CVS commit: pkgsrc/www/py-django4

["Adam Ciarcinski" <adam%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   adam
Date:           Thu Jul 11 18:52:42 UTC 2024

Modified Files:
        pkgsrc/www/py-django4: Makefile distinfo

Log Message:
py-django4: updated to 4.2.14

Django 4.2.14 fixes two security issues with severity “moderate” and two security issues with severity “low” in 4.2.13.

CVE-2024-38875: Potential denial-of-service vulnerability in django.utils.html.urlize()

urlize and urlizetrunc were subject to a potential denial-of-service attack via certain inputs with a very large number of brackets.

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords

The authenticate() method allowed remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords.

CVE-2024-39330: Potential directory-traversal via Storage.save()

Derived classes of the Storage base class which override generate_filename() without replicating the file path validations existing in the parent class, allowed for potential directory-traversal via 
certain inputs when calling save().

Built-in Storage sub-classes were not affected by this vulnerability.

CVE-2024-39614: Potential denial-of-service vulnerability in get_supported_language_variant()

get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.

To mitigate this vulnerability, the language code provided to get_supported_language_variant() is now parsed up to a maximum length of 500 characters.

When the language code is over 500 characters, a ValueError will now be raised if strict is True, or if there is no generic variant and strict is False.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 pkgsrc/www/py-django4/Makefile \
    pkgsrc/www/py-django4/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/py-django4/Makefile
diff -u pkgsrc/www/py-django4/Makefile:1.4 pkgsrc/www/py-django4/Makefile:1.5
--- pkgsrc/www/py-django4/Makefile:1.4  Tue May  7 18:17:40 2024
+++ pkgsrc/www/py-django4/Makefile      Thu Jul 11 18:52:42 2024
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.4 2024/05/07 18:17:40 adam Exp $
+# $NetBSD: Makefile,v 1.5 2024/07/11 18:52:42 adam Exp $
 
-DISTNAME=      Django-4.2.13
+DISTNAME=      Django-4.2.14
 PKGNAME=       ${PYPKGPREFIX}-${DISTNAME:tl}
 CATEGORIES=    www python
 MASTER_SITES=  https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/
Index: pkgsrc/www/py-django4/distinfo
diff -u pkgsrc/www/py-django4/distinfo:1.4 pkgsrc/www/py-django4/distinfo:1.5
--- pkgsrc/www/py-django4/distinfo:1.4  Tue May  7 18:17:40 2024
+++ pkgsrc/www/py-django4/distinfo      Thu Jul 11 18:52:42 2024
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.4 2024/05/07 18:17:40 adam Exp $
+$NetBSD: distinfo,v 1.5 2024/07/11 18:52:42 adam Exp $
 
-BLAKE2s (Django-4.2.13.tar.gz) = edcab706bf344ea205856508172edae5664bf642e49e90a622ad1861d0287861
-SHA512 (Django-4.2.13.tar.gz) = 2d141e2d710dbd55999db9c7005ca4a8d291dad57f0ef246eb41d4ffed76e62035b36969c5f338c3158ccd2d1677eb23de0b8f783606b4c62a3ee45e8988b712
-Size (Django-4.2.13.tar.gz) = 10430886 bytes
+BLAKE2s (Django-4.2.14.tar.gz) = 14af6fd8c35a6e6a65d3ddfa1eb964c3ad76b51c5528cab20ee28070353ae7d1
+SHA512 (Django-4.2.14.tar.gz) = 2663454c48f57a441d1620faad30ac25750d1e71bf34eddbdef3e6d8dd208913752ab657447ffea5e9d3a0676a4a4d501fa88a40a0ca0fd361df0782a6b3306b
+Size (Django-4.2.14.tar.gz) = 10432993 bytes