[Buildroot] [v2 PATCH 1/1] package/python-jinja2: security bump to version 3.1.6
Arnout Vandecappelle
arnout at rnout.be
Wed Apr 16 21:33:01 UTC 2025
On 09/04/2025 19:10, Thomas Perale via buildroot wrote:
> Fixes the following security issue:
>
> - CVE-2025-27516: Prior to 3.1.6, an oversight in how the Jinja
> sandboxed environment interacts with the |attr filter allows
> an attacker that controls the content of a template to execute
> arbitrary Python code.
>
> For more information, see:
> - https://nvd.nist.gov/vuln/detail/CVE-2025-27516
> - https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403
>
> For more details on the version bump, see the release notes:
>
> https://github.com/pallets/jinja/releases/tag/3.1.6
>
> Signed-off-by: Thomas Perale <thomas.perale at mind.be>
Applied to 2025.02.x, thanks.
Regards,
Arnout
> ---
> package/python-jinja2/python-jinja2.hash | 4 ++--
> package/python-jinja2/python-jinja2.mk | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/package/python-jinja2/python-jinja2.hash b/package/python-jinja2/python-jinja2.hash
> index a89c63a0f4..ffd0bc55c2 100644
> --- a/package/python-jinja2/python-jinja2.hash
> +++ b/package/python-jinja2/python-jinja2.hash
> @@ -1,5 +1,5 @@
> # md5, sha256 from https://pypi.org/pypi/jinja2/json
> -md5 083d64f070f6f1b5f75971ae60240785 jinja2-3.1.5.tar.gz
> -sha256 8fefff8dc3034e27bb80d67c671eb8a9bc424c0ef4c0826edbff304cceff43bb jinja2-3.1.5.tar.gz
> +md5 66d4c25ff43d1deaf9637ccda523dec8 jinja2-3.1.6.tar.gz
> +sha256 0137fb05990d35f1275a587e9aee6d56da821fc83491a0fb838183be43f66d6d jinja2-3.1.6.tar.gz
> # Locally computed sha256 checksums
> sha256 3b49dcee4105eb37bac10faf1be260408fe85d252b8e9df2e0979fc1e094437b LICENSE.txt
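Review bot: The md5 entry on the first added line gives no integrity assurance beyond what the sha256 entry directly below it already provides, since md5 is not collision resistant; the sha256 line is the one that actually pins jinja2-3.1.6.tar.gz. Consider dropping the md5 line in a follow-up, or at least treating it as informational only. Note also that both values are taken from the same upstream source as the tarball (the pypi.org JSON named in the header comment), so they protect against corruption and later tampering of the download but not against a bad upload at the time of the bump. The unchanged LICENSE.txt hash in the trailing context is consistent with the license text not changing between 3.1.5 and 3.1.6.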
> diff --git a/package/python-jinja2/python-jinja2.mk b/package/python-jinja2/python-jinja2.mk
> index 9b95b3212c..74360ec258 100644
> --- a/package/python-jinja2/python-jinja2.mk
> +++ b/package/python-jinja2/python-jinja2.mk
> @@ -4,9 +4,9 @@
> #
> ################################################################################
>
> -PYTHON_JINJA2_VERSION = 3.1.5
> +PYTHON_JINJA2_VERSION = 3.1.6
> PYTHON_JINJA2_SOURCE = jinja2-$(PYTHON_JINJA2_VERSION).tar.gz
> -PYTHON_JINJA2_SITE = https://files.pythonhosted.org/packages/af/92/b3130cbbf5591acf9ade8708c365f3238046ac7cb8ccba6e81abccb0ccff
> +PYTHON_JINJA2_SITE = https://files.pythonhosted.org/packages/df/bf/f7da0350254c0ed7c72f3e33cef02e048281fec7ecec5f032d4aac52226b
> PYTHON_JINJA2_SETUP_TYPE = flit
> PYTHON_JINJA2_LICENSE = BSD-3-Clause
> PYTHON_JINJA2_LICENSE_FILES = LICENSE.txt
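Review bot: The new PYTHON_JINJA2_SITE value is an opaque per-release directory on files.pythonhosted.org that cannot be derived from PYTHON_JINJA2_VERSION, so nothing in this hunk ties the two changed lines together. The only check that the df/bf/... path really serves jinja2-3.1.6.tar.gz is the sha256 in python-jinja2.hash, so it is worth confirming that a clean download (empty download directory) of this package succeeds with the new hash before applying to a stable branch. The rest of the hunk (setup type, license, license files) is unchanged context, which fits a patch-level security bump with no packaging changes.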