diff --git a/CVE-2023-41164.patch b/CVE-2023-41164.patch deleted file mode 100644 index f0071a3678ce25f9f0508bb96ab71a81ab2cd4c7..0000000000000000000000000000000000000000 --- a/CVE-2023-41164.patch +++ /dev/null @@ -1,85 +0,0 @@ -From 9c51b4dcfa0cefcb48231f4d71cafa80821f87b9 Mon Sep 17 00:00:00 2001 -From: Mariusz Felisiak -Date: Tue, 22 Aug 2023 08:53:03 +0200 -Subject: [PATCH] [4.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in - django.utils.encoding.uri_to_iri(). - -Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. - -Origin: https://github.com/django/django/commit/9c51b4dcfa0cefcb48231f4d71cafa80821f87b9 - -Co-authored-by: nessita <124304+nessita@users.noreply.github.com> ---- - django/utils/encoding.py | 6 ++++-- - docs/releases/3.2.21.txt | 7 ++++++- - docs/releases/4.1.11.txt | 7 ++++++- - docs/releases/4.2.5.txt | 7 +++++++ - tests/utils_tests/test_encoding.py | 21 ++++++++++++++++++++- - 5 files changed, 43 insertions(+), 5 deletions(-) - -diff --git a/django/utils/encoding.py b/django/utils/encoding.py -index 43847b538510..23473930fd96 100644 ---- a/django/utils/encoding.py -+++ b/django/utils/encoding.py -@@ -219,6 +219,7 @@ def repercent_broken_unicode(path): - repercent-encode any octet produced that is not part of a strictly legal - UTF-8 octet sequence. - """ -+ changed_parts = [] - while True: - try: - path.decode() -@@ -226,9 +227,10 @@ def repercent_broken_unicode(path): - # CVE-2019-14235: A recursion shouldn't be used since the exception - # handling uses massive amounts of memory - repercent = quote(path[e.start : e.end], safe=b"/#%[]=:;$&()+,!?*@'~") -- path = path[: e.start] + repercent.encode() + path[e.end :] -+ changed_parts.append(path[: e.start] + repercent.encode()) -+ path = path[e.end :] - else: -- return path -+ return b"".join(changed_parts) + path - - - def filepath_to_uri(path): -diff --git a/tests/utils_tests/test_encoding.py b/tests/utils_tests/test_encoding.py -index 6dea260b841b..2b52b1607c97 100644 ---- a/tests/utils_tests/test_encoding.py -+++ b/tests/utils_tests/test_encoding.py -@@ -1,9 +1,10 @@ - import datetime -+import inspect - import sys - import unittest - from pathlib import Path - from unittest import mock --from urllib.parse import quote_plus -+from urllib.parse import quote, quote_plus - - from django.test import SimpleTestCase - from django.utils.encoding import ( -@@ -120,6 +121,24 @@ def test_repercent_broken_unicode_recursion_error(self): - except RecursionError: - self.fail("Unexpected RecursionError raised.") - -+ def test_repercent_broken_unicode_small_fragments(self): -+ data = b"test\xfctest\xfctest\xfc" -+ decoded_paths = [] -+ -+ def mock_quote(*args, **kwargs): -+ # The second frame is the call to repercent_broken_unicode(). -+ decoded_paths.append(inspect.currentframe().f_back.f_locals["path"]) -+ return quote(*args, **kwargs) -+ -+ with mock.patch("django.utils.encoding.quote", mock_quote): -+ self.assertEqual(repercent_broken_unicode(data), b"test%FCtest%FCtest%FC") -+ -+ # decode() is called on smaller fragment of the path each time. -+ self.assertEqual( -+ decoded_paths, -+ [b"test\xfctest\xfctest\xfc", b"test\xfctest\xfc", b"test\xfc"], -+ ) -+ - - class TestRFC3987IEncodingUtils(unittest.TestCase): - def test_filepath_to_uri(self): diff --git a/CVE-2023-43665.patch b/CVE-2023-43665.patch deleted file mode 100644 index 1e1270a5527d4c3796947f7477c2620d1c350080..0000000000000000000000000000000000000000 --- a/CVE-2023-43665.patch +++ /dev/null @@ -1,167 +0,0 @@ -From be9c27c4d18c2e6a5be8af4e53c0797440794473 Mon Sep 17 00:00:00 2001 -From: Natalia <124304+nessita@users.noreply.github.com> -Date: Tue, 19 Sep 2023 09:51:48 -0300 -Subject: [PATCH] [4.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in - django.utils.text.Truncator when truncating HTML text. - -Thanks Wenchao Li of Alibaba Group for the report. - -Origin: -https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473 ---- - django/utils/text.py | 17 ++++++++++++++++- - docs/ref/templates/builtins.txt | 20 ++++++++++++++++++++ - tests/utils_tests/test_text.py | 33 +++++++++++++++++++++++++-------- - 3 files changed, 61 insertions(+), 9 deletions(-) - -diff --git a/django/utils/text.py b/django/utils/text.py -index 86d3b52..2663164 100644 ---- a/django/utils/text.py -+++ b/django/utils/text.py -@@ -67,8 +67,14 @@ def wrap(text, width): - class Truncator(SimpleLazyObject): - """ - An object used to truncate text, either by characters or words. -+ -+ When truncating HTML text (either chars or words), input will be limited to -+ at most `MAX_LENGTH_HTML` characters. - """ - -+ # 5 million characters are approximately 4000 text pages or 3 web pages. -+ MAX_LENGTH_HTML = 5_000_000 -+ - def __init__(self, text): - super().__init__(lambda: str(text)) - -@@ -164,6 +170,11 @@ class Truncator(SimpleLazyObject): - if words and length <= 0: - return "" - -+ size_limited = False -+ if len(text) > self.MAX_LENGTH_HTML: -+ text = text[: self.MAX_LENGTH_HTML] -+ size_limited = True -+ - html4_singlets = ( - "br", - "col", -@@ -220,10 +231,14 @@ class Truncator(SimpleLazyObject): - # Add it to the start of the open tags list - open_tags.insert(0, tagname) - -+ truncate_text = self.add_truncation_text("", truncate) -+ - if current_len <= length: -+ if size_limited and truncate_text: -+ text += truncate_text - return text -+ - out = text[:end_text_pos] -- truncate_text = self.add_truncation_text("", truncate) - if truncate_text: - out += truncate_text - # Close any tags still open -diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt -index bee7807..02d6431 100644 ---- a/docs/ref/templates/builtins.txt -+++ b/docs/ref/templates/builtins.txt -@@ -2651,6 +2651,16 @@ If ``value`` is ``"

