python3-django: fix CVE-2024-39329

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-39329 Upstream-patch: https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14 Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Saravanan <saravanan.kadambathursubramaniyam@windriver.com> 2025-11-30 17:22:48 +0530
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-11-30 15:16:34 +0100
commit: 740980aabacc371ed0b9156ca1c489d2d6677710 (patch)
tree: 6970a72dda9470a6ae8831cdc7d77957f50fbf9b /meta-python/recipes-devtools
parent: 21d389c8f9c82be11f50560668591d5f7ae80690 (diff)
download: meta-openembedded-740980aabacc371ed0b9156ca1c489d2d6677710.tar.gz
4 files changed, 227 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-39329.patch b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-39329.patch
new file mode 100644
index 0000000000..9f2883885f
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-39329.patch
@@ -0,0 +1,114 @@
+From 156d3186c96e3ec2ca73b8b25dc2ef366e38df14 Mon Sep 17 00:00:00 2001
+From: Michael Manfre <mike@manfre.net>
+Date: Fri, 14 Jun 2024 22:12:58 -0400
+Subject: [PATCH] Fixed CVE-2024-39329 -- Standarized timing of
+ verify_password() when checking unusuable passwords.
+Refs #20760.
+Thanks Michael Manfre for the fix and to Adam Johnson for the review.
+CVE: CVE-2024-39329
+Upstream-Status: Backport
+https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14
+Signed-off-by: Michael Manfre <mike@manfre.net>
+Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
+---
+ django/contrib/auth/hashers.py   | 10 ++++++++--
+ docs/releases/3.2.25.txt         |  7 +++++++
+ tests/auth_tests/test_hashers.py | 32 ++++++++++++++++++++++++++++++++
+ 3 files changed, 47 insertions(+), 2 deletions(-)
+diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
+index 86ae7f4..ee81b64 100644
+--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
+@@ -36,14 +36,20 @@ def check_password(password, encoded, setter=None, preferred='default'):
+     If setter is specified, it'll be called when you need to
+     regenerate the password.
+     """
+-    if password is None or not is_password_usable(encoded):
+-        return False
+    fake_runtime = password is None or not is_password_usable(encoded)
+ 
+     preferred = get_hasher(preferred)
+     try:
+         hasher = identify_hasher(encoded)
+     except ValueError:
+         # encoded is gibberish or uses a hasher that's no longer installed.
+        fake_runtime = True
+
+    if fake_runtime:
+        # Run the default password hasher once to reduce the timing difference
+        # between an existing user with an unusable password and a nonexistent
+        # user or missing hasher (similar to #20760).
+        make_password(get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH))
+         return False
+ 
+     hasher_changed = hasher.algorithm != preferred.algorithm
+diff --git a/docs/releases/3.2.25.txt b/docs/releases/3.2.25.txt
+index a2a58b5..a613b08 100644
+--- a/docs/releases/3.2.25.txt
+++ b/docs/releases/3.2.25.txt
+@@ -40,6 +40,13 @@ CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
+ using a suitably crafted dictionary, with dictionary expansion, as the
+ ``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
+ 
+CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
+================================================================================================
+
+The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
+allowed remote attackers to enumerate users via a timing attack involving login
+requests for users with unusable passwords.
+
+ Bugfixes
+ ========
+ 
+diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py
+index 8bc61bc..a1ae940 100644
+--- a/tests/auth_tests/test_hashers.py
+++ b/tests/auth_tests/test_hashers.py
+@@ -474,6 +474,38 @@ class TestUtilsHashPass(SimpleTestCase):
+             check_password('wrong_password', encoded)
+             self.assertEqual(hasher.harden_runtime.call_count, 1)
+ 
+    def test_check_password_calls_make_password_to_fake_runtime(self):
+        hasher = get_hasher("default")
+        cases = [
+            (None, None, None),  # no plain text password provided
+            ("foo", make_password(password=None), None),  # unusable encoded
+            ("letmein", make_password(password="letmein"), ValueError),  # valid encoded
+        ]
+        for password, encoded, hasher_side_effect in cases:
+            with (
+                self.subTest(encoded=encoded),
+                mock.patch(
+                    "django.contrib.auth.hashers.identify_hasher",
+                    side_effect=hasher_side_effect,
+                ) as mock_identify_hasher,
+                mock.patch(
+                    "django.contrib.auth.hashers.make_password"
+                ) as mock_make_password,
+                mock.patch(
+                    "django.contrib.auth.hashers.get_random_string",
+                    side_effect=lambda size: "x" * size,
+                ),
+                mock.patch.object(hasher, "verify"),
+            ):
+                # Ensure make_password is called to standardize timing.
