pkgsrc-Changes archive
CVS commit: pkgsrc/www/py-django
Module Name: pkgsrc
Committed By: adam
Date: Mon Jun 9 10:20:19 UTC 2025
Modified Files:
pkgsrc/www/py-django: Makefile distinfo
Log Message:
py-django: updated to 5.2.2
Django 5.2.2 fixes a security issue with severity “low” and several bugs in 5.2.1.
CVE-2025-48432: Potential log injection via unescaped request path
Internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals.
Although this does not directly impact Django’s security model, it poses risks when logs are consumed or interpreted by other tools. To fix this, the internal django.utils.log.log_response() function now escapes all positional formatting arguments using a safe encoding.
Bugfixes
Fixed a crash when using select_related against a ForeignObject originating from a model with a CompositePrimaryKey
Fixed a bug in Django 5.2 where subqueries using "pk" to reference models with a CompositePrimaryKey failed to raise ValueError when too many or too few columns were selected
Fixed a regression in Django 5.2 that caused a crash when no arguments were passed into QuerySet.union()
Fixed a regression in Django 5.2 where subclasses of RemoteUserMiddleware that had overridden process_request() were no longer supported
Fixed a regression in Django 5.2 that caused a crash when using OuterRef in the filter argument of an Aggregate expression
Fixed a regression in Django 5.2 that caused a crash when using OuterRef in PostgreSQL aggregate functions ArrayAgg, StringAgg, and JSONBAgg
Fixed a regression in Django 5.2 where admin’s filter_horizontal buttons lacked type="button", causing them to intercept form submission when pressing the Enter key
Fixed a bug in Django 5.2 where calling QuerySet.in_bulk() with an id_list argument on models with a CompositePrimaryKey failed to observe database parameter limits
Fixed a bug in Django 5.2 where HttpRequest.get_preferred_type() did not account for media type parameters in Accept headers, reducing specificity in content negotiation
Fixed a regression in Django 5.2 that caused a crash when using QuerySet.prefetch_related() to prefetch a foreign key with a Prefetch queryset for a subclass of the foreign target
To generate a diff of this commit:
cvs rdiff -u -r1.143 -r1.144 pkgsrc/www/py-django/Makefile
cvs rdiff -u -r1.116 -r1.117 pkgsrc/www/py-django/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/py-django/Makefile
diff -u pkgsrc/www/py-django/Makefile:1.143 pkgsrc/www/py-django/Makefile:1.144
--- pkgsrc/www/py-django/Makefile:1.143 Sat May 10 18:20:17 2025
+++ pkgsrc/www/py-django/Makefile Mon Jun 9 10:20:19 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.143 2025/05/10 18:20:17 adam Exp $
+# $NetBSD: Makefile,v 1.144 2025/06/09 10:20:19 adam Exp $
-DISTNAME= django-5.2.1
+DISTNAME= django-5.2.2
PKGNAME= ${PYPKGPREFIX}-${DISTNAME}
CATEGORIES= www python
MASTER_SITES= https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/
@@ -19,7 +19,6 @@ USE_LANGUAGES= # none
PYTHON_VERSIONS_INCOMPATIBLE= 39
-WHEEL_NAME= ${DISTNAME:tl}
REPLACE_PYTHON+= django/conf/project_template/manage.py-tpl
post-install:
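Review bot: the removal of `WHEEL_NAME= ${DISTNAME:tl}` in this second Makefile hunk is not covered by the log message, which only describes the 5.2.2 version bump and the upstream fixes. Please add a line to the log saying why the override is no longer needed, and confirm the package still builds and installs with the default wheel name, since nothing else in this commit shows that the lower-cased name is no longer required.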
Index: pkgsrc/www/py-django/distinfo
diff -u pkgsrc/www/py-django/distinfo:1.116 pkgsrc/www/py-django/distinfo:1.117
--- pkgsrc/www/py-django/distinfo:1.116 Sat May 10 18:20:17 2025
+++ pkgsrc/www/py-django/distinfo Mon Jun 9 10:20:19 2025
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.116 2025/05/10 18:20:17 adam Exp $
+$NetBSD: distinfo,v 1.117 2025/06/09 10:20:19 adam Exp $
-BLAKE2s (django-5.2.1.tar.gz) = 8f6d12e1421266096fb0863efb272205ca7660ee622e8b52ad6f052b4b5d1df5
-SHA512 (django-5.2.1.tar.gz) = b97fc3221f2bcb499e2f55ea5fa8da61da9062266255a31e8d0a54afb7a41ea049dbe4b370ad7e8ca3b5105ab1d5a15f1fe3e48af4251590d27bc032fef17d25
-Size (django-5.2.1.tar.gz) = 10818735 bytes
+BLAKE2s (django-5.2.2.tar.gz) = 148f8a80179154d85149ecb2a56c954fbb84855f1914f89c01cf33e61e215724
+SHA512 (django-5.2.2.tar.gz) = b4d5be87bd0daf68df76e2f79781b72dc7cbe372148edd83aa1ab9ffbbda8785ee85e63309a06ea454d233ce23972ae51213680dcdd9824177cef8c3285ec439
+Size (django-5.2.2.tar.gz) = 10827542 bytes
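The log injection described under CVE-2025-48432 in the log message, shown as an added example that is not part of this commit or Django's own code: the same record is logged with and without escaping of string arguments. The logger name, message format and request path are constructed, and `unicode_escape` is assumed here as the safe encoding.

```python
import io
import logging

# Constructed sample: a request path carrying a newline and an ANSI escape.
FORGED_PATH = "/nope\nERROR Internal Server Error: /admin/\x1b[31m"
MESSAGE = "%s: %s"  # constructed format: reason phrase, then request path


def escape_args(args):
    """Escape str arguments so control characters are logged as visible text."""
    return tuple(
        a.encode("unicode_escape").decode("ascii") if isinstance(a, str) else a
        for a in args
    )


def render(message, *args, escape):
    """Emit one WARNING record to an in-memory handler and return its text."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("demo.request")  # hypothetical logger name
    logger.propagate = False
    logger.setLevel(logging.WARNING)
    logger.addHandler(handler)
    try:
        logger.warning(message, *(escape_args(args) if escape else args))
    finally:
        logger.removeHandler(handler)
    return stream.getvalue()


def record_lines(text):
    """Lines a line-oriented log consumer would treat as separate records."""
    return text.splitlines()


if __name__ == "__main__":
    for escape in (False, True):
        out = render(MESSAGE, "Not Found", FORGED_PATH, escape=escape)
        print(f"escape={escape}: {len(record_lines(out))} line(s)")
        for line in record_lines(out):
            print("   ", repr(line))
```

Without escaping, a line-oriented consumer sees a second record at ERROR level that the application never emitted; with escaping, the path stays on one line with `\n` and `\x1b` rendered as literal text.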