Joel is a slug

"``, the output will be - - Newlines in the HTML content will be preserved. - -+.. admonition:: Size of input string -+ -+ Processing large, potentially malformed HTML strings can be -+ resource-intensive and impact service performance. ``truncatechars_html`` -+ limits input to the first five million characters. -+ -+.. versionchanged:: 3.2.22 -+ -+ In older versions, strings over five million characters were processed. -+ - .. templatefilter:: truncatewords - - ``truncatewords`` -@@ -2693,6 +2703,16 @@ If ``value`` is ``"

Joel is a slug

"``, the output will be - - Newlines in the HTML content will be preserved. - -+.. admonition:: Size of input string -+ -+ Processing large, potentially malformed HTML strings can be -+ resource-intensive and impact service performance. ``truncatewords_html`` -+ limits input to the first five million characters. -+ -+.. versionchanged:: 3.2.22 -+ -+ In older versions, strings over five million characters were processed. -+ - .. templatefilter:: unordered_list - - ``unordered_list`` -diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py -index cb2959f..7d20445 100644 ---- a/tests/utils_tests/test_text.py -+++ b/tests/utils_tests/test_text.py -@@ -1,5 +1,6 @@ - import json - import sys -+from unittest.mock import patch - - from django.core.exceptions import SuspiciousFileOperation - from django.test import SimpleTestCase -@@ -94,11 +95,17 @@ class TestUtilsText(SimpleTestCase): - text.Truncator(lazystr("The quick brown fox")).chars(10), "The quick…" - ) - -- def test_truncate_chars_html(self): -+ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000) -+ def test_truncate_chars_html_size_limit(self): -+ max_len = text.Truncator.MAX_LENGTH_HTML -+ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1 -+ valid_html = "

Joel is a slug

" # 14 chars - perf_test_values = [ -- (("", None), -- ("&" * 50000, "&" * 9 + "…"), -+ ("", None), -+ ("", "", None), -+ (valid_html * bigger_len, "

Joel is a…

"), # 10 chars - ] - for value, expected in perf_test_values: - with self.subTest(value=value): -@@ -176,15 +183,25 @@ class TestUtilsText(SimpleTestCase): - truncator = text.Truncator("

I <3 python, what about you?

