* [Buildroot] [PATCH] package/python-django: security bump to version 3.0.10
@ 2020-09-01 14:22 Peter Korsgaard
2020-09-01 18:14 ` Peter Korsgaard
2020-09-05 7:41 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2020-09-01 14:22 UTC (permalink / raw)
To: buildroot
Fixes the following security issues:
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to
intermediate-level directories created in the process of uploading files and
to intermediate-level collected static directories when using the
collectstatic management command.
You should review and manually fix permissions on existing
intermediate-level directories.
CVE-2020-24584: Permission escalation in intermediate-level directories of
the file system cache on Python 3.7+
On Python 3.7+, the intermediate-level directories of the file system cache
had the system?s standard umask rather than 0o077 (no group or others
permissions).
https://docs.djangoproject.com/en/dev/releases/3.0.10/
In addition, 3.0.8..10 contains a number of bugfixes.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/python-django/python-django.hash | 4 ++--
package/python-django/python-django.mk | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 9690401043..8aebe62161 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,5 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/django/json
-md5 c3ac98d5503c671d316cf78ded3c9809 Django-3.0.7.tar.gz
-sha256 5052b34b34b3425233c682e0e11d658fd6efd587d11335a0203d827224ada8f2 Django-3.0.7.tar.gz
+md5 deec48e8713727e443a7cee6b54baaeb Django-3.0.10.tar.gz
+sha256 2d14be521c3ae24960e5e83d4575e156a8c479a75c935224b671b1c6e66eddaf Django-3.0.10.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index d76f6101e9..97bf75320d 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
#
################################################################################
-PYTHON_DJANGO_VERSION = 3.0.7
+PYTHON_DJANGO_VERSION = 3.0.10
PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
# The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/74/ad/8a1bc5e0f8b740792c99c7bef5ecc043018e2b605a2fe1e2513fde586b72
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/f4/09/d7c995b128bec61233cfea0e5fa40e442cae54c127b4b2b0881e1fdd0023
PYTHON_DJANGO_LICENSE = BSD-3-Clause
PYTHON_DJANGO_LICENSE_FILES = LICENSE
PYTHON_DJANGO_SETUP_TYPE = setuptools
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/python-django: security bump to version 3.0.10
2020-09-01 14:22 [Buildroot] [PATCH] package/python-django: security bump to version 3.0.10 Peter Korsgaard
@ 2020-09-01 18:14 ` Peter Korsgaard
2020-09-05 7:41 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2020-09-01 18:14 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
> On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to
> intermediate-level directories created in the process of uploading files and
> to intermediate-level collected static directories when using the
> collectstatic management command.
> You should review and manually fix permissions on existing
> intermediate-level directories.
> CVE-2020-24584: Permission escalation in intermediate-level directories of
> the file system cache on Python 3.7+
> On Python 3.7+, the intermediate-level directories of the file system cache
> had the system?s standard umask rather than 0o077 (no group or others
> permissions).
> https://docs.djangoproject.com/en/dev/releases/3.0.10/
> In addition, 3.0.8..10 contains a number of bugfixes.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/python-django: security bump to version 3.0.10
2020-09-01 14:22 [Buildroot] [PATCH] package/python-django: security bump to version 3.0.10 Peter Korsgaard
2020-09-01 18:14 ` Peter Korsgaard
@ 2020-09-05 7:41 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2020-09-05 7:41 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
> On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to
> intermediate-level directories created in the process of uploading files and
> to intermediate-level collected static directories when using the
> collectstatic management command.
> You should review and manually fix permissions on existing
> intermediate-level directories.
> CVE-2020-24584: Permission escalation in intermediate-level directories of
> the file system cache on Python 3.7+
> On Python 3.7+, the intermediate-level directories of the file system cache
> had the system?s standard umask rather than 0o077 (no group or others
> permissions).
> https://docs.djangoproject.com/en/dev/releases/3.0.10/
> In addition, 3.0.8..10 contains a number of bugfixes.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2020.02.x and 2020.05.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-09-05 7:41 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-01 14:22 [Buildroot] [PATCH] package/python-django: security bump to version 3.0.10 Peter Korsgaard
2020-09-01 18:14 ` Peter Korsgaard
2020-09-05 7:41 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.