[Buildroot] [PATCH for 2025.02.x] package/python-django: security bump to v5.2.12
Titouan Christophe
titouan.christophe at mind.be
Mon Mar 30 09:06:48 UTC 2026
See the release notes:
https://docs.djangoproject.com/en/5.2/releases/5.2.12/
This fixes the following vulnerabilities:
- CVE-2026-25673:
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and
4.2 before 4.2.29. `URLField.to_python()` in Django calls
`urllib.parse.urlsplit()`, which performs NFKC normalization on
Windows that is disproportionately slow for certain Unicode
characters, allowing a remote attacker to cause denial of service via
large URL inputs containing these characters. Earlier, unsupported
Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and
may also be affected. Django would like to thank Seokchan Yoon for
reporting this issue.
https://www.cve.org/CVERecord?id=CVE-2026-25673
- CVE-2026-25674:
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and
4.2 before 4.2.29. Race condition in file-system storage and file-
based cache backends in Django allows an attacker to cause file system
objects to be created with incorrect permissions via concurrent
requests, where one thread's temporary `umask` change affects other
threads in multi-threaded environments. Earlier, unsupported Django
series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may
also be affected. Django would like to thank Tarek Nakkouch for
reporting this issue.
https://www.cve.org/CVERecord?id=CVE-2026-25674
Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
---
package/python-django/python-django.hash | 4 ++--
package/python-django/python-django.mk | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 1cd2959b69..b1859b0647 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,6 +1,6 @@
# md5, sha256 from https://pypi.org/pypi/django/json
-md5 051357d45eb71a115a64e6d2a79c7c51 django-5.2.11.tar.gz
-sha256 7f2d292ad8b9ee35e405d965fbbad293758b858c34bbf7f3df551aeeac6f02d3 django-5.2.11.tar.gz
+md5 9b60bb1145abcc97d276694f3f82a3b8 django-5.2.12.tar.gz
+sha256 6b809af7165c73eff5ce1c87fdae75d4da6520d6667f86401ecf55b681eb1eeb django-5.2.12.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
sha256 dcac1c86cb7ab491702bdb4c41be680fafde51536748cc8aaee3840eec53ed17 django/contrib/gis/measure.py
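Review bot: the md5 and sha256 for django-5.2.12.tar.gz come from the PyPI JSON record, as the comment on the first line of the file says, so nothing in this hunk by itself proves the tarball fetched from the new PYTHON_DJANGO_SITE directory in the .mk hunk is the one those checksums describe; a clean `make python-django-source` against the bumped .mk should reproduce `sha256 6b809af7165c73eff5ce1c87fdae75d4da6520d6667f86401ecf55b681eb1eeb django-5.2.12.tar.gz`. The two locally computed license-file checksums for LICENSE and django/contrib/gis/measure.py are left untouched, which is correct only if neither file changed between 5.2.11 and 5.2.12; `make python-django-legal-info` re-checks them and is worth running before merging a security bump.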
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 4b840701f4..52d0a2b740 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
#
################################################################################
-PYTHON_DJANGO_VERSION = 5.2.11
+PYTHON_DJANGO_VERSION = 5.2.12
PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
# The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/17/f2/3e57ef696b95067e05ae206171e47a8e53b9c84eec56198671ef9eaa51a6
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/bd/55/b9445fc0695b03746f355c05b2eecc54c34e05198c686f4fc4406b722b52
PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js)
PYTHON_DJANGO_LICENSE_FILES = LICENSE \
django/contrib/gis/measure.py \
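Review bot: the PYTHON_DJANGO_SITE line is a per-release content-hash directory on files.pythonhosted.org, so the version line and this line must be updated in lockstep and the directory must belong to the 5.2.12 sdist rather than to a wheel or to 6.0.3/4.2.29, which were released alongside it according to the commit message; since the comment above it only says the official URL is "unpractical", it would help future bumps to mention in the commit message where the `bd/55/b9445fc0695b03746f355c05b2eecc54c34e05198c686f4fc4406b722b52` path was taken from (the same PyPI JSON record as the hashes).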
--
2.53.0
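The second advisory above (CVE-2026-25674) turns on one fact: `umask` is a per-process attribute, so a thread that narrows or widens it "temporarily" changes what every other thread's `open()`/`mkdir()` produces during that window. The following is an added example written for this page, not Django's code and not part of the patch; the two-thread scenario, the 0o777 directory, the file names and the 0o022 baseline are constructed to make the race reproducible on a POSIX system. It shows the fragile pattern, the file another thread ends up creating world-writable inside the window, and the umask-independent alternative (create, then `fchmod` to the exact mode).

```python
import os
import stat
import tempfile
import threading


def file_mode(path):
    """Permission bits of an existing path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def mkdir_with_temporary_umask(path, mode, while_open=None):
    """The pattern the advisory warns about (constructed, not Django's code):
    set the process umask so the directory comes out exactly as `mode`, create
    it, restore the umask. umask is process-wide, not per-thread, so any other
    thread that creates a file while this window is open inherits the changed
    mask too. `while_open` is a hook used below to hold the window open."""
    old = os.umask(0o777 & ~mode)
    try:
        if while_open is not None:
            while_open()
        os.mkdir(path, mode)
    finally:
        os.umask(old)
    return file_mode(path)


def create_file_relying_on_umask(path, mode=0o666):
    """Ordinary file creation: the kernel applies the current process umask,
    so with the usual 0o022 this yields 0o644. That assumption silently breaks
    if another thread has changed the umask at that moment."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    os.close(fd)
    return file_mode(path)


def create_file_explicit(path, mode=0o644):
    """Thread-safe alternative: create the file, then set the exact mode on
    the open descriptor. fchmod is not subject to umask, so the result is
    `mode` regardless of what any other thread does to the process umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return file_mode(path)


def demonstrate_umask_race(tmpdir=None, baseline_umask=0o022):
    """Reproduce the race deterministically with two threads and events.
    Thread A needs a directory that ends up 0o777 (constructed scenario) and
    widens the umask to 0 to get it; thread B, scheduled inside that window,
    creates a cache file it intends to be 0o644. Returns the observed modes."""
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="umask-race-")
    window_open = threading.Event()
    b_done = threading.Event()
    observed = {}
    saved_umask = os.umask(baseline_umask)  # known process-wide baseline

    def hold_window():
        # Signal B that the umask is now 0, then wait until B has created its files.
        window_open.set()
        b_done.wait(5)

    def thread_a():
        observed["a_dir"] = mkdir_with_temporary_umask(
            os.path.join(tmpdir, "public_dir"), 0o777, while_open=hold_window)

    def thread_b():
        window_open.wait(5)
        # Intended 0o644; created while the umask is 0 -> 0o666, world-writable.
        observed["victim"] = create_file_relying_on_umask(
            os.path.join(tmpdir, "cache_entry"))
        # Same intent, mode set explicitly -> 0o644 whatever the umask is.
        observed["fixed"] = create_file_explicit(
            os.path.join(tmpdir, "cache_entry_fixed"), 0o644)
        b_done.set()

    threads = [threading.Thread(target=thread_a), threading.Thread(target=thread_b)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    os.umask(saved_umask)
    return observed


if __name__ == "__main__":
    for name, mode in demonstrate_umask_race().items():
        print(f"{name}: {oct(mode)}")
```

The events only make the interleaving deterministic for the demonstration; in a real multi-threaded server the same window is a few microseconds wide and is hit by whichever request happens to be writing a file at the time. The takeaway for any code that needs a specific mode is to never touch the process umask from request-handling threads: create the object with the intended mode and then `fchmod`/`chmod` it, which gives the exact bits independently of umask.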