From patchwork Thu Nov 30 12:23:37 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: nmali X-Patchwork-Id: 35438 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 03474C4167B for ; Thu, 30 Nov 2023 12:24:13 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.70931.1701347044378421905 for ; Thu, 30 Nov 2023 04:24:04 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@windriver.com header.s=PPS06212021 header.b=sU40oLu9; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=0698061647=narpat.mali@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 3AUB5IPu027401; Thu, 30 Nov 2023 12:24:03 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=from:to:subject:date:message-id:mime-version:content-type :content-transfer-encoding; s=PPS06212021; bh=bEHin899gPEsurQS18 x5P0wKPCKKsasyn/lCPMluWs4=; b=sU40oLu9y4gHzXVcJyzQhWN3IT6X8/jaqo JdoS0OH/rAfquD67vpUl2tM/C++7JBtiiukQWVfoUz06wZ52aQqH02onHcr7hYWT 1WaLRNhRtoc6rNk8HfA3bD5eg1vOaTBFrllse2mxyxN6z3z1JY2WpXhgYPwMVsAw XCoLPlQTrpT0MM3WsWH7rIjV/xnibB1f01qPU08BxeeRd70m7W28xSyHLYfoMxOc dzlbTEXj3swE0NTn72kFXPFN9DITzaw/Hx/KZ+qiza4N7DfpMjs4ttklVtdSXM+4 9Y7uyIVDgYGs9Pt+VAaWeIqrIAVUzILxECtpqrezgieEB9ElIWnw== Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3uph0w8g86-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Thu, 30 Nov 2023 12:24:02 +0000 (GMT) Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Thu, 30 Nov 2023 04:24:07 -0800 From: nmali To: , Subject: [meta-python][kirkstone][PATCH 1/3] python3-django: Fix for CVE-2023-43665 and CVE-2023-46695 Date: Thu, 30 Nov 2023 12:23:37 +0000 Message-ID: <20231130122339.363700-1-narpat.mali@windriver.com> X-Mailer: git-send-email 2.40.0 MIME-Version: 1.0 X-Originating-IP: [147.11.136.210] X-ClientProxiedBy: ala-exchng01.corp.ad.wrs.com (147.11.82.252) To ala-exchng01.corp.ad.wrs.com (147.11.82.252) X-Proofpoint-ORIG-GUID: ymkNQVc8UddlA9XkBbSE1wGkgGPW1JzX X-Proofpoint-GUID: ymkNQVc8UddlA9XkBbSE1wGkgGPW1JzX X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.987,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-11-16_25,2023-11-16_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 spamscore=0 mlxlogscore=999 impostorscore=0 bulkscore=0 phishscore=0 clxscore=1015 suspectscore=0 adultscore=0 lowpriorityscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2311060001 definitions=main-2311300092 X-MIME-Autoconverted: from 8bit to quoted-printable by mx0a-0064b401.pphosted.com id 3AUB5IPu027401 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 30 Nov 2023 12:24:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/107173 From: Narpat Mali CVE-2023-43665: In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. CVE-2023-46695: An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. References: https://www.djangoproject.com/weblog/2023/oct/04/security-releases/ https://www.djangoproject.com/weblog/2023/nov/01/security-releases/ Signed-off-by: Narpat Mali --- .../python3-django/CVE-2023-43665.patch | 199 ++++++++++++++++++ .../python3-django/CVE-2023-46695.patch | 90 ++++++++ .../python/python3-django_2.2.28.bb | 2 + 3 files changed, 291 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch new file mode 100644 index 0000000000..dbfb9b68a8 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch @@ -0,0 +1,199 @@ +From b269a0063e9b10a6c88c92b24d1b92c7421950de Mon Sep 17 00:00:00 2001 +From: Natalia <124304+nessita@users.noreply.github.com> +Date: Wed, 29 Nov 2023 12:20:01 +0000 +Subject: [PATCH 1/2] Fixed CVE-2023-43665 -- Mitigated potential DoS in + django.utils.text.Truncator when truncating HTML text. + +Thanks Wenchao Li of Alibaba Group for the report. + +CVE: CVE-2023-43665 + +Upstream-Status: Backport [https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5] + +Signed-off-by: Narpat Mali +--- + django/utils/text.py | 18 ++++++++++++++++- + docs/ref/templates/builtins.txt | 20 +++++++++++++++++++ + docs/releases/2.2.28.txt | 20 +++++++++++++++++++ + tests/utils_tests/test_text.py | 35 ++++++++++++++++++++++++--------- + 4 files changed, 83 insertions(+), 10 deletions(-) + +diff --git a/django/utils/text.py b/django/utils/text.py +index 1fae7b2..06a377b 100644 +--- a/django/utils/text.py ++++ b/django/utils/text.py +@@ -57,7 +57,14 @@ def wrap(text, width): + class Truncator(SimpleLazyObject): + """ + An object used to truncate text, either by characters or words. ++ ++ When truncating HTML text (either chars or words), input will be limited to ++ at most `MAX_LENGTH_HTML` characters. + """ ++ ++ # 5 million characters are approximately 4000 text pages or 3 web pages. ++ MAX_LENGTH_HTML = 5_000_000 ++ + def __init__(self, text): + super().__init__(lambda: str(text)) + +@@ -154,6 +161,11 @@ class Truncator(SimpleLazyObject): + if words and length <= 0: + return '' + ++ size_limited = False ++ if len(text) > self.MAX_LENGTH_HTML: ++ text = text[: self.MAX_LENGTH_HTML] ++ size_limited = True ++ + html4_singlets = ( + 'br', 'col', 'link', 'base', 'img', + 'param', 'area', 'hr', 'input' +@@ -203,10 +215,14 @@ class Truncator(SimpleLazyObject): + # Add it to the start of the open tags list + open_tags.insert(0, tagname) + ++ truncate_text = self.add_truncation_text("", truncate) ++ + if current_len <= length: ++ if size_limited and truncate_text: ++ text += truncate_text + return text ++ + out = text[:end_text_pos] +- truncate_text = self.add_truncation_text('', truncate) + if truncate_text: + out += truncate_text + # Close any tags still open +diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt +index c4b0fa3..4faab38 100644 +--- a/docs/ref/templates/builtins.txt ++++ b/docs/ref/templates/builtins.txt +@@ -2318,6 +2318,16 @@ If ``value`` is ``"

