[meta-python] python3-django: upgrade 4.2.11 -> 4.2.16

Message ID	20240913092014.1730695-1-fathi.boudra@linaro.org
State	Accepted
Headers	show Return-Path: <fathi.boudra@linaro.org> ip: 209.85.221.53, mailfrom: fathi.boudra@linaro.org) From: Fathi Boudra <fathi.boudra@linaro.org> To: openembedded-devel@lists.openembedded.org Cc: Fathi Boudra <fathi.boudra@linaro.org> Subject: [meta-python][PATCH] python3-django: upgrade 4.2.11 -> 4.2.16 Date: Fri, 13 Sep 2024 11:20:14 +0200 Message-ID: <20240913092014.1730695-1-fathi.boudra@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-python] python3-django: upgrade 4.2.11 -> 4.2.16 \| expand [meta-python] python3-django: upgrade 4.2.11 -> 4.2.16

Message ID

20240913092014.1730695-1-fathi.boudra@linaro.org

State

Accepted

Headers

From: Fathi Boudra <fathi.boudra@linaro.org>
To: openembedded-devel@lists.openembedded.org
Cc: Fathi Boudra <fathi.boudra@linaro.org>
Subject: [meta-python][PATCH] python3-django: upgrade 4.2.11 -> 4.2.16
Date: Fri, 13 Sep 2024 11:20:14 +0200
Message-ID: <20240913092014.1730695-1-fathi.boudra@linaro.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[meta-python] python3-django: upgrade 4.2.11 -> 4.2.16 | expand

Commit Message

Fathi Boudra Sept. 13, 2024, 9:20 a.m. UTC

CVE-2024-45230: Potential denial-of-service vulnerability in
django.utils.html.urlize()
urlize and urlizetrunc were subject to a potential denial-of-service attack
via very large inputs with a specific sequence of characters.

CVE-2024-45231: Potential user email enumeration via response status on
password reset
Due to unhandled email sending failures, the
django.contrib.auth.forms.PasswordResetForm class allowed remote attackers to
enumerate user emails by issuing password reset requests and observing the
outcomes.
To mitigate this risk, exceptions occurring during password reset email
sending are now handled and logged using the django.contrib.auth logger.

CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat()
The floatformat template filter is subject to significant memory consumption
when given a string representation of a number in scientific notation with
a large exponent.

CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize()
The urlize() and urlizetrunc() template filters are subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-41991: Potential denial-of-service vulnerability in
django.utils.html.urlize() and AdminURLFieldWidget
The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget,
are subject to a potential denial-of-service attack via certain inputs with
a very large number of Unicode characters.

CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()
QuerySet.values() and values_list() methods on models with a JSONField are
subject to SQL injection in column aliases via a crafted JSON object key as
a passed *arg.

CVE-2024-38875: Potential denial-of-service in django.utils.html.urlize()
urlize() and urlizetrunc() were subject to a potential denial-of-service
attack via certain inputs with a very large number of brackets.

CVE-2024-39329: Username enumeration through timing difference for users with
unusable passwords
The django.contrib.auth.backends.ModelBackend.authenticate() method allowed
remote attackers to enumerate users via a timing attack involving login
requests for users with unusable passwords.

CVE-2024-39330: Potential directory-traversal in
django.core.files.storage.Storage.save()
Derived classes of the django.core.files.storage.Storage base class which
override generate_filename() without replicating the file path validations
existing in the parent class, allowed for potential directory-traversal via
certain inputs when calling save().
Built-in Storage sub-classes were not affected by this vulnerability.

CVE-2024-39614: Potential denial-of-service in
django.utils.translation.get_supported_language_variant()
get_supported_language_variant() was subject to a potential denial-of-service
attack when used with very long strings containing specific characters.
To mitigate this vulnerability, the language code provided to
get_supported_language_variant() is now parsed up to a maximum length of
500 characters.

Fixed a crash in Django 4.2 when validating email max line lengths with content
decoded using the surrogateescape error handling scheme (#35361)

Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org>
---
 .../{python3-django_4.2.11.bb => python3-django_4.2.16.bb}    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-python/recipes-devtools/python/{python3-django_4.2.11.bb => python3-django_4.2.16.bb} (63%)

diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.11.bb b/meta-python/recipes-devtools/python/python3-django_4.2.16.bb
similarity index 63%
rename from meta-python/recipes-devtools/python/python3-django_4.2.11.bb
rename to meta-python/recipes-devtools/python/python3-django_4.2.16.bb
index 0642b7e7c..9254e8b00 100644
--- a/meta-python/recipes-devtools/python/python3-django_4.2.11.bb
+++ b/meta-python/recipes-devtools/python/python3-django_4.2.16.bb
@@ -1,7 +1,7 @@ 
 require python-django.inc
 inherit setuptools3
 
-SRC_URI[sha256sum] = "6e6ff3db2d8dd0c986b4eec8554c8e4f919b5c1ff62a5b4390c17aff2ed6e5c4"
+SRC_URI[sha256sum] = "6f1616c2786c408ce86ab7e10f792b8f15742f7b7b7460243929cb371e7f1dad"
 
 RDEPENDS:${PN} += "\
     python3-sqlparse \
@@ -10,5 +10,5 @@  RDEPENDS:${PN} += "\
 
 # Set DEFAULT_PREFERENCE so that the LTS version of django is built by
 # default. To build the 4.x branch, 
-# PREFERRED_VERSION_python3-django = "4.2.11" can be added to local.conf
+# PREFERRED_VERSION_python3-django = "4.2.16" can be added to local.conf
 DEFAULT_PREFERENCE = "-1"

[meta-python] python3-django: upgrade 4.2.11 -> 4.2.16

Commit Message

Patch