Message ID | 20241214141430.3314872-1-peter@korsgaard.com |
---|---|
State | Accepted |
Headers | show |
Series | package/python-django: security bump to version 5.1.4 | expand |
On 14/12/2024 15:14, Peter Korsgaard wrote: > Fixes the following security issues: > > CVE-2024-53907: Potential denial-of-service in > django.utils.html.strip_tags() > > The strip_tags() method and striptags template filter are subject to a > potential denial-of-service attack via certain inputs containing large > sequences of nested incomplete HTML entities. > > CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle > > Direct usage of the django.db.models.fields.json.HasKey lookup on > Oracle is > subject to SQL injection if untrusted data is used as a lhs value. > Applications that use the jsonfield.has_key lookup through the __ > syntax are > unaffected. > > https://www.djangoproject.com/weblog/2024/dec/04/security-releases/ > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Applied to master, thanks. > --- > package/python-django/python-django.hash | 4 ++-- > package/python-django/python-django.mk | 4 ++-- > 2 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/package/python-django/python-django.hash > b/package/python-django/python-django.hash > index 656d9eee9a..53c4ceead3 100644 > --- a/package/python-django/python-django.hash > +++ b/package/python-django/python-django.hash > @@ -1,5 +1,5 @@ > # md5, sha256 from https://pypi.org/pypi/django/json > -md5 3f556d14e7999a9700a27a325efc0833 Django-5.1.3.tar.gz > -sha256 > c0fa0e619c39325a169208caef234f90baa925227032ad3f44842ba14d75234a > Django-5.1.3.tar.gz > +md5 03ec3e0f2d6cbcb9eb11c629ca1c538b Django-5.1.4.tar.gz > +sha256 > de450c09e91879fa5a307f696e57c851955c910a438a35e6b4c895e86bedc82a > Django-5.1.4.tar.gz > # Locally computed sha256 checksums > sha256 > b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 > LICENSE > diff --git a/package/python-django/python-django.mk > b/package/python-django/python-django.mk > index 6588acc31d..4facc6b6c4 100644 > --- a/package/python-django/python-django.mk > +++ b/package/python-django/python-django.mk > @@ -4,10 +4,10 @@ > # > > ################################################################################ > > -PYTHON_DJANGO_VERSION = 5.1.3 > +PYTHON_DJANGO_VERSION = 5.1.4 > PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz > # The official Django site has an unpractical URL > -PYTHON_DJANGO_SITE = > https://files.pythonhosted.org/packages/c6/85/ba2c2b83ba8b95354f99ed8344405d9571109ce0175028876209d6b93fba > +PYTHON_DJANGO_SITE = > https://files.pythonhosted.org/packages/d3/e8/536555596dbb79f6e77418aeb40bdc1758c26725aba31919ba449e6d5e6a > PYTHON_DJANGO_LICENSE = BSD-3-Clause > PYTHON_DJANGO_LICENSE_FILES = LICENSE > PYTHON_DJANGO_CPE_ID_VENDOR = djangoproject > -- > 2.39.5 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > Fixes the following security issues: > CVE-2024-53907: Potential denial-of-service in > django.utils.html.strip_tags() > The strip_tags() method and striptags template filter are subject to a > potential denial-of-service attack via certain inputs containing large > sequences of nested incomplete HTML entities. > CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle > Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle is > subject to SQL injection if untrusted data is used as a lhs value. > Applications that use the jsonfield.has_key lookup through the __ syntax are > unaffected. > https://www.djangoproject.com/weblog/2024/dec/04/security-releases/ > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2024.11.x, thanks. For 2024.02.x I will instead bump to 5.0.10.
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash index 656d9eee9a..53c4ceead3 100644 --- a/package/python-django/python-django.hash +++ b/package/python-django/python-django.hash @@ -1,5 +1,5 @@ # md5, sha256 from https://pypi.org/pypi/django/json -md5 3f556d14e7999a9700a27a325efc0833 Django-5.1.3.tar.gz -sha256 c0fa0e619c39325a169208caef234f90baa925227032ad3f44842ba14d75234a Django-5.1.3.tar.gz +md5 03ec3e0f2d6cbcb9eb11c629ca1c538b Django-5.1.4.tar.gz +sha256 de450c09e91879fa5a307f696e57c851955c910a438a35e6b4c895e86bedc82a Django-5.1.4.tar.gz # Locally computed sha256 checksums sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk index 6588acc31d..4facc6b6c4 100644 --- a/package/python-django/python-django.mk +++ b/package/python-django/python-django.mk @@ -4,10 +4,10 @@ # ################################################################################ -PYTHON_DJANGO_VERSION = 5.1.3 +PYTHON_DJANGO_VERSION = 5.1.4 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz # The official Django site has an unpractical URL -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/c6/85/ba2c2b83ba8b95354f99ed8344405d9571109ce0175028876209d6b93fba +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/d3/e8/536555596dbb79f6e77418aeb40bdc1758c26725aba31919ba449e6d5e6a PYTHON_DJANGO_LICENSE = BSD-3-Clause PYTHON_DJANGO_LICENSE_FILES = LICENSE PYTHON_DJANGO_CPE_ID_VENDOR = djangoproject
Fixes the following security issues: CVE-2024-53907: Potential denial-of-service in django.utils.html.strip_tags() The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle is subject to SQL injection if untrusted data is used as a lhs value. Applications that use the jsonfield.has_key lookup through the __ syntax are unaffected. https://www.djangoproject.com/weblog/2024/dec/04/security-releases/ Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/python-django/python-django.hash | 4 ++-- package/python-django/python-django.mk | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)