Joel is a slug

"``, the output will be + + Newlines in the HTML content will be preserved. + ++.. admonition:: Size of input string ++ ++ Processing large, potentially malformed HTML strings can be ++ resource-intensive and impact service performance. ``truncatechars_html`` ++ limits input to the first five million characters. ++ ++.. versionchanged:: 2.2.28 ++ ++ In older versions, strings over five million characters were processed. ++ + .. templatefilter:: truncatewords + + ``truncatewords`` +@@ -2356,6 +2366,16 @@ If ``value`` is ``"

Joel is a slug

"``, the output will be + + Newlines in the HTML content will be preserved. + ++.. admonition:: Size of input string ++ ++ Processing large, potentially malformed HTML strings can be ++ resource-intensive and impact service performance. ``truncatewords_html`` ++ limits input to the first five million characters. ++ ++.. versionchanged:: 2.2.28 ++ ++ In older versions, strings over five million characters were processed. ++ + .. templatefilter:: unordered_list + + ``unordered_list`` +diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt +index 40eb230..6a38e9c 100644 +--- a/docs/releases/2.2.28.txt ++++ b/docs/releases/2.2.28.txt +@@ -56,3 +56,23 @@ CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.enco + ``django.utils.encoding.uri_to_iri()`` was subject to potential denial of + service attack via certain inputs with a very large number of Unicode + characters. ++ ++Backporting the CVE-2023-43665 fix on Django 2.2.28. ++ ++CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator`` ++================================================================================ ++ ++Following the fix for :cve:`2019-14232`, the regular expressions used in the ++implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` ++methods (with ``html=True``) were revised and improved. However, these regular ++expressions still exhibited linear backtracking complexity, so when given a ++very long, potentially malformed HTML input, the evaluation would still be ++slow, leading to a potential denial of service vulnerability. ++ ++The ``chars()`` and ``words()`` methods are used to implement the ++:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template ++filters, which were thus also vulnerable. ++ ++The input processed by ``Truncator``, when operating in HTML mode, has been ++limited to the first five million characters in order to avoid potential ++performance and memory issues. +diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py +index 27e440b..cb3063d 100644 +--- a/tests/utils_tests/test_text.py ++++ b/tests/utils_tests/test_text.py +@@ -1,5 +1,6 @@ + import json + import sys ++from unittest.mock import patch + + from django.core.exceptions import SuspiciousFileOperation + from django.test import SimpleTestCase +@@ -87,11 +88,17 @@ class TestUtilsText(SimpleTestCase): + # lazy strings are handled correctly + self.assertEqual(text.Truncator(lazystr('The quick brown fox')).chars(10), 'The quick…') + +- def test_truncate_chars_html(self): ++ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000) ++ def test_truncate_chars_html_size_limit(self): ++ max_len = text.Truncator.MAX_LENGTH_HTML ++ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1 ++ valid_html = "

