From patchwork Wed Oct 22 06:17:52 2025
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 72831
From: Ankur Tyagi
To: openembedded-devel@lists.openembedded.org
Cc: Soumya Sambu, Khem Raj, Ankur Tyagi
Subject: [oe][meta-python][scarthgap][PATCH 1/8] python3-django: upgrade 4.2.18 -> 4.2.20
Date: Wed, 22 Oct 2025 19:17:52 +1300
Message-ID: <20251022061803.887676-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120884

From: Soumya Sambu

Includes fix for CVE-2025-26699

Release Notes:
https://docs.djangoproject.com/en/dev/releases/4.2.19/
https://docs.djangoproject.com/en/dev/releases/4.2.20/

Signed-off-by: Soumya Sambu
Signed-off-by: Khem Raj
(cherry picked from commit 54f5df8907cbf1212d0733ffddc049c7b8b8aaf0)
Signed-off-by: Ankur Tyagi
---
 .../{python3-django_4.2.18.bb => python3-django_4.2.20.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-python/recipes-devtools/python/{python3-django_4.2.18.bb => python3-django_4.2.20.bb} (63%)

diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.18.bb b/meta-python/recipes-devtools/python/python3-django_4.2.20.bb
similarity index 63%
rename from meta-python/recipes-devtools/python/python3-django_4.2.18.bb
rename to meta-python/recipes-devtools/python/python3-django_4.2.20.bb
index c9be3c0462..3fb8b03224 100644
--- a/meta-python/recipes-devtools/python/python3-django_4.2.18.bb
+++ b/meta-python/recipes-devtools/python/python3-django_4.2.20.bb
@@ -1,7 +1,7 @@ require python-django.inc inherit setuptools3 -SRC_URI[sha256sum] = "52ae8eacf635617c0f13b44f749e5ea13dc34262819b2cc8c8636abb08d82c4b" +SRC_URI[sha256sum] = "92bac5b4432a64532abb73b2ac27203f485e40225d2640a7fbef2b62b876e789" RDEPENDS:${PN} += "\ python3-sqlparse \
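Review bot: the new sha256sum is the only thing this hunk changes and the only integrity anchor for the 4.2.20 tarball, yet the commit message says nothing about where the digest was taken from. State that it was computed from the upstream PyPI sdist (not a locally rebuilt archive) so a reviewer can cross-check it against the artifact rather than accept it from the diff. That matters more than usual here because the message also claims the upgrade "Includes fix for CVE-2025-26699", and that claim stands or falls with the tarball this digest pins.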
@@ -10,5 +10,5 @@ RDEPENDS:${PN} += "\ # Set DEFAULT_PREFERENCE so that the LTS version of django is built by # default. To build the 4.x branch, -# PREFERRED_VERSION_python3-django = "4.2.18" can be added to local.conf +# PREFERRED_VERSION_python3-django = "4.2.20" can be added to local.conf DEFAULT_PREFERENCE = "-1"

From patchwork Wed Oct 22 06:17:53 2025
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 72832
From: Ankur Tyagi
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-python][scarthgap][PATCH 2/8] python3-django: patch CVE-2025-26699
Date: Wed, 22 Oct 2025 19:17:53 +1300
Message-ID: <20251022061803.887676-2-ankur.tyagi85@gmail.com>
In-Reply-To: <20251022061803.887676-1-ankur.tyagi85@gmail.com>
References: <20251022061803.887676-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120885

This fixes a regression in Django 4.2.20, introduced when fixing CVE-2025-26699.

Signed-off-by: Ankur Tyagi
---
 .../CVE-2025-26699.patch | 102 ++++++++++++++++++
 .../python/python3-django_4.2.20.bb | 4 +
 2 files changed, 106 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-26699.patch

diff --git a/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-26699.patch b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-26699.patch
new file mode 100644
index 0000000000..54a43b123d
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-26699.patch
@@ -0,0 +1,102 @@ +From 3407ea136bd619591d259221d8712b72b3f3b9a0 Mon Sep 17 00:00:00 2001 +From: Matti Pohjanvirta +Date: Sun, 20 Apr 2025 18:22:51 +0300 +Subject: [PATCH] [4.2.x] Fixed #36341 -- Preserved whitespaces in wordwrap + template filter. + +Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b. + +This work improves the django.utils.text.wrap() function to ensure that +empty lines and lines with whitespace only are kept instead of being +dropped. + +Thanks Matti Pohjanvirta for the report and fix. + +Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> + +Backport of 1e9db35836d42a3c72f3d1015c2f302eb6fee046 from main. + +CVE: CVE-2025-26699 +Upstream-Status: Backport [https://github.com/django/django/commit/e61e3daaf037507211028494d61f24382be31e5a] +(cherry picked from commit e61e3daaf037507211028494d61f24382be31e5a) +Signed-off-by: Ankur Tyagi +--- + django/utils/text.py | 13 +++++- + .../filter_tests/test_wordwrap.py | 41 +++++++++++++++++++ + 2 files changed, 52 insertions(+), 2 deletions(-) + +diff --git a/django/utils/text.py b/django/utils/text.py +index 81ae88dc76..b018f2601f 100644 +--- a/django/utils/text.py ++++ b/django/utils/text.py +@@ -102,10 +102,19 @@ def wrap(text, width): + width=width, + break_long_words=False, + break_on_hyphens=False, ++ replace_whitespace=False, + ) + result = [] +- for line in text.splitlines(True): +- result.extend(wrapper.wrap(line)) ++ for line in text.splitlines(): ++ wrapped = wrapper.wrap(line) ++ if not wrapped: ++ # If `line` contains only whitespaces that are dropped, restore it. ++ result.append(line) ++ else: ++ result.extend(wrapped) ++ if text.endswith("\n"): ++ # If `text` ends with a newline, preserve it. 
++ result.append("") + return "\n".join(result) + + +diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py +index 4afa1dd234..1692332e1e 100644 +--- a/tests/template_tests/filter_tests/test_wordwrap.py ++++ b/tests/template_tests/filter_tests/test_wordwrap.py +@@ -89,3 +89,44 @@ class FunctionTests(SimpleTestCase): + "I'm afraid", + wordwrap(long_text, 10), + ) ++ ++ def test_wrap_preserve_newlines(self): ++ cases = [ ++ ( ++ "this is a long paragraph of text that really needs to be wrapped\n\n" ++ "that is followed by another paragraph separated by an empty line\n", ++ "this is a long paragraph of\ntext that really needs to be\nwrapped\n\n" ++ "that is followed by another\nparagraph separated by an\nempty line\n", ++ 30, ++ ), ++ ("\n\n\n", "\n\n\n", 5), ++ ("\n\n\n\n\n\n", "\n\n\n\n\n\n", 5), ++ ] ++ for text, expected, width in cases: ++ with self.subTest(text=text): ++ self.assertEqual(wordwrap(text, width), expected) ++ ++ def test_wrap_preserve_whitespace(self): ++ width = 5 ++ width_spaces = " " * width ++ cases = [ ++ ( ++ f"first line\n{width_spaces}\nsecond line", ++ f"first\nline\n{width_spaces}\nsecond\nline", ++ ), ++ ( ++ "first line\n \t\t\t \nsecond line", ++ "first\nline\n \t\t\t \nsecond\nline", ++ ), ++ ( ++ f"first line\n{width_spaces}\nsecond line\n\nthird{width_spaces}\n", ++ f"first\nline\n{width_spaces}\nsecond\nline\n\nthird\n", ++ ), ++ ( ++ f"first line\n{width_spaces}{width_spaces}\nsecond line", ++ f"first\nline\n{width_spaces}{width_spaces}\nsecond\nline", ++ ), ++ ] ++ for text, expected in cases: ++ with self.subTest(text=text): ++ self.assertEqual(wordwrap(text, width), expected) diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb b/meta-python/recipes-devtools/python/python3-django_4.2.20.bb index 3fb8b03224..0b9ff1b8c0 100644 --- a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb 
+++ b/meta-python/recipes-devtools/python/python3-django_4.2.20.bb 
@@ -1,6 +1,10 @@ require python-django.inc inherit setuptools3 +SRC_URI += " \ + file://CVE-2025-26699.patch \ +" + SRC_URI[sha256sum] = "92bac5b4432a64532abb73b2ac27203f485e40225d2640a7fbef2b62b876e789" RDEPENDS:${PN} += "\
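Review bot: in the django/utils/text.py hunk, `if text.endswith("\n")` restores only a trailing LF, while the `text.splitlines()` it is paired with also splits on `\r`, `\r\n`, `\x0b`, `\x0c`, `\u2028` and `\u2029`. A text ending in a bare `\r` or `\u2028` therefore still loses its final line break, and every terminator is normalised to `\n` by the closing `"\n".join(result)`. If that normalisation is intended for the wordwrap filter, say so in the comment above the `if`; otherwise test the last character against the same set splitlines() uses, and add a `\r\n` case to `test_wrap_preserve_newlines`, which currently exercises LF input only.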
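Review bot: the SRC_URI hunk adds the file as CVE-2025-26699.patch and its header carries `CVE: CVE-2025-26699`, but the change itself is the follow-up for the regression (Fixed #36341 in the patch subject), not the CVE fix, which 4.2.20 already contains. cve-check takes a `CVE:` tag in a patch as evidence that the CVE is patched, and the file name says the same thing to whoever rebases the branch, so both point at the wrong change. Naming the file after the upstream ticket, or keeping the name and adding a "regression fix for" line under the CVE: tag, would avoid that.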
From patchwork Wed Oct 22 06:17:54 2025
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 72833
From: Ankur Tyagi
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-python][scarthgap][PATCH 3/8] python3-django: patch CVE-2025-32873
Date: Wed, 22 Oct 2025 19:17:54 +1300
Message-ID: <20251022061803.887676-3-ankur.tyagi85@gmail.com>
In-Reply-To: <20251022061803.887676-1-ankur.tyagi85@gmail.com>
References: <20251022061803.887676-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120886

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-32873

Signed-off-by: Ankur Tyagi
---
 .../CVE-2025-32873.patch | 85 +++++++++++++++++++
 .../python/python3-django_4.2.20.bb | 1 +
 2 files changed, 86 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-32873.patch

diff --git a/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-32873.patch b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-32873.patch
new file mode 100644
index 0000000000..4c7bda962a
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-32873.patch
@@ -0,0 +1,85 @@ +From 1bd7650f2978c0824772e3d12f6c8b3ecefa10e0 Mon Sep 17 00:00:00 2001 +From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> +Date: Tue, 8 Apr 2025 16:30:17 +0200 +Subject: [PATCH] [4.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in + strip_tags(). +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Thanks to Elias Myllymäki for the report, and Shai Berger and Jake +Howard for the reviews. + +Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> + +Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main. + +CVE: CVE-2025-32873 +Upstream-Status: Backport [https://github.com/django/django/commit/9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c] +(cherry picked from commit 9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c) +Signed-off-by: Ankur Tyagi +--- + django/utils/html.py | 6 ++++++ + tests/utils_tests/test_html.py | 15 ++++++++++++++- + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/django/utils/html.py b/django/utils/html.py +index a3a7238cba..84c37d1186 100644 +--- a/django/utils/html.py ++++ b/django/utils/html.py +@@ -17,6 +17,9 @@ from django.utils.text import normalize_newlines + MAX_URL_LENGTH = 2048 + MAX_STRIP_TAGS_DEPTH = 50 + ++# HTML tag that opens but has no closing ">" after 1k+ chars. ++long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}") ++ + + @keep_lazy(SafeString) + def escape(text): +@@ -175,6 +178,9 @@ def _strip_once(value): + def strip_tags(value): + """Return the given HTML with all tags stripped.""" + value = str(value) ++ for long_open_tag in long_open_tag_without_closing_re.finditer(value): ++ if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH: ++ raise SuspiciousOperation + # Note: in typical case this loop executes _strip_once twice (the second + # execution does not remove any more tags). 
+ strip_tags_depth = 0 +diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py +index 579bb2a1e3..25168e2348 100644 +--- a/tests/utils_tests/test_html.py ++++ b/tests/utils_tests/test_html.py +@@ -115,17 +115,30 @@ class TestUtilsHtml(SimpleTestCase): + (">br>br>br>X", "XX"), + ("<" * 50 + "a>" * 50, ""), ++ (">" + "" + "" * 51, "" + with self.assertRaises(SuspiciousOperation): + strip_tags(value) + ++ def test_strip_tags_suspicious_operation_large_open_tags(self): ++ items = [ ++ ">" + "
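Review bot: in the django/utils/html.py hunk the pre-check reuses MAX_STRIP_TAGS_DEPTH (50) as the number of `<` characters tolerated inside one unterminated tag of 1000+ characters, which is a different quantity from the strip-loop nesting depth the constant was introduced for. Add a short comment above the `raise SuspiciousOperation` explaining why 50 is also the right bound for `long_open_tag_without_closing_re` matches, or give the new check its own constant, so the two limits can be tuned independently when this backport is rebased.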
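Review bot: the tests/utils_tests/test_html.py hunk is incomplete as rendered here: the strings containing `<`...`>` sequences are cut, leaving fragments such as `(">" + "" + "" * 51, ""`, the message ends mid-list inside `test_strip_tags_suspicious_operation_large_open_tags`, and the recipe change listed in the diffstat (python3-django_4.2.20.bb | 1 +) is absent. The new test expectations cannot be checked from this page; the commit named in the Upstream-Status line is the reference to compare against.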
X-Patchwork-Id: 72836
From: Ankur Tyagi
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-python][scarthgap][PATCH 4/8] python3-django: patch CVE-2025-48432
Date: Wed, 22 Oct 2025 19:17:55 +1300
Message-ID: <20251022061803.887676-4-ankur.tyagi85@gmail.com>
In-Reply-To: <20251022061803.887676-1-ankur.tyagi85@gmail.com>
References: <20251022061803.887676-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120887

https://nvd.nist.gov/vuln/detail/CVE-2025-48432

The following patches are needed to avoid cherry-pick conflicts:
- CVE-2025-48432-1.patch
- CVE-2025-48432-2.patch
- CVE-2025-48432-4.patch

Signed-off-by: Ankur Tyagi
---
 .../CVE-2025-48432-1.patch | 166 +++++++++++++
 .../CVE-2025-48432-2.patch | 225 ++++++++++++++++++
 .../CVE-2025-48432-3.patch | 164 +++++++++++++
 .../CVE-2025-48432-4.patch | 193 +++++++++++++++
 .../CVE-2025-48432-5.patch | 76 ++++++
 .../CVE-2025-48432-6.patch | 144 +++++++++++
 .../python/python3-django_4.2.20.bb | 6 +
 7 files changed, 974 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-48432-1.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-48432-2.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-48432-3.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-48432-4.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-48432-5.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-48432-6.patch
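Review bot: the description names -1, -2 and -4 as prerequisites "needed to avoid cherry-pick conflicts", but the diffstat adds six patch files and the recipe hunk grows by six lines. Say which of -3, -5 and -6 carry the actual CVE-2025-48432 code change, and what -4 is a prerequisite for, so that a later rebase knows which files may be dropped once the branch moves to a release that already contains the fix.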
diff --git a/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-48432-1.patch b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-48432-1.patch
new file mode 100644
index 0000000000..51196d0ceb
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-48432-1.patch
@@ -0,0 +1,166 @@ +From d4a83d38022de809f4ae015ff4b7592c11f3b371 Mon Sep 17 00:00:00 2001 +From: Natalia <124304+nessita@users.noreply.github.com> +Date: Mon, 19 May 2025 22:45:38 -0300 +Subject: [PATCH] [4.2.x] Refs #26688 -- Added tests for `log_response()` + internal helper. + +Backport of 897046815944cc9a2da7ed9e8082f45ffe8110e3 from main. + +CVE: CVE-2025-48432 +Upstream-Status: Backport [https://github.com/django/django/commit/acbe655a0fa1200d2de31c6020f310ba9aa2f636] +(cherry picked from commit acbe655a0fa1200d2de31c6020f310ba9aa2f636) +Signed-off-by: Ankur Tyagi +--- + tests/logging_tests/tests.py | 121 +++++++++++++++++++++++++++++++++++ + 1 file changed, 121 insertions(+) + +diff --git a/tests/logging_tests/tests.py b/tests/logging_tests/tests.py +index c73a3acd6d..2138a7fe50 100644 +--- a/tests/logging_tests/tests.py ++++ b/tests/logging_tests/tests.py +@@ -1,6 +1,7 @@ + import logging + from contextlib import contextmanager + from io import StringIO ++from unittest import TestCase + + from admin_scripts.tests import AdminScriptTestCase + +@@ -9,6 +10,7 @@ from django.core import mail + from django.core.exceptions import DisallowedHost, PermissionDenied, SuspiciousOperation + from django.core.files.temp import NamedTemporaryFile + from django.core.management import color ++from django.http import HttpResponse + from django.http.multipartparser import MultiPartParserError + from django.test import RequestFactory, SimpleTestCase, override_settings + from django.test.utils import LoggingCaptureMixin +@@ -19,6 +21,7 @@ from django.utils.log import ( + RequireDebugFalse, + RequireDebugTrue, + ServerFormatter, ++ log_response, + ) + from django.views.debug import ExceptionReporter + +@@ -646,3 +649,121 @@ class LogFormattersTests(SimpleTestCase): + self.assertRegex( + logger_output.getvalue(), r"^\[[/:,\w\s\d]+\] %s\n" % log_msg + ) ++ ++ ++class LogResponseRealLoggerTests(TestCase): ++ request = RequestFactory().get("/test-path/") ++ ++ def 
assertResponseLogged(self, logger_cm, msg, levelno, status_code, request): ++ self.assertEqual( ++ records_len := len(logger_cm.records), ++ 1, ++ f"Unexpected number of records for {logger_cm=} in {levelno=} (expected 1, " ++ f"got {records_len}).", ++ ) ++ record = logger_cm.records[0] ++ self.assertEqual(record.getMessage(), msg) ++ self.assertEqual(record.levelno, levelno) ++ self.assertEqual(record.status_code, status_code) ++ self.assertEqual(record.request, request) ++ ++ def test_missing_response_raises_attribute_error(self): ++ with self.assertRaises(AttributeError): ++ log_response("No response provided", response=None, request=self.request) ++ ++ def test_missing_request_logs_with_none(self): ++ response = HttpResponse(status=403) ++ with self.assertLogs("django.request", level="INFO") as cm: ++ log_response(msg := "Missing request", response=response, request=None) ++ self.assertResponseLogged(cm, msg, logging.WARNING, 403, request=None) ++ ++ def test_logs_5xx_as_error(self): ++ response = HttpResponse(status=508) ++ with self.assertLogs("django.request", level="ERROR") as cm: ++ log_response( ++ msg := "Server error occurred", response=response, request=self.request ++ ) ++ self.assertResponseLogged(cm, msg, logging.ERROR, 508, self.request) ++ ++ def test_logs_4xx_as_warning(self): ++ response = HttpResponse(status=418) ++ with self.assertLogs("django.request", level="WARNING") as cm: ++ log_response( ++ msg := "This is a teapot!", response=response, request=self.request ++ ) ++ self.assertResponseLogged(cm, msg, logging.WARNING, 418, self.request) ++ ++ def test_logs_2xx_as_info(self): ++ response = HttpResponse(status=201) ++ with self.assertLogs("django.request", level="INFO") as cm: ++ log_response(msg := "OK response", response=response, request=self.request) ++ self.assertResponseLogged(cm, msg, logging.INFO, 201, self.request) ++ ++ def test_custom_log_level(self): ++ response = HttpResponse(status=403) ++ with 
self.assertLogs("django.request", level="DEBUG") as cm: ++ log_response( ++ msg := "Debug level log", ++ response=response, ++ request=self.request, ++ level="debug", ++ ) ++ self.assertResponseLogged(cm, msg, logging.DEBUG, 403, self.request) ++ ++ def test_logs_only_once_per_response(self): ++ response = HttpResponse(status=500) ++ with self.assertLogs("django.request", level="ERROR") as cm: ++ log_response("First log", response=response, request=self.request) ++ log_response("Second log", response=response, request=self.request) ++ self.assertResponseLogged(cm, "First log", logging.ERROR, 500, self.request) ++ ++ def test_exc_info_output(self): ++ response = HttpResponse(status=500) ++ try: ++ raise ValueError("Simulated failure") ++ except ValueError as exc: ++ with self.assertLogs("django.request", level="ERROR") as cm: ++ log_response( ++ "With exception", ++ response=response, ++ request=self.request, ++ exception=exc, ++ ) ++ self.assertResponseLogged( ++ cm, "With exception", logging.ERROR, 500, self.request ++ ) ++ self.assertIn("ValueError", "\n".join(cm.output)) # Stack trace included ++ ++ def test_format_args_are_applied(self): ++ response = HttpResponse(status=500) ++ with self.assertLogs("django.request", level="ERROR") as cm: ++ log_response( ++ "Something went wrong: %s (%d)", ++ "DB error", ++ 42, ++ response=response, ++ request=self.request, ++ ) ++ msg = "Something went wrong: DB error (42)" ++ self.assertResponseLogged(cm, msg, logging.ERROR, 500, self.request) ++ ++ def test_logs_with_custom_logger(self): ++ handler = logging.StreamHandler(log_stream := StringIO()) ++ handler.setFormatter(logging.Formatter("%(levelname)s:%(name)s:%(message)s")) ++ ++ custom_logger = logging.getLogger("my.custom.logger") ++ custom_logger.setLevel(logging.DEBUG) ++ custom_logger.addHandler(handler) ++ self.addCleanup(custom_logger.removeHandler, handler) ++ ++ response = HttpResponse(status=404) ++ log_response( ++ msg := "Handled by custom logger", ++ 
response=response, ++ request=self.request, ++ logger=custom_logger, ++ ) ++ ++ self.assertEqual( ++ f"WARNING:my.custom.logger:{msg}", log_stream.getvalue().strip() ++ ) diff --git a/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-48432-2.patch b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-48432-2.patch new file mode 100644 index 0000000000..2824a9c0e3 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-48432-2.patch 
@@ -0,0 +1,225 @@ +From 88c0244497d492e84b4a2925ac4554698cdf179a Mon Sep 17 00:00:00 2001 +From: Natalia <124304+nessita@users.noreply.github.com> +Date: Mon, 19 May 2025 22:46:00 -0300 +Subject: [PATCH] [4.2.x] Added helpers in csrf_tests and logging_tests to + assert logs from `log_response()`. + +Backport of ad6f99889838ccc2c30b3c02ed3868c9b565e81b from main. + +CVE: CVE-2025-48432 +Upstream-Status: Backport [https://github.com/django/django/commit/32fd8dec5618bd09eccdeb9dbf512043193d68ef] +(cherry picked from commit 32fd8dec5618bd09eccdeb9dbf512043193d68ef) +Signed-off-by: Ankur Tyagi +--- + tests/csrf_tests/tests.py | 53 ++++++++++++++++++------------------ + tests/logging_tests/tests.py | 42 ++++++++++++++++++++-------- + 2 files changed, 57 insertions(+), 38 deletions(-) + +diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py +index ba8f87d6ac..b8d928151e 100644 +--- a/tests/csrf_tests/tests.py ++++ b/tests/csrf_tests/tests.py +@@ -1,3 +1,4 @@ ++import logging + import re + + from django.conf import settings +@@ -57,6 +58,21 @@ class CsrfFunctionTestMixin: + actual = _unmask_cipher_token(masked_secret) + self.assertEqual(actual, secret) + ++ def assertForbiddenReason( ++ self, response, logger_cm, reason, levelno=logging.WARNING ++ ): ++ self.assertEqual( ++ records_len := len(logger_cm.records), ++ 1, ++ f"Unexpected number of records for {logger_cm=} in {levelno=} (expected 1, " ++ f"got {records_len}).", ++ ) ++ record = logger_cm.records[0] ++ self.assertEqual(record.getMessage(), "Forbidden (%s): " % reason) ++ self.assertEqual(record.levelno, levelno) ++ self.assertEqual(record.status_code, 403) ++ self.assertEqual(response.status_code, 403) ++ + + class CsrfFunctionTests(CsrfFunctionTestMixin, SimpleTestCase): + def test_unmask_cipher_token(self): +@@ -347,8 +363,7 @@ class CsrfViewMiddlewareTestMixin(CsrfFunctionTestMixin): + mw.process_request(req) + with self.assertLogs("django.security.csrf", "WARNING") as cm: + resp = 
mw.process_view(req, post_form_view, (), {}) +- self.assertEqual(403, resp.status_code) +- self.assertEqual(cm.records[0].getMessage(), "Forbidden (%s): " % expected) ++ self.assertForbiddenReason(resp, cm, expected) + + def test_no_csrf_cookie(self): + """ +@@ -373,9 +388,8 @@ class CsrfViewMiddlewareTestMixin(CsrfFunctionTestMixin): + mw.process_request(req) + with self.assertLogs("django.security.csrf", "WARNING") as cm: + resp = mw.process_view(req, post_form_view, (), {}) +- self.assertEqual(403, resp.status_code) + self.assertEqual(resp["Content-Type"], "text/html; charset=utf-8") +- self.assertEqual(cm.records[0].getMessage(), "Forbidden (%s): " % expected) ++ self.assertForbiddenReason(resp, cm, expected) + + def test_csrf_cookie_bad_or_missing_token(self): + """ +@@ -480,18 +494,12 @@ class CsrfViewMiddlewareTestMixin(CsrfFunctionTestMixin): + mw = CsrfViewMiddleware(post_form_view) + with self.assertLogs("django.security.csrf", "WARNING") as cm: + resp = mw.process_view(req, post_form_view, (), {}) +- self.assertEqual(403, resp.status_code) +- self.assertEqual( +- cm.records[0].getMessage(), "Forbidden (%s): " % REASON_NO_CSRF_COOKIE +- ) ++ self.assertForbiddenReason(resp, cm, REASON_NO_CSRF_COOKIE) + + req = self._get_request(method="DELETE") + with self.assertLogs("django.security.csrf", "WARNING") as cm: + resp = mw.process_view(req, post_form_view, (), {}) +- self.assertEqual(403, resp.status_code) +- self.assertEqual( +- cm.records[0].getMessage(), "Forbidden (%s): " % REASON_NO_CSRF_COOKIE +- ) ++ self.assertForbiddenReason(resp, cm, REASON_NO_CSRF_COOKIE) + + def test_put_and_delete_allowed(self): + """ +@@ -879,11 +887,7 @@ class CsrfViewMiddlewareTestMixin(CsrfFunctionTestMixin): + mw.process_request(req) + with self.assertLogs("django.security.csrf", "WARNING") as cm: + resp = mw.process_view(req, post_form_view, (), {}) +- self.assertEqual(resp.status_code, 403) +- self.assertEqual( +- cm.records[0].getMessage(), +- "Forbidden (%s): " % 
REASON_CSRF_TOKEN_MISSING, +- ) ++ self.assertForbiddenReason(resp, cm, REASON_CSRF_TOKEN_MISSING) + + def test_reading_post_data_raises_os_error(self): + """ +@@ -908,9 +912,8 @@ class CsrfViewMiddlewareTestMixin(CsrfFunctionTestMixin): + self.assertIs(mw._origin_verified(req), False) + with self.assertLogs("django.security.csrf", "WARNING") as cm: + response = mw.process_view(req, post_form_view, (), {}) +- self.assertEqual(response.status_code, 403) + msg = REASON_BAD_ORIGIN % req.META["HTTP_ORIGIN"] +- self.assertEqual(cm.records[0].getMessage(), "Forbidden (%s): " % msg) ++ self.assertForbiddenReason(response, cm, msg) + + @override_settings(ALLOWED_HOSTS=["www.example.com"]) + def test_bad_origin_null_origin(self): +@@ -923,9 +926,8 @@ class CsrfViewMiddlewareTestMixin(CsrfFunctionTestMixin): + self.assertIs(mw._origin_verified(req), False) + with self.assertLogs("django.security.csrf", "WARNING") as cm: + response = mw.process_view(req, post_form_view, (), {}) +- self.assertEqual(response.status_code, 403) + msg = REASON_BAD_ORIGIN % req.META["HTTP_ORIGIN"] +- self.assertEqual(cm.records[0].getMessage(), "Forbidden (%s): " % msg) ++ self.assertForbiddenReason(response, cm, msg) + + @override_settings(ALLOWED_HOSTS=["www.example.com"]) + def test_bad_origin_bad_protocol(self): +@@ -939,9 +941,8 @@ class CsrfViewMiddlewareTestMixin(CsrfFunctionTestMixin): + self.assertIs(mw._origin_verified(req), False) + with self.assertLogs("django.security.csrf", "WARNING") as cm: + response = mw.process_view(req, post_form_view, (), {}) +- self.assertEqual(response.status_code, 403) + msg = REASON_BAD_ORIGIN % req.META["HTTP_ORIGIN"] +- self.assertEqual(cm.records[0].getMessage(), "Forbidden (%s): " % msg) ++ self.assertForbiddenReason(response, cm, msg) + + @override_settings( + ALLOWED_HOSTS=["www.example.com"], +@@ -966,9 +967,8 @@ class CsrfViewMiddlewareTestMixin(CsrfFunctionTestMixin): + self.assertIs(mw._origin_verified(req), False) + with 
self.assertLogs("django.security.csrf", "WARNING") as cm: + response = mw.process_view(req, post_form_view, (), {}) +- self.assertEqual(response.status_code, 403) + msg = REASON_BAD_ORIGIN % req.META["HTTP_ORIGIN"] +- self.assertEqual(cm.records[0].getMessage(), "Forbidden (%s): " % msg) ++ self.assertForbiddenReason(response, cm, msg) + self.assertEqual(mw.allowed_origins_exact, {"http://no-match.com"}) + self.assertEqual( + mw.allowed_origin_subdomains, +@@ -992,9 +992,8 @@ class CsrfViewMiddlewareTestMixin(CsrfFunctionTestMixin): + self.assertIs(mw._origin_verified(req), False) + with self.assertLogs("django.security.csrf", "WARNING") as cm: + response = mw.process_view(req, post_form_view, (), {}) +- self.assertEqual(response.status_code, 403) + msg = REASON_BAD_ORIGIN % req.META["HTTP_ORIGIN"] +- self.assertEqual(cm.records[0].getMessage(), "Forbidden (%s): " % msg) ++ self.assertForbiddenReason(response, cm, msg) + + @override_settings(ALLOWED_HOSTS=["www.example.com"]) + def test_good_origin_insecure(self): +diff --git a/tests/logging_tests/tests.py b/tests/logging_tests/tests.py +index 2138a7fe50..4ffa49a1b8 100644 +--- a/tests/logging_tests/tests.py ++++ b/tests/logging_tests/tests.py +@@ -94,6 +94,28 @@ class DefaultLoggingTests( + + + class LoggingAssertionMixin: ++ ++ def assertLogRecord( ++ self, ++ logger_cm, ++ level, ++ msg, ++ status_code, ++ exc_class=None, ++ ): ++ self.assertEqual( ++ records_len := len(logger_cm.records), ++ 1, ++ f"Wrong number of calls for {logger_cm=} in {level=} (expected 1, got " ++ f"{records_len}).", ++ ) ++ record = logger_cm.records[0] ++ self.assertEqual(record.getMessage(), msg) ++ self.assertEqual(record.status_code, status_code) ++ if exc_class: ++ self.assertIsNotNone(record.exc_info) ++ self.assertEqual(record.exc_info[0], exc_class) ++ + def assertLogsRequest( + self, url, level, msg, status_code, logger="django.request", exc_class=None + ): +@@ -102,17 +124,7 @@ class LoggingAssertionMixin: + 
self.client.get(url) + except views.UncaughtException: + pass +- self.assertEqual( +- len(cm.records), +- 1, +- "Wrong number of calls for logger %r in %r level." % (logger, level), +- ) +- record = cm.records[0] +- self.assertEqual(record.getMessage(), msg) +- self.assertEqual(record.status_code, status_code) +- if exc_class: +- self.assertIsNotNone(record.exc_info) +- self.assertEqual(record.exc_info[0], exc_class) ++ self.assertLogRecord(cm, level, msg, status_code, exc_class) + + + @override_settings(DEBUG=True, ROOT_URLCONF="logging_tests.urls") +@@ -135,6 +147,14 @@ class HandlerLoggingTests( + msg="Not Found: /does_not_exist/", + ) + ++ async def test_async_page_not_found_warning(self): ++ logger = "django.request" ++ level = "WARNING" ++ with self.assertLogs(logger, level) as cm: ++ await self.async_client.get("/does_not_exist/") ++ ++ self.assertLogRecord(cm, level, "Not Found: /does_not_exist/", 404) ++ + def test_page_not_found_raised(self): + self.assertLogsRequest( + url="/does_not_exist_raised/", diff --git a/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-48432-3.patch b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-48432-3.patch new file mode 100644 index 0000000000..58550567a4 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-48432-3.patch 
@@ -0,0 +1,164 @@ +From 5e137465b5b7668f9a32f5c4f4af374fd705f38d Mon Sep 17 00:00:00 2001 +From: Natalia <124304+nessita@users.noreply.github.com> +Date: Tue, 20 May 2025 15:29:52 -0300 +Subject: [PATCH] [4.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments + in `log_response()`. + +Suitably crafted requests containing a CRLF sequence in the request +path may have allowed log injection, potentially corrupting log files, +obscuring other attacks, misleading log post-processing tools, or +forging log entries. + +To mitigate this, all positional formatting arguments passed to the +logger are now escaped using "unicode_escape" encoding. + +Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. + +Co-authored-by: Carlton Gibson +Co-authored-by: Jake Howard + +Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main. +CVE: CVE-2025-48432 +Upstream-Status: Backport [https://github.com/django/django/commit/ac03c5e7df8680c61cdb0d3bdb8be9095dba841e] +(cherry picked from commit ac03c5e7df8680c61cdb0d3bdb8be9095dba841e) +Signed-off-by: Ankur Tyagi +--- + django/utils/log.py | 7 +++- + tests/logging_tests/tests.py | 79 +++++++++++++++++++++++++++++++++++- + 2 files changed, 84 insertions(+), 2 deletions(-) + +diff --git a/django/utils/log.py b/django/utils/log.py +index fd0cc1bdc1..d7465f73d7 100644 +--- a/django/utils/log.py ++++ b/django/utils/log.py +@@ -238,9 +238,14 @@ def log_response( + else: + level = "info" + ++ escaped_args = tuple( ++ a.encode("unicode_escape").decode("ascii") if isinstance(a, str) else a ++ for a in args ++ ) ++ + getattr(logger, level)( + message, +- *args, ++ *escaped_args, + extra={ + "status_code": response.status_code, + "request": request, +diff --git a/tests/logging_tests/tests.py b/tests/logging_tests/tests.py +index 4ffa49a1b8..cda0a62f2c 100644 +--- a/tests/logging_tests/tests.py ++++ b/tests/logging_tests/tests.py +@@ -94,7 +94,6 @@ class DefaultLoggingTests( + + + class LoggingAssertionMixin: +- + def assertLogRecord( + 
self, + logger_cm, +@@ -147,6 +146,14 @@ class HandlerLoggingTests( + msg="Not Found: /does_not_exist/", + ) + ++ def test_control_chars_escaped(self): ++ self.assertLogsRequest( ++ url="/%1B[1;31mNOW IN RED!!!1B[0m/", ++ level="WARNING", ++ status_code=404, ++ msg=r"Not Found: /\x1b[1;31mNOW IN RED!!!1B[0m/", ++ ) ++ + async def test_async_page_not_found_warning(self): + logger = "django.request" + level = "WARNING" +@@ -155,6 +162,16 @@ class HandlerLoggingTests( + + self.assertLogRecord(cm, level, "Not Found: /does_not_exist/", 404) + ++ async def test_async_control_chars_escaped(self): ++ logger = "django.request" ++ level = "WARNING" ++ with self.assertLogs(logger, level) as cm: ++ await self.async_client.get(r"/%1B[1;31mNOW IN RED!!!1B[0m/") ++ ++ self.assertLogRecord( ++ cm, level, r"Not Found: /\x1b[1;31mNOW IN RED!!!1B[0m/", 404 ++ ) ++ + def test_page_not_found_raised(self): + self.assertLogsRequest( + url="/does_not_exist_raised/", +@@ -686,6 +703,7 @@ class LogResponseRealLoggerTests(TestCase): + self.assertEqual(record.levelno, levelno) + self.assertEqual(record.status_code, status_code) + self.assertEqual(record.request, request) ++ return record + + def test_missing_response_raises_attribute_error(self): + with self.assertRaises(AttributeError): +@@ -787,3 +805,62 @@ class LogResponseRealLoggerTests(TestCase): + self.assertEqual( + f"WARNING:my.custom.logger:{msg}", log_stream.getvalue().strip() + ) ++ ++ def test_unicode_escape_escaping(self): ++ test_cases = [ ++ # Control characters. ++ ("line\nbreak", "line\\nbreak"), ++ ("carriage\rreturn", "carriage\\rreturn"), ++ ("tab\tseparated", "tab\\tseparated"), ++ ("formfeed\f", "formfeed\\x0c"), ++ ("bell\a", "bell\\x07"), ++ ("multi\nline\ntext", "multi\\nline\\ntext"), ++ # Slashes. ++ ("slash\\test", "slash\\\\test"), ++ ("back\\slash", "back\\\\slash"), ++ # Quotes. ++ ('quote"test"', 'quote"test"'), ++ ("quote'test'", "quote'test'"), ++ # Accented, composed characters, emojis and symbols. 
++ ("café", "caf\\xe9"), ++ ("e\u0301", "e\\u0301"), # e + combining acute ++ ("smile
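Review bot: in the django/utils/log.py hunk the escaping is applied only to the positional `args` tuple (`escaped_args`), never to `message` itself, so any caller that has already interpolated request data into `message` before calling `log_response()` (a hypothetical `log_response(f"Not Found: {path}", ...)`) receives no protection from this change. That contract should be stated in the `log_response()` docstring: `message` is a format string, and every untrusted value must be passed through `*args`. Worth noting in the same docstring that `unicode_escape` rewrites every non-ASCII character as a `\xNN` or `\uNNNN` sequence, as the `("café", "caf\\xe9")` case in the new test shows, so downstream log consumers that match on raw non-ASCII paths will see escaped output from now on.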
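Review bot: in the `test_control_chars_escaped` and `test_async_control_chars_escaped` hunks the fixture URL `/%1B[1;31mNOW IN RED!!!1B[0m/` percent-encodes the first ESC but not the second (`!!!1B[0m` has no `%`), so only one control character actually reaches the logger; the expected message `r"Not Found: /\x1b[1;31mNOW IN RED!!!1B[0m/"` is consistent with that but is probably not what was intended. Suggest `%1B[0m` for the closing sequence and `\x1b[0m` in the expected string so both escapes are exercised by the regression test.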
From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 5/8] python3-django: patch CVE-2025-57833 Date: Wed, 22 Oct 2025 19:17:56 +1300 Message-ID: <20251022061803.887676-5-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251022061803.887676-1-ankur.tyagi85@gmail.com> References: <20251022061803.887676-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 22 Oct 2025 06:18:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120888 Details https://nvd.nist.gov/vuln/detail/CVE-2025-57833 Signed-off-by: Ankur Tyagi --- .../CVE-2025-57833.patch | 83 +++++++++++++++++++ .../python/python3-django_4.2.20.bb | 1 + 2 files changed, 84 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-57833.patch diff --git a/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-57833.patch b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-57833.patch new file mode 100644 index 0000000000..d04589a149 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-57833.patch 
@@ -0,0 +1,83 @@ +From 5826d1b59363e0208ebbd4a59d3b3ef39cfe14d5 Mon Sep 17 00:00:00 2001 +From: Jake Howard +Date: Wed, 13 Aug 2025 14:13:42 +0200 +Subject: [PATCH] [4.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation + against SQL injection in column aliases. + +Thanks Eyal Gabay (EyalSec) for the report. + +Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main. +CVE: CVE-2025-57833 +Upstream-Status: Backport [https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92] +(cherry picked from commit 31334e6965ad136a5e369993b01721499c5d1a92) +Signed-off-by: Ankur Tyagi +--- + django/db/models/sql/query.py | 1 + + tests/annotations/tests.py | 24 ++++++++++++++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py +index e68fd9efb7..5a1b68507b 100644 +--- a/django/db/models/sql/query.py ++++ b/django/db/models/sql/query.py +@@ -1620,6 +1620,7 @@ class Query(BaseExpression): + return target_clause + + def add_filtered_relation(self, filtered_relation, alias): ++ self.check_alias(alias) + filtered_relation.alias = alias + lookups = dict(get_children_from_q(filtered_relation.condition)) + relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type( +diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py +index e0cdbf1e0b..a8474abc77 100644 +--- a/tests/annotations/tests.py ++++ b/tests/annotations/tests.py +@@ -12,6 +12,7 @@ from django.db.models import ( + Exists, + ExpressionWrapper, + F, ++ FilteredRelation, + FloatField, + Func, + IntegerField, +@@ -1121,6 +1122,15 @@ class NonAggregateAnnotationTestCase(TestCase): + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: Value(1)}) + ++ def test_alias_filtered_relation_sql_injection(self): ++ crafted_alias = """injected_name" from "annotations_book"; --""" ++ msg = ( ++ "Column aliases cannot contain whitespace characters, quotation marks, " ++ 
"semicolons, or SQL comments." ++ ) ++ with self.assertRaisesMessage(ValueError, msg): ++ Book.objects.annotate(**{crafted_alias: FilteredRelation("author")}) ++ + def test_alias_forbidden_chars(self): + tests = [ + 'al"ias', +@@ -1146,6 +1156,11 @@ class NonAggregateAnnotationTestCase(TestCase): + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: Value(1)}) + ++ with self.assertRaisesMessage(ValueError, msg): ++ Book.objects.annotate( ++ **{crafted_alias: FilteredRelation("authors")} ++ ) ++ + + class AliasTests(TestCase): + @classmethod +@@ -1418,3 +1433,12 @@ class AliasTests(TestCase): + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.alias(**{crafted_alias: Value(1)}) ++ ++ def test_alias_filtered_relation_sql_injection(self): ++ crafted_alias = """injected_name" from "annotations_book"; --""" ++ msg = ( ++ "Column aliases cannot contain whitespace characters, quotation marks, " ++ "semicolons, or SQL comments." ++ ) ++ with self.assertRaisesMessage(ValueError, msg): ++ Book.objects.alias(**{crafted_alias: FilteredRelation("authors")}) diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb b/meta-python/recipes-devtools/python/python3-django_4.2.20.bb index 9d25af074f..4aca046b71 100644 --- a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb +++ b/meta-python/recipes-devtools/python/python3-django_4.2.20.bb 
@@ -10,6 +10,7 @@ SRC_URI += " \ file://CVE-2025-48432-4.patch \ file://CVE-2025-48432-5.patch \ file://CVE-2025-48432-6.patch \ + file://CVE-2025-57833.patch \ " SRC_URI[sha256sum] = "92bac5b4432a64532abb73b2ac27203f485e40225d2640a7fbef2b62b876e789"
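Review bot: `self.check_alias(alias)` in the django/db/models/sql/query.py hunk is placed before `filtered_relation.alias = alias`, so a rejected alias never reaches query state; that ordering is correct. One nit in the tests/annotations/tests.py hunks: `test_alias_filtered_relation_sql_injection` in `NonAggregateAnnotationTestCase` uses `FilteredRelation("author")` while the new assertion in `test_alias_forbidden_chars` and the `AliasTests` copy use `FilteredRelation("authors")`. Because `ValueError` is raised before the relation name is resolved, either spelling passes, but the tests should use the model's real relation name consistently so they keep failing for the right reason if the check is ever moved later in `add_filtered_relation()`.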
From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 6/8] python3-django: patch CVE-2025-59681 Date: Wed, 22 Oct 2025 19:17:57 +1300 Message-ID: <20251022061803.887676-6-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251022061803.887676-1-ankur.tyagi85@gmail.com> References: <20251022061803.887676-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 22 Oct 2025 06:18:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120889 Details https://nvd.nist.gov/vuln/detail/CVE-2025-59681 Signed-off-by: Ankur Tyagi --- .../CVE-2025-59681.patch | 174 ++++++++++++++++++ .../python/python3-django_4.2.20.bb | 1 + 2 files changed, 175 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-59681.patch diff --git a/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-59681.patch b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-59681.patch new file mode 100644 index 0000000000..681638ac4f --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-59681.patch 
@@ -0,0 +1,174 @@ +From af61d1752df85a1ba1c320282128f2fccdad0107 Mon Sep 17 00:00:00 2001 +From: Mariusz Felisiak +Date: Wed, 10 Sep 2025 09:53:52 +0200 +Subject: [PATCH] [4.2.x] Fixed CVE-2025-59681 -- Protected + QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection + in column aliases on MySQL/MariaDB. + +Thanks sw0rd1ight for the report. + +Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. + +Backport of 41b43c74bda19753c757036673ea9db74acf494a from main. + +CVE: CVE-2025-59681 +Upstream-Status: Backport [https://github.com/django/django/commit/38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5] +(cherry picked from commit 38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5) +Signed-off-by: Ankur Tyagi +--- + django/db/models/sql/query.py | 8 ++++---- + tests/aggregation/tests.py | 4 ++-- + tests/annotations/tests.py | 23 ++++++++++++----------- + tests/expressions/test_queryset_values.py | 8 ++++---- + tests/queries/tests.py | 4 ++-- + 5 files changed, 24 insertions(+), 23 deletions(-) + +diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py +index 5a1b68507b..3b8071eab4 100644 +--- a/django/db/models/sql/query.py ++++ b/django/db/models/sql/query.py +@@ -46,9 +46,9 @@ from django.utils.tree import Node + + __all__ = ["Query", "RawQuery"] + +-# Quotation marks ('"`[]), whitespace characters, semicolons, or inline ++# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline + # SQL comments are forbidden in column aliases. 
+-FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/") ++FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|#|--|/\*|\*/") + + # Inspired from + # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS +@@ -1123,8 +1123,8 @@ class Query(BaseExpression): + def check_alias(self, alias): + if FORBIDDEN_ALIAS_PATTERN.search(alias): + raise ValueError( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, " ++ "quotation marks, semicolons, or SQL comments." + ) + + def add_annotation(self, annotation, alias, select=True): +diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py +index 48266d9774..277c0507f7 100644 +--- a/tests/aggregation/tests.py ++++ b/tests/aggregation/tests.py +@@ -2090,8 +2090,8 @@ class AggregateTestCase(TestCase): + def test_alias_sql_injection(self): + crafted_alias = """injected_name" from "aggregation_author"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Author.objects.aggregate(**{crafted_alias: Avg("age")}) +diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py +index a8474abc77..4879f19a78 100644 +--- a/tests/annotations/tests.py ++++ b/tests/annotations/tests.py +@@ -1116,8 +1116,8 @@ class NonAggregateAnnotationTestCase(TestCase): + def test_alias_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." 
+ ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: Value(1)}) +@@ -1125,8 +1125,8 @@ class NonAggregateAnnotationTestCase(TestCase): + def test_alias_filtered_relation_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: FilteredRelation("author")}) +@@ -1143,13 +1143,14 @@ class NonAggregateAnnotationTestCase(TestCase): + "ali/*as", + "alias*/", + "alias;", +- # [] are used by MSSQL. ++ # [] and # are used by MSSQL. + "alias[", + "alias]", ++ "ali#as", + ] + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + for crafted_alias in tests: + with self.subTest(crafted_alias): +@@ -1428,8 +1429,8 @@ class AliasTests(TestCase): + def test_alias_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.alias(**{crafted_alias: Value(1)}) +@@ -1437,8 +1438,8 @@ class AliasTests(TestCase): + def test_alias_filtered_relation_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." 
++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.alias(**{crafted_alias: FilteredRelation("authors")}) +diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py +index 47bd1358de..080ee06183 100644 +--- a/tests/expressions/test_queryset_values.py ++++ b/tests/expressions/test_queryset_values.py +@@ -37,8 +37,8 @@ class ValuesExpressionsTests(TestCase): + def test_values_expression_alias_sql_injection(self): + crafted_alias = """injected_name" from "expressions_company"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Company.objects.values(**{crafted_alias: F("ceo__salary")}) +@@ -47,8 +47,8 @@ class ValuesExpressionsTests(TestCase): + def test_values_expression_alias_sql_injection_json_field(self): + crafted_alias = """injected_name" from "expressions_company"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." 
+ ) + with self.assertRaisesMessage(ValueError, msg): + JSONFieldModel.objects.values(f"data__{crafted_alias}") +diff --git a/tests/queries/tests.py b/tests/queries/tests.py +index a6a2b252eb..b8488fef75 100644 +--- a/tests/queries/tests.py ++++ b/tests/queries/tests.py +@@ -1943,8 +1943,8 @@ class Queries5Tests(TestCase): + def test_extra_select_alias_sql_injection(self): + crafted_alias = """injected_name" from "queries_note"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Note.objects.extra(select={crafted_alias: "1"}) diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb b/meta-python/recipes-devtools/python/python3-django_4.2.20.bb index 4aca046b71..67f704f9cf 100644 --- a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb +++ b/meta-python/recipes-devtools/python/python3-django_4.2.20.bb 
@@ -11,6 +11,7 @@ SRC_URI += " \ file://CVE-2025-48432-5.patch \ file://CVE-2025-48432-6.patch \ file://CVE-2025-57833.patch \ + file://CVE-2025-59681.patch \ " SRC_URI[sha256sum] = "92bac5b4432a64532abb73b2ac27203f485e40225d2640a7fbef2b62b876e789"
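Review bot: in the `FORBIDDEN_ALIAS_PATTERN` hunk, `#` is added as its own alternation branch (`|#|`) rather than inside the existing character class `['`\"\]\[;\s]`, where a single literal character belongs; folding it into the class (`['`\"\]\[;#\s]`) would be equivalent and shorter, though the separate branch is not wrong. The accompanying comment in the `tests/annotations/tests.py` list, `# [] and # are used by MSSQL.`, under-explains why `#` joins `--` and `/*` in the pattern: `#` also introduces a line comment in MySQL and MariaDB, which is exactly the case the new message covers by listing "hashes" alongside "SQL comments", so the comment would read better if it said so.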
From: Ankur Tyagi
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-python][scarthgap][PATCH 7/8] python3-django: patch CVE-2025-59682
Date: Wed, 22 Oct 2025 19:17:58 +1300
Message-ID: <20251022061803.887676-7-ankur.tyagi85@gmail.com>
In-Reply-To: <20251022061803.887676-1-ankur.tyagi85@gmail.com>
References: <20251022061803.887676-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120890

Details https://nvd.nist.gov/vuln/detail/CVE-2025-59682

Signed-off-by: Ankur Tyagi
---
 .../CVE-2025-59682.patch | 72 +++++++++++++++++++
 .../python/python3-django_4.2.20.bb | 1 +
 2 files changed, 73 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-59682.patch

diff --git a/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-59682.patch b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-59682.patch new file mode 100644 index 0000000000..72f566a0e1 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-59682.patch
@@ -0,0 +1,72 @@ +From c757b620cd8099d17e202c0f5582bbab5564056c Mon Sep 17 00:00:00 2001 +From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> +Date: Tue, 16 Sep 2025 17:13:36 +0200 +Subject: [PATCH] [4.2.x] Fixed CVE-2025-59682 -- Fixed potential partial + directory-traversal via archive.extract(). + +Thanks stackered for the report. + +Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23. + +Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main. + +CVE: CVE-2025-59682 +Upstream-Status: Backport [https://github.com/django/django/commit/9504bbaa392c9fe37eee9291f5b4c29eb6037619] +(cherry picked from commit 9504bbaa392c9fe37eee9291f5b4c29eb6037619) +Signed-off-by: Ankur Tyagi +--- + django/utils/archive.py | 6 +++++- + tests/utils_tests/test_archive.py | 19 +++++++++++++++++++ + 2 files changed, 24 insertions(+), 1 deletion(-) + +diff --git a/django/utils/archive.py b/django/utils/archive.py +index 71ec2d0015..e8af690e27 100644 +--- a/django/utils/archive.py ++++ b/django/utils/archive.py +@@ -144,7 +144,11 @@ class BaseArchive: + def target_filename(self, to_path, name): + target_path = os.path.abspath(to_path) + filename = os.path.abspath(os.path.join(target_path, name)) +- if not filename.startswith(target_path): ++ try: ++ if os.path.commonpath([target_path, filename]) != target_path: ++ raise SuspiciousOperation("Archive contains invalid path: '%s'" % name) ++ except ValueError: ++ # Different drives on Windows raises ValueError. 
+ raise SuspiciousOperation("Archive contains invalid path: '%s'" % name) + return filename + +diff --git a/tests/utils_tests/test_archive.py b/tests/utils_tests/test_archive.py +index 8cd107063f..8063dafb65 100644 +--- a/tests/utils_tests/test_archive.py ++++ b/tests/utils_tests/test_archive.py +@@ -3,6 +3,7 @@ import stat + import sys + import tempfile + import unittest ++import zipfile + + from django.core.exceptions import SuspiciousOperation + from django.test import SimpleTestCase +@@ -96,3 +97,21 @@ class TestArchiveInvalid(SimpleTestCase): + with self.subTest(entry), tempfile.TemporaryDirectory() as tmpdir: + with self.assertRaisesMessage(SuspiciousOperation, msg % invalid_path): + archive.extract(os.path.join(archives_dir, entry), tmpdir) ++ ++ def test_extract_function_traversal_startswith(self): ++ with tempfile.TemporaryDirectory() as tmpdir: ++ base = os.path.abspath(tmpdir) ++ tarfile_handle = tempfile.NamedTemporaryFile(suffix=".zip", delete=False) ++ tar_path = tarfile_handle.name ++ tarfile_handle.close() ++ self.addCleanup(os.remove, tar_path) ++ ++ malicious_member = os.path.join(base + "abc", "evil.txt") ++ with zipfile.ZipFile(tar_path, "w") as zf: ++ zf.writestr(malicious_member, "evil\n") ++ zf.writestr("test.txt", "data\n") ++ ++ with self.assertRaisesMessage( ++ SuspiciousOperation, "Archive contains invalid path" ++ ): ++ archive.extract(tar_path, base) diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb b/meta-python/recipes-devtools/python/python3-django_4.2.20.bb index 67f704f9cf..d62fa3fd2c 100644 --- a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb +++ b/meta-python/recipes-devtools/python/python3-django_4.2.20.bb 
@@ -12,6 +12,7 @@ SRC_URI += " \ file://CVE-2025-48432-6.patch \ file://CVE-2025-57833.patch \ file://CVE-2025-59681.patch \ + file://CVE-2025-59682.patch \ " SRC_URI[sha256sum] = "92bac5b4432a64532abb73b2ac27203f485e40225d2640a7fbef2b62b876e789"
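Review bot: in the `django/utils/archive.py` hunk, the `try` block encloses the `raise SuspiciousOperation(...)` together with the `os.path.commonpath` call, so the `except ValueError` clause guards more than the single call that can raise it and the same `raise` has to be written twice; narrowing the try to the `commonpath` call (store its result, then do the `!= target_path` comparison and the single raise after the try/except) keeps the control flow easier to follow. The substance of the change is right: `filename.startswith(target_path)` accepted any sibling path whose name merely begins with the target, the `base + "abc"` case the new test exercises, whereas `commonpath` compares whole path components and rejects it.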
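Review bot: in the `test_extract_function_traversal_startswith` hunk, the temporary archive is a zip (`suffix=".zip"`, written via `zipfile.ZipFile`) yet it is held in `tarfile_handle` and `tar_path`; renaming them to `zip_handle` and `zip_path` would stop the test from suggesting a tar-specific case. Creating the archive with `NamedTemporaryFile(delete=False)` outside `tmpdir` and removing it through `addCleanup` is the right choice here, since it keeps the archive out of the directory being extracted into.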
From: Ankur Tyagi
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-python][scarthgap][PATCH 8/8] python3-django: upgrade 5.0.11 -> 5.0.14
Date: Wed, 22 Oct 2025 19:17:59 +1300
Message-ID: <20251022061803.887676-8-ankur.tyagi85@gmail.com>
In-Reply-To: <20251022061803.887676-1-ankur.tyagi85@gmail.com>
References: <20251022061803.887676-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120891

Includes fix for CVE-2025-26699 and CVE-2025-27556

Release notes:
https://docs.djangoproject.com/en/dev/releases/5.0.12/
https://docs.djangoproject.com/en/dev/releases/5.0.13/
https://docs.djangoproject.com/en/dev/releases/5.0.14/

Signed-off-by: Ankur Tyagi
---
 .../{python3-django_5.0.11.bb => python3-django_5.0.14.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-python/recipes-devtools/python/{python3-django_5.0.11.bb => python3-django_5.0.14.bb} (56%)

diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.11.bb b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb similarity index 56% rename from meta-python/recipes-devtools/python/python3-django_5.0.11.bb rename to meta-python/recipes-devtools/python/python3-django_5.0.14.bb index 5060f3c9ad..b95a5067fb 100644 --- a/meta-python/recipes-devtools/python/python3-django_5.0.11.bb +++ b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb @@ -1,7 +1,7 @@ require python-django.inc inherit setuptools3 -SRC_URI[sha256sum] = "e7d98fa05ce09cb3e8d5ad6472fb602322acd1740bfdadc29c8404182d664f65" +SRC_URI[sha256sum] = "29019a5763dbd48da1720d687c3522ef40d1c61be6fb2fad27ed79e9f655bc11" RDEPENDS:${PN} += "\ python3-sqlparse \