* [Buildroot] [PATCH 1/2] package/python-asgiref: bump version to 3.3.4
@ 2021-05-06 21:25 Peter Korsgaard
2021-05-06 21:25 ` [Buildroot] [PATCH 2/2] package/python-django: security bump to version 3.2.2 Peter Korsgaard
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-05-06 21:25 UTC (permalink / raw)
To: buildroot
Needed by django 3.2.x
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/python-asgiref/python-asgiref.hash | 4 ++--
package/python-asgiref/python-asgiref.mk | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/python-asgiref/python-asgiref.hash b/package/python-asgiref/python-asgiref.hash
index 782a13fe5c..c349ad5a44 100644
--- a/package/python-asgiref/python-asgiref.hash
+++ b/package/python-asgiref/python-asgiref.hash
@@ -1,5 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/asgiref/json
-md5 39218c10eee0bf66a3d893491d835e86 asgiref-3.2.3.tar.gz
-sha256 7e06d934a7718bf3975acbf87780ba678957b87c7adc056f13b6215d610695a0 asgiref-3.2.3.tar.gz
+md5 5afe03ecc39ae94950ff95e80166d945 asgiref-3.3.4.tar.gz
+sha256 d1216dfbdfb63826470995d31caed36225dcaf34f182e0fa257a4dd9e86f1b78 asgiref-3.3.4.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
diff --git a/package/python-asgiref/python-asgiref.mk b/package/python-asgiref/python-asgiref.mk
index b29903509e..0353f5d5a0 100644
--- a/package/python-asgiref/python-asgiref.mk
+++ b/package/python-asgiref/python-asgiref.mk
@@ -4,9 +4,9 @@
#
################################################################################
-PYTHON_ASGIREF_VERSION = 3.2.3
+PYTHON_ASGIREF_VERSION = 3.3.4
PYTHON_ASGIREF_SOURCE = asgiref-$(PYTHON_ASGIREF_VERSION).tar.gz
-PYTHON_ASGIREF_SITE = https://files.pythonhosted.org/packages/80/c4/83a01607f2d10024c172097126264c8e00c6a4827b35d631ece9625e6ba2
+PYTHON_ASGIREF_SITE = https://files.pythonhosted.org/packages/d8/3f/ef696a6d8254f182b1a089aeffb638d2eb83055e603146d3a40605c5b7da
PYTHON_ASGIREF_SETUP_TYPE = setuptools
PYTHON_ASGIREF_LICENSE = BSD-3-Clause
PYTHON_ASGIREF_LICENSE_FILES = LICENSE
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 2/2] package/python-django: security bump to version 3.2.2
2021-05-06 21:25 [Buildroot] [PATCH 1/2] package/python-asgiref: bump version to 3.3.4 Peter Korsgaard
@ 2021-05-06 21:25 ` Peter Korsgaard
2021-05-07 14:48 ` Peter Korsgaard
2021-05-08 14:34 ` Peter Korsgaard
2021-05-07 14:48 ` [Buildroot] [PATCH 1/2] package/python-asgiref: bump version to 3.3.4 Peter Korsgaard
2021-05-08 14:34 ` Peter Korsgaard
2 siblings, 2 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-05-06 21:25 UTC (permalink / raw)
To: buildroot
Django 3.0.x is EOL, so move to 3.2.x which is the new LTS release. For
details of the changes and update instructions, see the announcement:
https://www.djangoproject.com/weblog/2021/apr/06/django-32-released/
Fixes the following security issues:
- CVE-2021-30459 - SQL Injection via Select, Explain and Analyze forms of
the SQLPanel for Django Debug Toolbar >= 0.10.0
With Django Debug Toolbar 0.10.0 and above, attackers are able to execute
SQL by changing the raw_sql input of the SQL explain, analyze or select
forms and submitting the form. This is a high severity issue for anyone
using the toolbar in a production environment. Generally the Django Debug
Toolbar team only maintains the latest version of django-debug-toolbar,
but an exception was made because of the high severity of this issue.
The GitHub Security Advisory can be found here:
https://github.com/jazzband/django-debug-toolbar/security/advisories/GHSA-pghf-347x-c2gj
- CVE-2021-31542: Potential directory-traversal via uploaded files
MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal
via uploaded files with suitably crafted file names.
In order to mitigate this risk, stricter basename and path sanitation is
now applied. Specifically, empty file names and paths with dot segments
will be rejected.
This issue has low severity, according to the Django security policy.
- CVE-2021-32052: Header injection possibility since URLValidator accepted
newlines in input on Python 3.9.5+
On Python 3.9.5+, URLValidator didn't prohibit newlines and tabs. If you
used values with newlines in HTTP response, you could suffer from header
injection attacks. Django itself wasn't vulnerable because HttpResponse
prohibits newlines in HTTP headers.
