* [Buildroot] [PATCH] package/python-django: security bump to version 2.1.7
@ 2019-02-15 13:32 Peter Korsgaard
  2019-02-15 20:48 ` Thomas Petazzoni
  2019-02-21 15:21 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-02-15 13:32 UTC (permalink / raw)
  To: buildroot

Fixes the following security issues:

CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

If django.utils.numberformat.format() - used by contrib.admin as well as the
floatformat, filesizeformat, and intcomma template filters - received a
Decimal with a large number of digits or a large exponent, it could lead to
significant memory usage due to a call to '{:f}'.format().

To avoid this, decimals with more than 200 digits are now formatted using
scientific notation.

https://docs.djangoproject.com/en/2.1/releases/2.1.6/

2.1.6 contained a packaging error, fixed by 2.1.7:

https://docs.djangoproject.com/en/2.1/releases/2.1.7/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/python-django/python-django.hash | 4 ++--
 package/python-django/python-django.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 4b932ac907..93ca1080c5 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/django/json
-md5	9309c48c8b92503b8969a7603a97e2a1  Django-2.1.5.tar.gz
-sha256	d6393918da830530a9516bbbcbf7f1214c3d733738779f06b0f649f49cc698c3  Django-2.1.5.tar.gz
+md5	a042e6ba117d2e01950d842cceb5eee0  Django-2.1.7.tar.gz
+sha256	939652e9d34d7d53d74d5d8ef82a19e5f8bb2de75618f7e5360691b6e9667963  Django-2.1.7.tar.gz
 # Locally computed sha256 checksums
 sha256	b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
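Review bot: the new md5 entry for Django-2.1.7.tar.gz adds nothing over the sha256 entry next to it, and md5 is not collision resistant, so the sha256 line is the one doing the integrity work; consider dropping the md5 line. Per the header comment both values are copied from the PyPI JSON, the same origin that serves the tarball, so they catch a corrupted or substituted download but are not an independent check of the release. The LICENSE hash is left as unchanged context, which is correct only if LICENSE is byte-identical between 2.1.5 and 2.1.7; worth stating in the commit message that this was checked.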
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 53e8f20e87..5922a6c07c 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
 #
 ################################################################################
 
-PYTHON_DJANGO_VERSION = 2.1.5
+PYTHON_DJANGO_VERSION = 2.1.7
 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
 # The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/5c/7f/4c750e09b246621e5e90fa08f93dec1b991f5c203b0ff615d62a891c8f41
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/7e/ae/29c28f6afddae0e305326078f31372f03d7f2e6d6210c9963843196ce67e
 PYTHON_DJANGO_LICENSE = BSD-3-Clause
 PYTHON_DJANGO_LICENSE_FILES = LICENSE
 PYTHON_DJANGO_SETUP_TYPE = setuptools
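Review bot: PYTHON_DJANGO_SITE embeds an opaque per-release path on files.pythonhosted.org that has to change in lockstep with PYTHON_DJANGO_VERSION, and the comment above it only says the official URL is "unpractical" without saying where the replacement path comes from. Extend that comment to name the source of the path, for instance the PyPI JSON already cited in python-django.hash, so the next security bump does not leave a stale path behind. A mismatch would show up as a download or hash failure rather than a silent wrong version, because the hash file pins Django-2.1.7.tar.gz.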
-- 
2.11.0


* [Buildroot] [PATCH] package/python-django: security bump to version 2.1.7
  2019-02-15 13:32 [Buildroot] [PATCH] package/python-django: security bump to version 2.1.7 Peter Korsgaard
@ 2019-02-15 20:48 ` Thomas Petazzoni
  2019-02-21 15:21 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2019-02-15 20:48 UTC (permalink / raw)
  To: buildroot

On Fri, 15 Feb 2019 14:32:01 +0100
Peter Korsgaard <peter@korsgaard.com> wrote:

> Fixes the following security issues:
> 
> CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
> 
> If django.utils.numberformat.format() - used by contrib.admin as well as the
> floatformat, filesizeformat, and intcomma template filters - received a
> Decimal with a large number of digits or a large exponent, it could lead to
> significant memory usage due to a call to '{:f}'.format().
> 
> To avoid this, decimals with more than 200 digits are now formatted using
> scientific notation.
> 
> https://docs.djangoproject.com/en/2.1/releases/2.1.6/
> 
> 2.1.6 contained a packaging error, fixed by 2.1.7:
> 
> https://docs.djangoproject.com/en/2.1/releases/2.1.7/
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  package/python-django/python-django.hash | 4 ++--
>  package/python-django/python-django.mk   | 4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH] package/python-django: security bump to version 2.1.7
  2019-02-15 13:32 [Buildroot] [PATCH] package/python-django: security bump to version 2.1.7 Peter Korsgaard
  2019-02-15 20:48 ` Thomas Petazzoni
@ 2019-02-21 15:21 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-02-21 15:21 UTC (permalink / raw)
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issues:
 > CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

 > If django.utils.numberformat.format() - used by contrib.admin as well as the
 > floatformat, filesizeformat, and intcomma template filters - received a
 > Decimal with a large number of digits or a large exponent, it could lead to
 > significant memory usage due to a call to '{:f}'.format().

 > To avoid this, decimals with more than 200 digits are now formatted using
 > scientific notation.

 > https://docs.djangoproject.com/en/2.1/releases/2.1.6/

 > 2.1.6 contained a packaging error, fixed by 2.1.7:

 > https://docs.djangoproject.com/en/2.1/releases/2.1.7/

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2018.11.x, thanks.

For 2018.02.x I will instead use 1.11.20:

https://docs.djangoproject.com/en/2.1/releases/1.11.20/

-- 
Bye, Peter Korsgaard