") - self.assertEqual("

I <3 python,…

", truncator.words(3, html=True)) - -+ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000) -+ def test_truncate_words_html_size_limit(self): -+ max_len = text.Truncator.MAX_LENGTH_HTML -+ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1 -+ valid_html = "

Joel is a slug

" # 4 words - perf_test_values = [ -- ("", -- "&" * 50000, -- "_X<<<<<<<<<<<>", -+ ("", None), -+ ("", "", None), -+ (valid_html * bigger_len, valid_html * 12 + "

Joel is…

"), # 50 words - ] -- for value in perf_test_values: -+ for value, expected in perf_test_values: - with self.subTest(value=value): - truncator = text.Truncator(value) -- self.assertEqual(value, truncator.words(50, html=True)) -+ self.assertEqual( -+ expected if expected else value, truncator.words(50, html=True) -+ ) - - def test_wrap(self): - digits = "1234 67 9" --- -2.30.0 - diff --git a/CVE-2023-46695.patch b/CVE-2023-46695.patch deleted file mode 100644 index 88d09025bfd7b6a6e9ee5f80243d5bc124b952f5..0000000000000000000000000000000000000000 --- a/CVE-2023-46695.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 048a9ebb6ea468426cb4e57c71572cbbd975517f Mon Sep 17 00:00:00 2001 -From: Mariusz Felisiak -Date: Tue, 17 Oct 2023 11:48:32 +0200 -Subject: [PATCH] [4.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in - UsernameField on Windows. - -Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. ---- - django/contrib/auth/forms.py | 10 +++++++++- - tests/auth_tests/test_forms.py | 7 +++++++ - 2 files changed, 16 insertions(+), 1 deletion(-) - -diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py -index eaae0bf..061dc81 100644 ---- a/django/contrib/auth/forms.py -+++ b/django/contrib/auth/forms.py -@@ -71,7 +71,15 @@ class ReadOnlyPasswordHashField(forms.Field): - - class UsernameField(forms.CharField): - def to_python(self, value): -- return unicodedata.normalize("NFKC", super().to_python(value)) -+ value = super().to_python(value) -+ if self.max_length is not None and len(value) > self.max_length: -+ # Normalization can increase the string length (e.g. -+ # "ff" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no -+ # point in normalizing invalid data. Moreover, Unicode -+ # normalization is very slow on Windows and can be a DoS attack -+ # vector. -+ return value -+ return unicodedata.normalize("NFKC", value) - - def widget_attrs(self, widget): - return { -diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py -index 7a80adb..81c56a4 100644 ---- a/tests/auth_tests/test_forms.py -+++ b/tests/auth_tests/test_forms.py -@@ -14,6 +14,7 @@ from django.contrib.auth.forms import ( - SetPasswordForm, - UserChangeForm, - UserCreationForm, -+ UsernameField, - ) - from django.contrib.auth.models import User - from django.contrib.auth.signals import user_login_failed -@@ -154,6 +155,12 @@ class BaseUserCreationFormTest(TestDataMixin, TestCase): - self.assertNotEqual(user.username, ohm_username) - self.assertEqual(user.username, "testΩ") # U+03A9 GREEK CAPITAL LETTER OMEGA - -+ def test_invalid_username_no_normalize(self): -+ field = UsernameField(max_length=254) -+ # Usernames are not normalized if they are too long. -+ self.assertEqual(field.to_python("½" * 255), "½" * 255) -+ self.assertEqual(field.to_python("ff" * 254), "ff" * 254) -+ - def test_duplicate_normalized_unicode(self): - """ - To prevent almost identical usernames, visually identical but differing --- -2.30.0 - diff --git a/CVE-2024-24680.patch b/CVE-2024-24680.patch deleted file mode 100644 index 551aeca91f3f815099e560ff08609479d5b261f6..0000000000000000000000000000000000000000 --- a/CVE-2024-24680.patch +++ /dev/null @@ -1,191 +0,0 @@ -From 572ea07e84b38ea8de0551f4b4eda685d91d09d2 Mon Sep 17 00:00:00 2001 -From: Adam Johnson -Date: Mon, 22 Jan 2024 13:21:13 +0000 -Subject: [PATCH] [4.