aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGravatar Peter Korsgaard <peter@korsgaard.com>2019-06-05 19:23:07 +0200
committerGravatar Peter Korsgaard <peter@korsgaard.com>2019-06-06 22:38:46 +0200
commit7b23d35df4130859df0b1ea584cb5a7fe36c4914 (patch)
treea374d7a5cccc4e5ba053af0f4c29d90de1e2230b
parentbc5213f7df41209f12ff4f52338b9a2a91a96884 (diff)
downloadbuildroot-7b23d35df4130859df0b1ea584cb5a7fe36c4914.tar.gz
buildroot-7b23d35df4130859df0b1ea584cb5a7fe36c4914.tar.bz2
package/python-django: security bump to version 2.1.9
Fixes the following security issues: CVE-2019-12308: AdminURLFieldWidget XSS¶ The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link. AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customize the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using formfield_overrides. Patched bundled jQuery for CVE-2019-11358: Prototype pollution¶ jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. The bundled version of jQuery used by the Django admin has been patched to allow for the select2 library’s use of jQuery.extend(). For more details, see the release notes: https://docs.djangoproject.com/en/dev/releases/2.1.9/ Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 426084e25f1ab5c337adceb4bea6352314ff34c7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-rw-r--r--package/python-django/python-django.hash4
-rw-r--r--package/python-django/python-django.mk4
2 files changed, 4 insertions, 4 deletions
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 93ca1080c5..c325116779 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,5 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/django/json
-md5 a042e6ba117d2e01950d842cceb5eee0 Django-2.1.7.tar.gz
-sha256 939652e9d34d7d53d74d5d8ef82a19e5f8bb2de75618f7e5360691b6e9667963 Django-2.1.7.tar.gz
+md5 909c2e7761893a922dcf721521d9239e Django-2.1.9.tar.gz
+sha256 5052def4ff0a84bdf669827fdbd7b7cc1ac058f10232be6b21f37c6824f578da Django-2.1.9.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 5922a6c07c..041822ea13 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
#
################################################################################
-PYTHON_DJANGO_VERSION = 2.1.7
+PYTHON_DJANGO_VERSION = 2.1.9
PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
# The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/7e/ae/29c28f6afddae0e305326078f31372f03d7f2e6d6210c9963843196ce67e
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/c1/b3/3cdc60dc2e3c11236539f9470e42c5075a2e9c9f4885f5b4b912e9f19992
PYTHON_DJANGO_LICENSE = BSD-3-Clause
PYTHON_DJANGO_LICENSE_FILES = LICENSE
PYTHON_DJANGO_SETUP_TYPE = setuptools