diff mbox series

[1/1] package/python-django: security bump to version 3.2.11

Message ID 20220115114244.1912724-1-fontaine.fabrice@gmail.com
State Accepted
Headers show
Series [1/1] package/python-django: security bump to version 3.2.11 | expand

Commit Message

Fabrice Fontaine Jan. 15, 2022, 11:42 a.m. UTC 
Fixes:
 - CVE-2021-45115: Denial-of-service possibility in
   UserAttributeSimilarityValidator
 - CVE-2021-45116: Potential information disclosure in dictsort template
   filter
 - CVE-2021-45452: Potential directory-traversal via Storage.save()

https://www.djangoproject.com/weblog/2022/jan/04/security-releases

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/python-django/python-django.hash | 4 ++--
 package/python-django/python-django.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

Comments

Yann E. MORIN Jan. 15, 2022, 2:22 p.m. UTC | #1 
Fabrice, All,

On 2022-01-15 12:42 +0100, Fabrice Fontaine spake thusly:
> Fixes:
>  - CVE-2021-45115: Denial-of-service possibility in
>    UserAttributeSimilarityValidator
>  - CVE-2021-45116: Potential information disclosure in dictsort template
>    filter
>  - CVE-2021-45452: Potential directory-traversal via Storage.save()
> 
> https://www.djangoproject.com/weblog/2022/jan/04/security-releases
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/python-django/python-django.hash | 4 ++--
>  package/python-django/python-django.mk   | 4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
> index 3eea17e70f..89bc5ffb19 100644
> --- a/package/python-django/python-django.hash
> +++ b/package/python-django/python-django.hash
> @@ -1,5 +1,5 @@
>  # md5, sha256 from https://pypi.org/pypi/django/json
> -md5  eaf0c3b4ac6b22cae9068360e6fd2d1b  Django-3.2.10.tar.gz
> -sha256  074e8818b4b40acdc2369e67dcd6555d558329785408dcd25340ee98f1f1d5c4  Django-3.2.10.tar.gz
> +md5  6c4a53d2ccb464bc3dd772c6f2f07df9  Django-3.2.11.tar.gz
> +sha256  69c94abe5d6b1b088bf475e09b7b74403f943e34da107e798465d2045da27e75  Django-3.2.11.tar.gz
>  # Locally computed sha256 checksums
>  sha256  b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
> diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
> index 4f80208f0e..25a645823b 100644
> --- a/package/python-django/python-django.mk
> +++ b/package/python-django/python-django.mk
> @@ -4,10 +4,10 @@
>  #
>  ################################################################################
>  
> -PYTHON_DJANGO_VERSION = 3.2.10
> +PYTHON_DJANGO_VERSION = 3.2.11
>  PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
>  # The official Django site has an unpractical URL
> -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/a5/8e/c6dfc718d572e4b33b56824b9e71e5ab9be8072e6747fc6184d206c3fdb3
> +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/20/86/e4348aac45bc83fc8e9dda2cfd81004b007c65b68c1499a4233acabdaa3b
>  
>  PYTHON_DJANGO_LICENSE = BSD-3-Clause
>  PYTHON_DJANGO_LICENSE_FILES = LICENSE
> -- 
> 2.34.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
Peter Korsgaard Jan. 28, 2022, 5 p.m. UTC | #2 
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fixes:
 >  - CVE-2021-45115: Denial-of-service possibility in
 >    UserAttributeSimilarityValidator
 >  - CVE-2021-45116: Potential information disclosure in dictsort template
 >    filter
 >  - CVE-2021-45452: Potential directory-traversal via Storage.save()

 > https://www.djangoproject.com/weblog/2022/jan/04/security-releases

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2021.02.x and 2021.11.x, thanks.
diff mbox series

Patch

diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 3eea17e70f..89bc5ffb19 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,5 +1,5 @@ 
 # md5, sha256 from https://pypi.org/pypi/django/json
-md5  eaf0c3b4ac6b22cae9068360e6fd2d1b  Django-3.2.10.tar.gz
-sha256  074e8818b4b40acdc2369e67dcd6555d558329785408dcd25340ee98f1f1d5c4  Django-3.2.10.tar.gz
+md5  6c4a53d2ccb464bc3dd772c6f2f07df9  Django-3.2.11.tar.gz
+sha256  69c94abe5d6b1b088bf475e09b7b74403f943e34da107e798465d2045da27e75  Django-3.2.11.tar.gz
 # Locally computed sha256 checksums
 sha256  b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 4f80208f0e..25a645823b 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@ 
 #
 ################################################################################
 
-PYTHON_DJANGO_VERSION = 3.2.10
+PYTHON_DJANGO_VERSION = 3.2.11
 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
 # The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/a5/8e/c6dfc718d572e4b33b56824b9e71e5ab9be8072e6747fc6184d206c3fdb3
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/20/86/e4348aac45bc83fc8e9dda2cfd81004b007c65b68c1499a4233acabdaa3b
 
 PYTHON_DJANGO_LICENSE = BSD-3-Clause
 PYTHON_DJANGO_LICENSE_FILES = LICENSE