pkgsrc-Changes archive
CVS commit: pkgsrc/www/py-django
Module Name: pkgsrc
Committed By: adam
Date: Tue Dec 2 20:37:46 UTC 2025
Modified Files:
pkgsrc/www/py-django: Makefile distinfo
Log Message:
py-django: updated to 5.2.9
Django 5.2.9 fixes one security issue with severity “high”, one security issue with severity “moderate”, and several bugs in 5.2.8.
CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL.
CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
XML Serialization was subject to a potential denial-of-service attack due to quadratic time complexity when deserializing crafted documents containing many nested invalid elements. The internal helper django.core.serializers.xml_serializer.getInnerText() previously accumulated inner text inefficiently during recursion. It now collects text per element, avoiding excessive resource usage.
Bugfixes
Fixed a bug in Django 5.2 where django.utils.feedgenerator.Stylesheet.__str__() did not escape the url, mimetype, and media attributes, potentially leading to invalid XML markup.
Fixed a bug in Django 5.2 on PostgreSQL where bulk_create() did not apply a field’s custom query placeholders.
Fixed a regression in Django 5.2.2 that caused a crash when using aggregate functions with an empty Q filter over a queryset with annotations.
Fixed a regression in Django 5.2.8 where DisallowedRedirect was raised by HttpResponseRedirect and HttpResponsePermanentRedirect for URLs longer than 2048 characters. The limit is now 16384 characters.
Fixed a crash on Python 3.14+ that prevented template tag functions from being registered when their type annotations required deferred evaluation.
To generate a diff of this commit:
cvs rdiff -u -r1.151 -r1.152 pkgsrc/www/py-django/Makefile
cvs rdiff -u -r1.123 -r1.124 pkgsrc/www/py-django/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/py-django/Makefile
diff -u pkgsrc/www/py-django/Makefile:1.151 pkgsrc/www/py-django/Makefile:1.152
--- pkgsrc/www/py-django/Makefile:1.151 Tue Nov 11 10:42:37 2025
+++ pkgsrc/www/py-django/Makefile Tue Dec 2 20:37:45 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.151 2025/11/11 10:42:37 adam Exp $
+# $NetBSD: Makefile,v 1.152 2025/12/02 20:37:45 adam Exp $
-DISTNAME= django-5.2.8
+DISTNAME= django-5.2.9
PKGNAME= ${PYPKGPREFIX}-${DISTNAME}
CATEGORIES= www python
MASTER_SITES= https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/
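Review bot: at the DISTNAME line, the bump to django-5.2.9 is a security update per the log message (CVE-2025-13372 and CVE-2025-64460), yet the commit modifies only Makefile and distinfo; request a pull-up to the stable branch and check that pkg-vulnerabilities covers py-django versions before 5.2.9. MASTER_SITES is derived from ${PKGVERSION_NOREV:R}, so the fetch path needs no change for this 5.2.x bump.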
Index: pkgsrc/www/py-django/distinfo
diff -u pkgsrc/www/py-django/distinfo:1.123 pkgsrc/www/py-django/distinfo:1.124
--- pkgsrc/www/py-django/distinfo:1.123 Tue Nov 11 10:42:37 2025
+++ pkgsrc/www/py-django/distinfo Tue Dec 2 20:37:45 2025
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.123 2025/11/11 10:42:37 adam Exp $
+$NetBSD: distinfo,v 1.124 2025/12/02 20:37:45 adam Exp $
-BLAKE2s (django-5.2.8.tar.gz) = ad7c8d45a998db2c986f8c5dc65347f5abd0e783769aad14cb2b60906f4fb2ad
-SHA512 (django-5.2.8.tar.gz) = e360b69d45841c5c6068e96560621155cba5450901c0f598da226bc6fb9ea89c5a909f5568e4b492aa852006e7b00ab3528aa8f5ff6d97baa6227e7dcf8c068c
-Size (django-5.2.8.tar.gz) = 10849032 bytes
+BLAKE2s (django-5.2.9.tar.gz) = 199b4e4431837d8a0ef9dd424c166adf95ba0a2fee61e873d1d81110bc1b9bee
+SHA512 (django-5.2.9.tar.gz) = 669bb4e21b2073fd7a59971efa6d662c5bbfc05284867b562f93b6e56039b06f843726a1a964a4763458c211e238b21d1f91e70cda394d78031a2324bbf35d7f
+Size (django-5.2.9.tar.gz) = 10848762 bytes
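Review bot: the new BLAKE2s and SHA512 lines for django-5.2.9.tar.gz are the only integrity anchor for the fetched distfile, and nothing in the commit says they were compared with an independent source; verify the tarball against the release checksums upstream publishes rather than relying on a local `make makesum` of whatever was downloaded. The Size change from 10849032 to 10848762 bytes is small, as expected for a patch release.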
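The CVE-2025-64460 note in the log message describes text being accumulated inefficiently during recursion versus collected per element. The following is an added example, not part of the commit and not Django's code, that measures the difference; both functions, the cost counter and the nested sample document are constructed for illustration.

```python
from xml.dom import minidom

TEXT_TYPES = (minidom.Node.TEXT_NODE, minidom.Node.CDATA_SECTION_NODE)


def inner_text_rejoin(node, cost):
    """Recursive shape: each level joins its subtree's text into a new string.

    Text found at depth d is therefore copied d times on the way up.
    cost[0] accumulates the number of characters copied by the joins.
    """
    parts = []
    for child in node.childNodes:
        if child.nodeType in TEXT_TYPES:
            parts.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            parts.append(inner_text_rejoin(child, cost))
    text = "".join(parts)
    cost[0] += len(text)
    return text


def inner_text_collect(node, cost):
    """Linear shape: gather every text chunk once, join once at the end."""
    chunks = []
    stack = [node]
    while stack:
        cur = stack.pop()
        if cur.nodeType in TEXT_TYPES:
            chunks.append(cur.data)
        elif cur.nodeType == cur.ELEMENT_NODE:
            # Reversed so children are popped in document order.
            stack.extend(reversed(cur.childNodes))
    text = "".join(chunks)
    cost[0] += len(text)
    return text


def compare(depth):
    """Return (same_text, chars_copied_rejoin, chars_copied_collect)."""
    # Constructed input: `depth` nested elements, one character of text each.
    xml = "<a>x" * depth + "</a>" * depth
    root = minidom.parseString(xml).documentElement
    slow, fast = [0], [0]
    same = inner_text_rejoin(root, slow) == inner_text_collect(root, fast)
    return same, slow[0], fast[0]


if __name__ == "__main__":
    for d in (50, 100, 200):
        print(d, compare(d))
```

Doubling the nesting depth roughly quadruples the characters copied by the re-joining version, while the collecting version grows in step with the input.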