pkgsrc-Changes archive
CVS commit: pkgsrc/www/py-django4
Module Name: pkgsrc
Committed By: adam
Date: Mon Feb 16 12:34:49 UTC 2026
Modified Files:
pkgsrc/www/py-django4: Makefile distinfo
Removed Files:
pkgsrc/www/py-django4: MESSAGE
Log Message:
py-django4: updated to 4.2.28
Django 4.2.28 fixes three security issues with severity “high”, two security issues with severity “moderate”, and one security issue with severity “low” in 4.2.27.
CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler
The django.contrib.auth.handlers.modwsgi.check_password() function for authentication via mod_wsgi allowed remote attackers to enumerate users via a timing attack.
This issue has severity “low” according to the Django security policy.
CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI
When receiving duplicates of a single header, ASGIRequest allowed a remote attacker to cause a potential denial-of-service via a specifically created request with multiple duplicate headers. The vulnerability resulted from repeated string concatenation while combining repeated headers, which produced super-linear computation resulting in service degradation or outage.
This issue has severity “moderate” according to the Django security policy.
CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
Raster lookups on GIS fields (only implemented on PostGIS) were subject to SQL injection if untrusted data was used as a band index.
As a reminder, all untrusted user input should be validated before use.
This issue has severity “high” according to the Django security policy.
CVE-2026-1285: Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods
django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and the truncatechars_html and truncatewords_html template filters were subject to a potential denial-of-service attack via certain inputs with a large number of unmatched HTML end tags, which could cause quadratic time complexity during HTML parsing.
This issue has severity “moderate” according to the Django security policy.
CVE-2026-1287: Potential SQL injection in column aliases via control characters
FilteredRelation was subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias().
This issue has severity “high” according to the Django security policy.
CVE-2026-1312: Potential SQL injection via QuerySet.order_by and FilteredRelation
QuerySet.order_by() was subject to SQL injection in column aliases containing periods when the same alias was, using a suitably crafted dictionary, with dictionary expansion, used in FilteredRelation.
To generate a diff of this commit:
cvs rdiff -u -r1.2 -r0 pkgsrc/www/py-django4/MESSAGE
cvs rdiff -u -r1.22 -r1.23 pkgsrc/www/py-django4/Makefile
cvs rdiff -u -r1.18 -r1.19 pkgsrc/www/py-django4/distinfo
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/py-django4/Makefile
diff -u pkgsrc/www/py-django4/Makefile:1.22 pkgsrc/www/py-django4/Makefile:1.23
--- pkgsrc/www/py-django4/Makefile:1.22 Tue Dec 2 20:39:23 2025
+++ pkgsrc/www/py-django4/Makefile Mon Feb 16 12:34:49 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.22 2025/12/02 20:39:23 adam Exp $
+# $NetBSD: Makefile,v 1.23 2026/02/16 12:34:49 adam Exp $
-DISTNAME= django-4.2.27
+DISTNAME= django-4.2.28
PKGNAME= ${PYPKGPREFIX}-${DISTNAME}
CATEGORIES= www python
MASTER_SITES= https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/
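Review bot: The log message does not explain why MESSAGE is removed (it is listed under Removed Files above, with its `-r1.2 -r0` rdiff), while this hunk itself only bumps DISTNAME from django-4.2.27 to django-4.2.28; a one-line note in the log on what the MESSAGE text said and why it no longer applies to 4.2.28 would help anyone auditing the install-time notices. The rest of the hunk needs no change: MASTER_SITES is derived from `${PKGVERSION_NOREV:R}`, so the 4.2.x release directory continues to resolve correctly for the new DISTNAME, and no PKGREVISION is present that would need resetting.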
Index: pkgsrc/www/py-django4/distinfo
diff -u pkgsrc/www/py-django4/distinfo:1.18 pkgsrc/www/py-django4/distinfo:1.19
--- pkgsrc/www/py-django4/distinfo:1.18 Tue Dec 2 20:39:23 2025
+++ pkgsrc/www/py-django4/distinfo Mon Feb 16 12:34:49 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.18 2025/12/02 20:39:23 adam Exp $
+$NetBSD: distinfo,v 1.19 2026/02/16 12:34:49 adam Exp $
-BLAKE2s (django-4.2.27.tar.gz) = c7d846d083b39047d66bb965131f43c0f6e6536a61da4d6fc432c7a2a223502b
-SHA512 (django-4.2.27.tar.gz) = 8bb5e63ef13066aa8ee051ba2b7914f3c848f9c7406f2f53dd1fbaedf1ad752d342ea670485d81969d2b60a42dea2c6064065431e1415e408a7da026785e8ff1
-Size (django-4.2.27.tar.gz) = 10432781 bytes
+BLAKE2s (django-4.2.28.tar.gz) = 822aefc2ee1fb645123ecb36abf7be72314d162fc2a7a16628771dbb55d5b39a
+SHA512 (django-4.2.28.tar.gz) = 7d7e33d8bb08aed5d6f500058989b70cb0a4a7e81bf0c49e2da8f627885d0f7d408c40fed521ba500fef871091eecf80ebac662672573128a06006f77f7cfd1d
+Size (django-4.2.28.tar.gz) = 10464933 bytes
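Review bot: All three distinfo fields (BLAKE2s, SHA512, Size) are replaced together for the renamed distfile, which is the consistency this hunk needs; what is missing is a statement in the log message of how the new checksums were obtained, since this hunk is the supply-chain anchor for a security update. Recording that the tarball was fetched from the MASTER_SITES URL in the Makefile and that its digest was compared against an independent upstream source, rather than only taken from the local download, makes the fix auditable later.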