Joel is a slug

" # 14 chars + perf_test_values = [ +- (('', None), +- ('&' * 50000, '&' * 9 + '…'), +- ('_X<<<<<<<<<<<>', None), ++ ("", None), ++ ("", "", None), ++ (valid_html * bigger_len, "

Joel is a…

"), # 10 chars + ] + for value, expected in perf_test_values: + with self.subTest(value=value): +@@ -149,15 +156,25 @@ class TestUtilsText(SimpleTestCase): + truncator = text.Truncator('

I <3 python, what about you?

') + self.assertEqual('

I <3 python,…

', truncator.words(3, html=True)) + ++ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000) ++ def test_truncate_words_html_size_limit(self): ++ max_len = text.Truncator.MAX_LENGTH_HTML ++ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1 ++ valid_html = "

Joel is a slug

" # 4 words + perf_test_values = [ +- ('', +- '&' * 50000, +- '_X<<<<<<<<<<<>', ++ ("", None), ++ ("", "", None), ++ (valid_html * bigger_len, valid_html * 12 + "

Joel is…

"), # 50 words + ] +- for value in perf_test_values: ++ for value, expected in perf_test_values: + with self.subTest(value=value): + truncator = text.Truncator(value) +- self.assertEqual(value, truncator.words(50, html=True)) ++ self.assertEqual( ++ expected if expected else value, truncator.words(50, html=True) ++ ) + + def test_wrap(self): + digits = '1234 67 9' +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch new file mode 100644 index 0000000000..b7dda41f8f --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch @@ -0,0 +1,90 @@ +From 32bc7fa517be1d50239827520cc13f3112d3d748 Mon Sep 17 00:00:00 2001 +From: Mariusz Felisiak +Date: Wed, 29 Nov 2023 12:49:41 +0000 +Subject: [PATCH 2/2] Fixed CVE-2023-46695 -- Fixed potential DoS in + UsernameField on Windows. + +Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. + +CVE: CVE-2023-46695 + +Upstream-Status: Backport [https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b] + +Signed-off-by: Narpat Mali +--- + django/contrib/auth/forms.py | 10 +++++++++- + docs/releases/2.2.28.txt | 14 ++++++++++++++ + tests/auth_tests/test_forms.py | 8 +++++++- + 3 files changed, 30 insertions(+), 2 deletions(-) + +diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py +index e6f73fe..26d3ca7 100644 +--- a/django/contrib/auth/forms.py ++++ b/django/contrib/auth/forms.py +@@ -68,7 +68,15 @@ class ReadOnlyPasswordHashField(forms.Field): + + class UsernameField(forms.CharField): + def to_python(self, value): +- return unicodedata.normalize('NFKC', super().to_python(value)) ++ value = super().to_python(value) ++ if self.max_length is not None and len(value) > self.max_length: ++ # Normalization can increase the string length (e.g. ++ # "ff" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no ++ # point in normalizing invalid data. Moreover, Unicode ++ # normalization is very slow on Windows and can be a DoS attack ++ # vector. ++ return value ++ return unicodedata.normalize("NFKC", value) + + + class UserCreationForm(forms.ModelForm): +diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt +index 6a38e9c..c653cb6 100644 +--- a/docs/releases/2.2.28.txt ++++ b/docs/releases/2.2.28.txt +@@ -76,3 +76,17 @@ filters, which were thus also vulnerable. + The input processed by ``Truncator``, when operating in HTML mode, has been + limited to the first five million characters in order to avoid potential + performance and memory issues. ++ ++Backporting the CVE-2023-46695 fix on Django 2.2.28. ++ ++CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows ++========================================================================================= ++ ++The :func:`NFKC