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in - intcomma template filter. - -Thanks Seokchan Yoon for the report. - -Co-authored-by: Mariusz Felisiak -Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> -Co-authored-by: Shai Berger ---- - .../contrib/humanize/templatetags/humanize.py | 13 ++-- - tests/humanize_tests/tests.py | 64 +++++++++++++++++++ - 2 files changed, 71 insertions(+), 6 deletions(-) - -diff --git a/django/contrib/humanize/templatetags/humanize.py b/django/contrib/humanize/templatetags/humanize.py -index 2322477..2c26f89 100644 ---- a/django/contrib/humanize/templatetags/humanize.py -+++ b/django/contrib/humanize/templatetags/humanize.py -@@ -75,12 +75,13 @@ def intcomma(value, use_l10n=True): - return intcomma(value, False) - else: - return number_format(value, use_l10n=True, force_grouping=True) -- orig = str(value) -- new = re.sub(r"^(-?\d+)(\d{3})", r"\g<1>,\g<2>", orig) -- if orig == new: -- return new -- else: -- return intcomma(new, use_l10n) -+ result = str(value) -+ match = re.match(r"-?\d+", result) -+ if match: -+ prefix = match[0] -+ prefix_with_commas = re.sub(r"\d{3}", r"\g<0>,", prefix[::-1])[::-1] -+ result = prefix_with_commas + result[len(prefix) :] -+ return result - - - # A tuple of standard large number to their converters -diff --git a/tests/humanize_tests/tests.py b/tests/humanize_tests/tests.py -index cf29f58..a78bbad 100644 ---- a/tests/humanize_tests/tests.py -+++ b/tests/humanize_tests/tests.py -@@ -116,39 +116,71 @@ class HumanizeTests(SimpleTestCase): - def test_intcomma(self): - test_list = ( - 100, -+ -100, - 1000, -+ -1000, - 10123, -+ -10123, - 10311, -+ -10311, - 1000000, -+ -1000000, - 1234567.25, -+ -1234567.25, - "100", -+ "-100", - "1000", -+ "-1000", - "10123", -+ "-10123", - "10311", -+ "-10311", - "1000000", -+ "-1000000", - "1234567.1234567", -+ "-1234567.1234567", - Decimal("1234567.1234567"), -+ Decimal("-1234567.1234567"), - None, - "1234567", -+ "-1234567", - "1234567.12", -+ "-1234567.12", -+ "the quick brown fox jumped over the lazy dog", - ) - result_list = ( - "100", -+ "-100", - "1,000", -+ "-1,000", - "10,123", -+ "-10,123", - "10,311", -+ "-10,311", - "1,000,000", -+ "-1,000,000", - "1,234,567.25", -+ "-1,234,567.25", - "100", -+ "-100", - "1,000", -+ "-1,000", - "10,123", -+ "-10,123", - "10,311", -+ "-10,311", - "1,000,000", -+ "-1,000,000", - "1,234,567.1234567", -+ "-1,234,567.1234567", - "1,234,567.1234567", -+ "-1,234,567.1234567", - None, - "1,234,567", -+ "-1,234,567", - "1,234,567.12", -+ "-1,234,567.12", -+ "the quick brown fox jumped over the lazy dog", - ) - with translation.override("en"): - self.humanize_tester(test_list, result_list, "intcomma") -@@ -156,39 +188,71 @@ class HumanizeTests(SimpleTestCase): - def test_l10n_intcomma(self): - test_list = ( - 100, -+ -100, - 1000, -+ -1000, - 10123, -+ -10123, - 10311, -+ -10311, - 1000000, -+ -1000000, - 1234567.25, -+ -1234567.25, - "100", -+ "-100", - "1000", -+ "-1000", - "10123", -+ "-10123", - "10311", -+ "-10311", - "1000000", -+ "-1000000", - "1234567.1234567", -+ "-1234567.1234567", - Decimal("1234567.1234567"), -+ -Decimal("1234567.1234567"), - None, - "1234567", -+ "-1234567", - "1234567.12", -+ "-1234567.12", -+ "the quick brown fox jumped over the lazy dog", - ) - result_list = ( - "100", -+ "-100", - "1,000", -+ "-1,000", - "10,123", -+ "-10,123", - "10,311", -+ "-10,311", - "1,000,000", -+ "-1,000,000", - "1,234,567.25", -+ "-1,234,567.25", - "100", -+ "-100", - "1,000", -+ "-1,000", - "10,123", -+ "-10,123", - "10,311", -+ "-10,311", - "1,000,000", -+ "-1,000,000", - "1,234,567.1234567", -+ "-1,234,567.1234567", - "1,234,567.1234567", -+ "-1,234,567.1234567", - None, - "1,234,567", -+ "-1,234,567", - "1,234,567.12", -+ "-1,234,567.12", -+ "the quick brown fox jumped over the lazy dog", - ) - with self.settings(USE_THOUSAND_SEPARATOR=False): - with translation.override("en"): --- -2.33.0 - diff --git a/CVE-2024-27351.patch b/CVE-2024-27351.patch deleted file mode 100644 index d6698089a2e19b731ce8a9cefc2c47e99253d390..0000000000000000000000000000000000000000 --- a/CVE-2024-27351.patch +++ /dev/null @@ -1,122 +0,0 @@ -From 3c9a2771cc80821e041b16eb36c1c37af5349d4a Mon Sep 17 00:00:00 2001 -From: Shai Berger -Date: Mon, 19 Feb 2024 13:56:37 +0100 -Subject: [PATCH] [4.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in - Truncator.words(). - -Thanks Seokchan Yoon for the report. - -Co-Authored-By: Mariusz Felisiak ---- - django/utils/text.py | 57 ++++++++++++++++++++++++++++++++-- - tests/utils_tests/test_text.py | 26 ++++++++++++++++ - 2 files changed, 81 insertions(+), 2 deletions(-) - -diff --git a/django/utils/text.py b/django/utils/text.py -index 2663164..e1b835e 100644 ---- a/django/utils/text.py -+++ b/django/utils/text.py -@@ -23,8 +23,61 @@ def capfirst(x): - return x[0].upper() + x[1:] - - --# Set up regular expressions --re_words = _lazy_re_compile(r"<[^>]+?>|([^<>\s]+)", re.S) -+# ----- Begin security-related performance workaround ----- -+ -+# We used to have, below -+# -+# re_words = _lazy_re_compile(r"<[^>]+?>|([^<>\s]+)", re.S) -+# -+# But it was shown that this regex, in the way we use it here, has some -+# catastrophic edge-case performance features. Namely, when it is applied to -+# text with only open brackets "<<<...". The class below provides the services -+# and correct answers for the use cases, but in these edge cases does it much -+# faster. -+re_notag = _lazy_re_compile(r"([^<>\s]+)", re.S) -+re_prt = _lazy_re_compile(r"<|([^<>\s]+)", re.S) -+ -+ -+class WordsRegex: -+ @staticmethod -+ def search(text, pos): -+ # Look for "<" or a non-tag word. -+ partial = re_prt.search(text, pos) -+ if partial is None or partial[1] is not None: -+ return partial -+ -+ # "<" was found, look for a closing ">". -+ end = text.find(">", partial.end(0)) -+ if end < 0: -+ # ">" cannot be found, look for a word. -+ return re_notag.search(text, pos + 1) -+ else: -+ # "<" followed by a ">" was found -- fake a match. -+ end += 1 -+ return FakeMatch(text[partial.start(0) : end], end) -+ -+ -+class FakeMatch: -+ __slots__ = ["_text", "_end"] -+ -+ def end(self, group=0): -+ assert group == 0, "This specific object takes only group=0" -+ return self._end -+ -+ def __getitem__(self, group): -+ if group == 1: -+ return None -+ assert group == 0, "This specific object takes only group in {0,1}" -+ return self._text -+ -+ def __init__(self, text, end): -+ self._text, self._end = text, end -+ -+ -+# ----- End security-related performance workaround ----- -+ -+# Set up regular expressions. -+re_words = WordsRegex - re_chars = _lazy_re_compile(r"<[^>]+?>|(.)", re.S) - re_tag = _lazy_re_compile(r"<(/)?(\S+?)(?:(\s*/)|\s.*?)?>", re.S) - re_newlines = _lazy_re_compile(r"\r\n|\r") # Used in normalize_newlines -diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py -index 7d20445..d1890e7 100644 ---- a/tests/utils_tests/test_text.py -+++ b/tests/utils_tests/test_text.py -@@ -183,6 +183,32 @@ class TestUtilsText(SimpleTestCase): - truncator = text.Truncator("