+                check_password(password, encoded)
+                self.assertEqual(hasher.verify.call_count, 0)
+                self.assertEqual(mock_identify_hasher.mock_calls, [mock.call(encoded)])
+                self.assertEqual(
+                    mock_make_password.mock_calls,
+                    [mock.call("x" * UNUSABLE_PASSWORD_SUFFIX_LENGTH)],
+                )
+
+ 
+ class BasePasswordHasherTests(SimpleTestCase):
+     not_implemented_msg = 'subclasses of BasePasswordHasher must provide %s() method'
+-- 
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch
new file mode 100644
index 0000000000..c302c0df18
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch
@@ -0,0 +1,111 @@
+From 156d3186c96e3ec2ca73b8b25dc2ef366e38df14 Mon Sep 17 00:00:00 2001
+From: Michael Manfre <mike@manfre.net>
+Date: Fri, 14 Jun 2024 22:12:58 -0400
+Subject: [PATCH] Fixed CVE-2024-39329 -- Standarized timing of
+ verify_password() when checking unusuable passwords.
+Refs #20760.
+Thanks Michael Manfre for the fix and to Adam Johnson for the review.
+CVE: CVE-2024-39329
+Upstream-Status: Backport
+https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14
+Signed-off-by: Michael Manfre <mike@manfre.net>
+Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
+---
+ django/contrib/auth/hashers.py   | 10 ++++++++--
+ docs/releases/2.2.28.txt         |  7 +++++++
+ tests/auth_tests/test_hashers.py | 32 ++++++++++++++++++++++++++++++++
+ 3 files changed, 47 insertions(+), 2 deletions(-)
+diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
+index 1e8d754..4acb81d 100644
+--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
+@@ -36,14 +36,20 @@ def check_password(password, encoded, setter=None, preferred='default'):
+     If setter is specified, it'll be called when you need to
+     regenerate the password.
+     """
+-    if password is None or not is_password_usable(encoded):
+-        return False
+    fake_runtime = password is None or not is_password_usable(encoded)
+ 
+     preferred = get_hasher(preferred)
+     try:
+         hasher = identify_hasher(encoded)
+     except ValueError:
+         # encoded is gibberish or uses a hasher that's no longer installed.
+        fake_runtime = True
+
+    if fake_runtime:
+        # Run the default password hasher once to reduce the timing difference
+        # between an existing user with an unusable password and a nonexistent
+        # user or missing hasher (similar to #20760).
+        make_password(get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH))
+         return False
+ 
+     hasher_changed = hasher.algorithm != preferred.algorithm
+diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
+index f3fb298..22fa80e 100644
+--- a/docs/releases/2.2.28.txt
+++ b/docs/releases/2.2.28.txt
+@@ -124,3 +124,10 @@ CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
+ using a suitably crafted dictionary, with dictionary expansion, as the
+ ``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
+ 
+CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
+================================================================================================
+
+The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
+allowed remote attackers to enumerate users via a timing attack involving login
+requests for users with unusable passwords.
+
+diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py
+index ee6441b..391b3cc 100644
+--- a/tests/auth_tests/test_hashers.py
+++ b/tests/auth_tests/test_hashers.py
+@@ -433,6 +433,38 @@ class TestUtilsHashPass(SimpleTestCase):
+             check_password('wrong_password', encoded)
+             self.assertEqual(hasher.harden_runtime.call_count, 1)
+ 
+    def test_check_password_calls_make_password_to_fake_runtime(self):
+        hasher = get_hasher("default")
+        cases = [
+            (None, None, None),  # no plain text password provided
+            ("foo", make_password(password=None), None),  # unusable encoded
+            ("letmein", make_password(password="letmein"), ValueError),  # valid encoded
+        ]
+        for password, encoded, hasher_side_effect in cases:
+            with (
+                self.subTest(encoded=encoded),
+                mock.patch(
+                    "django.contrib.auth.hashers.identify_hasher",
+                    side_effect=hasher_side_effect,
+                ) as mock_identify_hasher,
+                mock.patch(
+                    "django.contrib.auth.hashers.make_password"
+                ) as mock_make_password,
+                mock.patch(
+                    "django.contrib.auth.hashers.get_random_string",
+                    side_effect=lambda size: "x" * size,
+                ),
+                mock.patch.object(hasher, "verify"),
+            ):
+                # Ensure make_password is called to standardize timing.
