[Buildroot] [PATCH v2 for 2025.02.x] package/python-django: security bump to v5.1.13
Thomas Perale
thomas.perale at mind.be
Thu Oct 9 14:55:43 UTC 2025
In reply of:
> This fixes the following vulnerabilities:
> - CVE-2025-59681:
> An issue was discovered in Django 4.2 before 4.2.25, 5.1 before
> 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(),
> QuerySet.aggregate(), and QuerySet.extra() are subject to SQL
> injection in column aliases, when using a suitably crafted dictionary,
> with dictionary expansion, as the **kwargs passed to these methods (on
> MySQL and MariaDB).
> https://www.cve.org/CVERecord?id=CVE-2025-59681
>
> - CVE-2025-59682:
> An issue was discovered in Django 4.2 before 4.2.25, 5.1 before
> 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract()
> function, used by the "startapp --template" and "startproject
> --template" commands, allows partial directory traversal via an
> archive with file paths sharing a common prefix with the target
> directory.
> https://www.cve.org/CVERecord?id=CVE-2025-59682
>
> Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
Applied to 2025.02.x. Thanks
> ---
> Changes v1->v2:
> - Update hash for utils/archive.py, because this file was updated as part
> of the CVE fix
> ---
> package/python-django/python-django.hash | 6 +++---
> package/python-django/python-django.mk | 4 ++--
> 2 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
> index 155e3af8ef..a525410582 100644
> --- a/package/python-django/python-django.hash
> +++ b/package/python-django/python-django.hash
> @@ -1,6 +1,6 @@
> # md5, sha256 from https://pypi.org/pypi/django/json
> -md5 7f7a03e4f19ad7813d96f9fbbad65a5c django-5.1.12.tar.gz
> -sha256 8a8991b1ec052ef6a44fefd1ef336ab8daa221287bcb91a4a17d5e1abec5bbcc django-5.1.12.tar.gz
> +md5 dad76d0dbdbc86402061182fc708a442 django-5.1.13.tar.gz
> +sha256 543ff21679f15e80edfc01fe7ea35f8291b6d4ea589433882913626a7c1cf929 django-5.1.13.tar.gz
> # Locally computed sha256 checksums
> sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
> sha256 dcac1c86cb7ab491702bdb4c41be680fafde51536748cc8aaee3840eec53ed17 django/contrib/gis/measure.py
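Review bot: the two new tarball lines are transcribed from upstream metadata (the comment on the first line says md5 and sha256 come from the PyPI JSON), so they only prove that the hash file matches what PyPI reports, not that the file Buildroot will fetch is what you reviewed. Please confirm that `543ff216...cf929` is the `digests.sha256` listed for `django-5.1.13.tar.gz` in that JSON and that a fresh download of the tarball produces the same `sha256sum`; the md5 line adds no integrity guarantee of its own and is kept only for consistency with the comment.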
> @@ -12,4 +12,4 @@ sha256 4ee0cbc51370afde358652a0f977972053729ed578b6a42f5e2a037d114f0b39 django
> sha256 73af2949bff9296cb0f816c3be19a4da4e95adc94c1f924796e8bad3f03f2f29 django/contrib/admin/static/admin/js/vendor/xregexp/LICENSE.txt
> sha256 d114faff3488c16c319b3235dc41f90239d3d63d9853733033d8f7535f5c0004 django/contrib/admin/static/admin/img/LICENSE
> sha256 54004c4b606964ebc163af16d04607c16e428f8a78a026fecb53f70c09f4a94f django/dispatch/license.txt
> -sha256 1ce0483ad554cf135efec70ad2097e82ed72790194f17e1591821dc82c2416e0 django/utils/archive.py
> +sha256 9f37277d682cf06369041e60fb6fda5a85dfcf118d9176489087a3d40293f015 django/utils/archive.py
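Review bot: the hash change for `django/utils/archive.py` tracks a code change, not a license change, because this file is listed as a license file only for the MIT header it carries in-tree. The changelog says the file was modified as part of the CVE fix; please confirm in the 5.1.12 to 5.1.13 diff that the MIT header in `django/utils/archive.py` is untouched, otherwise the `MIT (jquery, utils/archive.py)` entry in `PYTHON_DJANGO_LICENSE` would also need revisiting. Expect this line to need updating again on any future bump that touches the file, so running `make legal-info` should be part of the checklist for this package.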
> diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
> index 3026c304be..c2581f5f90 100644
> --- a/package/python-django/python-django.mk
> +++ b/package/python-django/python-django.mk
> @@ -4,10 +4,10 @@
> #
> ################################################################################
>
> -PYTHON_DJANGO_VERSION = 5.1.12
> +PYTHON_DJANGO_VERSION = 5.1.13
> PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
> # The official Django site has an unpractical URL
> -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/f0/99/a951d93a27a5bc59fb96edbcdbc03fb9bfac51177f1bc0110888de85af3f
> +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/bb/57/ad9905d03a2ee39064ee7ba69f8e2790db4a7ffaef9c54f95e7a8f2cb0a1
> PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js)
> PYTHON_DJANGO_LICENSE_FILES = LICENSE \
> django/contrib/gis/measure.py \
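Review bot: `PYTHON_DJANGO_SITE` is a content-addressed path on files.pythonhosted.org that is valid for exactly one uploaded file, so a copy-paste slip in the `bb/57/ad99...` segment points at a missing or different artefact and is only caught later by the hash check. Please confirm the new path is the `url` reported for `django-5.1.13.tar.gz` in the PyPI JSON and that, with the hash hunk applied, a clean `make python-django-source` downloads and verifies the tarball. Separately, the unchanged context comment `# The official Django site has an unpractical URL` should read `impractical` if it is touched in a follow-up.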
> --
> 2.51.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
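The two issue classes named in the commit message above, illustrated as an added example; this is not code from the patch, from Buildroot, or from Django, and the helper names, the in-memory tar archive and the sample aliases are all constructed for the illustration. The traversal half models the "common prefix with the target directory" flaw in generic form (a bare string-prefix check versus a path-component check); the SQL half models why keyword arguments supplied through dictionary expansion need an explicit alias check that plain keyword syntax otherwise provides for free. Neither function is claimed to be Django's actual implementation.

```python
from __future__ import annotations

import io
import posixpath
import tarfile

# ---------------------------------------------------------------------------
# Traversal class (CVE-2025-59682 description): "is the destination inside
# the target directory?" answered by string prefix versus by path component.
# ---------------------------------------------------------------------------

def _resolve(target_dir: str, member_name: str) -> tuple[str, str]:
    # posixpath (not os.path) so the example behaves identically on any host.
    target = posixpath.normpath(target_dir)
    dest = posixpath.normpath(posixpath.join(target, member_name))
    return target, dest


def inside_by_prefix(target_dir: str, member_name: str) -> bool:
    """Weak check: '/tmp/proj' is a string prefix of '/tmp/proj2/evil.py',
    so a member named '../proj2/evil.py' is accepted although it lands
    in a sibling directory. This is the shape of flaw the advisory describes."""
    target, dest = _resolve(target_dir, member_name)
    return dest.startswith(target)


def inside_by_path(target_dir: str, member_name: str) -> bool:
    """Hardened check: the destination must be the target itself or lie
    below it as a path component (prefix plus separator)."""
    target, dest = _resolve(target_dir, member_name)
    sep = "" if target.endswith("/") else "/"
    return dest == target or dest.startswith(target + sep)


def build_sample_archive() -> bytes:
    """Constructed test data: one benign member and two traversal attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("app/models.py", "../proj2/evil.py", "../../etc/passwd"):
            payload = b"# sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def vet_archive(target_dir: str, data: bytes, check) -> tuple[list[str], list[str]]:
    """Classify the members of an in-memory tar as (accepted, rejected) under `check`,
    without extracting anything."""
    accepted: list[str] = []
    rejected: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for member in tf.getmembers():
            (accepted if check(target_dir, member.name) else rejected).append(member.name)
    return accepted, rejected


# ---------------------------------------------------------------------------
# Alias class (CVE-2025-59681 description): column aliases taken from **kwargs.
# `f(total=expr)` can only ever carry an identifier-shaped key; `f(**{...})`
# can carry any string, so the alias must be validated explicitly.
# ---------------------------------------------------------------------------

def render_select(aliases: dict[str, str], table: str) -> str:
    """Naive rendering with MySQL/MariaDB backtick quoting and no alias check."""
    cols = ", ".join(f"{expr} AS `{alias}`" for alias, expr in aliases.items())
    return f"SELECT {cols} FROM `{table}`"


def render_select_checked(aliases: dict[str, str], table: str) -> str:
    """Reinstate the guarantee keyword syntax gives for free: every alias must be
    a Python identifier, which rules out quotes, backticks, whitespace and ';'."""
    for alias in aliases:
        if not alias.isidentifier():
            raise ValueError(f"unsafe column alias: {alias!r}")
    return render_select(aliases, table)


if __name__ == "__main__":
    data = build_sample_archive()
    print("prefix check :", vet_archive("/tmp/proj", data, inside_by_prefix))
    print("path check   :", vet_archive("/tmp/proj", data, inside_by_path))
    hostile = {"n` FROM `orders`; DROP TABLE `orders`; -- ": "COUNT(*)"}
    print("naive SQL    :", render_select(hostile, "orders"))
    try:
        render_select_checked(hostile, "orders")
    except ValueError as exc:
        print("checked SQL  :", exc)
```

The traversal check could equally be written as `posixpath.commonpath([target, dest]) == target`; the explicit separator form is used here because it shows exactly which character the weak check was missing. The alias check is deliberately an allow-list rather than a deny-list of SQL metacharacters, since the property being restored is "what keyword syntax would have accepted", not "what this backend happens to treat as special".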