package/python-django: security bump to 5.0.2

Message ID	20240208130838.196406-1-buildroot@bubu1.eu
State	Accepted
Headers	show Return-Path: <buildroot-bounces@buildroot.org> Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=176.9.145.28; helo=smtp.bubu1.eu; envelope-from=buildroot@bubu1.eu; receiver=<UNKNOWN> DMARC-Filter: OpenDMARC Filter v1.4.2 smtp2.osuosl.org 7992E41DAD To: buildroot@buildroot.org Date: Thu, 8 Feb 2024 14:08:37 +0100 Message-Id: <20240208130838.196406-1-buildroot@bubu1.eu> MIME-Version: 1.0 X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bubu1.eu; s=bubu; t=1707397722; bh=L+jng98BA3VvVmxe8DWizQWLl4pH5ITFkkihDUvAnPQ=; h=From:To:Cc:Subject:Date; b=oVV8MIH1cTawIgaGERX7CYMWFth5rESvowuehYiaNKqLDaL+sKd83awUUoHLen7/H BVB9yiSesvZfc2qoDLq4m/FkgC0QkVBUdzN5Ta1kvDp6xGANkONxVu7iVDLXELgvay CLnzMveNF2MyIRCk2WC0csUXbE0UcUVCeUX0MttYwWrnnCPmzJXqqrMNWTwxvTKJHS SDpAvwBsNCRyDmEejG9fTHhfc7T4GxFUGFYADCbTLOF44gxxJcRwC2lYKeoiIy7MQY Xq/7rqJNajWBLmRRq7spk60metRWTUrTi8Nvsr4kaCCo+AFdKuJBAAJ5JB1GGKCjYd Jh9B64e+v/3hg== X-Mailman-Original-Authentication-Results: smtp2.osuosl.org; dmarc=pass (p=reject dis=none) header.from=bubu1.eu X-Mailman-Original-Authentication-Results: smtp2.osuosl.org; dkim=pass (2048-bit key) header.d=bubu1.eu header.i=@bubu1.eu header.a=rsa-sha256 header.s=bubu header.b=oVV8MIH1 Subject: [Buildroot] [PATCH] package/python-django: security bump to 5.0.2 Precedence: list From: Marcus Hoffmann via buildroot <buildroot@buildroot.org> Reply-To: Marcus Hoffmann <buildroot@bubu1.eu> Cc: James Hilliard <james.hilliard1@gmail.com>, Oli Vogt <oli.vogt.pub01@gmail.com>, Asaf Kahlon <asafka7@gmail.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: buildroot-bounces@buildroot.org Sender: "buildroot" <buildroot-bounces@buildroot.org>
Series	package/python-django: security bump to 5.0.2 \| expand package/python-django: security bump to 5.0.2

Message ID

20240208130838.196406-1-buildroot@bubu1.eu

State

Accepted

Headers

Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=176.9.145.28;
 helo=smtp.bubu1.eu; envelope-from=buildroot@bubu1.eu; receiver=<UNKNOWN>
DMARC-Filter: OpenDMARC Filter v1.4.2 smtp2.osuosl.org 7992E41DAD
To: buildroot@buildroot.org
Date: Thu,  8 Feb 2024 14:08:37 +0100
Message-Id: <20240208130838.196406-1-buildroot@bubu1.eu>
MIME-Version: 1.0
X-Mailman-Original-Authentication-Results: smtp2.osuosl.org;
 dmarc=pass (p=reject dis=none)
 header.from=bubu1.eu
X-Mailman-Original-Authentication-Results: smtp2.osuosl.org;
 dkim=pass (2048-bit key) header.d=bubu1.eu header.i=@bubu1.eu
 header.a=rsa-sha256 header.s=bubu header.b=oVV8MIH1
Subject: [Buildroot] [PATCH] package/python-django: security bump to 5.0.2
X-BeenThere: buildroot@buildroot.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion and development of buildroot <buildroot.buildroot.org>
List-Unsubscribe: <https://lists.buildroot.org/mailman/options/buildroot>,
 <mailto:buildroot-request@buildroot.org?subject=unsubscribe>
List-Archive: <http://lists.buildroot.org/pipermail/buildroot/>
List-Post: <mailto:buildroot@buildroot.org>
List-Help: <mailto:buildroot-request@buildroot.org?subject=help>
List-Subscribe: <https://lists.buildroot.org/mailman/listinfo/buildroot>,
 <mailto:buildroot-request@buildroot.org?subject=subscribe>
From: Marcus Hoffmann via buildroot <buildroot@buildroot.org>
Reply-To: Marcus Hoffmann <buildroot@bubu1.eu>
Cc: James Hilliard <james.hilliard1@gmail.com>,
 Oli Vogt <oli.vogt.pub01@gmail.com>, Asaf Kahlon <asafka7@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: buildroot-bounces@buildroot.org
Sender: "buildroot" <buildroot-bounces@buildroot.org>

Series

package/python-django: security bump to 5.0.2 | expand

Commit Message

Marcus Hoffmann Feb. 8, 2024, 1:08 p.m. UTC

Minor 5.0 bugfix release [1] fixing one "moderate" severity CVE.

