[Buildroot] [PATCH v2 for 2025.02.x] package/python-django: security bump to v5.1.13
Titouan Christophe
titouan.christophe at mind.be
Sat Oct 4 09:41:28 UTC 2025
This fixes the following vulnerabilities:
- CVE-2025-59681:
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before
5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(),
QuerySet.aggregate(), and QuerySet.extra() are subject to SQL
injection in column aliases, when using a suitably crafted dictionary,
with dictionary expansion, as the **kwargs passed to these methods (on
MySQL and MariaDB).
https://www.cve.org/CVERecord?id=CVE-2025-59681
- CVE-2025-59682:
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before
5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract()
function, used by the "startapp --template" and "startproject
--template" commands, allows partial directory traversal via an
archive with file paths sharing a common prefix with the target
directory.
https://www.cve.org/CVERecord?id=CVE-2025-59682
Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
---
Changes v1->v2:
- Update hash for utils/archive.py, because this file was updated as part
of the CVE fix
---
package/python-django/python-django.hash | 6 +++---
package/python-django/python-django.mk | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 155e3af8ef..a525410582 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,6 +1,6 @@
# md5, sha256 from https://pypi.org/pypi/django/json
-md5 7f7a03e4f19ad7813d96f9fbbad65a5c django-5.1.12.tar.gz
-sha256 8a8991b1ec052ef6a44fefd1ef336ab8daa221287bcb91a4a17d5e1abec5bbcc django-5.1.12.tar.gz
+md5 dad76d0dbdbc86402061182fc708a442 django-5.1.13.tar.gz
+sha256 543ff21679f15e80edfc01fe7ea35f8291b6d4ea589433882913626a7c1cf929 django-5.1.13.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
sha256 dcac1c86cb7ab491702bdb4c41be680fafde51536748cc8aaee3840eec53ed17 django/contrib/gis/measure.py
@@ -12,4 +12,4 @@ sha256 4ee0cbc51370afde358652a0f977972053729ed578b6a42f5e2a037d114f0b39 django
sha256 73af2949bff9296cb0f816c3be19a4da4e95adc94c1f924796e8bad3f03f2f29 django/contrib/admin/static/admin/js/vendor/xregexp/LICENSE.txt
sha256 d114faff3488c16c319b3235dc41f90239d3d63d9853733033d8f7535f5c0004 django/contrib/admin/static/admin/img/LICENSE
sha256 54004c4b606964ebc163af16d04607c16e428f8a78a026fecb53f70c09f4a94f django/dispatch/license.txt
-sha256 1ce0483ad554cf135efec70ad2097e82ed72790194f17e1591821dc82c2416e0 django/utils/archive.py
+sha256 9f37277d682cf06369041e60fb6fda5a85dfcf118d9176489087a3d40293f015 django/utils/archive.py
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 3026c304be..c2581f5f90 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
#
################################################################################
-PYTHON_DJANGO_VERSION = 5.1.12
+PYTHON_DJANGO_VERSION = 5.1.13
PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
# The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/f0/99/a951d93a27a5bc59fb96edbcdbc03fb9bfac51177f1bc0110888de85af3f
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/bb/57/ad9905d03a2ee39064ee7ba69f8e2790db4a7ffaef9c54f95e7a8f2cb0a1
PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js)
PYTHON_DJANGO_LICENSE_FILES = LICENSE \
django/contrib/gis/measure.py \
--
2.51.0
More information about the buildroot
mailing list