* [Buildroot] [PATCH] package/python-django: security bump to version 3.2.10
@ 2021-12-15 17:08 Peter Korsgaard
2021-12-16 19:08 ` Arnout Vandecappelle
0 siblings, 1 reply; 2+ messages in thread
From: Peter Korsgaard @ 2021-12-15 17:08 UTC (permalink / raw)
To: buildroot; +Cc: Oli Vogt, Asaf Kahlon
Fixes the following security issues:
- CVE-2021-44420: Potential bypass of an upstream access control based on
URL paths
HTTP requests for URLs with trailing newlines could bypass an upstream
access control based on URL paths.
This issue has low severity, according to the Django security policy.
https://www.djangoproject.com/weblog/2021/dec/07/security-releases/
In addition, 3.2.8 / 3.2.9 fixes a number of bugs.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/python-django/python-django.hash | 4 ++--
package/python-django/python-django.mk | 5 +++--
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index ab89f0341c..3eea17e70f 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,5 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/django/json
-md5 2ade1eecca77640abbde6c4589da27dd Django-3.2.7.tar.gz
-sha256 95b318319d6997bac3595517101ad9cc83fe5672ac498ba48d1a410f47afecd2 Django-3.2.7.tar.gz
+md5 eaf0c3b4ac6b22cae9068360e6fd2d1b Django-3.2.10.tar.gz
+sha256 074e8818b4b40acdc2369e67dcd6555d558329785408dcd25340ee98f1f1d5c4 Django-3.2.10.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 0850aa1358..4f80208f0e 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,11 @@
#
################################################################################
-PYTHON_DJANGO_VERSION = 3.2.7
+PYTHON_DJANGO_VERSION = 3.2.10
PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
# The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/59/45/c6fbb3a206df0b7dc3e6e8fae738e042c63d4ddf828c6e1ba10d7417a1d9
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/a5/8e/c6dfc718d572e4b33b56824b9e71e5ab9be8072e6747fc6184d206c3fdb3
+
PYTHON_DJANGO_LICENSE = BSD-3-Clause
PYTHON_DJANGO_LICENSE_FILES = LICENSE
PYTHON_DJANGO_CPE_ID_VENDOR = djangoproject
--
2.20.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [Buildroot] [PATCH] package/python-django: security bump to version 3.2.10
2021-12-15 17:08 [Buildroot] [PATCH] package/python-django: security bump to version 3.2.10 Peter Korsgaard
@ 2021-12-16 19:08 ` Arnout Vandecappelle
0 siblings, 0 replies; 2+ messages in thread
From: Arnout Vandecappelle @ 2021-12-16 19:08 UTC (permalink / raw)
To: Peter Korsgaard, buildroot; +Cc: Oli Vogt, Asaf Kahlon
On 15/12/2021 18:08, Peter Korsgaard wrote:
> Fixes the following security issues:
>
> - CVE-2021-44420: Potential bypass of an upstream access control based on
> URL paths
>
> HTTP requests for URLs with trailing newlines could bypass an upstream
> access control based on URL paths.
>
> This issue has low severity, according to the Django security policy.
>
> https://www.djangoproject.com/weblog/2021/dec/07/security-releases/
>
> In addition, 3.2.8 / 3.2.9 fixes a number of bugs.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
Regards,
Arnout
> ---
> package/python-django/python-django.hash | 4 ++--
> package/python-django/python-django.mk | 5 +++--
> 2 files changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
> index ab89f0341c..3eea17e70f 100644
> --- a/package/python-django/python-django.hash
> +++ b/package/python-django/python-django.hash
> @@ -1,5 +1,5 @@
> # md5, sha256 from https://pypi.org/pypi/django/json
> -md5 2ade1eecca77640abbde6c4589da27dd Django-3.2.7.tar.gz
> -sha256 95b318319d6997bac3595517101ad9cc83fe5672ac498ba48d1a410f47afecd2 Django-3.2.7.tar.gz
> +md5 eaf0c3b4ac6b22cae9068360e6fd2d1b Django-3.2.10.tar.gz
> +sha256 074e8818b4b40acdc2369e67dcd6555d558329785408dcd25340ee98f1f1d5c4 Django-3.2.10.tar.gz
> # Locally computed sha256 checksums
> sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
> diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
> index 0850aa1358..4f80208f0e 100644
> --- a/package/python-django/python-django.mk
> +++ b/package/python-django/python-django.mk
> @@ -4,10 +4,11 @@
> #
> ################################################################################
>
> -PYTHON_DJANGO_VERSION = 3.2.7
> +PYTHON_DJANGO_VERSION = 3.2.10
> PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
> # The official Django site has an unpractical URL
> -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/59/45/c6fbb3a206df0b7dc3e6e8fae738e042c63d4ddf828c6e1ba10d7417a1d9
> +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/a5/8e/c6dfc718d572e4b33b56824b9e71e5ab9be8072e6747fc6184d206c3fdb3
> +
> PYTHON_DJANGO_LICENSE = BSD-3-Clause
> PYTHON_DJANGO_LICENSE_FILES = LICENSE
> PYTHON_DJANGO_CPE_ID_VENDOR = djangoproject
>
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-12-16 19:09 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-15 17:08 [Buildroot] [PATCH] package/python-django: security bump to version 3.2.10 Peter Korsgaard
2021-12-16 19:08 ` Arnout Vandecappelle
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.