projects / buildroot.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3a6fde6)
package/python-django: security bump to version 3.0.12
authorPeter Korsgaard <peter@korsgaard.com>
Mon, 1 Feb 2021 12:55:57 +0000 (13:55 +0100)
committerPeter Korsgaard <peter@korsgaard.com>
Tue, 2 Feb 2021 15:35:01 +0000 (16:35 +0100)
Fixes the following security issues:

CVE-2021-3281: Potential directory-traversal via archive.extract()

The django.utils.archive.extract() function, used by startapp --template and
startproject --template, allowed directory-traversal via an archive with
absolute paths or relative paths with dot segments.

For details, see the advisory:
https://www.djangoproject.com/weblog/2021/feb/01/security-releases/

Additionally, 3.0.11 fixed a regression:
https://docs.djangoproject.com/en/3.1/releases/3.0.11/

Update indentation in hash file (two spaces).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/python-django/python-django.hash patch | blob | history
package/python-django/python-django.mk patch | blob | history

diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 8aebe62161bb7e3e5a201a9d1223b026a6dc0806..53f718ea0a0dc4f19cc2d8ac2068a640c37998fa 100644 (file)
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/django/json
-md5    deec48e8713727e443a7cee6b54baaeb  Django-3.0.10.tar.gz
-sha256 2d14be521c3ae24960e5e83d4575e156a8c479a75c935224b671b1c6e66eddaf  Django-3.0.10.tar.gz
+md5  55291777e25bd9e0a286c6f64751246a  Django-3.0.12.tar.gz
+sha256  fd63e2c7acca5f2e7ad93dfb53d566e040d871404fc0f684a3e720006d221f9a  Django-3.0.12.tar.gz
 # Locally computed sha256 checksums
-sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
+sha256  b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 97bf75320d625098414d5da7947b88eb1251ef9b..512f2cd89c8bcf8b933cc52a15d7680b6ec83034 100644 (file)
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
 #
 ################################################################################
 
-PYTHON_DJANGO_VERSION = 3.0.10
+PYTHON_DJANGO_VERSION = 3.0.12
 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
 # The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/f4/09/d7c995b128bec61233cfea0e5fa40e442cae54c127b4b2b0881e1fdd0023
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/32/e3/e7e9a9378321fdfc3eb55de151911dce968fa245d1f16d8c480c63ea4ed1
 PYTHON_DJANGO_LICENSE = BSD-3-Clause
 PYTHON_DJANGO_LICENSE_FILES = LICENSE
 PYTHON_DJANGO_SETUP_TYPE = setuptools