Fixes: CVE-2024-24680

[1] https://docs.djangoproject.com/en/5.0/releases/5.0.2/#django-5-0-2-release-notes

Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
---
 package/python-django/python-django.hash | 4 ++--
 package/python-django/python-django.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

Comments

Marcus Hoffmann Feb. 8, 2024, 1:13 p.m. UTC | #1

Hi Peter,

On 08.02.24 14:08, Marcus Hoffmann via buildroot wrote:
> Minor 5.0 bugfix release [1] fixing one "moderate" severity CVE.
> 
> Fixes: CVE-2024-24680
> 
> [1] https://docs.djangoproject.com/en/5.0/releases/5.0.2/#django-5-0-2-release-notes

Buildroot stable releases should probably be updated to 4.2.10:
https://www.djangoproject.com/weblog/2024/feb/06/security-releases/

> 
> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
> ---
>   package/python-django/python-django.hash | 4 ++--
>   package/python-django/python-django.mk   | 4 ++--
>   2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
> index 39fd9afdae..20b66a4106 100644
> --- a/package/python-django/python-django.hash
> +++ b/package/python-django/python-django.hash
> @@ -1,5 +1,5 @@
>   # md5, sha256 from https://pypi.org/pypi/django/json
> -md5  5ff3c69d7e6b4f5ed378ec5713af8df7  Django-5.0.1.tar.gz
> -sha256  8c8659665bc6e3a44fefe1ab0a291e5a3fb3979f9a8230be29de975e57e8f854  Django-5.0.1.tar.gz
> +md5  5d0df847e1b751a4a5d2bde1563c75fc  Django-5.0.2.tar.gz
> +sha256  b5bb1d11b2518a5f91372a282f24662f58f66749666b0a286ab057029f728080  Django-5.0.2.tar.gz
>   # Locally computed sha256 checksums
>   sha256  b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
> diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
> index ed4f4bcdf1..231de0b833 100644
> --- a/package/python-django/python-django.mk
> +++ b/package/python-django/python-django.mk
> @@ -4,10 +4,10 @@
>   #
>   ################################################################################
>   
> -PYTHON_DJANGO_VERSION = 5.0.1
> +PYTHON_DJANGO_VERSION = 5.0.2
>   PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
>   # The official Django site has an unpractical URL
> -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/53/82/c8e8ed137da1c72fa110e3be9ab0f26bcfcf6f3d2994601d164dfac86269
> +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/50/98/499a2d11eb0b22fdd55ce5895e0f5ce6d7d4957a785f237a89317cb478fa
>   PYTHON_DJANGO_LICENSE = BSD-3-Clause
>   PYTHON_DJANGO_LICENSE_FILES = LICENSE
>   PYTHON_DJANGO_CPE_ID_VENDOR = djangoproject

Peter Korsgaard Feb. 8, 2024, 1:51 p.m. UTC | #2

>>>>> "Marcus" == Marcus Hoffmann <buildroot@bubu1.eu> writes:

 > Hi Peter,
 > On 08.02.24 14:08, Marcus Hoffmann via buildroot wrote:
 >> Minor 5.0 bugfix release [1] fixing one "moderate" severity CVE.
 >> Fixes: CVE-2024-24680
 >> [1]
 >> https://docs.djangoproject.com/en/5.0/releases/5.0.2/#django-5-0-2-release-notes

 > Buildroot stable releases should probably be updated to 4.2.10:
 > https://www.djangoproject.com/weblog/2024/feb/06/security-releases/

Yes, care to send a patch?

2023.02.x is using 4.1.13, but it looks like the 4.1.x series is EOL, so
I'll also update that to 4.2.10.

Peter Korsgaard Feb. 8, 2024, 2:29 p.m. UTC | #3

>>>>> "Marcus" == Marcus Hoffmann via buildroot <buildroot@buildroot.org> writes:

 > Minor 5.0 bugfix release [1] fixing one "moderate" severity CVE.
 > Fixes: CVE-2024-24680

 > [1] https://docs.djangoproject.com/en/5.0/releases/5.0.2/#django-5-0-2-release-notes

 > Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>

Committed, thanks.

