Mirror of git.openembedded.org/meta-openembedded https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=hardknott 2021-07-17T13:52:51+00:00 2021-07-17T13:52:51+00:00 Trevor Gamblin trevor.gamblin@windriver.com 2021-07-16T20:02:57+00:00 urn:sha1:98e00710b7c1cf20092b8ff8fa7c01f153ff95ab 3.2.5 fixes CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input. Additional release notes: - Fixed a regression in Django 3.2 that caused a crash of QuerySet.values_list(…, named=True) after prefetch_related() (#32812). - Fixed a bug in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when altering BinaryField, JSONField, or TextField to non-nullable (#32503). - Fixed a regression in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when adding nullable BinaryField, JSONField, or TextField with a default value (#32832). - Fixed a bug in Django 3.2 where a system check would crash on a model with an invalid app_label (#32863). There is no corresponding uprev for the 2.x LTS branch since it is already at the latest version (2.2.24). Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> (cherry picked from commit fe50bd100548500842667210df9757d84ec11b16) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 2021-06-27T14:50:07+00:00 Leon Anavi leon.anavi@konsulko.com 2021-06-02T13:36:02+00:00 urn:sha1:f0812a84c9cc84aadde1778d1bdc31c6f69c8357 Upgrade to release 3.2.4: - CVE-2021-33203: Potential directory traversal via admindocs - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses - Fixed a bug in Django 3.2 where a final catch-all view in the admin didn't respect the server-provided value of SCRIPT_NAME when redirecting unauthenticated users to the login page. - Fixed a bug in Django 3.2 where a system check would crash on an abstract model - Prevented unnecessary initialization of unused caches following a regression in Django 3.2 - Fixed a crash in Django 3.2 that could occur when running mod_wsgi with the recommended settings while the Windows colorama library was installed - Fixed a bug in Django 3.2 that would trigger the auto-reloader for template changes when directory paths were specified with strings - Fixed a regression in Django 3.2 that caused a crash of auto-reloader with AttributeError, e.g. inside a Conda environment - Fixed a regression in Django 3.2 that caused a loss of precision for operations with DecimalField on MySQL Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> (cherry picked from commit 624e3e18982775d2ea88e55e16d179420f0575fc) Signed-off-by: Armin Kuster <akuster808@gmail.com>