CVS commit: pkgsrc/www/py-django

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/www/py-django
From: "Adam Ciarcinski" <adam%netbsd.org@localhost>
Date: Thu, 4 Jun 2026 09:19:59 +0000

Module Name:    pkgsrc
Committed By:   adam
Date:           Thu Jun  4 09:19:59 UTC 2026

Modified Files:
        pkgsrc/www/py-django: Makefile distinfo

Log Message:
py-django: updated to 6.0.6

Django 6.0.6 fixes five security issues with severity “low” and one bug in 6.0.5.

CVE-2026-6873: Signed cookie salt namespace collision

get_signed_cookie() derived the signing salt by concatenating the cookie name (key) and salt arguments. When distinct name and salt pairs produced the same concatenation, cookies could be accepted in 
a context different from the one where they were signed.

Cookies are now signed with an unambiguous salt derivation. For backwards compatibility, cookies signed by older Django versions are accepted until Django 7.0. Projects affected by the above 
ambiguity should set SIGNED_COOKIE_LEGACY_SALT_FALLBACK to False to reject older cookies immediately.

This issue has severity “low” according to the Django security policy.

CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend

When using EMAIL_USE_TLS, a failed STARTTLS handshake could leave a partially-initialized connection that would subsequently be reused for sending email without encryption. This can occur with 
fail_silently=True, as used by send_mail() and BrokenLinkEmailsMiddleware, among others. Connections configured with EMAIL_USE_SSL are not affected.

This issue has severity “low” according to the Django security policy.

CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives

UpdateCacheMiddleware and cache_page() incorrectly cached responses marked with private Cache-Control directives when using mixed or uppercase values (e.g. Private).

The cache_control() decorator and patch_cache_control() function were not affected, since they normalize directives to lowercase. This issue only affects responses where Cache-Control is set manually.

This issue has severity “low” according to the Django security policy.

CVE-2026-35193: Potential exposure of private data via missing Vary: Authorization

UpdateCacheMiddleware and cache_page() decorator allowed responses to requests bearing an Authorization header (and without Cache-Control: public) to be cached. To conform with the existing mechanism 
for constructing cache keys, responses to these requests will now vary on Authorization.

This issue has severity “low” according to the Django security policy.

CVE-2026-48587: Potential exposure of private data via whitespace padding in Vary header

UpdateCacheMiddleware incorrectly cached responses whose Vary header values contained leading or trailing whitespace. Because has_vary_header() failed to strip that, a Vary: * header value with 
surrounding whitespace was not recognized as containing the wildcard, causing it to be stored and potentially served from the cache when it should not have been.

This issue has severity “low” according to the Django security policy.

Bugfixes

Fixed a bug in Django 6.0 where an alert message on an admin changelist with ModelAdmin.list_editable referred to the “Run” button by its previous name


To generate a diff of this commit:
cvs rdiff -u -r1.155 -r1.156 pkgsrc/www/py-django/Makefile
cvs rdiff -u -r1.127 -r1.128 pkgsrc/www/py-django/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/py-django/Makefile
diff -u pkgsrc/www/py-django/Makefile:1.155 pkgsrc/www/py-django/Makefile:1.156
--- pkgsrc/www/py-django/Makefile:1.155 Wed May 13 12:11:55 2026
+++ pkgsrc/www/py-django/Makefile       Thu Jun  4 09:19:59 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.155 2026/05/13 12:11:55 adam Exp $
+# $NetBSD: Makefile,v 1.156 2026/06/04 09:19:59 adam Exp $
 
-DISTNAME=      django-6.0.5
+DISTNAME=      django-6.0.6
 PKGNAME=       ${PYPKGPREFIX}-${DISTNAME}
 CATEGORIES=    www python
 MASTER_SITES=  https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/

Index: pkgsrc/www/py-django/distinfo
diff -u pkgsrc/www/py-django/distinfo:1.127 pkgsrc/www/py-django/distinfo:1.128
--- pkgsrc/www/py-django/distinfo:1.127 Wed May 13 12:11:55 2026
+++ pkgsrc/www/py-django/distinfo       Thu Jun  4 09:19:59 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.127 2026/05/13 12:11:55 adam Exp $
+$NetBSD: distinfo,v 1.128 2026/06/04 09:19:59 adam Exp $
 
-BLAKE2s (django-6.0.5.tar.gz) = c5ea9c19450258dca6506201e6e0a20ab62eaed36bbf6d4dfa6e8bdfc79a1338
-SHA512 (django-6.0.5.tar.gz) = c8f06e11217a1ec5a089646c9d3581cbda7c0d1178cdad3547e0d8a3444bd78a093ecea04deebd2d15f6179f43cf9e427385e28ca310de56b8cd7310e3fcb260
-Size (django-6.0.5.tar.gz) = 10924131 bytes
+BLAKE2s (django-6.0.6.tar.gz) = d61586d8458be72e2d9d90d31d55a0024cabc9d7c7779d7416473d68c69ec43d
+SHA512 (django-6.0.6.tar.gz) = 0e8d651d2efa1c368b2177ae48e3a3e17656ab28d1655a3b561acac88558c1db66160461e79b2ef6d589fb589e1afa90e63c5f51d28a215c4abb91de1299f01b
+Size (django-6.0.6.tar.gz) = 10905525 bytes

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc/www/py-django5
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/www/py-django5
Indexes:

Home | Main Index | Thread Index | Old Index