linux/meta-openembedded.git/meta-python/recipes-devtools/python/python3-django_5.0.14.bb, branch scarthgap Mirror of git.openembedded.org/meta-openembedded https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=scarthgap 2026-04-15T08:42:18+00:00 python3-django: fix CVE-2025-59681 2026-04-15T08:42:18+00:00 Haixiao Yan haixiao.yan.cn@windriver.com 2026-04-10T07:05:07+00:00 urn:sha1:9757d0151b92601c4c6fd05baf7e328afa000213 QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods on MySQL and MariaDB. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-59681 Upstream-patch: https://github.com/django/django/commit/38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> python3-django: fix CVE-2025-57833 2026-04-15T08:42:18+00:00 Haixiao Yan haixiao.yan.cn@windriver.com 2026-04-10T07:05:06+00:00 urn:sha1:838ca228086821cf82b3de83fb78412c6d2784c8 FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias(). Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-57833 Upstream-patch: https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> python3-django: fix CVE-2025-64459 2026-04-15T08:40:33+00:00 Haixiao Yan haixiao.yan.cn@windriver.com 2026-04-10T07:04:59+00:00 urn:sha1:151e634ed297eec8d9b269c2b08001fd76f4cc62 The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q() were subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-64459 https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html Upstream-patch: https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241 https://github.com/django/django/commit/4624ed769c0f7caea0d48ac824a75fa6b6f17671 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> python3-django: patch CVE-2025-64460 2026-02-12T08:08:12+00:00 Gyorgy Sarvari skandigraun@gmail.com 2026-02-07T10:33:53+00:00 urn:sha1:4e29baa804edbb52d988bf3bcd44df2970f94b10 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64460 Backport the patch that explicitly references this CVE in its commit message. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> python3-django: upgrade 5.0.11 -> 5.0.14 2025-12-09T01:31:20+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2025-12-08T18:57:42+00:00 urn:sha1:873297afaa6398c261ef5ed9597a29db5175d63e Drop patch merged in the upstream. Release notes: https://docs.djangoproject.com/en/dev/releases/5.0.12/ https://docs.djangoproject.com/en/dev/releases/5.0.13/ https://docs.djangoproject.com/en/dev/releases/5.0.14/ Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>