| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-01-23 18:02:12 +0100 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-01-26 10:04:44 +0530 |
| commit | a627e747a79760daff2b794f1a363f672773b004 (patch) | |
| tree | a922fe106995989b103d3dcfb2d8ea8f63911142 /meta-python/recipes-devtools/python | |
| parent | c72ce4fc7ea87d1260030d08742302a16fbc5e3a (diff) | |
| download | meta-openembedded-a627e747a79760daff2b794f1a363f672773b004.tar.gz | |
python3-django: upgrade 4.2.20 -> 4.2.27

Upstream has switched from setuptools3 build backend to setuptools_build_meta,
however their setuptools requirements are higher than what's available in oe-core.
As a workaround, add a patch that lowers the requirements. This change has been
tested by successfully executing the django test suite in qemu (without Selenium tests).

Changes:

4.2.27: https://docs.djangoproject.com/en/6.0/releases/4.2.27/
- Fix CVE-2025-13372
- Fix CVE-2025-64460
- Fixed a regression in Django 4.2.26 where DisallowedRedirect was raised by
  HttpResponseRedirect and HttpResponsePermanentRedirect for URLs longer than 2048 characters.
  The limit is now 16384 characters

4.2.26: https://docs.djangoproject.com/en/6.0/releases/4.2.26/
- Fix CVE-2025-64458
- Fix CVE-2025-64459

4.2.25: https://docs.djangoproject.com/en/6.0/releases/4.2.25/
- Fix CVE-2025-59681
- Fix CVE-2025-59682

4.2.24: https://docs.djangoproject.com/en/6.0/releases/4.2.24/
- Fix CVE-2025-57833

4.2.23: https://docs.djangoproject.com/en/6.0/releases/4.2.23/
- Fix CVE-2025-48432

4.2.22: https://docs.djangoproject.com/en/6.0/releases/4.2.22/
- Fix CVE-2025-48432

4.2.21: https://docs.djangoproject.com/en/6.0/releases/4.2.21/
- Change build backend
- Fix CVE-2025-32873
- Fixed a data corruption possibility in file_move_safe() when
  allow_overwrite=True, where leftover content from a previously larger file could
  remain after overwriting with a smaller one due to lack of truncation
- Fixed a regression in Django 4.2.20, introduced when fixing CVE 2025-26699,
  where the wordwrap template filter did not preserve empty lines between paragraphs
  after wrapping text

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>

Diffstat (limited to 'meta-python/recipes-devtools/python')
3 files changed, 42 insertions, 14 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django-4.2.27/0001-lower-setuptools-requirements.patch b/meta-python/recipes-devtools/python/python3-django-4.2.27/0001-lower-setuptools-requirements.patch new file mode 100644 index 0000000000..5f6707467b --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-4.2.27/0001-lower-setuptools-requirements.patch | |||
| @@ -0,0 +1,25 @@ | |||
| 1 | From 10ddc1ee660ed5ee4d9aa21f751eb07a1b260b6c Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 3 | Date: Fri, 23 Jan 2026 13:49:53 +0100 | ||
| 4 | Subject: [PATCH] lower setuptools requirements | ||
| 5 | |||
| 6 | Scarthgap ships with version 69.1.1 - adjust the requirements for that. | ||
| 7 | |||
| 8 | Upstream-Status: Inappropriate [specific to OE LTS versions] | ||
| 9 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 10 | --- | ||
| 11 | pyproject.toml | 2 +- | ||
| 12 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 13 | |||
| 14 | diff --git a/pyproject.toml b/pyproject.toml | ||
| 15 | index 4635d0e..319b261 100644 | ||
| 16 | --- a/pyproject.toml | ||
| 17 | +++ b/pyproject.toml | ||
| 18 | @@ -1,6 +1,6 @@ | ||
| 19 | [build-system] | ||
| 20 | requires = [ | ||
| 21 | - "setuptools>=75.8.1; python_version >= '3.9'", | ||
| 22 | + "setuptools>=69.0.0; python_version >= '3.9'", | ||
| 23 | "setuptools<75.4.0; python_version < '3.9'", | ||
| 24 | ] | ||
| 25 | build-backend = "setuptools.build_meta" | ||
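Review bot: the new lower bound on patch line 22, `setuptools>=69.0.0`, does not match the 69.1.1 that the patch description on line 6 says Scarthgap ships, and the header does not say what upstream's `>=75.8.1` was there to guarantee. Consider `>=69.1.1` so the requirement names the version that was actually exercised, and add one sentence to the patch header recording how the relaxed bound was validated (the commit message mentions the django test suite in qemu without Selenium), so a later point-release upgrade can judge whether the patch is still safe to carry.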
diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb b/meta-python/recipes-devtools/python/python3-django_4.2.20.bb deleted file mode 100644 index 3fb8b03224..0000000000 --- a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb +++ /dev/null | |||
| @@ -1,14 +0,0 @@ | |||
| 1 | require python-django.inc | ||
| 2 | inherit setuptools3 | ||
| 3 | |||
| 4 | SRC_URI[sha256sum] = "92bac5b4432a64532abb73b2ac27203f485e40225d2640a7fbef2b62b876e789" | ||
| 5 | |||
| 6 | RDEPENDS:${PN} += "\ | ||
| 7 | python3-sqlparse \ | ||
| 8 | python3-asgiref \ | ||
| 9 | " | ||
| 10 | |||
| 11 | # Set DEFAULT_PREFERENCE so that the LTS version of django is built by | ||
| 12 | # default. To build the 4.x branch, | ||
| 13 | # PREFERRED_VERSION_python3-django = "4.2.20" can be added to local.conf | ||
| 14 | DEFAULT_PREFERENCE = "-1" | ||
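Review bot: the comment on lines 11-13 of this removed recipe told users to put `PREFERRED_VERSION_python3-django = "4.2.20"` in local.conf, and once the file is deleted that exact-version pin no longer matches any recipe. Because the 4.2 recipe carries `DEFAULT_PREFERENCE = "-1"`, builds that followed that advice will not pick up 4.2.27 and its CVE fixes until the pin is edited. Please call this out in the commit message and point users at the `4.2.%` form that the replacement recipe now documents.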
diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.27.bb b/meta-python/recipes-devtools/python/python3-django_4.2.27.bb new file mode 100644 index 0000000000..038b0220fa --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django_4.2.27.bb | |||
| @@ -0,0 +1,17 @@ | |||
| 1 | require python-django.inc | ||
| 2 | inherit python_setuptools_build_meta | ||
| 3 | |||
| 4 | SRC_URI += "file://0001-lower-setuptools-requirements.patch" | ||
| 5 | SRC_URI[sha256sum] = "b865fbe0f4a3d1ee36594c5efa42b20db3c8bbb10dff0736face1c6e4bda5b92" | ||
| 6 | |||
| 7 | RDEPENDS:${PN} += "\ | ||
| 8 | python3-sqlparse \ | ||
| 9 | python3-asgiref \ | ||
| 10 | " | ||
| 11 | |||
| 12 | PYPI_PACKAGE = "django" | ||
| 13 | |||
| 14 | # Set DEFAULT_PREFERENCE so that the LTS version of django is built by | ||
| 15 | # default. To build the 4.x branch, | ||
| 16 | # PREFERRED_VERSION_python3-django = "4.2.%" can be added to local.conf | ||
| 17 | DEFAULT_PREFERENCE = "-1" | ||
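Review bot: line 12 adds `PYPI_PACKAGE = "django"` with no comment, and the commit message explains the build backend switch and the setuptools patch but not this override. Since it comes after `require python-django.inc`, it silently replaces whatever the include sets, so add a one-line comment saying why 4.2.27 needs it (and whether it belongs in the .inc instead). The switch of the `PREFERRED_VERSION` hint on line 16 to `4.2.%` is a good change, since it keeps local.conf pins valid across future point releases.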