Moreover, the URLField form field which uses URLValidator silently removes
newlines and tabs on Python 3.9.5+, so the possibility of newlines
entering your data only existed if you are using this validator outside of
the form fields.
This issue was introduced by the bpo-43882 fix.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/python-django/python-django.hash | 4 ++--
package/python-django/python-django.mk | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 1cc4b5ecc9..1c7d7b8841 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,5 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/django/json
-md5 f444fdd6ff8edec132991cbc343368d4 Django-3.0.14.tar.gz
-sha256 d58d8394036db75a81896037d757357e79406e8f68816c3e8a28721c1d9d4c11 Django-3.0.14.tar.gz
+md5 43784c090a8805605e3d0b768cd21cb2 Django-3.2.2.tar.gz
+sha256 0a1d195ad65c52bf275b8277b3d49680bd1137a5f55039a806f25f6b9752ce3d Django-3.2.2.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index cb8f5492d6..0e36a530a9 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
#
################################################################################
-PYTHON_DJANGO_VERSION = 3.0.14
+PYTHON_DJANGO_VERSION = 3.2.2
PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
# The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/76/0e/5d847a77b7b42cacd01405b45e4e370124c1d8a15970865df5ab0f09f83a
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/da/24/e2e6e534464f8e0bd010401f06d2cfc773141776d2952d6418d01c97f12c
PYTHON_DJANGO_LICENSE = BSD-3-Clause
PYTHON_DJANGO_LICENSE_FILES = LICENSE
PYTHON_DJANGO_CPE_ID_VENDOR = djangoproject
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 1/2] package/python-asgiref: bump version to 3.3.4
2021-05-06 21:25 [Buildroot] [PATCH 1/2] package/python-asgiref: bump version to 3.3.4 Peter Korsgaard
2021-05-06 21:25 ` [Buildroot] [PATCH 2/2] package/python-django: security bump to version 3.2.2 Peter Korsgaard
@ 2021-05-07 14:48 ` Peter Korsgaard
2021-05-08 14:34 ` Peter Korsgaard
2 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-05-07 14:48 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Needed by django 3.2.x
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 2/2] package/python-django: security bump to version 3.2.2
2021-05-06 21:25 ` [Buildroot] [PATCH 2/2] package/python-django: security bump to version 3.2.2 Peter Korsgaard
@ 2021-05-07 14:48 ` Peter Korsgaard
2021-05-08 14:34 ` Peter Korsgaard
1 sibling, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-05-07 14:48 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Django 3.0.x is EOL, so move to 3.2.x which is the new LTS release. For
> details of the changes and update instructions, see the announcement:
> https://www.djangoproject.com/weblog/2021/apr/06/django-32-released/
> Fixes the following security issues:
> - CVE-2021-30459 - SQL Injection via Select, Explain and Analyze forms of
> the SQLPanel for Django Debug Toolbar >= 0.10.0
> With Django Debug Toolbar 0.10.0 and above, attackers are able to execute
> SQL by changing the raw_sql input of the SQL explain, analyze or select
> forms and submitting the form. This is a high severity issue for anyone
> using the toolbar in a production environment. Generally the Django Debug
> Toolbar team only maintains the latest version of django-debug-toolbar,
> but an exception was made because of the high severity of this issue.
> The GitHub Security Advisory can be found here:
> https://github.com/jazzband/django-debug-toolbar/security/advisories/GHSA-pghf-347x-c2gj
> - CVE-2021-31542: Potential directory-traversal via uploaded files
> MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal
> via uploaded files with suitably crafted file names.
> In order to mitigate this risk, stricter basename and path sanitation is
> now applied. Specifically, empty file names and paths with dot segments
> will be rejected.
> This issue has low severity, according to the Django security policy.
> - CVE-2021-32052: Header injection possibility since URLValidator accepted
> newlines in input on Python 3.9.5+
> On Python 3.9.5+, URLValidator didn't prohibit newlines and tabs. If you
> used values with newlines in HTTP response, you could suffer from header
> injection attacks. Django itself wasn't vulnerable because HttpResponse
> prohibits newlines in HTTP headers.
> Moreover, the URLField form field which uses URLValidator silently removes
> newlines and tabs on Python 3.9.5+, so the possibility of newlines
> entering your data only existed if you are using this validator outside of
> the form fields.
> This issue was introduced by the bpo-43882 fix.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
Committed to 2021.02.x, thanks.
