pkgsrc-Changes archive
CVS commit: pkgsrc/www/py-django
Module Name: pkgsrc
Committed By: adam
Date: Wed May 13 12:11:55 UTC 2026
Modified Files:
pkgsrc/www/py-django: Makefile distinfo
Log Message:
py-django: updated to 6.0.5
6.0.5
Django 6.0.5 fixes three security issues with severity “low” and several bugs in 6.0.4.
CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
ASGI requests with a missing or understated Content-Length header could bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.
As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.
This issue has severity “low” according to the Django security policy.
CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
Response headers did not vary on cookies if a session was not modified, but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a user’s session after that user visits a cached public page.
This issue has severity “low” according to the Django security policy.
CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
Previously, UpdateCacheMiddleware would erroneously cache requests where the Vary header contained an asterisk ('*'). This could lead to private data being stored and served.
This issue has severity “low” according to the Django security policy.
Bugfixes
Fixed a misplaced </div> in the django/contrib/admin/templates/admin/change_list.html template added in Django 6.0 that could be problematic when overriding the pagination block.
Fixed a bug in Django 6.0 where deprecation warnings incorrectly skipped lines from third-party packages prefixed with “django”.
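The three fixes in the 6.0.5 log above, modelled as an added example that is not Django's code and not part of the commit: a Python toy of the upload spill-to-disk decision (bytes received vs. declared Content-Length), the session middleware's Vary: Cookie handling with the vulnerable and fixed variants side by side, and a shared cache that refuses to store a Vary: * response. Every function name, ToyPublicCache and the sample bodies and headers are assumptions constructed for the demonstration; IN_MEMORY_LIMIT mirrors the documented FILE_UPLOAD_MAX_MEMORY_SIZE default.

```python
"""Constructed toy models of the three Django 6.0.5 fixes. Added example, not
Django's code: names, ToyPublicCache and sample data are assumptions."""
import tempfile

IN_MEMORY_LIMIT = 2_621_440  # Django's documented FILE_UPLOAD_MAX_MEMORY_SIZE default

# CVE-2026-5766: decide memory-vs-disk from bytes actually received, never from
# the client-supplied Content-Length.
def spool_by_declared_length(chunks, declared_length, limit=IN_MEMORY_LIMIT):
    """Vulnerable: a missing (None) or understated Content-Length keeps any body in memory."""
    body = b"".join(chunks)
    return ("memory" if (declared_length or 0) <= limit else "disk"), len(body)

def spool_by_received_bytes(chunks, limit=IN_MEMORY_LIMIT):
    """Hardened: roll over to a temp file once buffered bytes would exceed the limit."""
    buf, disk, total = bytearray(), None, 0
    for chunk in chunks:
        total += len(chunk)
        if disk is not None:
            disk.write(chunk)
        elif len(buf) + len(chunk) > limit:
            disk = tempfile.TemporaryFile()
            disk.write(buf)
            disk.write(chunk)
            buf = bytearray()
        else:
            buf += chunk
    if disk is None:
        return "memory", total
    disk.close()
    return "disk", total

# CVE-2026-35192: vary on Cookie whenever the session cookie is (re)issued,
# not only when the session data changed.
def patch_vary_headers(headers, new_names):
    """Merge names into Vary case-insensitively; '*' absorbs everything. Returns headers."""
    existing = [v.strip() for v in headers.get("Vary", "").split(",") if v.strip()]
    new_names = list(new_names)
    if "*" in existing or "*" in new_names:
        headers["Vary"] = "*"
        return headers
    seen = {v.lower() for v in existing}
    for name in new_names:
        if name.lower() not in seen:
            existing.append(name)
            seen.add(name.lower())
    headers["Vary"] = ", ".join(existing)
    return headers

def session_response(headers, accessed, modified, save_every_request, fixed=True):
    """Toy session middleware; the vulnerable variant varies on Cookie only when accessed."""
    reissue = modified or save_every_request
    if accessed or (fixed and reissue):
        patch_vary_headers(headers, ["Cookie"])
    if reissue:
        headers["Set-Cookie"] = "sessionid=victim-session; HttpOnly; Path=/"
    return headers

# CVE-2026-6907: Vary: * means only the origin can pick the right representation
# (RFC 9111 section 4.1), so a shared cache must not store such a response.
def shared_cache_may_store(headers):
    if "*" in [v.strip() for v in headers.get("Vary", "").split(",")]:
        return False
    cache_control = headers.get("Cache-Control", "").lower()
    return "private" not in cache_control and "no-store" not in cache_control

class ToyPublicCache:
    """Shared cache keyed on path plus the request headers named in Vary."""
    def __init__(self):
        self.vary_for = {}  # path -> Vary value of the stored response
        self.entries = {}   # (path, varied request values) -> response headers

    def _key(self, path, request_headers, vary):
        names = [v.strip().lower() for v in vary.split(",") if v.strip()]
        return path, tuple(request_headers.get(n, "") for n in names)

    def store(self, path, request_headers, response_headers):
        if not shared_cache_may_store(response_headers):
            return False
        vary = response_headers.get("Vary", "")
        self.vary_for[path] = vary
        self.entries[self._key(path, request_headers, vary)] = dict(response_headers)
        return True

    def lookup(self, path, request_headers):
        vary = self.vary_for.get(path)
        if vary is None:
            return None
        return self.entries.get(self._key(path, request_headers, vary))

def cookie_leaks_via_cache(fixed):
    """True when a later cookieless visitor is served the first visitor's Set-Cookie."""
    cache = ToyPublicCache()
    response = session_response({"Content-Type": "text/html"}, accessed=False,
                                modified=False, save_every_request=True, fixed=fixed)
    cache.store("/public-page", {"cookie": "sessionid=victim-session"}, response)
    hit = cache.lookup("/public-page", {})
    return hit is not None and "Set-Cookie" in hit
```

cookie_leaks_via_cache(fixed=False) returns True and fixed=True returns False, which is CVE-2026-35192 in miniature: the only thing that stops a shared cache from handing one visitor's Set-Cookie to the next is a Vary: Cookie on the response. The two spool functions show why the reminder in the log about a web-server-level limit still applies after the fix: even the hardened reader accepts a body of any size, it merely keeps it off the heap, so the total must be capped in front of the application.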
To generate a diff of this commit:
cvs rdiff -u -r1.154 -r1.155 pkgsrc/www/py-django/Makefile
cvs rdiff -u -r1.126 -r1.127 pkgsrc/www/py-django/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/py-django/Makefile
diff -u pkgsrc/www/py-django/Makefile:1.154 pkgsrc/www/py-django/Makefile:1.155
--- pkgsrc/www/py-django/Makefile:1.154 Wed Apr 22 07:25:39 2026
+++ pkgsrc/www/py-django/Makefile Wed May 13 12:11:55 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.154 2026/04/22 07:25:39 adam Exp $
+# $NetBSD: Makefile,v 1.155 2026/05/13 12:11:55 adam Exp $
-DISTNAME= django-6.0.4
+DISTNAME= django-6.0.5
PKGNAME= ${PYPKGPREFIX}-${DISTNAME}
CATEGORIES= www python
MASTER_SITES= https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/
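Review bot: only DISTNAME moves from django-6.0.4 to django-6.0.5 in this hunk, so the version string alone carries the fix and nothing in the package records the three CVEs the log message lists; make sure matching entries land in pkg-vulnerabilities so that `pkg_admin audit` flags installed py-django older than 6.0.5, since the Makefile bump by itself does not. The unchanged MASTER_SITES line still resolves correctly: `${PKGVERSION_NOREV:R}` strips the patch component, so the fetch path stays under the 6.0 release directory for 6.0.5.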
Index: pkgsrc/www/py-django/distinfo
diff -u pkgsrc/www/py-django/distinfo:1.126 pkgsrc/www/py-django/distinfo:1.127
--- pkgsrc/www/py-django/distinfo:1.126 Wed Apr 22 07:25:39 2026
+++ pkgsrc/www/py-django/distinfo Wed May 13 12:11:55 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.126 2026/04/22 07:25:39 adam Exp $
+$NetBSD: distinfo,v 1.127 2026/05/13 12:11:55 adam Exp $
-BLAKE2s (django-6.0.4.tar.gz) = 7fc67ae236c004c6c2e9b53080f8f26866321a6d5fd8cbb19e5831bb80fbfbea
-SHA512 (django-6.0.4.tar.gz) = 3a750cd96d5f7655d67adad0ead1079f350b4874234e8163c85155a757900119cc0070679b84ec838e9416cf61e3f2199b7a3a88e886cfc67a85d00e53ce5551
-Size (django-6.0.4.tar.gz) = 10907407 bytes
+BLAKE2s (django-6.0.5.tar.gz) = c5ea9c19450258dca6506201e6e0a20ab62eaed36bbf6d4dfa6e8bdfc79a1338
+SHA512 (django-6.0.5.tar.gz) = c8f06e11217a1ec5a089646c9d3581cbda7c0d1178cdad3547e0d8a3444bd78a093ecea04deebd2d15f6179f43cf9e427385e28ca310de56b8cd7310e3fcb260
+Size (django-6.0.5.tar.gz) = 10924131 bytes
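Review bot: all three digest lines for django-6.0.5.tar.gz (BLAKE2s, SHA512 and Size) are replaced together, so the entry is internally complete, but the commit records nothing about how the new digests were verified; for a security release it is worth confirming the tarball against the checksum file upstream publishes alongside each release before trusting what the mirror served, since distinfo only pins whatever was downloaded. The Size growth from 10907407 to 10924131 bytes is in line with a patch release.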