* [Buildroot] [PATCH] package/python-django: security bump to version 2.1.7
@ 2019-02-15 13:32 Peter Korsgaard
2019-02-15 20:48 ` Thomas Petazzoni
2019-02-21 15:21 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-02-15 13:32 UTC (permalink / raw)
To: buildroot
Fixes the following security issues:
CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
If django.utils.numberformat.format() ? used by contrib.admin as well as the
the floatformat, filesizeformat, and intcomma templates filters ? received a
Decimal with a large number of digits or a large exponent, it could lead to
significant memory usage due to a call to '{:f}'.format().
To avoid this, decimals with more than 200 digits are now formatted using
scientific notation.
https://docs.djangoproject.com/en/2.1/releases/2.1.6/
2.1.6 contained a packaging error, fixed by 2.1.7:
https://docs.djangoproject.com/en/2.1/releases/2.1.7/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/python-django/python-django.hash | 4 ++--
package/python-django/python-django.mk | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 4b932ac907..93ca1080c5 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,5 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/django/json
-md5 9309c48c8b92503b8969a7603a97e2a1 Django-2.1.5.tar.gz
-sha256 d6393918da830530a9516bbbcbf7f1214c3d733738779f06b0f649f49cc698c3 Django-2.1.5.tar.gz
+md5 a042e6ba117d2e01950d842cceb5eee0 Django-2.1.7.tar.gz
+sha256 939652e9d34d7d53d74d5d8ef82a19e5f8bb2de75618f7e5360691b6e9667963 Django-2.1.7.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 53e8f20e87..5922a6c07c 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
#
################################################################################
-PYTHON_DJANGO_VERSION = 2.1.5
+PYTHON_DJANGO_VERSION = 2.1.7
PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
# The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/5c/7f/4c750e09b246621e5e90fa08f93dec1b991f5c203b0ff615d62a891c8f41
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/7e/ae/29c28f6afddae0e305326078f31372f03d7f2e6d6210c9963843196ce67e
PYTHON_DJANGO_LICENSE = BSD-3-Clause
PYTHON_DJANGO_LICENSE_FILES = LICENSE
PYTHON_DJANGO_SETUP_TYPE = setuptools
--
2.11.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/python-django: security bump to version 2.1.7
2019-02-15 13:32 [Buildroot] [PATCH] package/python-django: security bump to version 2.1.7 Peter Korsgaard
@ 2019-02-15 20:48 ` Thomas Petazzoni
2019-02-21 15:21 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2019-02-15 20:48 UTC (permalink / raw)
To: buildroot
On Fri, 15 Feb 2019 14:32:01 +0100
Peter Korsgaard <peter@korsgaard.com> wrote:
> Fixes the following security issues:
>
> CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
>
> If django.utils.numberformat.format() ? used by contrib.admin as well as the
> the floatformat, filesizeformat, and intcomma templates filters ? received a
> Decimal with a large number of digits or a large exponent, it could lead to
> significant memory usage due to a call to '{:f}'.format().
>
> To avoid this, decimals with more than 200 digits are now formatted using
> scientific notation.
>
> https://docs.djangoproject.com/en/2.1/releases/2.1.6/
>
> 2.1.6 contained a packaging error, fixed by 2.1.7:
>
> https://docs.djangoproject.com/en/2.1/releases/2.1.7/
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> package/python-django/python-django.hash | 4 ++--
> package/python-django/python-django.mk | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/python-django: security bump to version 2.1.7
2019-02-15 13:32 [Buildroot] [PATCH] package/python-django: security bump to version 2.1.7 Peter Korsgaard
2019-02-15 20:48 ` Thomas Petazzoni
@ 2019-02-21 15:21 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-02-21 15:21 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
> If django.utils.numberformat.format() ? used by contrib.admin as well as the
> the floatformat, filesizeformat, and intcomma templates filters ? received a
> Decimal with a large number of digits or a large exponent, it could lead to
> significant memory usage due to a call to '{:f}'.format().
> To avoid this, decimals with more than 200 digits are now formatted using
> scientific notation.
> https://docs.djangoproject.com/en/2.1/releases/2.1.6/
> 2.1.6 contained a packaging error, fixed by 2.1.7:
> https://docs.djangoproject.com/en/2.1/releases/2.1.7/
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2018.11.x, thanks.
For 2018.02.x I will instead use 1.11.20:
https://docs.djangoproject.com/en/2.1/releases/1.11.20/
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-02-21 15:21 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-02-15 13:32 [Buildroot] [PATCH] package/python-django: security bump to version 2.1.7 Peter Korsgaard
2019-02-15 20:48 ` Thomas Petazzoni
2019-02-21 15:21 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.