> ---
> package/python-django/python-django.hash | 4 ++--
> package/python-django/python-django.mk | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
> diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
> index 1cc4b5ecc9..1c7d7b8841 100644
> --- a/package/python-django/python-django.hash
> +++ b/package/python-django/python-django.hash
> @@ -1,5 +1,5 @@
> # md5, sha256 from https://pypi.org/pypi/django/json
> -md5 f444fdd6ff8edec132991cbc343368d4 Django-3.0.14.tar.gz
> -sha256 d58d8394036db75a81896037d757357e79406e8f68816c3e8a28721c1d9d4c11 Django-3.0.14.tar.gz
> +md5 43784c090a8805605e3d0b768cd21cb2 Django-3.2.2.tar.gz
> +sha256 0a1d195ad65c52bf275b8277b3d49680bd1137a5f55039a806f25f6b9752ce3d Django-3.2.2.tar.gz
> # Locally computed sha256 checksums
> sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
> diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
> index cb8f5492d6..0e36a530a9 100644
> --- a/package/python-django/python-django.mk
> +++ b/package/python-django/python-django.mk
> @@ -4,10 +4,10 @@
> #
> ################################################################################
> -PYTHON_DJANGO_VERSION = 3.0.14
> +PYTHON_DJANGO_VERSION = 3.2.2
> PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
> # The official Django site has an unpractical URL
> -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/76/0e/5d847a77b7b42cacd01405b45e4e370124c1d8a15970865df5ab0f09f83a
> +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/da/24/e2e6e534464f8e0bd010401f06d2cfc773141776d2952d6418d01c97f12c
> PYTHON_DJANGO_LICENSE = BSD-3-Clause
> PYTHON_DJANGO_LICENSE_FILES = LICENSE
> PYTHON_DJANGO_CPE_ID_VENDOR = djangoproject
> --
> 2.20.1
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 1/2] package/python-asgiref: bump version to 3.3.4
2021-05-06 21:25 [Buildroot] [PATCH 1/2] package/python-asgiref: bump version to 3.3.4 Peter Korsgaard
2021-05-06 21:25 ` [Buildroot] [PATCH 2/2] package/python-django: security bump to version 3.2.2 Peter Korsgaard
2021-05-07 14:48 ` [Buildroot] [PATCH 1/2] package/python-asgiref: bump version to 3.3.4 Peter Korsgaard
@ 2021-05-08 14:34 ` Peter Korsgaard
2 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-05-08 14:34 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Needed by django 3.2.x
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2021.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 2/2] package/python-django: security bump to version 3.2.2
2021-05-06 21:25 ` [Buildroot] [PATCH 2/2] package/python-django: security bump to version 3.2.2 Peter Korsgaard
2021-05-07 14:48 ` Peter Korsgaard
@ 2021-05-08 14:34 ` Peter Korsgaard
1 sibling, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-05-08 14:34 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Django 3.0.x is EOL, so move to 3.2.x which is the new LTS release. For
> details of the changes and update instructions, see the announcement:
> https://www.djangoproject.com/weblog/2021/apr/06/django-32-released/
> Fixes the following security issues:
> - CVE-2021-30459 - SQL Injection via Select, Explain and Analyze forms of
> the SQLPanel for Django Debug Toolbar >= 0.10.0
> With Django Debug Toolbar 0.10.0 and above, attackers are able to execute
> SQL by changing the raw_sql input of the SQL explain, analyze or select
> forms and submitting the form. This is a high severity issue for anyone
> using the toolbar in a production environment. Generally the Django Debug
> Toolbar team only maintains the latest version of django-debug-toolbar,
> but an exception was made because of the high severity of this issue.
> The GitHub Security Advisory can be found here:
> https://github.com/jazzband/django-debug-toolbar/security/advisories/GHSA-pghf-347x-c2gj
> - CVE-2021-31542: Potential directory-traversal via uploaded files
> MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal
> via uploaded files with suitably crafted file names.
> In order to mitigate this risk, stricter basename and path sanitation is
> now applied. Specifically, empty file names and paths with dot segments
> will be rejected.
> This issue has low severity, according to the Django security policy.
> - CVE-2021-32052: Header injection possibility since URLValidator accepted
> newlines in input on Python 3.9.5+
> On Python 3.9.5+, URLValidator didn't prohibit newlines and tabs. If you
> used values with newlines in HTTP response, you could suffer from header
> injection attacks. Django itself wasn't vulnerable because HttpResponse
> prohibits newlines in HTTP headers.
> Moreover, the URLField form field which uses URLValidator silently removes
> newlines and tabs on Python 3.9.5+, so the possibility of newlines
> entering your data only existed if you are using this validator outside of
> the form fields.
> This issue was introduced by the bpo-43882 fix.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2021.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-05-08 14:34 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-06 21:25 [Buildroot] [PATCH 1/2] package/python-asgiref: bump version to 3.3.4 Peter Korsgaard
2021-05-06 21:25 ` [Buildroot] [PATCH 2/2] package/python-django: security bump to version 3.2.2 Peter Korsgaard
2021-05-07 14:48 ` Peter Korsgaard
2021-05-08 14:34 ` Peter Korsgaard
2021-05-07 14:48 ` [Buildroot] [PATCH 1/2] package/python-asgiref: bump version to 3.3.4 Peter Korsgaard
2021-05-08 14:34 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.