[Buildroot] [git commit] package/python-django: security bump to version 2.1.9

Peter Korsgaard peter at korsgaard.com
Thu Jun 6 12:20:41 UTC 2019


commit: https://git.buildroot.net/buildroot/commit/?id=426084e25f1ab5c337adceb4bea6352314ff34c7
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

Fixes the following security issues:

CVE-2019-12308: AdminURLFieldWidget XSS¶

The clickable "Current URL" link generated by AdminURLFieldWidget displayed
the provided value without validating it as a safe URL.  Thus, an
unvalidated value stored in the database, or a value provided as a URL query
parameter payload, could result in an clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator
before displaying the clickable link.  You may customize the validator by
passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g.
when using formfield_overrides.

Patched bundled jQuery for CVE-2019-11358: Prototype pollution¶

jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...) because of
Object.prototype pollution.  If an unsanitized source object contained an
enumerable __proto__ property, it could extend the native Object.prototype.

The bundled version of jQuery used by the Django admin has been patched to
allow for the select2 library’s use of jQuery.extend().

For more details, see the release notes:
https://docs.djangoproject.com/en/dev/releases/2.1.9/

Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 package/python-django/python-django.hash | 4 ++--
 package/python-django/python-django.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 93ca1080c5..c325116779 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/django/json
-md5	a042e6ba117d2e01950d842cceb5eee0  Django-2.1.7.tar.gz
-sha256	939652e9d34d7d53d74d5d8ef82a19e5f8bb2de75618f7e5360691b6e9667963  Django-2.1.7.tar.gz
+md5	909c2e7761893a922dcf721521d9239e  Django-2.1.9.tar.gz
+sha256	5052def4ff0a84bdf669827fdbd7b7cc1ac058f10232be6b21f37c6824f578da  Django-2.1.9.tar.gz
 # Locally computed sha256 checksums
 sha256	b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 5922a6c07c..041822ea13 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
 #
 ################################################################################
 
-PYTHON_DJANGO_VERSION = 2.1.7
+PYTHON_DJANGO_VERSION = 2.1.9
 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
 # The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/7e/ae/29c28f6afddae0e305326078f31372f03d7f2e6d6210c9963843196ce67e
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/c1/b3/3cdc60dc2e3c11236539f9470e42c5075a2e9c9f4885f5b4b912e9f19992
 PYTHON_DJANGO_LICENSE = BSD-3-Clause
 PYTHON_DJANGO_LICENSE_FILES = LICENSE
 PYTHON_DJANGO_SETUP_TYPE = setuptools


More information about the buildroot mailing list