normalization ` is slow on ++Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was ++subject to a potential denial of service attack via certain inputs with a very ++large number of Unicode characters. ++ ++In order to avoid the vulnerability, invalid values longer than ++``UsernameField.max_length`` are no longer normalized, since they cannot pass ++validation anyway. +diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py +index bed23af..e73d4b8 100644 +--- a/tests/auth_tests/test_forms.py ++++ b/tests/auth_tests/test_forms.py +@@ -6,7 +6,7 @@ from django import forms + from django.contrib.auth.forms import ( + AdminPasswordChangeForm, AuthenticationForm, PasswordChangeForm, + PasswordResetForm, ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget, +- SetPasswordForm, UserChangeForm, UserCreationForm, ++ SetPasswordForm, UserChangeForm, UserCreationForm, UsernameField, + ) + from django.contrib.auth.models import User + from django.contrib.auth.signals import user_login_failed +@@ -132,6 +132,12 @@ class UserCreationFormTest(TestDataMixin, TestCase): + self.assertNotEqual(user.username, ohm_username) + self.assertEqual(user.username, 'testΩ') # U+03A9 GREEK CAPITAL LETTER OMEGA + ++ def test_invalid_username_no_normalize(self): ++ field = UsernameField(max_length=254) ++ # Usernames are not normalized if they are too long. ++ self.assertEqual(field.to_python("½" * 255), "½" * 255) ++ self.assertEqual(field.to_python("ff" * 254), "ff" * 254) ++ + def test_duplicate_normalized_unicode(self): + """ + To prevent almost identical usernames, visually identical but differing +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb index c35323f455..8c955e6bd8 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb @@ -8,6 +8,8 @@ inherit setuptools3 SRC_URI += "file://CVE-2023-31047.patch \ file://CVE-2023-36053.patch \ file://CVE-2023-41164.patch \ + file://CVE-2023-43665.patch \ + file://CVE-2023-46695.patch \ " SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413" From patchwork Thu Nov 30 12:23:38 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: nmali X-Patchwork-Id: 35437 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 08AABC46CA0 for ; Thu, 30 Nov 2023 12:24:13 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.70932.1701347045935600850 for ; Thu, 30 Nov 2023 04:24:06 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=C1uulelA; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=0698061647=narpat.mali@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 3AU8qqe2005932; Thu, 30 Nov 2023 12:24:04 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=from:to:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding:content-type; s= PPS06212021; bh=cLh0JmuOQHakWHoO8Vv2BP2oKMh/i5xM7O0NAIb5KIU=; b= C1uulelANdYZh8lNe3776r8j5HRizxtNXFZggT5g3FmMvoaLjQyTIHw7MhIoqwK1 1mSfp8dchgEVud5ZRNK5qwMr2WlYKRdYGvEO8g5MXzgpO/6xOL45HADTRLqpd6yM WFM7IaGFriHevt71wsvOrXZxlO2xXuIyFKdtE/MOhCQf8PIXxUC6UDGq0uQQNnGx OR+DtP3UcuhzSDmKnT+yJrGKZJddCYsMCz6+QiC03w2cqx2AH7cfNMWqraR9u0yy Ia2WFfVT7ivymL4NIC3amGjpdsUBwbhgK5KC3/UC70mCxw0E9AJ3StAPKfFTNlOi tcUl5R8/rw+jgc9cVH7ARA== Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3uph0w8g88-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Thu, 30 Nov 2023 12:24:04 +0000 (GMT) Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Thu, 30 Nov 2023 04:24:09 -0800 From: nmali To: , Subject: [meta-python][kirkstone][PATCH 2/3] python3-django: upgrade 3.2.21 -> 3.2.23 Date: Thu, 30 Nov 2023 12:23:38 +0000 Message-ID: <20231130122339.363700-2-narpat.mali@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20231130122339.363700-1-narpat.mali@windriver.com> References: <20231130122339.363700-1-narpat.mali@windriver.com> MIME-Version: 1.0 X-Originating-IP: [147.11.136.210] X-ClientProxiedBy: ala-exchng01.corp.ad.wrs.com (147.11.82.252) To ala-exchng01.corp.ad.wrs.com (147.11.82.252) X-Proofpoint-ORIG-GUID: N7ZISndSVWVdJ19gBhlTBwAdedC64h2o X-Proofpoint-GUID: N7ZISndSVWVdJ19gBhlTBwAdedC64h2o X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.987,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-11-16_25,2023-11-16_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 spamscore=0 mlxlogscore=999 impostorscore=0 bulkscore=0 phishscore=0 clxscore=1015 suspectscore=0 adultscore=0 lowpriorityscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2311060001 definitions=main-2311300092 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 30 Nov 2023 12:24:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/107174 From: Narpat Mali The delta between 3.2.21 and 3.2.23 contains the fixes for CVE-2023-43665, CVE-2023-46695 and other bugfixes. git log --oneline 3.2.21..3.2.23 shows: 60e648a7ae (tag: 3.2.23) [3.2.x] Bumped version for 3.2.23 release. f9a7fb8466 [3.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows. e6d2591d9e [3.2.x] Added stub release notes for 3.2.23. 3c04b74293 [3.2.x] Added CVE-2023-43665 to security archive. 86a14d653f [3.2.x] Post release version bump. 3106e94e52 (tag: 3.2.22) [3.2.x] Bumped version for 3.2.22 release. ccdade1a02 [3.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text. 6caf7b313d [3.2.x] Added stub release notes for 3.2.22. 9e814c3a5e [3.2.x] Added CVE-2023-41164 to security archive. 4b439dcd05 [3.2.x] Post-release version bump. Release Notes: https://docs.djangoproject.com/en/dev/releases/3.2.23/ Signed-off-by: Narpat Mali --- .../{python3-django_3.2.21.bb => python3-django_3.2.23.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta-python/recipes-devtools/python/{python3-django_3.2.21.bb => python3-django_3.2.23.bb} (61%) diff --git a/meta-python/recipes-devtools/python/python3-django_3.2.21.bb b/meta-python/recipes-devtools/python/python3-django_3.2.23.bb similarity index 61% rename from meta-python/recipes-devtools/python/python3-django_3.2.21.bb rename to meta-python/recipes-devtools/python/python3-django_3.2.23.bb index 1148669860..beecaa607c 100644 --- a/meta-python/recipes-devtools/python/python3-django_3.2.21.bb +++ b/meta-python/recipes-devtools/python/python3-django_3.2.23.bb @@ -1,7 +1,7 @@ require python-django.inc inherit setuptools3 -SRC_URI[sha256sum] = "a5de4c484e7b7418e6d3e52a5b8794f0e6b9f9e4ce3c037018cf1c489fa87f3c" +SRC_URI[sha256sum] = "82968f3640e29ef4a773af2c28448f5f7a08d001c6ac05b32d02aeee6509508b" RDEPENDS:${PN} += "\ ${PYTHON_PN}-sqlparse \ @@ -9,5 +9,5 @@ RDEPENDS:${PN} += "\ # Set DEFAULT_PREFERENCE so that the LTS version of django is built by # default. To build the 3.x branch, -# PREFERRED_VERSION_python3-django = "3.2.21" can be added to local.conf +# PREFERRED_VERSION_python3-django = "3.2.23" can be added to local.conf DEFAULT_PREFERENCE = "-1" From patchwork Thu Nov 30 12:23:39 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: nmali X-Patchwork-Id: 35439 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 07879C07CA9 for ; Thu, 30 Nov 2023 12:24:13 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.70911.1701347047860534281 for ; Thu, 30 Nov 2023 04:24:08 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=rmBq5ByU; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=0698061647=narpat.mali@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 