","Subject":"Re: [Buildroot] [PATCH] package/python-django: security bump to\n 6.0.5","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>"}}]