[Buildroot] [PATCH v2] package/python-django: security bump to v5.2.7
Thomas Perale
thomas.perale at mind.be
Thu Oct 9 14:57:56 UTC 2025
In reply of:
> This fixes the following vulnerabilities:
> - CVE-2025-59681:
> An issue was discovered in Django 4.2 before 4.2.25, 5.1 before
> 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(),
> QuerySet.aggregate(), and QuerySet.extra() are subject to SQL
> injection in column aliases, when using a suitably crafted dictionary,
> with dictionary expansion, as the **kwargs passed to these methods (on
> MySQL and MariaDB).
> https://www.cve.org/CVERecord?id=CVE-2025-59681
>
> - CVE-2025-59682:
> An issue was discovered in Django 4.2 before 4.2.25, 5.1 before
> 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract()
> function, used by the "startapp --template" and "startproject
> --template" commands, allows partial directory traversal via an
> archive with file paths sharing a common prefix with the target
> directory.
> https://www.cve.org/CVERecord?id=CVE-2025-59682
>
> Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
Applied to 2025.05.x & 2025.08.x. Thanks
> ---
> Changes v1->v2:
> - Update hash for utils/archive.py, because this file was updated as part
> of the CVE fix
> ---
> package/python-django/python-django.hash | 6 +++---
> package/python-django/python-django.mk | 4 ++--
> 2 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
> index 3ff4eb4e36..1ec80dc1c2 100644
> --- a/package/python-django/python-django.hash
> +++ b/package/python-django/python-django.hash
> @@ -1,6 +1,6 @@
> # md5, sha256 from https://pypi.org/pypi/django/json
> -md5 1f0327293cc3768903ce8cd390ec3f47 django-5.2.6.tar.gz
> -sha256 da5e00372763193d73cecbf71084a3848458cecf4cee36b9a1e8d318d114a87b django-5.2.6.tar.gz
> +md5 699a77ac347ca3484939762483dc4b08 django-5.2.7.tar.gz
> +sha256 e0f6f12e2551b1716a95a63a1366ca91bbcd7be059862c1b18f989b1da356cdd django-5.2.7.tar.gz
> # Locally computed sha256 checksums
> sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
> sha256 dcac1c86cb7ab491702bdb4c41be680fafde51536748cc8aaee3840eec53ed17 django/contrib/gis/measure.py
> @@ -12,4 +12,4 @@ sha256 4ee0cbc51370afde358652a0f977972053729ed578b6a42f5e2a037d114f0b39 django
> sha256 73af2949bff9296cb0f816c3be19a4da4e95adc94c1f924796e8bad3f03f2f29 django/contrib/admin/static/admin/js/vendor/xregexp/LICENSE.txt
> sha256 d114faff3488c16c319b3235dc41f90239d3d63d9853733033d8f7535f5c0004 django/contrib/admin/static/admin/img/LICENSE
> sha256 54004c4b606964ebc163af16d04607c16e428f8a78a026fecb53f70c09f4a94f django/dispatch/license.txt
> -sha256 1ce0483ad554cf135efec70ad2097e82ed72790194f17e1591821dc82c2416e0 django/utils/archive.py
> +sha256 9f37277d682cf06369041e60fb6fda5a85dfcf118d9176489087a3d40293f015 django/utils/archive.py
> diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
> index e3959f4192..139a15b13a 100644
> --- a/package/python-django/python-django.mk
> +++ b/package/python-django/python-django.mk
> @@ -4,10 +4,10 @@
> #
> ################################################################################
>
> -PYTHON_DJANGO_VERSION = 5.2.6
> +PYTHON_DJANGO_VERSION = 5.2.7
> PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
> # The official Django site has an unpractical URL
> -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/4c/8c/2a21594337250a171d45dda926caa96309d5136becd1f48017247f9cdea0
> +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/b1/96/bd84e2bb997994de8bcda47ae4560991084e86536541d7214393880f01a8
> PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js)
> PYTHON_DJANGO_LICENSE_FILES = LICENSE \
> django/contrib/gis/measure.py \
> --
> 2.51.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
More information about the buildroot
mailing list