pkgsrc-Changes archive
CVS commit: pkgsrc/www/py-django5
Module Name: pkgsrc
Committed By: adam
Date: Wed May 13 12:12:58 UTC 2026
Modified Files:
pkgsrc/www/py-django5: Makefile distinfo
Log Message:
py-django5: updated to 5.2.14
Django 5.2.14 fixes three security issues with severity “low” in 5.2.13.
CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
ASGI requests with a missing or understated Content-Length header could bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.
As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.
This issue has severity “low” according to the Django security policy.
CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
Response headers did not vary on cookies if a session was not modified, but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a user’s session after that user visits a cached public page.
This issue has severity “low” according to the Django security policy.
CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
Previously, UpdateCacheMiddleware would erroneously cache requests where the Vary header contained an asterisk ('*'). This could lead to private data being stored and served.
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 pkgsrc/www/py-django5/Makefile \
pkgsrc/www/py-django5/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/py-django5/Makefile
diff -u pkgsrc/www/py-django5/Makefile:1.1 pkgsrc/www/py-django5/Makefile:1.2
--- pkgsrc/www/py-django5/Makefile:1.1 Wed Apr 22 07:26:16 2026
+++ pkgsrc/www/py-django5/Makefile Wed May 13 12:12:58 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.1 2026/04/22 07:26:16 adam Exp $
+# $NetBSD: Makefile,v 1.2 2026/05/13 12:12:58 adam Exp $
-DISTNAME= django-5.2.13
+DISTNAME= django-5.2.14
PKGNAME= ${PYPKGPREFIX}-${DISTNAME}
CATEGORIES= www python
MASTER_SITES= https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/
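Review bot: The DISTNAME bump from django-5.2.13 to django-5.2.14 is the only functional change in this hunk, and the log message describes it as fixing three CVEs, so it should be requested for pullup to the current stable pkgsrc branch if www/py-django5 exists there. No other line in the hunk needs to change: MASTER_SITES is derived from ${PKGVERSION_NOREV:R} and keeps pointing at the same release directory.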
Index: pkgsrc/www/py-django5/distinfo
diff -u pkgsrc/www/py-django5/distinfo:1.1 pkgsrc/www/py-django5/distinfo:1.2
--- pkgsrc/www/py-django5/distinfo:1.1 Wed Apr 22 07:26:16 2026
+++ pkgsrc/www/py-django5/distinfo Wed May 13 12:12:58 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.1 2026/04/22 07:26:16 adam Exp $
+$NetBSD: distinfo,v 1.2 2026/05/13 12:12:58 adam Exp $
-BLAKE2s (django-5.2.13.tar.gz) = 9c82d97eacc8a67c7085de27651db74468e0b2b8251ec99d773f2dfe159ecfe3
-SHA512 (django-5.2.13.tar.gz) = dfe3bcc9cf8cfcacf832e7968687605bb06590d1c77f89373bdf4228baefa857faa441e757a5bf1b7b8b75027daec86f88f5fd7a37d579f26918cdb54448581f
-Size (django-5.2.13.tar.gz) = 10890368 bytes
+BLAKE2s (django-5.2.14.tar.gz) = 585a415d15c36f680977ee4c30c2c2520508dae6a253f573d0b958b57de9dab4
+SHA512 (django-5.2.14.tar.gz) = e6e05195d4693209de15be99fc6621cc23b5a0d28fbcf2516b271274aa1637be4f55a6b607fb1c5dc8e913a78eca99d76645bce1cc71468a8dfed7e16c129a84
+Size (django-5.2.14.tar.gz) = 10895118 bytes
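Review bot: The new BLAKE2s, SHA512 and Size lines for django-5.2.14.tar.gz pin whatever tarball was fetched when the checksums were regenerated, and nothing in the hunk shows that download was compared with an independent source. Before relying on these values, check the fetched django-5.2.14.tar.gz against the release checksums the Django project publishes, since every later build will trust this distinfo entry.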