I <3 python, what about you?

") - self.assertEqual("

I <3 python,…

", truncator.words(3, html=True)) - -+ # Only open brackets. -+ test = "<" * 60_000 -+ truncator = text.Truncator(test) -+ self.assertEqual(truncator.words(1, html=True), test) -+ -+ # Tags with special chars in attrs. -+ truncator = text.Truncator( -+ """Hello, my dear lady!""" -+ ) -+ self.assertEqual( -+ """Hello, my dear…""", -+ truncator.words(3, html=True), -+ ) -+ -+ # Tags with special non-latin chars in attrs. -+ truncator = text.Truncator("""

Hello, my dear lady!

""") -+ self.assertEqual( -+ """

Hello, my dear…

""", -+ truncator.words(3, html=True), -+ ) -+ -+ # Misplaced brackets. -+ truncator = text.Truncator("hello >< world") -+ self.assertEqual(truncator.words(1, html=True), "hello…") -+ self.assertEqual(truncator.words(2, html=True), "hello >< world") -+ - @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000) - def test_truncate_words_html_size_limit(self): - max_len = text.Truncator.MAX_LENGTH_HTML --- -2.33.0 - diff --git a/Django-4.2.3.tar.gz b/Django-4.2.14.tar.gz similarity index 57% rename from Django-4.2.3.tar.gz rename to Django-4.2.14.tar.gz index 7ba120fa7e2d45a32d709fa1ef540770aee1afa5..1adca203d4c84ae31f3a0798fc6ab4c1ee276b95 100644 Binary files a/Django-4.2.3.tar.gz and b/Django-4.2.14.tar.gz differ diff --git a/python-django.spec b/python-django.spec index 6c210ae957e69906f606bc58f40aad9beca25138..9642cfc143a641309a94e5e639d14e660e739d69 100644 --- a/python-django.spec +++ b/python-django.spec @@ -1,20 +1,11 @@ %global _empty_manifest_terminate_build 0 Name: python-django -Version: 4.2.3 -Release: 7 +Version: 4.2.14 +Release: 1 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. License: Apache-2.0 and Python-2.0 and BSD-3-Clause URL: https://www.djangoproject.com/ -Source0: https://files.pythonhosted.org/packages/36/24/d0e78e667f98efcca76c8b670ef247583349a8f5241cdb3c98eeb92726ff/Django-4.2.3.tar.gz -Patch0: CVE-2023-41164.patch -# https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473 -Patch1: CVE-2023-43665.patch -# https://github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f -Patch2: CVE-2023-46695.patch -# https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2 -Patch3: CVE-2024-24680.patch -# https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a -Patch4: CVE-2024-27351.patch +Source0: https://files.pythonhosted.org/packages/source/d/Django/Django-%{version}.tar.gz BuildArch: noarch %description @@ -81,6 +72,13 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Fri Jul 12 2024 yaoxin - 4.2.14-1 +- Update to 4.2.14 + * CVE-2024-38875: Potential denial-of-service vulnerability in django.utils.html.urlize() + * CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords + * CVE-2024-39330: Potential directory-traversal via Storage.save() + * CVE-2024-39614: Potential denial-of-service vulnerability in get_supported_language_variant() + * Tue Mar 05 2024 yaoxin - 4.2.3-7 - Fix CVE-2024-27351