3AUCINgJ005460; Thu, 30 Nov 2023 12:24:06 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=from:to:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding:content-type; s= PPS06212021; bh=j3MjJjLYlhGj0hN5HcrR6joStUJznAP4aYGcyJjklkI=; b= rmBq5ByUBrFIjjBTrcIn9wvVcuANAU96LOFDHVyd21so0ESL9zc8qVWTVQIXu2HZ VoRQ1VMfxHYEqZMRd5tEF1RkWlHq826unCTuWTzFm2XVMe/+/Uu3JnXThuvY9iw8 ghcr8WINDPJzI89zB4RQdjcifu7rGA7fC4u9JvIssTsjfeRaWdzRKs392hIsrHKH XE43kijk+UcFWsmJghCq388D0jduxIbrOtv8PB5Ky7oqPaY6ELvz0gjGLB1pRSxi fnCgS6nzmOXCY+t6xGY68WA/331V5K9o2cJN1DPwosHeorACx6bI+jxX+MBYbnMr QXO6vIkiPRHYit29oVfGEA== Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3uph108g07-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Thu, 30 Nov 2023 12:24:06 +0000 (GMT) Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Thu, 30 Nov 2023 04:24:11 -0800 From: nmali To: , Subject: [meta-python][kirkstone][PATCH 3/3] python3-django: upgrade 4.2.5 -> 4.2.7 Date: Thu, 30 Nov 2023 12:23:39 +0000 Message-ID: <20231130122339.363700-3-narpat.mali@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20231130122339.363700-1-narpat.mali@windriver.com> References: <20231130122339.363700-1-narpat.mali@windriver.com> MIME-Version: 1.0 X-Originating-IP: [147.11.136.210] X-ClientProxiedBy: ala-exchng01.corp.ad.wrs.com (147.11.82.252) To ala-exchng01.corp.ad.wrs.com (147.11.82.252) X-Proofpoint-ORIG-GUID: 1gSZVVL1xhp-L-QjgYfNI5rRNfvqUFpy X-Proofpoint-GUID: 1gSZVVL1xhp-L-QjgYfNI5rRNfvqUFpy X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.987,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-11-16_25,2023-11-16_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 mlxscore=0 mlxlogscore=999 malwarescore=0 priorityscore=1501 clxscore=1015 suspectscore=0 spamscore=0 bulkscore=0 lowpriorityscore=0 phishscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2311060001 definitions=main-2311300092 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 30 Nov 2023 12:24:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/107175 From: Narpat Mali The delta between 4.2.5 and 4.2.7 contains the fixes for CVE-2023-43665, CVE-2023-46695 and other bugfixes. git log --oneline 4.2.5..4.2.7 shows: d254a54e7f (tag: 4.2.7) [4.2.x] Bumped version for 4.2.7 release. 048a9ebb6e [4.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows. 3fae5d92da [4.2.x] Refs #30601 -- Fixed typos in docs/topics/db/transactions.txt. a8aa94062b [4.2.x] Refs #15578 -- Made cosmetic edits to fixtures docs. 109f39a38b [4.2.x] Fixed #34932 -- Restored varchar_pattern_ops/text_pattern_ops index creation when deterministic collaction is set. 61612990d8 [4.2.x] Fixed typos in docs/ref/models/expressions.txt. 696fbc32d6 [4.2.x] Fixed #30601 -- Doc'd the need to manually revert all app state on transaction rollbacks. ffba63180c [4.2.x] Fixed typo in docs/ref/contrib/gis/geos.txt. 43a3646070 [4.2.x] Fixed #15578 -- Stated the processing order of fixtures in the fixtures docs. 0cd8b867a0 [4.2.x] Added stub release notes and release date for 4.2.7, 4.1.13, and 3.2.23. 510a512119 [4.2.x] Fixed typo in docs/releases/4.2.txt. b644f8bc1f [4.2.x] Corrected note about using accents in writing documentation contributing guide. a576ef98ae [4.2.x] Refs #34900, Refs #34118 -- Updated assertion in test_skip_class_unless_db_feature() test on Python 3.12.1+. 803caec60b [4.2.x] Fixed #34798 -- Fixed QuerySet.aggregate() crash when referencing expressions containing subqueries. caec4f4a6f [4.2.x] Refs #34840 -- Improved release note describing index regression. b6bb2f8099 [4.2.x] Refs #34840 -- Fixed test_validate_nullable_textfield_with_isnull_true() on databases that don's support table check constraints. e8fe48d3a0 [4.2.x] Fixed #34808 -- Doc'd aggregate function's default argument. 