* [Buildroot] [PATCH] package/python-django: security bump to version 3.0.12
@ 2021-02-01 12:55 Peter Korsgaard
2021-02-02 15:34 ` Peter Korsgaard
2021-02-03 19:26 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-02-01 12:55 UTC (permalink / raw)
To: buildroot
Fixes the following security issues:
CVE-2021-3281: Potential directory-traversal via archive.extract()
The django.utils.archive.extract() function, used by startapp --template and
startproject --template, allowed directory-traversal via an archive with
absolute paths or relative paths with dot segments.
For details, see the advisory:
https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
Additionally, 3.0.11 fixed a regression:
https://docs.djangoproject.com/en/3.1/releases/3.0.11/
Update indentation in hash file (two spaces).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/python-django/python-django.hash | 6 +++---
package/python-django/python-django.mk | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 8aebe62161..53f718ea0a 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,5 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/django/json
-md5 deec48e8713727e443a7cee6b54baaeb Django-3.0.10.tar.gz
-sha256 2d14be521c3ae24960e5e83d4575e156a8c479a75c935224b671b1c6e66eddaf Django-3.0.10.tar.gz
+md5 55291777e25bd9e0a286c6f64751246a Django-3.0.12.tar.gz
+sha256 fd63e2c7acca5f2e7ad93dfb53d566e040d871404fc0f684a3e720006d221f9a Django-3.0.12.tar.gz
# Locally computed sha256 checksums
-sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
+sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 97bf75320d..512f2cd89c 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
#
################################################################################
-PYTHON_DJANGO_VERSION = 3.0.10
+PYTHON_DJANGO_VERSION = 3.0.12
PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
# The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/f4/09/d7c995b128bec61233cfea0e5fa40e442cae54c127b4b2b0881e1fdd0023
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/32/e3/e7e9a9378321fdfc3eb55de151911dce968fa245d1f16d8c480c63ea4ed1
PYTHON_DJANGO_LICENSE = BSD-3-Clause
PYTHON_DJANGO_LICENSE_FILES = LICENSE
PYTHON_DJANGO_SETUP_TYPE = setuptools
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/python-django: security bump to version 3.0.12
2021-02-01 12:55 [Buildroot] [PATCH] package/python-django: security bump to version 3.0.12 Peter Korsgaard
@ 2021-02-02 15:34 ` Peter Korsgaard
2021-02-03 19:26 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-02-02 15:34 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> CVE-2021-3281: Potential directory-traversal via archive.extract()
> The django.utils.archive.extract() function, used by startapp --template and
> startproject --template, allowed directory-traversal via an archive with
> absolute paths or relative paths with dot segments.
> For details, see the advisory:
> https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
> Additionally, 3.0.11 fixed a regression:
> https://docs.djangoproject.com/en/3.1/releases/3.0.11/
> Update indentation in hash file (two spaces).
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/python-django: security bump to version 3.0.12
2021-02-01 12:55 [Buildroot] [PATCH] package/python-django: security bump to version 3.0.12 Peter Korsgaard
2021-02-02 15:34 ` Peter Korsgaard
@ 2021-02-03 19:26 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-02-03 19:26 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> CVE-2021-3281: Potential directory-traversal via archive.extract()
> The django.utils.archive.extract() function, used by startapp --template and
> startproject --template, allowed directory-traversal via an archive with
> absolute paths or relative paths with dot segments.
> For details, see the advisory:
> https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
> Additionally, 3.0.11 fixed a regression:
> https://docs.djangoproject.com/en/3.1/releases/3.0.11/
> Update indentation in hash file (two spaces).
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2020.02.x and 2020.11.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-02-03 19:26 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-01 12:55 [Buildroot] [PATCH] package/python-django: security bump to version 3.0.12 Peter Korsgaard
2021-02-02 15:34 ` Peter Korsgaard
2021-02-03 19:26 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.