From 151e634ed297eec8d9b269c2b08001fd76f4cc62 Mon Sep 17 00:00:00 2001
From: Haixiao Yan
Date: Fri, 10 Apr 2026 15:04:59 +0800
Subject: python3-django: fix CVE-2025-64459
The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q() were subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-64459
https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html
Upstream-patch:
https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241
https://github.com/django/django/commit/4624ed769c0f7caea0d48ac824a75fa6b6f17671
Signed-off-by: Haixiao Yan
Signed-off-by: Jinfeng Wang
Signed-off-by: Anuj Mittal
---
 meta-python/recipes-devtools/python/python3-django_5.0.14.bb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'meta-python/recipes-devtools/python/python3-django_5.0.14.bb')
diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.14.bb b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb
index c2c44b4cc7..84dd9dd5f4 100644
--- a/meta-python/recipes-devtools/python/python3-django_5.0.14.bb
+++ b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb
@@ -4,7 +4,10 @@ inherit setuptools3
 # Windows-specific DoS via NFKC normalization, not applicable to Linux
 CVE_STATUS[CVE-2025-27556] = "not-applicable-platform: Issue only applies on Windows"
-SRC_URI += "file://CVE-2025-64460.patch"
+SRC_URI += "file://CVE-2025-64460.patch \
+ file://CVE-2025-64459-1.patch \
+ file://CVE-2025-64459-2.patch \
+ "
 SRC_URI[sha256sum] = "29019a5763dbd48da1720d687c3522ef40d1c61be6fb2fad27ed79e9f655bc11"
 RDEPENDS:${PN} += "\
-- 
cgit v1.2.3-54-g00ecf
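Review bot: The two `CVE-2025-64459-*.patch` entries added on the `+` lines reference patch files that are not visible here, because the view is limited to the .bb file, so the thing to verify in the full commit is that each patch header carries `CVE: CVE-2025-64459` together with an `Upstream-Status: Backport [<upstream commit url>]` line; without the `CVE:` tag, cve-check keeps reporting the recipe as affected even though the fix is applied. The commit message cites two upstream commits for one CVE but does not say how they relate, so a one-line note in the header of the second patch stating why it is needed in addition to the first (presumably a follow-up to the first fix, which cannot be confirmed from this diff) would save the next maintainer a lookup. The recipe continues outside the hunk, including the `RDEPENDS:${PN}` assignment that starts on its last context line.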