2 files changed, 120 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-1.patch b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-1.patch
new file mode 100644
index 0000000000..6c42adfa42
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-1.patch
@@ -0,0 +1,57 @@
+From 45f5d17986f70f0aaf4a666b2d71ae6750beeb88 Mon Sep 17 00:00:00 2001
+From: Jacob Walls <jacobtylerwalls@gmail.com>
+Date: Wed, 24 Sep 2025 15:54:51 -0400
+Subject: [PATCH] [5.1.x] Fixed CVE-2025-64459 -- Prevented SQL injections
+ in Q/QuerySet via the _connector kwarg.
+Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
+Charette, and Jake Howard for the reviews.
+Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
+CVE: CVE-2025-64459
+Upstream-Status: Backport [https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241]
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
+---
+ django/db/models/query_utils.py | 4 ++++
+ tests/queries/test_q.py         | 5 +++++
+ 2 files changed, 9 insertions(+)
+diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py
+index a04bbad5e7f8..d8610bc54d46 100644
+--- a/django/db/models/query_utils.py
+++ b/django/db/models/query_utils.py
+@@ -47,8 +47,12 @@ class Q(tree.Node):
+     XOR = "XOR"
+     default = AND
+     conditional = True
+    connectors = (None, AND, OR, XOR)
+ 
+     def __init__(self, *args, _connector=None, _negated=False, **kwargs):
+        if _connector not in self.connectors:
+            connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:])
+            raise ValueError(f"_connector must be one of {connector_reprs}, or None.")
+         super().__init__(
+             children=[*args, *sorted(kwargs.items())],
+             connector=_connector,
+diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py
+index f7192a430a12..b21ec929a2ec 100644
+--- a/tests/queries/test_q.py
+++ b/tests/queries/test_q.py
+@@ -264,6 +264,11 @@ class QTests(SimpleTestCase):
+                     Q(*items, _connector=connector),
+                 )
+ 
+    def test_connector_validation(self):
+        msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or None."
+        with self.assertRaisesMessage(ValueError, msg):
+            Q(_connector="evil")
+
+     def test_referenced_base_fields(self):
+         # Make sure Q.referenced_base_fields retrieves all base fields from
+         # both filters and F expressions.
+-- 
+2.34.1
diff --git a/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-2.patch b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-2.patch
new file mode 100644
index 0000000000..5a207f8f11
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-2.patch
@@ -0,0 +1,63 @@
+From 415912be531179e90e69f0be2e8bca301de53765 Mon Sep 17 00:00:00 2001
+From: Jacob Walls <jacobtylerwalls@gmail.com>
+Date: Wed, 24 Sep 2025 15:56:03 -0400
+Subject: [PATCH] [5.1.x] Refs CVE-2025-64459 -- Avoided propagating
+ invalid arguments to Q on dictionary expansion.
+Backport of 3c3f46357718166069948625354b8315a8505262 from main.
+CVE: CVE-2025-64459
+Upstream-Status: Backport [https://github.com/django/django/commit/4624ed769c0f7caea0d48ac824a75fa6b6f17671]
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
+---
+ django/db/models/query.py | 5 +++++
+ tests/queries/tests.py    | 8 ++++++++
+ 2 files changed, 13 insertions(+)
+diff --git a/django/db/models/query.py b/django/db/models/query.py
+index 153fb1193ebf..3308cd48db00 100644
+--- a/django/db/models/query.py
+++ b/django/db/models/query.py
+@@ -42,6 +42,8 @@ MAX_GET_RESULTS = 21
+ # The maximum number of items to display in a QuerySet.__repr__
+ REPR_OUTPUT_SIZE = 20
+ 
+PROHIBITED_FILTER_KWARGS = frozenset(["_connector", "_negated"])
+
+ 
+ class BaseIterable:
+     def __init__(
+@@ -1495,6 +1497,9 @@ class QuerySet(AltersData):
+         return clone
+ 
+     def _filter_or_exclude_inplace(self, negate, args, kwargs):
+        if invalid_kwargs := PROHIBITED_FILTER_KWARGS.intersection(kwargs):
+            invalid_kwargs_str = ", ".join(f"'{k}'" for k in sorted(invalid_kwargs))
+            raise TypeError(f"The following kwargs are invalid: {invalid_kwargs_str}")
+         if negate:
+             self._query.add_q(~Q(*args, **kwargs))
+         else:
+diff --git a/tests/queries/tests.py b/tests/queries/tests.py
+index 20665ab2cda3..5df231949194 100644
+--- a/tests/queries/tests.py
+++ b/tests/queries/tests.py
+@@ -4481,6 +4481,14 @@ class TestInvalidValuesRelation(SimpleTestCase):
+             Annotation.objects.filter(tag__in=[123, "abc"])
+ 
+ 
+class TestInvalidFilterArguments(TestCase):
+    def test_filter_rejects_invalid_arguments(self):
+        school = School.objects.create()
+        msg = "The following kwargs are invalid: '_connector', '_negated'"
+        with self.assertRaisesMessage(TypeError, msg):
+            School.objects.filter(pk=school.pk, _negated=True, _connector="evil")
+
+
+ class TestTicket24605(TestCase):
+     def test_ticket_24605(self):
+         """
+-- 
+2.34.1

diff --git a/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-1.patch b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-1.patch new file mode 100644 index 0000000000..6c42adfa42 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-1.patch
@@ -0,0 +1,57 @@
	1	From 45f5d17986f70f0aaf4a666b2d71ae6750beeb88 Mon Sep 17 00:00:00 2001
	2	From: Jacob Walls <jacobtylerwalls@gmail.com>
	3	Date: Wed, 24 Sep 2025 15:54:51 -0400
	4	Subject: [PATCH] [5.1.x] Fixed CVE-2025-64459 -- Prevented SQL injections
	5	in Q/QuerySet via the _connector kwarg.
