| Message ID | 20220414215915.2974871-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | package/python-django: security bump to version 4.0.4 | expand |
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > Fixes the following security issues: > CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra() > QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL > injection in column aliases, using a suitably crafted dictionary, with > dictionary expansion, as the **kwargs passed to these methods. > CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL > QuerySet.explain() method was subject to SQL injection in option names, > using a suitably crafted dictionary, with dictionary expansion, as the > **options argument. > For more details, see the advisory: > https://www.djangoproject.com/weblog/2022/apr/11/security-releases/ > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed, thanks.
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > Fixes the following security issues: > CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra() > QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL > injection in column aliases, using a suitably crafted dictionary, with > dictionary expansion, as the **kwargs passed to these methods. > CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL > QuerySet.explain() method was subject to SQL injection in option names, > using a suitably crafted dictionary, with dictionary expansion, as the > **options argument. > For more details, see the advisory: > https://www.djangoproject.com/weblog/2022/apr/11/security-releases/ > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2022.02.x, thanks.
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash index f78df56c5f..8d9f0aafdb 100644 --- a/package/python-django/python-django.hash +++ b/package/python-django/python-django.hash @@ -1,5 +1,5 @@ # md5, sha256 from https://pypi.org/pypi/django/json -md5 a86339c0e87241597afa8744704d9965 Django-4.0.2.tar.gz -sha256 110fb58fb12eca59e072ad59fc42d771cd642dd7a2f2416582aa9da7a8ef954a Django-4.0.2.tar.gz +md5 153fcb5dd7360b7ad219d65cb53e2d57 Django-4.0.4.tar.gz +sha256 4e8177858524417563cc0430f29ea249946d831eacb0068a1455686587df40b5 Django-4.0.4.tar.gz # Locally computed sha256 checksums sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk index 652ca477ce..b4d6ec21c9 100644 --- a/package/python-django/python-django.mk +++ b/package/python-django/python-django.mk @@ -4,10 +4,10 @@ # ################################################################################ -PYTHON_DJANGO_VERSION = 4.0.2 +PYTHON_DJANGO_VERSION = 4.0.4 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz # The official Django site has an unpractical URL -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/61/84/676c840e8f1188a6c836e3224b97aa8be4c2e6857c690d6c564eb23a4975 +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/d2/95/93d1f75da95624bf89e373d079fa72debf77f9b10acc31998cc52a5ff3f9 PYTHON_DJANGO_LICENSE = BSD-3-Clause PYTHON_DJANGO_LICENSE_FILES = LICENSE
Fixes the following security issues: CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra() QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods. CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL QuerySet.explain() method was subject to SQL injection in option names, using a suitably crafted dictionary, with dictionary expansion, as the **options argument. For more details, see the advisory: https://www.djangoproject.com/weblog/2022/apr/11/security-releases/ Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/python-django/python-django.hash | 4 ++-- package/python-django/python-django.mk | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)