[Buildroot] [PATCH v2] package/python-django: security bump to v5.2.7
Titouan Christophe
titouan.christophe at mind.be
Sat Oct 4 09:33:48 UTC 2025
This fixes the following vulnerabilities:
- CVE-2025-59681:
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before
5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(),
QuerySet.aggregate(), and QuerySet.extra() are subject to SQL
injection in column aliases, when using a suitably crafted dictionary,
with dictionary expansion, as the **kwargs passed to these methods (on
MySQL and MariaDB).
https://www.cve.org/CVERecord?id=CVE-2025-59681
- CVE-2025-59682:
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before
5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract()
function, used by the "startapp --template" and "startproject
--template" commands, allows partial directory traversal via an
archive with file paths sharing a common prefix with the target
directory.
https://www.cve.org/CVERecord?id=CVE-2025-59682
Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
---
Changes v1->v2:
- Update hash for utils/archive.py, because this file was updated as part
of the CVE fix
---
package/python-django/python-django.hash | 6 +++---
package/python-django/python-django.mk | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 3ff4eb4e36..1ec80dc1c2 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,6 +1,6 @@
# md5, sha256 from https://pypi.org/pypi/django/json
-md5 1f0327293cc3768903ce8cd390ec3f47 django-5.2.6.tar.gz
-sha256 da5e00372763193d73cecbf71084a3848458cecf4cee36b9a1e8d318d114a87b django-5.2.6.tar.gz
+md5 699a77ac347ca3484939762483dc4b08 django-5.2.7.tar.gz
+sha256 e0f6f12e2551b1716a95a63a1366ca91bbcd7be059862c1b18f989b1da356cdd django-5.2.7.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
sha256 dcac1c86cb7ab491702bdb4c41be680fafde51536748cc8aaee3840eec53ed17 django/contrib/gis/measure.py
@@ -12,4 +12,4 @@ sha256 4ee0cbc51370afde358652a0f977972053729ed578b6a42f5e2a037d114f0b39 django
sha256 73af2949bff9296cb0f816c3be19a4da4e95adc94c1f924796e8bad3f03f2f29 django/contrib/admin/static/admin/js/vendor/xregexp/LICENSE.txt
sha256 d114faff3488c16c319b3235dc41f90239d3d63d9853733033d8f7535f5c0004 django/contrib/admin/static/admin/img/LICENSE
sha256 54004c4b606964ebc163af16d04607c16e428f8a78a026fecb53f70c09f4a94f django/dispatch/license.txt
-sha256 1ce0483ad554cf135efec70ad2097e82ed72790194f17e1591821dc82c2416e0 django/utils/archive.py
+sha256 9f37277d682cf06369041e60fb6fda5a85dfcf118d9176489087a3d40293f015 django/utils/archive.py
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index e3959f4192..139a15b13a 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
#
################################################################################
-PYTHON_DJANGO_VERSION = 5.2.6
+PYTHON_DJANGO_VERSION = 5.2.7
PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
# The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/4c/8c/2a21594337250a171d45dda926caa96309d5136becd1f48017247f9cdea0
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/b1/96/bd84e2bb997994de8bcda47ae4560991084e86536541d7214393880f01a8
PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js)
PYTHON_DJANGO_LICENSE_FILES = LICENSE \
django/contrib/gis/measure.py \
--
2.51.0
More information about the buildroot
mailing list