2 files changed, 78 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch b/meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch
new file mode 100644
index 0000000000..95a31305a4
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch
@@ -0,0 +1,77 @@
+From c019f2cb6fbe266e09c71cd890a22cbce3769b05 Mon Sep 17 00:00:00 2001
+From: Haixiao Yan <haixiao.yan.cn@windriver.com>
+Date: Tue, 13 Jan 2026 14:44:32 +0800
+Subject: [PATCH] python3-django: Fix missing JSONField in django.db.models
+Fix the following error introduced by CVE-2024-42005.patch:
+AttributeError: module 'django.db.models' has no attribute 'JSONField'
+The patch assumes JSONField is available from django.db.models, which
+is not the case for this Django version.
+Revert the changes in the following files to restore compatibility:
+tests/expressions/models.py
+tests/expressions/test_queryset_values.py
+Upstream-Status: Inappropriate [Fix the regression in the previous fix for CVE-2024-42005]
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
+---
+ tests/expressions/models.py               |  7 -------
+ tests/expressions/test_queryset_values.py | 17 ++---------------
+ 2 files changed, 2 insertions(+), 22 deletions(-)
+diff --git a/tests/expressions/models.py b/tests/expressions/models.py
+index fb8093849cba..33f7850ac16e 100644
+--- a/tests/expressions/models.py
+++ b/tests/expressions/models.py
+@@ -97,10 +97,3 @@ class UUID(models.Model):
+ 
+     def __str__(self):
+         return "%s" % self.uuid
+-
+-
+-class JSONFieldModel(models.Model):
+-    data = models.JSONField(null=True)
+-
+-    class Meta:
+-        required_db_features = {"supports_json_field"}
+diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
+index bd52b8efc194..0804531869d9 100644
+--- a/tests/expressions/test_queryset_values.py
+++ b/tests/expressions/test_queryset_values.py
+@@ -1,8 +1,8 @@
+ from django.db.models.aggregates import Sum
+ from django.db.models.expressions import F
+-from django.test import TestCase, skipUnlessDBFeature
+from django.test import TestCase
+ 
+-from .models import Company, Employee, JSONFieldModel
+from .models import Company, Employee
+ 
+ 
+ class ValuesExpressionsTests(TestCase):
+@@ -36,19 +36,6 @@ class ValuesExpressionsTests(TestCase):
+         with self.assertRaisesMessage(ValueError, msg):
+             Company.objects.values(**{crafted_alias: F("ceo__salary")})
+ 
+-    @skipUnlessDBFeature("supports_json_field")
+-    def test_values_expression_alias_sql_injection_json_field(self):
+-        crafted_alias = """injected_name" from "expressions_company"; --"""
+-        msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
+-        )
+-        with self.assertRaisesMessage(ValueError, msg):
+-            JSONFieldModel.objects.values(f"data__{crafted_alias}")
+-
+-        with self.assertRaisesMessage(ValueError, msg):
+-            JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
+-
+     def test_values_expression_group_by(self):
+         # values() applies annotate() first, so values selected are grouped by
+         # id, not firstname.
+-- 
+2.34.1
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index f2bb1de4f2..8e826b9b61 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -33,6 +33,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
            file://CVE-2025-32873.patch \
            file://CVE-2025-64459.patch \
            file://Fix-undefined-_lazy_re_compile.patch \
+            file://Fix-missing-JSONField-in-django.db.mo.patch \
           "
 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"

diff --git a/meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch b/meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch new file mode 100644 index 0000000000..95a31305a4 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch
@@ -0,0 +1,77 @@
		1	From c019f2cb6fbe266e09c71cd890a22cbce3769b05 Mon Sep 17 00:00:00 2001
		2	From: Haixiao Yan <haixiao.yan.cn@windriver.com>
		3	Date: Tue, 13 Jan 2026 14:44:32 +0800
		4	Subject: [PATCH] python3-django: Fix missing JSONField in django.db.models
		5
		6	Fix the following error introduced by CVE-2024-42005.patch:
		7
		8	AttributeError: module 'django.db.models' has no attribute 'JSONField'
		9
		10	The patch assumes JSONField is available from django.db.models, which
		11	is not the case for this Django version.
		12
		13	Revert the changes in the following files to restore compatibility:
		14	tests/expressions/models.py
		15	tests/expressions/test_queryset_values.py
		16
		17	Upstream-Status: Inappropriate [Fix the regression in the previous fix for CVE-2024-42005]
		18
		19	Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
		20	---
		21	tests/expressions/models.py \| 7 -------
		22	tests/expressions/test_queryset_values.py \| 17 ++---------------
		23	2 files changed, 2 insertions(+), 22 deletions(-)
		24
		25	diff --git a/tests/expressions/models.py b/tests/expressions/models.py
		26	index fb8093849cba..33f7850ac16e 100644
		27	--- a/tests/expressions/models.py
		28	+++ b/tests/expressions/models.py
		29	@@ -97,10 +97,3 @@ class UUID(models.Model):
		30
		31	def __str__(self):
		32	return "%s" % self.uuid
		33	-
		34	-
		35	-class JSONFieldModel(models.Model):
		36	- data = models.JSONField(null=True)
		37	-
		38	- class Meta:
		39	- required_db_features = {"supports_json_field"}
		40	diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
		41	index bd52b8efc194..0804531869d9 100644
		42	--- a/tests/expressions/test_queryset_values.py
		43	+++ b/tests/expressions/test_queryset_values.py
		44	@@ -1,8 +1,8 @@
		45	from django.db.models.aggregates import Sum
		46	from django.db.models.expressions import F
		47	-from django.test import TestCase, skipUnlessDBFeature
		48	+from django.test import TestCase
		49
		50	-from .models import Company, Employee, JSONFieldModel
		51	+from .models import Company, Employee
		52
		53
		54	class ValuesExpressionsTests(TestCase):
		55	@@ -36,19 +36,6 @@ class ValuesExpressionsTests(TestCase):
		56	with self.assertRaisesMessage(ValueError, msg):
		57	Company.objects.values(**{crafted_alias: F("ceo__salary")})
		58
		59	- @skipUnlessDBFeature("supports_json_field")
		60	- def test_values_expression_alias_sql_injection_json_field(self):
		61	- crafted_alias = """injected_name" from "expressions_company"; --"""
		62	- msg = (
		63	- "Column aliases cannot contain whitespace characters, quotation marks, "
		64	- "semicolons, or SQL comments."
		65	- )
		66	- with self.assertRaisesMessage(ValueError, msg):
		67	- JSONFieldModel.objects.values(f"data__{crafted_alias}")
		68	-
		69	- with self.assertRaisesMessage(ValueError, msg):
		70	- JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
		71	-
		72	def test_values_expression_group_by(self):
		73	# values() applies annotate() first, so values selected are grouped by
		74	# id, not firstname.
		75	--
		76	2.34.1
		77


diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb index f2bb1de4f2..8e826b9b61 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -33,6 +33,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
33	file://CVE-2025-32873.patch \	33	file://CVE-2025-32873.patch \
34	file://CVE-2025-64459.patch \	34	file://CVE-2025-64459.patch \
35	file://Fix-undefined-_lazy_re_compile.patch \	35	file://Fix-undefined-_lazy_re_compile.patch \
		36	file://Fix-missing-JSONField-in-django.db.mo.patch \
36	"	37	"
37		38
38	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"	39	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"