projects / buildroot.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 83967ef)
package/python-django: security bump to version 2.1.9
authorPeter Korsgaard <peter@korsgaard.com>
Wed, 5 Jun 2019 17:23:07 +0000 (19:23 +0200)
committerPeter Korsgaard <peter@korsgaard.com>
Thu, 6 Jun 2019 12:20:41 +0000 (14:20 +0200)
Fixes the following security issues:

CVE-2019-12308: AdminURLFieldWidget XSS¶

The clickable "Current URL" link generated by AdminURLFieldWidget displayed
the provided value without validating it as a safe URL.  Thus, an
unvalidated value stored in the database, or a value provided as a URL query
parameter payload, could result in an clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator
before displaying the clickable link.  You may customize the validator by
passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g.
when using formfield_overrides.

Patched bundled jQuery for CVE-2019-11358: Prototype pollution¶

jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...) because of
Object.prototype pollution.  If an unsanitized source object contained an
enumerable __proto__ property, it could extend the native Object.prototype.

The bundled version of jQuery used by the Django admin has been patched to
allow for the select2 library’s use of jQuery.extend().

For more details, see the release notes:
https://docs.djangoproject.com/en/dev/releases/2.1.9/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/python-django/python-django.hash patch | blob | history
package/python-django/python-django.mk patch | blob | history

diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 93ca1080c58b7cab74d5285309be6daac1ae40a0..c32511677955dac8bb7890b35c2a032017f8071d 100644 (file)
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/django/json
-md5    a042e6ba117d2e01950d842cceb5eee0  Django-2.1.7.tar.gz
-sha256 939652e9d34d7d53d74d5d8ef82a19e5f8bb2de75618f7e5360691b6e9667963  Django-2.1.7.tar.gz
+md5    909c2e7761893a922dcf721521d9239e  Django-2.1.9.tar.gz
+sha256 5052def4ff0a84bdf669827fdbd7b7cc1ac058f10232be6b21f37c6824f578da  Django-2.1.9.tar.gz
 # Locally computed sha256 checksums
 sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 5922a6c07cce874b5eaa03ae212933def48ff260..041822ea139028a11a5d888535a40f7f4c53996c 100644 (file)
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
 #
 ################################################################################
 
-PYTHON_DJANGO_VERSION = 2.1.7
+PYTHON_DJANGO_VERSION = 2.1.9
 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
 # The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/7e/ae/29c28f6afddae0e305326078f31372f03d7f2e6d6210c9963843196ce67e
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/c1/b3/3cdc60dc2e3c11236539f9470e42c5075a2e9c9f4885f5b4b912e9f19992
 PYTHON_DJANGO_LICENSE = BSD-3-Clause
 PYTHON_DJANGO_LICENSE_FILES = LICENSE
 PYTHON_DJANGO_SETUP_TYPE = setuptools