| Message ID | 20221017172918.1737004-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | package/python-django: security bump to version 4.0.8 | expand |
On Mon, 17 Oct 2022 19:29:17 +0200 Peter Korsgaard <peter@korsgaard.com> wrote: > Fixes the following security issues: > > - CVE-2022-36359: Potential reflected file download vulnerability in > FileResponse (4.0.7) > https://www.djangoproject.com/weblog/2022/aug/03/security-releases/ > > - CVE-2022-41323: Potential denial-of-service vulnerability in > internationalized URLs (4.0.8) > https://www.djangoproject.com/weblog/2022/oct/04/security-releases/ > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> > --- > package/python-django/python-django.hash | 4 ++-- > package/python-django/python-django.mk | 4 ++-- > 2 files changed, 4 insertions(+), 4 deletions(-) Applied to master, thanks. Thomas
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash index bfc9219c7e..72adc30bb1 100644 --- a/package/python-django/python-django.hash +++ b/package/python-django/python-django.hash @@ -1,5 +1,5 @@ # md5, sha256 from https://pypi.org/pypi/django/json -md5 ad4e850c7110a45a6c7778d5bd01b85e Django-4.0.6.tar.gz -sha256 a67a793ff6827fd373555537dca0da293a63a316fe34cb7f367f898ccca3c3ae Django-4.0.6.tar.gz +md5 75ec07b3e00c79fd6e67fbee53786b7a Django-4.0.8.tar.gz +sha256 07e6433f263c3839939cfabeb6d7557841e0419e47759a7b7d37f6d44d40adcb Django-4.0.8.tar.gz # Locally computed sha256 checksums sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk index d49c845d54..567d590f77 100644 --- a/package/python-django/python-django.mk +++ b/package/python-django/python-django.mk @@ -4,10 +4,10 @@ # ################################################################################ -PYTHON_DJANGO_VERSION = 4.0.6 +PYTHON_DJANGO_VERSION = 4.0.8 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz # The official Django site has an unpractical URL -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/a4/17/b10aa26d7a566a3c19e9d29fac39c8643cbceb6cd7649a378d676839b5db +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/1a/de/08d8a349ed0e3e1999eb86ae0347cc9eaf634cd65f1eb80b9387ac1dbe3c PYTHON_DJANGO_LICENSE = BSD-3-Clause PYTHON_DJANGO_LICENSE_FILES = LICENSE
Fixes the following security issues: - CVE-2022-36359: Potential reflected file download vulnerability in FileResponse (4.0.7) https://www.djangoproject.com/weblog/2022/aug/03/security-releases/ - CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs (4.0.8) https://www.djangoproject.com/weblog/2022/oct/04/security-releases/ Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/python-django/python-django.hash | 4 ++-- package/python-django/python-django.mk | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)