pkgsrc-Changes archive


CVS commit: pkgsrc/www/py-django4



Module Name:    pkgsrc
Committed By:   adam
Date:           Mon Jun  9 10:21:01 UTC 2025

Modified Files:
        pkgsrc/www/py-django4: Makefile distinfo

Log Message:
py-django4: updated to 4.2.22

Django 4.2.22 fixes a security issue with severity “low” in 4.2.21.

CVE-2025-48432: Potential log injection via unescaped request path

Internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals.

Although this does not directly impact Django’s security model, it poses risks when logs are consumed or interpreted by other tools. To fix this, the internal django.utils.log.log_response() function now escapes all positional formatting arguments using a safe encoding.


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 pkgsrc/www/py-django4/Makefile
cvs rdiff -u -r1.12 -r1.13 pkgsrc/www/py-django4/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/py-django4/Makefile
diff -u pkgsrc/www/py-django4/Makefile:1.16 pkgsrc/www/py-django4/Makefile:1.17
--- pkgsrc/www/py-django4/Makefile:1.16 Sat May 10 18:21:51 2025
+++ pkgsrc/www/py-django4/Makefile      Mon Jun  9 10:21:01 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.16 2025/05/10 18:21:51 adam Exp $
+# $NetBSD: Makefile,v 1.17 2025/06/09 10:21:01 adam Exp $
 
-DISTNAME=      django-4.2.21
+DISTNAME=      django-4.2.22
 PKGNAME=       ${PYPKGPREFIX}-${DISTNAME}
 CATEGORIES=    www python
 MASTER_SITES=  https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/
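Review bot: Check for a leftover PKGREVISION below the lines shown, since this hunk covers only the first six lines of the Makefile and a version bump on the DISTNAME line should drop it if one is present. MASTER_SITES needs no matching edit because its release directory is derived from ${PKGVERSION_NOREV:R}, so the fetch URL follows the move from django-4.2.21 to django-4.2.22 on its own.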

Index: pkgsrc/www/py-django4/distinfo
diff -u pkgsrc/www/py-django4/distinfo:1.12 pkgsrc/www/py-django4/distinfo:1.13
--- pkgsrc/www/py-django4/distinfo:1.12 Sat May 10 18:21:51 2025
+++ pkgsrc/www/py-django4/distinfo      Mon Jun  9 10:21:01 2025
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.12 2025/05/10 18:21:51 adam Exp $
+$NetBSD: distinfo,v 1.13 2025/06/09 10:21:01 adam Exp $
 
-BLAKE2s (django-4.2.21.tar.gz) = e8052ea52deb286076f4498f2e3b999a7474def1c4ed99024dd37ef416e7cd23
-SHA512 (django-4.2.21.tar.gz) = 762201e56fff658b90d715545ba52420682f5382ebcb38602f25b921c82bce3877dcc54d07578c3b5bfcef62d5ce7836f19b7d638bb3230a5ca4987cc6e70f8e
-Size (django-4.2.21.tar.gz) = 10424638 bytes
+BLAKE2s (django-4.2.22.tar.gz) = dd501fb5a161fb9f453a1b4bbaec329ff79f2e2b7b10ca1e43ee7b3f646b109b
+SHA512 (django-4.2.22.tar.gz) = e008b87b5d8398e447cd35871693f3acd449452127fede1e965a93be412f9f4afb9236ee988c9469635065f644e2ae55bee4fbf6eb050fa12a5ed68d24224a01
+Size (django-4.2.22.tar.gz) = 10427236 bytes
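Review bot: The new BLAKE2s, SHA512 and Size lines are consistent with each other in naming django-4.2.22.tar.gz, but nothing in the hunk ties them to upstream, so the fetched tarball should be checked against the checksums the Django project publishes for the release before these digests are trusted. That matters more than usual here because the commit message describes this as a security release and the recorded digests become the reference for every later fetch.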


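The log forgery described in the commit message above (CVE-2025-48432), shown next to an escaped variant, as an added example that is not Django's or pkgsrc's code. The helper names, the log format and the sample path are constructed for illustration, and `unicode_escape` is assumed here as one safe encoding for the arguments.

```python
import io
import logging


def escape_args(args):
    """Escape control characters in string arguments before they are formatted."""
    return tuple(
        a.encode("unicode_escape").decode("ascii") if isinstance(a, str) else a
        for a in args
    )


def log_unescaped(logger, message, *args):
    # Behaviour the commit message describes for 4.2.21: the path is logged verbatim.
    logger.warning(message, *args)


def log_escaped(logger, message, *args):
    # Hardened variant: every positional formatting argument is escaped first.
    logger.warning(message, *escape_args(args))


def capture(log_fn, path):
    """Run one logging call against an in-memory handler and return the log lines."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.Logger("demo.request")  # standalone logger, no global config
    logger.addHandler(handler)
    log_fn(logger, "Not Found: %s", path)
    return stream.getvalue().splitlines()


# Constructed sample: a decoded request path carrying a newline and an ANSI escape.
FORGED_PATH = "/missing\nINFO Login succeeded for admin \x1b[2K"

if __name__ == "__main__":
    for fn in (log_unescaped, log_escaped):
        print(fn.__name__, capture(fn, FORGED_PATH))
```

A line-oriented log consumer sees two records from the unescaped call and one from the escaped call, which is the property to check for in any custom handler that formats request data.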
