
package/python-django: security bump to version 5.1.4

Message ID 20241214141430.3314872-1-peter@korsgaard.com
State Accepted
Series package/python-django: security bump to version 5.1.4

Commit Message

Peter Korsgaard Dec. 14, 2024, 2:14 p.m. UTC
Fixes the following security issues:

CVE-2024-53907: Potential denial-of-service in
django.utils.html.strip_tags()

The strip_tags() method and striptags template filter are subject to a
potential denial-of-service attack via certain inputs containing large
sequences of nested incomplete HTML entities.

CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle

Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle is
subject to SQL injection if untrusted data is used as a lhs value.
Applications that use the jsonfield.has_key lookup through the __ syntax are
unaffected.

https://www.djangoproject.com/weblog/2024/dec/04/security-releases/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/python-django/python-django.hash | 4 ++--
 package/python-django/python-django.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
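
A version bump like this one changes two files that must agree with each other and with the tarball Buildroot will actually fetch: the `.mk` gives the version, file name and site, and the `.hash` gives the digests. The check below is an added example, not Buildroot's own tooling or part of this patch; it reads the post-bump contents of the two files (constructed inline from the hunks on this page so that it runs offline), verifies that `PYTHON_DJANGO_SOURCE` expands to a file that has a well-formed sha256 entry, flags a stale entry for the previous tarball if one was left behind, and compares a downloaded sdist against the recorded digest. The function names and the `prefix` parameter are this example's own.

```python
import hashlib
import re

# Constructed inline from the post-bump state of the two files in this
# patch, so the check runs offline; in a real tree read them from
# package/python-django/python-django.mk and python-django.hash.
MK_TEXT = """\
PYTHON_DJANGO_VERSION = 5.1.4
PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/d3/e8/536555596dbb79f6e77418aeb40bdc1758c26725aba31919ba449e6d5e6a
PYTHON_DJANGO_LICENSE = BSD-3-Clause
PYTHON_DJANGO_LICENSE_FILES = LICENSE
"""

HASH_TEXT = """\
# md5, sha256 from https://pypi.org/pypi/django/json
md5  03ec3e0f2d6cbcb9eb11c629ca1c538b  Django-5.1.4.tar.gz
sha256  de450c09e91879fa5a307f696e57c851955c910a438a35e6b4c895e86bedc82a  Django-5.1.4.tar.gz
# Locally computed sha256 checksums
sha256  b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
"""

_ASSIGN = re.compile(r"^\s*([A-Z0-9_]+)\s*[:?]?=\s*(.*?)\s*$")
_REF = re.compile(r"\$\(([A-Z0-9_]+)\)")


def parse_mk(text):
    """Collect VAR = value lines from a .mk file and expand $(VAR) references."""
    raw = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            raw[m.group(1)] = m.group(2)

    def expand(value, depth=0):
        if depth > 10:  # guard against self-referential definitions
            return value
        return _REF.sub(lambda m: expand(raw.get(m.group(1), ""), depth + 1), value)

    return {k: expand(v) for k, v in raw.items()}


def parse_hash(text):
    """Return {filename: {algo: hexdigest}} from a Buildroot .hash file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        algo, digest, name = line.split(maxsplit=2)
        entries.setdefault(name, {})[algo] = digest.lower()
    return entries


def check_bump(mk_text, hash_text, prefix="PYTHON_DJANGO"):
    """Cross-check one package's .mk and .hash; return a list of problems (empty = consistent)."""
    mk = parse_mk(mk_text)
    hashes = parse_hash(hash_text)
    problems = []
    version = mk.get(f"{prefix}_VERSION", "")
    source = mk.get(f"{prefix}_SOURCE", "")
    site = mk.get(f"{prefix}_SITE", "")

    if not version or version not in source:
        problems.append(f"{prefix}_SOURCE {source!r} does not carry version {version!r}")
    if not site.startswith("https://"):
        problems.append(f"{prefix}_SITE is not fetched over https: {site!r}")

    entry = hashes.get(source)
    if entry is None:
        problems.append(f"no .hash entry for {source}")
    elif not re.fullmatch(r"[0-9a-f]{64}", entry.get("sha256", "")):
        problems.append(f"{source} has no well-formed sha256 entry (an md5 line alone is not enough)")

    # A bump that forgets to drop the previous tarball's lines leaves a stale,
    # still-accepted digest behind; flag any other versioned tarball of this project.
    stem = source.split("-")[0] if source else None
    for name in hashes:
        if stem and name.startswith(stem + "-") and name != source:
            problems.append(f"stale hash entry for {name}")
    return problems


def digest_matches(data, name, hash_text):
    """True if sha256(data) equals the sha256 the .hash file records for name."""
    expected = parse_hash(hash_text).get(name, {}).get("sha256")
    if expected is None:
        return False
    return hashlib.sha256(data).hexdigest() == expected


def verify_tarball(path, hash_text):
    """Verify a downloaded sdist on disk against the .hash file, keyed by its basename."""
    with open(path, "rb") as fh:
        data = fh.read()
    return digest_matches(data, path.rsplit("/", 1)[-1], hash_text)


if __name__ == "__main__":
    problems = check_bump(MK_TEXT, HASH_TEXT)
    for p in problems:
        print("PROBLEM:", p)
    print("consistent" if not problems else "inconsistent")
```

Run it against a tree with `verify_tarball("dl/python-django/Django-5.1.4.tar.gz", open("package/python-django/python-django.hash").read())` after the download step; a stale entry for the previous version is the mistake the `check_bump` loop exists to catch, because Buildroot would still accept the old tarball as valid.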

Comments

Julien Olivain Dec. 14, 2024, 6:55 p.m. UTC | #1
On 14/12/2024 15:14, Peter Korsgaard wrote:
> Fixes the following security issues:
> 
> CVE-2024-53907: Potential denial-of-service in
> django.utils.html.strip_tags()
> 
> The strip_tags() method and striptags template filter are subject to a
> potential denial-of-service attack via certain inputs containing large
> sequences of nested incomplete HTML entities.
> 
> CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle
> 
> Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle is
> subject to SQL injection if untrusted data is used as a lhs value.
> Applications that use the jsonfield.has_key lookup through the __ syntax are
> unaffected.
> 
> https://www.djangoproject.com/weblog/2024/dec/04/security-releases/
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Applied to master, thanks.

> ---
>  package/python-django/python-django.hash | 4 ++--
>  package/python-django/python-django.mk   | 4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/package/python-django/python-django.hash 
> b/package/python-django/python-django.hash
> index 656d9eee9a..53c4ceead3 100644
> --- a/package/python-django/python-django.hash
> +++ b/package/python-django/python-django.hash
> @@ -1,5 +1,5 @@
>  # md5, sha256 from https://pypi.org/pypi/django/json
> -md5  3f556d14e7999a9700a27a325efc0833  Django-5.1.3.tar.gz
> -sha256  
> c0fa0e619c39325a169208caef234f90baa925227032ad3f44842ba14d75234a  
> Django-5.1.3.tar.gz
> +md5  03ec3e0f2d6cbcb9eb11c629ca1c538b  Django-5.1.4.tar.gz
> +sha256  
> de450c09e91879fa5a307f696e57c851955c910a438a35e6b4c895e86bedc82a  
> Django-5.1.4.tar.gz
>  # Locally computed sha256 checksums
>  sha256  
> b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  
> LICENSE
> diff --git a/package/python-django/python-django.mk 
> b/package/python-django/python-django.mk
> index 6588acc31d..4facc6b6c4 100644
> --- a/package/python-django/python-django.mk
> +++ b/package/python-django/python-django.mk
> @@ -4,10 +4,10 @@
>  #
>  
> ################################################################################
> 
> -PYTHON_DJANGO_VERSION = 5.1.3
> +PYTHON_DJANGO_VERSION = 5.1.4
>  PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
>  # The official Django site has an unpractical URL
> -PYTHON_DJANGO_SITE = 
> https://files.pythonhosted.org/packages/c6/85/ba2c2b83ba8b95354f99ed8344405d9571109ce0175028876209d6b93fba
> +PYTHON_DJANGO_SITE = 
> https://files.pythonhosted.org/packages/d3/e8/536555596dbb79f6e77418aeb40bdc1758c26725aba31919ba449e6d5e6a
>  PYTHON_DJANGO_LICENSE = BSD-3-Clause
>  PYTHON_DJANGO_LICENSE_FILES = LICENSE
>  PYTHON_DJANGO_CPE_ID_VENDOR = djangoproject
> --
> 2.39.5
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
Peter Korsgaard Dec. 19, 2024, 8:29 a.m. UTC | #2
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issues:
 > CVE-2024-53907: Potential denial-of-service in
 > django.utils.html.strip_tags()

 > The strip_tags() method and striptags template filter are subject to a
 > potential denial-of-service attack via certain inputs containing large
 > sequences of nested incomplete HTML entities.

 > CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle

 > Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle is
 > subject to SQL injection if untrusted data is used as a lhs value.
 > Applications that use the jsonfield.has_key lookup through the __ syntax are
 > unaffected.

 > https://www.djangoproject.com/weblog/2024/dec/04/security-releases/

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2024.11.x, thanks.

For 2024.02.x I will instead bump to 5.0.10.

Patch

diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 656d9eee9a..53c4ceead3 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,5 +1,5 @@ 
 # md5, sha256 from https://pypi.org/pypi/django/json
-md5  3f556d14e7999a9700a27a325efc0833  Django-5.1.3.tar.gz
-sha256  c0fa0e619c39325a169208caef234f90baa925227032ad3f44842ba14d75234a  Django-5.1.3.tar.gz
+md5  03ec3e0f2d6cbcb9eb11c629ca1c538b  Django-5.1.4.tar.gz
+sha256  de450c09e91879fa5a307f696e57c851955c910a438a35e6b4c895e86bedc82a  Django-5.1.4.tar.gz
 # Locally computed sha256 checksums
 sha256  b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
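Review bot: The new digest on the `+sha256  de450c09e9...  Django-5.1.4.tar.gz` line is taken from PyPI's JSON metadata, as the header comment says, so it only attests that the tarball matches what PyPI serves; the commit message should say whether it was cross-checked against the signed checksum file Django publishes for each release, which the linked release announcement points to. The `+md5 ...` line adds no integrity beyond the sha256 and is kept purely for the convention the header comment documents. The unchanged LICENSE digest in the trailing context shows the license text did not change between 5.1.3 and 5.1.4, which is the reason PYTHON_DJANGO_LICENSE needs no update in the .mk hunk.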
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 6588acc31d..4facc6b6c4 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@ 
 #
 ################################################################################
 
-PYTHON_DJANGO_VERSION = 5.1.3
+PYTHON_DJANGO_VERSION = 5.1.4
 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
 # The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/c6/85/ba2c2b83ba8b95354f99ed8344405d9571109ce0175028876209d6b93fba
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/d3/e8/536555596dbb79f6e77418aeb40bdc1758c26725aba31919ba449e6d5e6a
 PYTHON_DJANGO_LICENSE = BSD-3-Clause
 PYTHON_DJANGO_LICENSE_FILES = LICENSE
 PYTHON_DJANGO_CPE_ID_VENDOR = djangoproject
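Review bot: The `+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/d3/e8/...` line has to be re-derived by hand on every bump because the path component is per-upload and is not derivable from the version, which is where a copy-paste slip would go unnoticed until the download fails. PyPI also serves sdists under the stable layout `https://files.pythonhosted.org/packages/source/D/Django/`, so pointing PYTHON_DJANGO_SITE there and keeping the existing `PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz` would let future bumps touch only the version line (verify the redirect and the resulting .hash match before switching). The unchanged comment `# The official Django site has an unpractical URL` should read `impractical`; a drive-by fix belongs in a separate patch. With the version line bumped and PYTHON_DJANGO_CPE_ID_VENDOR already set, the CPE-based CVE check will treat CVE-2024-53907 and CVE-2024-53908 as addressed, so nothing further is needed in this file for that.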