> ---
 >  package/python-django/python-django.hash | 4 ++--
 >  package/python-django/python-django.mk   | 4 ++--
 >  2 files changed, 4 insertions(+), 4 deletions(-)

 > diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
 > index 39fd9afdae..20b66a4106 100644
 > --- a/package/python-django/python-django.hash
 > +++ b/package/python-django/python-django.hash
 > @@ -1,5 +1,5 @@
 >  # md5, sha256 from https://pypi.org/pypi/django/json
 > -md5  5ff3c69d7e6b4f5ed378ec5713af8df7  Django-5.0.1.tar.gz
 > -sha256  8c8659665bc6e3a44fefe1ab0a291e5a3fb3979f9a8230be29de975e57e8f854  Django-5.0.1.tar.gz
 > +md5  5d0df847e1b751a4a5d2bde1563c75fc  Django-5.0.2.tar.gz
 > +sha256  b5bb1d11b2518a5f91372a282f24662f58f66749666b0a286ab057029f728080  Django-5.0.2.tar.gz
 >  # Locally computed sha256 checksums
 >  sha256  b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
 > diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
 > index ed4f4bcdf1..231de0b833 100644
 > --- a/package/python-django/python-django.mk
 > +++ b/package/python-django/python-django.mk
 > @@ -4,10 +4,10 @@
 >  #
 >  ################################################################################
 
 > -PYTHON_DJANGO_VERSION = 5.0.1
 > +PYTHON_DJANGO_VERSION = 5.0.2
 >  PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
 >  # The official Django site has an unpractical URL
 > -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/53/82/c8e8ed137da1c72fa110e3be9ab0f26bcfcf6f3d2994601d164dfac86269
 > +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/50/98/499a2d11eb0b22fdd55ce5895e0f5ce6d7d4957a785f237a89317cb478fa
 >  PYTHON_DJANGO_LICENSE = BSD-3-Clause
 >  PYTHON_DJANGO_LICENSE_FILES = LICENSE
 >  PYTHON_DJANGO_CPE_ID_VENDOR = djangoproject
 > -- 

 > 2.34.1

 > _______________________________________________
 > buildroot mailing list
 > buildroot@buildroot.org
 > https://lists.buildroot.org/mailman/listinfo/buildroot

Peter Korsgaard March 8, 2024, 2:40 p.m. UTC | #4

>>>>> "Marcus" == Marcus Hoffmann via buildroot <buildroot@buildroot.org> writes:

 > Minor 5.0 bugfix release [1] fixing one "moderate" severity CVE.
 > Fixes: CVE-2024-24680

 > [1] https://docs.djangoproject.com/en/5.0/releases/5.0.2/#django-5-0-2-release-notes

 > Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>

For 2023.02.x / 2023.11.x I have instead bumped to django 4.2.10, which
contains the same fix.

diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 39fd9afdae..20b66a4106 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,5 +1,5 @@ 
 # md5, sha256 from https://pypi.org/pypi/django/json
-md5  5ff3c69d7e6b4f5ed378ec5713af8df7  Django-5.0.1.tar.gz
-sha256  8c8659665bc6e3a44fefe1ab0a291e5a3fb3979f9a8230be29de975e57e8f854  Django-5.0.1.tar.gz
+md5  5d0df847e1b751a4a5d2bde1563c75fc  Django-5.0.2.tar.gz
+sha256  b5bb1d11b2518a5f91372a282f24662f58f66749666b0a286ab057029f728080  Django-5.0.2.tar.gz
 # Locally computed sha256 checksums
 sha256  b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index ed4f4bcdf1..231de0b833 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@ 
 #
 ################################################################################
 
-PYTHON_DJANGO_VERSION = 5.0.1
+PYTHON_DJANGO_VERSION = 5.0.2
 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
 # The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/53/82/c8e8ed137da1c72fa110e3be9ab0f26bcfcf6f3d2994601d164dfac86269
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/50/98/499a2d11eb0b22fdd55ce5895e0f5ce6d7d4957a785f237a89317cb478fa
 PYTHON_DJANGO_LICENSE = BSD-3-Clause
 PYTHON_DJANGO_LICENSE_FILES = LICENSE
 PYTHON_DJANGO_CPE_ID_VENDOR = djangoproject

package/python-django: security bump to 5.0.2

Commit Message

Comments

Patch