+                check_password(password, encoded)
+                self.assertEqual(hasher.verify.call_count, 0)
+                self.assertEqual(mock_identify_hasher.mock_calls, [mock.call(encoded)])
+                self.assertEqual(
+                    mock_make_password.mock_calls,
+                    [mock.call("x" * UNUSABLE_PASSWORD_SUFFIX_LENGTH)],
+                )
+
+ 
+ class BasePasswordHasherTests(SimpleTestCase):
+     not_implemented_msg = 'subclasses of BasePasswordHasher must provide %s() method'
+-- 
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index 82cdcb2328..3000e93f81 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -28,6 +28,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
            file://CVE-2025-26699.patch \
            file://CVE-2024-56374.patch \
            file://CVE-2025-57833.patch \
+            file://CVE-2024-39329.patch \
           "
 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"
diff --git a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
index fe438016f9..4301eccaae 100644
--- a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
+++ b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
@@ -10,6 +10,7 @@ SRC_URI += "\
       file://CVE-2025-26699.patch \
       file://CVE-2024-56374.patch \
       file://CVE-2025-57833.patch \
+       file://CVE-2024-39329.patch \
 "
 # Set DEFAULT_PREFERENCE so that the LTS version of django is built by
author	Saravanan <saravanan.kadambathursubramaniyam@windriver.com>	2025-11-30 17:22:48 +0530
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-11-30 15:16:34 +0100
commit	740980aabacc371ed0b9156ca1c489d2d6677710 (patch)
tree	6970a72dda9470a6ae8831cdc7d77957f50fbf9b /meta-python/recipes-devtools
parent	21d389c8f9c82be11f50560668591d5f7ae80690 (diff)
download	meta-openembedded-740980aabacc371ed0b9156ca1c489d2d6677710.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-39329.patch b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-39329.patch new file mode 100644 index 0000000000..9f2883885f --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-39329.patch
@@ -0,0 +1,114 @@
		1	From 156d3186c96e3ec2ca73b8b25dc2ef366e38df14 Mon Sep 17 00:00:00 2001
		2	From: Michael Manfre <mike@manfre.net>
		3	Date: Fri, 14 Jun 2024 22:12:58 -0400
		4	Subject: [PATCH] Fixed CVE-2024-39329 -- Standarized timing of
		5	verify_password() when checking unusuable passwords.
		6
		7	Refs #20760.
		8
		9	Thanks Michael Manfre for the fix and to Adam Johnson for the review.
		10
		11	CVE: CVE-2024-39329
		12
		13	Upstream-Status: Backport
		14	https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14
		15
		16	Signed-off-by: Michael Manfre <mike@manfre.net>
		17	Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
		18	---
		19	django/contrib/auth/hashers.py \| 10 ++++++++--
		20	docs/releases/3.2.25.txt \| 7 +++++++
		21	tests/auth_tests/test_hashers.py \| 32 ++++++++++++++++++++++++++++++++
		22	3 files changed, 47 insertions(+), 2 deletions(-)
		23
		24	diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
		25	index 86ae7f4..ee81b64 100644
		26	--- a/django/contrib/auth/hashers.py
		27	+++ b/django/contrib/auth/hashers.py
		28	@@ -36,14 +36,20 @@ def check_password(password, encoded, setter=None, preferred='default'):
		29	If setter is specified, it'll be called when you need to
		30	regenerate the password.
		31	"""
		32	- if password is None or not is_password_usable(encoded):
		33	- return False
		34	+ fake_runtime = password is None or not is_password_usable(encoded)
		35
		36	preferred = get_hasher(preferred)
		37	try:
		38	hasher = identify_hasher(encoded)
		39	except ValueError:
		40	# encoded is gibberish or uses a hasher that's no longer installed.
		41	+ fake_runtime = True
		42	+
		43	+ if fake_runtime:
		44	+ # Run the default password hasher once to reduce the timing difference
		45	+ # between an existing user with an unusable password and a nonexistent
		46	+ # user or missing hasher (similar to #20760).
