[meta-python,scarthgap,01/10] python3-django: upgrade 4.2.20 -> 4.2.27

Message ID 20260123170221.671471-1-skandigraun@gmail.com
State New

Commit Message

Gyorgy Sarvari Jan. 23, 2026, 5:02 p.m. UTC
Upstream has switched from setuptools3 build backend to setuptools_build_meta,
however their setuptools requirements are higher than what's available in oe-core.
As a workaround, add a patch that lowers the requirements. This change has been
tested by successfully executing the django test suite in qemu (without Selenium tests).

Changes:
4.2.27: https://docs.djangoproject.com/en/6.0/releases/4.2.27/
- Fix CVE-2025-13372
- Fix CVE-2025-64460
- Fixed a regression in Django 4.2.26 where DisallowedRedirect was raised by
  HttpResponseRedirect and HttpResponsePermanentRedirect for URLs longer than 2048 characters.
  The limit is now 16384 characters

4.2.26: https://docs.djangoproject.com/en/6.0/releases/4.2.26/
- Fix CVE-2025-64458
- Fix CVE-2025-64459

4.2.25: https://docs.djangoproject.com/en/6.0/releases/4.2.25/
- Fix CVE-2025-59681
- Fix CVE-2025-59682

4.2.24: https://docs.djangoproject.com/en/6.0/releases/4.2.24/
- Fix CVE-2025-57833

4.2.23: https://docs.djangoproject.com/en/6.0/releases/4.2.23/
- Fix CVE-2025-48432

4.2.22: https://docs.djangoproject.com/en/6.0/releases/4.2.22/
- Fix CVE-2025-48432

4.2.21: https://docs.djangoproject.com/en/6.0/releases/4.2.21/
- Change build backend
- Fix CVE-2025-32873
- Fixed a data corruption possibility in file_move_safe() when
  allow_overwrite=True, where leftover content from a previously larger file could
  remain after overwriting with a smaller one due to lack of truncation
- Fixed a regression in Django 4.2.20, introduced when fixing CVE-2025-26699,
  where the wordwrap template filter did not preserve empty lines between paragraphs
  after wrapping text

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../0001-lower-setuptools-requirements.patch  | 25 +++++++++++++++++++
 .../python/python3-django_4.2.20.bb           | 14 -----------
 .../python/python3-django_4.2.27.bb           | 17 +++++++++++++
 3 files changed, 42 insertions(+), 14 deletions(-)
 create mode 100644 meta-python/recipes-devtools/python/python3-django-4.2.27/0001-lower-setuptools-requirements.patch
 delete mode 100644 meta-python/recipes-devtools/python/python3-django_4.2.20.bb
 create mode 100644 meta-python/recipes-devtools/python/python3-django_4.2.27.bb
Patch

diff --git a/meta-python/recipes-devtools/python/python3-django-4.2.27/0001-lower-setuptools-requirements.patch b/meta-python/recipes-devtools/python/python3-django-4.2.27/0001-lower-setuptools-requirements.patch
new file mode 100644
index 0000000000..5f6707467b
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django-4.2.27/0001-lower-setuptools-requirements.patch
@@ -0,0 +1,25 @@ 
+From 10ddc1ee660ed5ee4d9aa21f751eb07a1b260b6c Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Fri, 23 Jan 2026 13:49:53 +0100
+Subject: [PATCH] lower setuptools requirements
+
+Scarthgap ships with version 69.1.1 - adjust the requirements for that.
+
+Upstream-Status: Inappropriate [specific to OE LTS versions]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ pyproject.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pyproject.toml b/pyproject.toml
+index 4635d0e..319b261 100644
+--- a/pyproject.toml
++++ b/pyproject.toml
+@@ -1,6 +1,6 @@
+ [build-system]
+ requires = [
+-    "setuptools>=75.8.1; python_version >= '3.9'",
++    "setuptools>=69.0.0; python_version >= '3.9'",
+     "setuptools<75.4.0; python_version < '3.9'",
+ ]
+ build-backend = "setuptools.build_meta"
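Review bot: the new floor in the pyproject.toml change is "setuptools>=69.0.0", but the patch description says Scarthgap ships 69.1.1; either pin to the version that was actually exercised (>=69.1.1) or say in the description why 69.0.0 is acceptable. The description should also record what upstream raised the requirement to 75.8.1 for, so that a later refresh of this patch can tell whether lowering the floor only relaxes a version check or hides a missing build feature. The commit message mentions a test-suite run in qemu; a one-line pointer to that in the patch header would keep the justification with the patch.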
diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb b/meta-python/recipes-devtools/python/python3-django_4.2.20.bb
deleted file mode 100644
index 3fb8b03224..0000000000
--- a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb
+++ /dev/null
@@ -1,14 +0,0 @@ 
-require python-django.inc
-inherit setuptools3
-
-SRC_URI[sha256sum] = "92bac5b4432a64532abb73b2ac27203f485e40225d2640a7fbef2b62b876e789"
-
-RDEPENDS:${PN} += "\
-    python3-sqlparse \
-    python3-asgiref \
-"
-
-# Set DEFAULT_PREFERENCE so that the LTS version of django is built by
-# default. To build the 4.x branch, 
-# PREFERRED_VERSION_python3-django = "4.2.20" can be added to local.conf
-DEFAULT_PREFERENCE = "-1"
diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.27.bb b/meta-python/recipes-devtools/python/python3-django_4.2.27.bb
new file mode 100644
index 0000000000..038b0220fa
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django_4.2.27.bb
@@ -0,0 +1,17 @@ 
+require python-django.inc
+inherit python_setuptools_build_meta
+
+SRC_URI += "file://0001-lower-setuptools-requirements.patch"
+SRC_URI[sha256sum] = "b865fbe0f4a3d1ee36594c5efa42b20db3c8bbb10dff0736face1c6e4bda5b92"
+
+RDEPENDS:${PN} += "\
+    python3-sqlparse \
+    python3-asgiref \
+"
+
+PYPI_PACKAGE = "django"
+
+# Set DEFAULT_PREFERENCE so that the LTS version of django is built by
+# default. To build the 4.x branch, 
+# PREFERRED_VERSION_python3-django = "4.2.%" can be added to local.conf
+DEFAULT_PREFERENCE = "-1"
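Review bot: PYPI_PACKAGE = "django" is new in this recipe and neither the commit message nor a recipe comment explains it; add a short comment saying why the override is needed after the switch to python_setuptools_build_meta. Since SRC_URI[sha256sum] changes here, the commit message should say where the new checksum was taken from so it can be checked against the upstream release. The carried-over comment line "To build the 4.x branch, " still ends in trailing whitespace, which can be dropped while the file is being recreated.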