	6
	7	Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
	8	Charette, and Jake Howard for the reviews.
	9
	10	Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
	11
	12	CVE: CVE-2025-64459
	13
	14	Upstream-Status: Backport [https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241]
	15
	16	Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
	17	---
	18	django/db/models/query_utils.py \| 4 ++++
	19	tests/queries/test_q.py \| 5 +++++
	20	2 files changed, 9 insertions(+)
	21
	22	diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py
	23	index a04bbad5e7f8..d8610bc54d46 100644
	24	--- a/django/db/models/query_utils.py
	25	+++ b/django/db/models/query_utils.py
	26	@@ -47,8 +47,12 @@ class Q(tree.Node):
	27	XOR = "XOR"
	28	default = AND
	29	conditional = True
	30	+ connectors = (None, AND, OR, XOR)
	31
	32	def __init__(self, args, _connector=None, _negated=False, *kwargs):
	33	+ if _connector not in self.connectors:
	34	+ connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:])
	35	+ raise ValueError(f"_connector must be one of {connector_reprs}, or None.")
	36	super().__init__(
	37	children=[args, sorted(kwargs.items())],
	38	connector=_connector,
	39	diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py
	40	index f7192a430a12..b21ec929a2ec 100644
	41	--- a/tests/queries/test_q.py
	42	+++ b/tests/queries/test_q.py
	43	@@ -264,6 +264,11 @@ class QTests(SimpleTestCase):
	44	Q(*items, _connector=connector),
	45	)
	46
	47	+ def test_connector_validation(self):
	48	+ msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or None."
	49	+ with self.assertRaisesMessage(ValueError, msg):
	50	+ Q(_connector="evil")
	51	+
	52	def test_referenced_base_fields(self):
	53	# Make sure Q.referenced_base_fields retrieves all base fields from
	54	# both filters and F expressions.
	55	--
	56	2.34.1
	57


diff --git a/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-2.patch b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-2.patch new file mode 100644 index 0000000000..5a207f8f11 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-2.patch
@@ -0,0 +1,63 @@
	1	From 415912be531179e90e69f0be2e8bca301de53765 Mon Sep 17 00:00:00 2001
	2	From: Jacob Walls <jacobtylerwalls@gmail.com>
	3	Date: Wed, 24 Sep 2025 15:56:03 -0400
	4	Subject: [PATCH] [5.1.x] Refs CVE-2025-64459 -- Avoided propagating
	5	invalid arguments to Q on dictionary expansion.
	6
	7	Backport of 3c3f46357718166069948625354b8315a8505262 from main.
	8
	9	CVE: CVE-2025-64459
	10
	11	Upstream-Status: Backport [https://github.com/django/django/commit/4624ed769c0f7caea0d48ac824a75fa6b6f17671]
	12
	13	Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
	14	---
	15	django/db/models/query.py \| 5 +++++
	16	tests/queries/tests.py \| 8 ++++++++
	17	2 files changed, 13 insertions(+)
	18
	19	diff --git a/django/db/models/query.py b/django/db/models/query.py
	20	index 153fb1193ebf..3308cd48db00 100644
	21	--- a/django/db/models/query.py
	22	+++ b/django/db/models/query.py
	23	@@ -42,6 +42,8 @@ MAX_GET_RESULTS = 21
	24	# The maximum number of items to display in a QuerySet.__repr__
	25	REPR_OUTPUT_SIZE = 20
	26
	27	+PROHIBITED_FILTER_KWARGS = frozenset(["_connector", "_negated"])
	28	+
	29
	30	class BaseIterable:
	31	def __init__(
	32	@@ -1495,6 +1497,9 @@ class QuerySet(AltersData):
	33	return clone
	34
	35	def _filter_or_exclude_inplace(self, negate, args, kwargs):
	36	+ if invalid_kwargs := PROHIBITED_FILTER_KWARGS.intersection(kwargs):
	37	+ invalid_kwargs_str = ", ".join(f"'{k}'" for k in sorted(invalid_kwargs))
	38	+ raise TypeError(f"The following kwargs are invalid: {invalid_kwargs_str}")
	39	if negate:
	40	self._query.add_q(~Q(args, *kwargs))
	41	else:
	42	diff --git a/tests/queries/tests.py b/tests/queries/tests.py
	43	index 20665ab2cda3..5df231949194 100644
	44	--- a/tests/queries/tests.py
	45	+++ b/tests/queries/tests.py
	46	@@ -4481,6 +4481,14 @@ class TestInvalidValuesRelation(SimpleTestCase):
	47	Annotation.objects.filter(tag__in=[123, "abc"])
	48
	49
	50	+class TestInvalidFilterArguments(TestCase):
	51	+ def test_filter_rejects_invalid_arguments(self):
	52	+ school = School.objects.create()
	53	+ msg = "The following kwargs are invalid: '_connector', '_negated'"
	54	+ with self.assertRaisesMessage(TypeError, msg):
	55	+ School.objects.filter(pk=school.pk, _negated=True, _connector="evil")
	56	+
	57	+
	58	class TestTicket24605(TestCase):
	59	def test_ticket_24605(self):
	60	"""
	61	--
	62	2.34.1
	63