		47	+ make_password(get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH))
		48	return False
		49
		50	hasher_changed = hasher.algorithm != preferred.algorithm
		51	diff --git a/docs/releases/3.2.25.txt b/docs/releases/3.2.25.txt
		52	index a2a58b5..a613b08 100644
		53	--- a/docs/releases/3.2.25.txt
		54	+++ b/docs/releases/3.2.25.txt
		55	@@ -40,6 +40,13 @@ CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
		56	using a suitably crafted dictionary, with dictionary expansion, as the
		57	``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
		58
		59	+CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
		60	+================================================================================================
		61	+
		62	+The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
		63	+allowed remote attackers to enumerate users via a timing attack involving login
		64	+requests for users with unusable passwords.
		65	+
		66	Bugfixes
		67	========
		68
		69	diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py
		70	index 8bc61bc..a1ae940 100644
		71	--- a/tests/auth_tests/test_hashers.py
		72	+++ b/tests/auth_tests/test_hashers.py
		73	@@ -474,6 +474,38 @@ class TestUtilsHashPass(SimpleTestCase):
		74	check_password('wrong_password', encoded)
		75	self.assertEqual(hasher.harden_runtime.call_count, 1)
		76
		77	+ def test_check_password_calls_make_password_to_fake_runtime(self):
		78	+ hasher = get_hasher("default")
		79	+ cases = [
		80	+ (None, None, None), # no plain text password provided
		81	+ ("foo", make_password(password=None), None), # unusable encoded
		82	+ ("letmein", make_password(password="letmein"), ValueError), # valid encoded
		83	+ ]
		84	+ for password, encoded, hasher_side_effect in cases:
		85	+ with (
		86	+ self.subTest(encoded=encoded),
		87	+ mock.patch(
		88	+ "django.contrib.auth.hashers.identify_hasher",
		89	+ side_effect=hasher_side_effect,
		90	+ ) as mock_identify_hasher,
		91	+ mock.patch(
		92	+ "django.contrib.auth.hashers.make_password"
		93	+ ) as mock_make_password,
		94	+ mock.patch(
		95	+ "django.contrib.auth.hashers.get_random_string",
		96	+ side_effect=lambda size: "x" * size,
		97	+ ),
		98	+ mock.patch.object(hasher, "verify"),
		99	+ ):
		100	+ # Ensure make_password is called to standardize timing.
		101	+ check_password(password, encoded)
		102	+ self.assertEqual(hasher.verify.call_count, 0)
		103	+ self.assertEqual(mock_identify_hasher.mock_calls, [mock.call(encoded)])
		104	+ self.assertEqual(
		105	+ mock_make_password.mock_calls,
		106	+ [mock.call("x" * UNUSABLE_PASSWORD_SUFFIX_LENGTH)],
		107	+ )
		108	+
		109
		110	class BasePasswordHasherTests(SimpleTestCase):
		111	not_implemented_msg = 'subclasses of BasePasswordHasher must provide %s() method'
		112	--
		113	2.40.0
		114


diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch new file mode 100644 index 0000000000..c302c0df18 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch
@@ -0,0 +1,111 @@
		1	From 156d3186c96e3ec2ca73b8b25dc2ef366e38df14 Mon Sep 17 00:00:00 2001
		2	From: Michael Manfre <mike@manfre.net>
		3	Date: Fri, 14 Jun 2024 22:12:58 -0400
		4	Subject: [PATCH] Fixed CVE-2024-39329 -- Standarized timing of
		5	verify_password() when checking unusuable passwords.
		6
		7	Refs #20760.
		8
		9	Thanks Michael Manfre for the fix and to Adam Johnson for the review.
		10
		11	CVE: CVE-2024-39329
		12
		13	Upstream-Status: Backport
		14	https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14
		15
		16	Signed-off-by: Michael Manfre <mike@manfre.net>
		17	Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
		18	---
		19	django/contrib/auth/hashers.py \| 10 ++++++++--
		20	docs/releases/2.2.28.txt \| 7 +++++++
		21	tests/auth_tests/test_hashers.py \| 32 ++++++++++++++++++++++++++++++++
		22	3 files changed, 47 insertions(+), 2 deletions(-)
		23
		24	diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
		25	index 1e8d754..4acb81d 100644
		26	--- a/django/contrib/auth/hashers.py
		27	+++ b/django/contrib/auth/hashers.py
		28	@@ -36,14 +36,20 @@ def check_password(password, encoded, setter=None, preferred='default'):
		29	If setter is specified, it'll be called when you need to
		30	regenerate the password.