830990fa6c [4.2.x] Reorganized tutorial's part 4 to better understand changes needed in URLConf. 0cbc92bc3a [4.2.x] Refs #26029 -- Improved get_storage_class() deprecation warning with stacklevel=2. 9c7627da30 [4.2.x] Refs #34043 -- Clarified how to test UI changes. 0bd53ab86a [4.2.x] Added backticks to setuptools in docs. 99dcba90b4 [4.2.x] Refs #32275 -- Added scrypt password hasher to PASSWORD_HASHERS setting docs. 6697880219 [4.2.x] Refs #31435 -- Doc'd potential infinite recursion when accessing model fields in __init__. a9a3317a95 [4.2.x] Corrected wrap_socket() reference in docs/ref/settings.txt. 9962f94a97 [4.2.x] Added CVE-2023-43665 to security archive. b2d95bb301 [4.2.x] Added stub release notes for 4.2.7. 08d54f83a9 [4.2.x] Post release version bump. c22017bd1d (tag: 4.2.6) [4.2.x] Bumped version for 4.2.6 release. be9c27c4d1 [4.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text. 39fc3f46a8 [4.2.x] Added stub release notes and release date for 4.2.6, 4.1.12, and 3.2.22. dd0bf63d3e [4.2.x] Added warning about flatpages and untrusted users. fec4ed0a25 [4.2.x] Refs #34320 -- Skipped SchemaTests.test_rename_field_with_check_to_truncated_name on MariaBD 10.5.2+. a148461f1f [4.2.x] Fixed #34840 -- Avoided casting string base fields on PostgreSQL. b08f53ff46 [4.2.x] Refs #34808 -- Doc'd that aggregation functions on empty groups can return None. c70f08c4aa [4.2.x] Added updating the Django release process on Trac to release steps. d485aa2732 [4.2.x] Fixed typo in docs/howto/custom-file-storage.txt. ff26e6ad84 [4.2.x] Corrected QuerySet.prefetch_related() note about GenericRelation(). 866122690d [4.2.x] Doc'd HttpResponse.cookies. 97e8a2afb1 [4.2.x] Fixed #34821 -- Prevented DEFAULT_FILE_STORAGE/STATICFILES_STORAGE settings from mutating the main STORAGES. 39cb3b08bc [4.2.x] Bumped checkout version in Github actions configuration. 592ebd8920 [4.2.x] Added stub release notes for 4.2.6. a1dd785139 [4.2.x] Added CVE-2023-41164 to security archive. a9686cb871 [4.2.x] Post-release version bump. Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.7/ Signed-off-by: Narpat Mali --- .../{python3-django_4.2.5.bb => python3-django_4.2.7.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta-python/recipes-devtools/python/{python3-django_4.2.5.bb => python3-django_4.2.7.bb} (61%) diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.5.bb b/meta-python/recipes-devtools/python/python3-django_4.2.7.bb similarity index 61% rename from meta-python/recipes-devtools/python/python3-django_4.2.5.bb rename to meta-python/recipes-devtools/python/python3-django_4.2.7.bb index 7b81d427c4..580592d702 100644 --- a/meta-python/recipes-devtools/python/python3-django_4.2.5.bb +++ b/meta-python/recipes-devtools/python/python3-django_4.2.7.bb @@ -1,7 +1,7 @@ require python-django.inc inherit setuptools3 -SRC_URI[sha256sum] = "5e5c1c9548ffb7796b4a8a4782e9a2e5a3df3615259fc1bfd3ebc73b646146c1" +SRC_URI[sha256sum] = "8e0f1c2c2786b5c0e39fe1afce24c926040fad47c8ea8ad30aaf1188df29fc41" RDEPENDS:${PN} += "\ ${PYTHON_PN}-sqlparse \ @@ -9,5 +9,5 @@ RDEPENDS:${PN} += "\ # Set DEFAULT_PREFERENCE so that the LTS version of django is built by # default. To build the 4.x branch, -# PREFERRED_VERSION_python3-django = "4.2.5" can be added to local.conf +# PREFERRED_VERSION_python3-django = "4.2.7" can be added to local.conf DEFAULT_PREFERENCE = "-1"