{"id":2233415,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2233415/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/patch/20260506121800.507252-1-buildroot@bubu1.eu/","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/1.1/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260506121800.507252-1-buildroot@bubu1.eu>","date":"2026-05-06T12:17:58","name":"package/python-django: security bump to 6.0.5","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"4bf2c01eeb5e6e72bdee8e85edc23b89d37c7eeb","submitter":{"id":87807,"url":"http://patchwork.ozlabs.org/api/1.1/people/87807/?format=json","name":"Marcus Hoffmann","email":"buildroot@bubu1.eu"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20260506121800.507252-1-buildroot@bubu1.eu/mbox/","series":[{"id":502976,"url":"http://patchwork.ozlabs.org/api/1.1/series/502976/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/list/?series=502976","date":"2026-05-06T12:17:58","name":"package/python-django: security bump to 6.0.5","version":1,"mbox":"http://patchwork.ozlabs.org/series/502976/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2233415/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2233415/checks/","tags":{},
"headers":{"To":"buildroot@buildroot.org","Date":"Wed,  6 May 2026 14:17:58 +0200","Message-ID":"<20260506121800.507252-1-buildroot@bubu1.eu>","X-Mailer":"git-send-email 2.54.0","MIME-Version":"1.0","Subject":"[Buildroot] [PATCH] package/python-django: security bump to 6.0.5","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","From":"Marcus Hoffmann via buildroot <buildroot@buildroot.org>","Reply-To":"Marcus Hoffmann <buildroot@bubu1.eu>","Cc":"James Hilliard <james.hilliard1@gmail.com>,\n Manuel Diener <manuel.diener@oss.othermo.de>,\n Oli Vogt <oli.vogt.pub01@gmail.com>, Marcus Hoffmann <bubu@bubu1.eu>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"},
"content":"Django 6.0.5 fixes three security issues with severity “low” and several bugs in 6.0.4.\n\nSecurity Fixes:\n* CVE-2026-5766: Potential denial-of-service vulnerability in ASGI\n    requests via file upload limit bypass ASGI requests with a missing\n    or understated Content-Length header could bypass the\n    FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into\n    
memory and causing service degradation.\n\n    As a reminder, Django expects a limit to be configured at the web server\n    level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.\n\n    This issue has severity “low” according to the Django security policy\n\n* CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST\n    Response headers did not vary on cookies if a session was not modified,\n    but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a\n    user’s session after that user visits a cached public page.\n\n    This issue has severity “low” according to the Django security policy.\n\n* CVE-2026-6907: Potential exposure of private data due to incorrect\n    handling of Vary: * in UpdateCacheMiddleware\n\n    Previously, UpdateCacheMiddleware would erroneously cache requests where\n    the Vary header contained an asterisk ('*'). This could lead to private\n    data being stored and served.\n\n    This issue has severity “low” according to the Django security policy.\n\nBugfixes:\n* Fixed a misplaced </div> in the\n  django/contrib/admin/templates/admin/change_list.html template added\n  in Django 6.0 that could be problematic when overriding the pagination\n  block (#37029).\n* Fixed a bug in Django 6.0 where deprecation warnings incorrectly\n  skipped lines from third-party packages prefixed with “django”\n  (#37067).\n\nRelease notes: https://docs.djangoproject.com/en/6.0/releases/6.0.5/\n\nSigned-off-by: Marcus Hoffmann <buildroot@bubu1.eu>\n---\n package/python-django/python-django.hash | 4 ++--\n package/python-django/python-django.mk   | 2 +-\n 2 files changed, 3 insertions(+), 3 deletions(-)","diff":"diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash\nindex 6c317cf6e0..5af043f2c2 100644\n--- a/package/python-django/python-django.hash\n+++ b/package/python-django/python-django.hash\n@@ -1,6 +1,6 @@\n # md5, sha256 from 
https://pypi.org/pypi/django/json\n-md5  9d429cbef8c8357a480d0b920dd9a956  django-6.0.4.tar.gz\n-sha256  8cfa2572b3f2768b2e84983cf3c4811877a01edb64e817986ec5d60751c113ac  django-6.0.4.tar.gz\n+md5  44c18a8f264c1326e6fe4f1053fea5fc  django-6.0.5.tar.gz\n+sha256  bc6d6872e98a2864c836e42edd644b362db311147dd5aa8d5b82ba7a032f5269  django-6.0.5.tar.gz\n # Locally computed sha256 checksums\n sha256  b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE\n sha256  be30dc0e3f7010af6c453d205feaece1f89494789b6e92f0c255ef597a1e6864  django/contrib/gis/measure.py\ndiff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk\nindex 201eece164..fe88128e24 100644\n--- a/package/python-django/python-django.mk\n+++ b/package/python-django/python-django.mk\n@@ -4,7 +4,7 @@\n #\n ################################################################################\n \n-PYTHON_DJANGO_VERSION = 6.0.4\n+PYTHON_DJANGO_VERSION = 6.0.5\n PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz\n PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/source/d/django\n PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js), CC-BY-4.0 (admin svg files)\n","prefixes":[]}
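Review bot: In the python-django.hash hunk, the two "Locally computed sha256 checksums" lines for LICENSE and django/contrib/gis/measure.py pass through as unchanged context, and the commit message does not say whether they were re-checked against the django-6.0.5 tarball. Please confirm that both license files still hash to the recorded values for 6.0.5 (a legal-info run for the package checks them) and state in the commit message that the license hashes are unchanged.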