CVS commit: pkgsrc/www/py-django

["Adam Ciarcinski" <adam%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   adam
Date:           Thu Jul 11 18:51:35 UTC 2024

Modified Files:
        pkgsrc/www/py-django: Makefile distinfo

Log Message:
py-django: updated to 5.0.7

Django 5.0.7 fixes two security issues with severity “moderate”, two security issues with severity “low”, and one bug in 5.0.6.

CVE-2024-38875: Potential denial-of-service vulnerability in django.utils.html.urlize()

urlize and urlizetrunc were subject to a potential denial-of-service attack via certain inputs with a very large number of brackets.

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords

The authenticate() method allowed remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords.

CVE-2024-39330: Potential directory-traversal via Storage.save()

Derived classes of the Storage base class which override generate_filename() without replicating the file path validations existing in the parent class, allowed for potential directory-traversal via 
certain inputs when calling save().

Built-in Storage sub-classes were not affected by this vulnerability.

CVE-2024-39614: Potential denial-of-service vulnerability in get_supported_language_variant()

get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.

To mitigate this vulnerability, the language code provided to get_supported_language_variant() is now parsed up to a maximum length of 500 characters.

When the language code is over 500 characters, a ValueError will now be raised if strict is True, or if there is no generic variant and strict is False.

Bugfixes

Fixed a bug in Django 5.0 that caused a crash of Model.full_clean() on unsaved model instances with a GeneratedField and certain defined Meta.constraints.


To generate a diff of this commit:
cvs rdiff -u -r1.129 -r1.130 pkgsrc/www/py-django/Makefile
cvs rdiff -u -r1.105 -r1.106 pkgsrc/www/py-django/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/py-django/Makefile
diff -u pkgsrc/www/py-django/Makefile:1.129 pkgsrc/www/py-django/Makefile:1.130
--- pkgsrc/www/py-django/Makefile:1.129 Tue May  7 18:16:55 2024
+++ pkgsrc/www/py-django/Makefile       Thu Jul 11 18:51:35 2024
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.129 2024/05/07 18:16:55 adam Exp $
+# $NetBSD: Makefile,v 1.130 2024/07/11 18:51:35 adam Exp $
 
-DISTNAME=      Django-5.0.6
+DISTNAME=      Django-5.0.7
 PKGNAME=       ${PYPKGPREFIX}-${DISTNAME:tl}
 CATEGORIES=    www python
 MASTER_SITES=  https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/

Index: pkgsrc/www/py-django/distinfo
diff -u pkgsrc/www/py-django/distinfo:1.105 pkgsrc/www/py-django/distinfo:1.106
--- pkgsrc/www/py-django/distinfo:1.105 Tue May  7 18:16:55 2024
+++ pkgsrc/www/py-django/distinfo       Thu Jul 11 18:51:35 2024
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.105 2024/05/07 18:16:55 adam Exp $
+$NetBSD: distinfo,v 1.106 2024/07/11 18:51:35 adam Exp $
 
-BLAKE2s (Django-5.0.6.tar.gz) = cc5a5e1dee3047f4b015ec873c8f2bf9ef07e3749d758db4e32110b0cb51d1d4
-SHA512 (Django-5.0.6.tar.gz) = 6dab32357c423762a4fdd7372aec0ae4855861431fb9a90d4a818144e675cf891c0673a11351ddf8344f31624ce0ea8c9d9c6bc3c4514f38380aecb48a684894
-Size (Django-5.0.6.tar.gz) = 10639679 bytes
+BLAKE2s (Django-5.0.7.tar.gz) = c0838fb6b9a8d8c96d52d86786c784cc2198aaac3bbf4d04297a16628273e36f
+SHA512 (Django-5.0.7.tar.gz) = 29aa4cd7bfdc5c00479c9d60d988653bab76dcfd8cd553ab446f6c274f99677ccaef0571b0afdf1579215918f500d87a0b098a98452c7526e89b1ab64f00b037
+Size (Django-5.0.7.tar.gz) = 10642686 bytes