[Buildroot] [PATCH v2] package/python-django: security bump to v5.2.7
Julien Olivain
ju.o at free.fr
Sun Oct 5 08:27:36 UTC 2025
On 04/10/2025 11:33, Titouan Christophe via buildroot wrote:
> This fixes the following vulnerabilities:
> - CVE-2025-59681:
> An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13,
> and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(),
> QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection
> in column aliases, when using a suitably crafted dictionary, with
> dictionary expansion, as the **kwargs passed to these methods (on MySQL
> and MariaDB).
> https://www.cve.org/CVERecord?id=CVE-2025-59681
>
> - CVE-2025-59682:
> An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13,
> and 5.2 before 5.2.7. The django.utils.archive.extract() function, used
> by the "startapp --template" and "startproject --template" commands,
> allows partial directory traversal via an archive with file paths
> sharing a common prefix with the target directory.
> https://www.cve.org/CVERecord?id=CVE-2025-59682
>
> Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
Applied to master, thanks.
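For readers wondering what "partial directory traversal via a common prefix" means in the second CVE, here is a small model of that check class, added as an illustration and not code from Django, Buildroot or this patch: a string-prefix test beside a component-wise test, run over constructed archive member names against an assumed target directory.

```python
"""Added illustration of the shared-prefix traversal class behind CVE-2025-59682.
Not Django's implementation; a generic model of the weak and the hardened check."""
import posixpath

# Constructed sample member names, as they might appear in a template archive.
SAMPLE_MEMBERS = [
    "templates/base.html",        # legitimate, stays under the target
    "../proj_evil/settings.py",   # shares the prefix "proj" with the target dir
    "../../etc/passwd",           # plain traversal, caught by both checks
    "/abs/elsewhere/file.txt",    # absolute member path
]


def naive_is_within(target_dir: str, member: str) -> bool:
    """Weak check: a string prefix test on the normalised destination.
    With target '/srv/app/proj' it accepts '/srv/app/proj_evil/...' because
    one string merely starts with the other (the shared-prefix escape)."""
    dest = posixpath.normpath(posixpath.join(target_dir, member))
    return dest.startswith(target_dir)


def safe_is_within(target_dir: str, member: str) -> bool:
    """Hardened check: compare path components, not characters. The target
    must be a component-wise ancestor of, or equal to, the destination."""
    target = posixpath.normpath(target_dir)
    dest = posixpath.normpath(posixpath.join(target, member))
    # A real extractor should also pass both through os.path.realpath so a
    # symlink already present under the destination cannot redirect the write.
    try:
        return posixpath.commonpath([target, dest]) == target
    except ValueError:  # mixed absolute/relative paths: never trust them
        return False


def partial_traversal_members(target_dir: str, members: list) -> list:
    """Members the weak check accepts but the component check rejects:
    exactly the shared-prefix escapes the advisory describes."""
    return [m for m in members
            if naive_is_within(target_dir, m) and not safe_is_within(target_dir, m)]


if __name__ == "__main__":
    print(partial_traversal_members("/srv/app/proj", SAMPLE_MEMBERS))
```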