		31	"""
		32	- if password is None or not is_password_usable(encoded):
		33	- return False
		34	+ fake_runtime = password is None or not is_password_usable(encoded)
		35
		36	preferred = get_hasher(preferred)
		37	try:
		38	hasher = identify_hasher(encoded)
		39	except ValueError:
		40	# encoded is gibberish or uses a hasher that's no longer installed.
		41	+ fake_runtime = True
		42	+
		43	+ if fake_runtime:
		44	+ # Run the default password hasher once to reduce the timing difference
		45	+ # between an existing user with an unusable password and a nonexistent
		46	+ # user or missing hasher (similar to #20760).
		47	+ make_password(get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH))
		48	return False
		49
		50	hasher_changed = hasher.algorithm != preferred.algorithm
		51	diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
		52	index f3fb298..22fa80e 100644
		53	--- a/docs/releases/2.2.28.txt
		54	+++ b/docs/releases/2.2.28.txt
		55	@@ -124,3 +124,10 @@ CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
		56	using a suitably crafted dictionary, with dictionary expansion, as the
		57	``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
		58
		59	+CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
		60	+================================================================================================
		61	+
		62	+The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
		63	+allowed remote attackers to enumerate users via a timing attack involving login
		64	+requests for users with unusable passwords.
		65	+
		66	diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py
		67	index ee6441b..391b3cc 100644
		68	--- a/tests/auth_tests/test_hashers.py
		69	+++ b/tests/auth_tests/test_hashers.py
		70	@@ -433,6 +433,38 @@ class TestUtilsHashPass(SimpleTestCase):
		71	check_password('wrong_password', encoded)
		72	self.assertEqual(hasher.harden_runtime.call_count, 1)
		73
		74	+ def test_check_password_calls_make_password_to_fake_runtime(self):
		75	+ hasher = get_hasher("default")
		76	+ cases = [
		77	+ (None, None, None), # no plain text password provided
		78	+ ("foo", make_password(password=None), None), # unusable encoded
		79	+ ("letmein", make_password(password="letmein"), ValueError), # valid encoded
		80	+ ]
		81	+ for password, encoded, hasher_side_effect in cases:
		82	+ with (
		83	+ self.subTest(encoded=encoded),
		84	+ mock.patch(
		85	+ "django.contrib.auth.hashers.identify_hasher",
		86	+ side_effect=hasher_side_effect,
		87	+ ) as mock_identify_hasher,
		88	+ mock.patch(
		89	+ "django.contrib.auth.hashers.make_password"
		90	+ ) as mock_make_password,
		91	+ mock.patch(
		92	+ "django.contrib.auth.hashers.get_random_string",
		93	+ side_effect=lambda size: "x" * size,
		94	+ ),
		95	+ mock.patch.object(hasher, "verify"),
		96	+ ):
		97	+ # Ensure make_password is called to standardize timing.
		98	+ check_password(password, encoded)
		99	+ self.assertEqual(hasher.verify.call_count, 0)
		100	+ self.assertEqual(mock_identify_hasher.mock_calls, [mock.call(encoded)])
		101	+ self.assertEqual(
		102	+ mock_make_password.mock_calls,
		103	+ [mock.call("x" * UNUSABLE_PASSWORD_SUFFIX_LENGTH)],
		104	+ )
		105	+
		106
		107	class BasePasswordHasherTests(SimpleTestCase):
		108	not_implemented_msg = 'subclasses of BasePasswordHasher must provide %s() method'
		109	--
		110	2.40.0
		111


diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb index 82cdcb2328..3000e93f81 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -28,6 +28,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
28	file://CVE-2025-26699.patch \	28	file://CVE-2025-26699.patch \
29	file://CVE-2024-56374.patch \	29	file://CVE-2024-56374.patch \
30	file://CVE-2025-57833.patch \	30	file://CVE-2025-57833.patch \
		31	file://CVE-2024-39329.patch \
31	"	32	"
32		33
33	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"	34	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"


diff --git a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb index fe438016f9..4301eccaae 100644 --- a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb +++ b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
@@ -10,6 +10,7 @@ SRC_URI += "\
10	file://CVE-2025-26699.patch \	10	file://CVE-2025-26699.patch \
11	file://CVE-2024-56374.patch \	11	file://CVE-2024-56374.patch \
12	file://CVE-2025-57833.patch \	12	file://CVE-2025-57833.patch \
		13	file://CVE-2024-39329.patch \
13	"	14	"
14		15
15	# Set DEFAULT_PREFERENCE so that the LTS version of django is built by	16	# Set DEFAULT_PREFERENCE so that the LTS version of django is built by