From: Haixiao Yan <[email protected]> - Fix the NameError (name '_lazy_re_compile' is not defined) that CVE-2024-27351.patch and CVE-2025-32873.patch introduced - Revert the modification to docs/releases/2.2.28.txt
Signed-off-by: Haixiao Yan <[email protected]> --- v2: Fix a typo in the title .../python3-django/CVE-2024-27351.patch | 35 ++++------------ .../python3-django/CVE-2024-39329.patch | 27 +++--------- .../python3-django/CVE-2024-39330.patch | 40 +++++------------- .../python3-django/CVE-2024-56374.patch | 42 +++++-------------- .../python3-django/CVE-2025-26699.patch | 37 +++++----------- .../python3-django/CVE-2025-32873.patch | 33 ++++----------- .../python3-django/CVE-2025-57833.patch | 33 ++++----------- 7 files changed, 59 insertions(+), 188 deletions(-) diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-27351.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-27351.patch index a341897ebe24..e23025e23db3 100644 --- a/meta-python/recipes-devtools/python/python3-django/CVE-2024-27351.patch +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-27351.patch @@ -1,4 +1,4 @@ -From 072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521 Mon Sep 17 00:00:00 2001 +From 44257057cb92c55ee3c9f66de76120c523aacbc3 Mon Sep 17 00:00:00 2001 From: Shai Berger <[email protected]> Date: Mon, 19 Feb 2024 13:56:37 +0100 Subject: [PATCH] Fixed CVE-2024-27351 -- Prevented potential ReDoS in @@ -14,16 +14,14 @@ https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521 Signed-off-by: Shai Berger <[email protected]> Co-Authored-By: Mariusz Felisiak <[email protected]> Signed-off-by: Saravanan <[email protected]> - -%% original patch: CVE-2024-27351.patch +Signed-off-by: Haixiao Yan <[email protected]> --- django/utils/text.py | 57 ++++++++++++++++++++++++++++++++-- - docs/releases/2.2.28.txt | 9 ++++++ tests/utils_tests/test_text.py | 26 ++++++++++++++++ - 3 files changed, 90 insertions(+), 2 deletions(-) + 2 files changed, 81 insertions(+), 2 deletions(-) diff --git a/django/utils/text.py b/django/utils/text.py -index 06a377b..2c4040e 100644 +index 06a377b894a2..02dd0891686b 100644 --- a/django/utils/text.py 
+++ b/django/utils/text.py @@ -15,8 +15,61 @@ def capfirst(x): @@ -43,8 +41,8 @@ index 06a377b..2c4040e 100644 +# text with only open brackets "<<<...". The class below provides the services +# and correct answers for the use cases, but in these edge cases does it much +# faster. -+re_notag = _lazy_re_compile(r"([^<>\s]+)", re.S) -+re_prt = _lazy_re_compile(r"<|([^<>\s]+)", re.S) ++re_notag = re.compile(r"([^<>\s]+)", re.S) ++re_prt = re.compile(r"<|([^<>\s]+)", re.S) + + +class WordsRegex: @@ -90,25 +88,8 @@ index 06a377b..2c4040e 100644 re_chars = re.compile(r'<[^>]+?>|(.)', re.S) re_tag = re.compile(r'<(/)?(\S+?)(?:(\s*/)|\s.*?)?>', re.S) re_newlines = re.compile(r'\r\n|\r') # Used in normalize_newlines -diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt -index c653cb6..7227452 100644 ---- a/docs/releases/2.2.28.txt -+++ b/docs/releases/2.2.28.txt -@@ -90,3 +90,12 @@ large number of Unicode characters. - In order to avoid the vulnerability, invalid values longer than - ``UsernameField.max_length`` are no longer normalized, since they cannot pass - validation anyway. -+ -+CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()`` -+========================================================================================================= -+ -+``django.utils.text.Truncator.words()`` method (with ``html=True``) and -+:tfilter:`truncatewords_html` template filter were subject to a potential -+regular expression denial-of-service attack using a suitably crafted string -+(follow up to :cve:`2019-14232` and :cve:`2023-43665`). -+ diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py -index cb3063d..7e9f2b3 100644 +index cb3063d460e0..7e9f2b3e96d5 100644 --- a/tests/utils_tests/test_text.py +++ b/tests/utils_tests/test_text.py @@ -156,6 +156,32 @@ class TestUtilsText(SimpleTestCase): 
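Review bot: The substitution of `re.compile` for `_lazy_re_compile` in `re_notag` and `re_prt` is not explained anywhere in the patch body or header, so a later rebase onto a Django that does provide `_lazy_re_compile` could silently undo it, or a rebase onto another 2.2-era tree could reintroduce the NameError. The change itself is the right form for this tree: the context lines show `re_chars`, `re_tag` and `re_newlines` already compiled eagerly with `re.compile`, so `re` is in scope and the two new patterns now behave like their neighbours. Add one line above the two patterns, `+# Backport note: this Django has no _lazy_re_compile; compiled eagerly like re_chars/re_tag below.`, or an equivalent sentence under `Upstream-Status: Backport` in the patch header. The same substitution appears in the CVE-2025-32873.patch hunk for `long_open_tag_without_closing_re` and should carry the same note.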
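Review bot: Dropping the docs/releases/2.2.28.txt hunk from each backport is not justified in the patch header, and the `Upstream-Status: Backport` line now points at an upstream commit the patch no longer mirrors in full. The removed hunks themselves show the reason worth recording: their `index` pairs chain the seven patches into one fixed application order on that file (c653cb6..7227452 here, 7227452..7096d13 in CVE-2025-26699.patch, 7096d13..0e092f0 in CVE-2024-56374.patch, and so on through 3503f38..1676bbd in CVE-2025-32873.patch), so any reorder or partial revert of the series would fail on release-notes context alone. Record that in the header, e.g. a line after `Upstream-Status: Backport`: `Release-notes hunk for docs/releases/2.2.28.txt dropped: its context tied the CVE patches to a fixed order.`. Note that CVE-2024-56374.patch still carries its docs/ref/forms/fields.txt hunk, so the divergence is specific to the release-notes file and the header note should say so. The same removal appears in the CVE-2024-39329, CVE-2024-39330, CVE-2024-56374, CVE-2025-26699, CVE-2025-32873 and CVE-2025-57833 hunks.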
@@ -145,5 +126,5 @@ index cb3063d..7e9f2b3 100644 def test_truncate_words_html_size_limit(self): max_len = text.Truncator.MAX_LENGTH_HTML -- -2.40.0 +2.34.1 diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch index c302c0df186c..67c97f2601da 100644 --- a/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch @@ -1,4 +1,4 @@ -From 156d3186c96e3ec2ca73b8b25dc2ef366e38df14 Mon Sep 17 00:00:00 2001 +From 7d7126caae786521290383d618dea49727d871f9 Mon Sep 17 00:00:00 2001 From: Michael Manfre <[email protected]> Date: Fri, 14 Jun 2024 22:12:58 -0400 Subject: [PATCH] Fixed CVE-2024-39329 -- Standarized timing of @@ -15,14 +15,14 @@ https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14 Signed-off-by: Michael Manfre <[email protected]> Signed-off-by: Saravanan <[email protected]> +Signed-off-by: Haixiao Yan <[email protected]> --- django/contrib/auth/hashers.py | 10 ++++++++-- - docs/releases/2.2.28.txt | 7 +++++++ tests/auth_tests/test_hashers.py | 32 ++++++++++++++++++++++++++++++++ - 3 files changed, 47 insertions(+), 2 deletions(-) + 2 files changed, 40 insertions(+), 2 deletions(-) diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py -index 1e8d754..4acb81d 100644 +index 1e8d7547fc35..4acb81d3d0de 100644 --- a/django/contrib/auth/hashers.py +++ b/django/contrib/auth/hashers.py @@ -36,14 +36,20 @@ def check_password(password, encoded, setter=None, preferred='default'): 
@@ -48,23 +48,8 @@ index 1e8d754..4acb81d 100644 return False hasher_changed = hasher.algorithm != preferred.algorithm -diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt -index f3fb298..22fa80e 100644 ---- a/docs/releases/2.2.28.txt -+++ b/docs/releases/2.2.28.txt -@@ -124,3 +124,10 @@ CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases - using a suitably crafted dictionary, with dictionary expansion, as the - ``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`. - -+CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords -+================================================================================================ -+ -+The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method -+allowed remote attackers to enumerate users via a timing attack involving login -+requests for users with unusable passwords. -+ diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py -index ee6441b..391b3cc 100644 +index ee6441b237f6..391b3cc9b41b 100644 --- a/tests/auth_tests/test_hashers.py +++ b/tests/auth_tests/test_hashers.py @@ -433,6 +433,38 @@ class TestUtilsHashPass(SimpleTestCase): @@ -107,5 +92,5 @@ index ee6441b..391b3cc 100644 class BasePasswordHasherTests(SimpleTestCase): not_implemented_msg = 'subclasses of BasePasswordHasher must provide %s() method' -- -2.40.0 +2.34.1 diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-39330.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-39330.patch index 759716617a69..bb521be7b0b6 100644 --- a/meta-python/recipes-devtools/python/python3-django/CVE-2024-39330.patch +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-39330.patch @@ -1,8 +1,8 @@ -From 2b00edc0151a660d1eb86da4059904a0fc4e095e Mon Sep 17 00:00:00 2001 +From 44f8933ad6a969a6b509c31a7e46a2813d049d8f Mon Sep 17 00:00:00 2001 
From: Natalia <[email protected]> Date: Wed, 20 Mar 2024 13:55:21 -0300 -Subject: [PATCH] Fixed CVE-2024-39330 -- Added extra file name validation in - Storage's save method. +Subject: [PATCH] Fixed CVE-2024-39330 -- Added extra file name validation + in Storage's save method. Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews. @@ -13,17 +13,17 @@ Upstream-Status: Backport https://github.com/django/django/commit/2b00edc0151a660d1eb86da4059904a0fc4e095e Signed-off-by: Saravanan <[email protected]> +Signed-off-by: Haixiao Yan <[email protected]> --- django/core/files/storage.py | 11 ++++++ django/core/files/utils.py | 7 ++-- - docs/releases/2.2.28.txt | 12 ++++++ tests/file_storage/test_base.py | 70 +++++++++++++++++++++++++++++++++ tests/file_storage/tests.py | 6 --- - 5 files changed, 96 insertions(+), 10 deletions(-) + 4 files changed, 84 insertions(+), 10 deletions(-) create mode 100644 tests/file_storage/test_base.py diff --git a/django/core/files/storage.py b/django/core/files/storage.py -index ea5bbc8..8c633ec 100644 +index ea5bbc82d0e2..8c633ec040ed 100644 --- a/django/core/files/storage.py +++ b/django/core/files/storage.py @@ -50,7 +50,18 @@ class Storage: @@ -46,7 +46,7 @@ index ea5bbc8..8c633ec 100644 # Ensure that the name returned from the storage system is still valid. validate_file_name(name, allow_relative_path=True) diff --git a/django/core/files/utils.py b/django/core/files/utils.py -index f28cea1..a1fea44 100644 +index f28cea107758..a1fea44ded67 100644 --- a/django/core/files/utils.py +++ b/django/core/files/utils.py @@ -10,10 +10,9 @@ def validate_file_name(name, allow_relative_path=False): 
@@ -63,29 +63,9 @@ index f28cea1..a1fea44 100644 if path.is_absolute() or '..' in path.parts: raise SuspiciousFileOperation( "Detected path traversal attempt in '%s'" % name -diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt -index 22fa80e..3503f38 100644 ---- a/docs/releases/2.2.28.txt -+++ b/docs/releases/2.2.28.txt -@@ -131,3 +131,15 @@ The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method - allowed remote attackers to enumerate users via a timing attack involving login - requests for users with unusable passwords. - -+CVE-2024-39330: Potential directory-traversal via ``Storage.save()`` -+==================================================================== -+ -+Derived classes of the :class:`~django.core.files.storage.Storage` base class -+which override :meth:`generate_filename() -+<django.core.files.storage.Storage.generate_filename()>` without replicating -+the file path validations existing in the parent class, allowed for potential -+directory-traversal via certain inputs when calling :meth:`save() -+<django.core.files.storage.Storage.save()>`. -+ -+Built-in ``Storage`` sub-classes were not affected by this vulnerability. -+ diff --git a/tests/file_storage/test_base.py b/tests/file_storage/test_base.py new file mode 100644 -index 0000000..c5338b8 +index 000000000000..c5338b8e668f --- /dev/null +++ b/tests/file_storage/test_base.py @@ -0,0 +1,70 @@ @@ -160,7 +140,7 @@ index 0000000..c5338b8 + ): + s.save("valid-file-name.txt", content="irrelevant") diff --git a/tests/file_storage/tests.py b/tests/file_storage/tests.py -index 4c6f692..0e69264 100644 +index 4c6f6920ed2d..0e692644b7fd 100644 --- a/tests/file_storage/tests.py +++ b/tests/file_storage/tests.py @@ -291,12 +291,6 @@ class FileStorageTests(SimpleTestCase): @@ -177,5 +157,5 @@ index 4c6f692..0e69264 100644 with TemporaryUploadedFile('test', 'text/plain', 1, 'utf8') as file: file.write(b'1') -- -2.48.1 +2.34.1 
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-56374.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-56374.patch index 3b86eacc4195..7cd7c09c72fb 100644 --- a/meta-python/recipes-devtools/python/python3-django/CVE-2024-56374.patch +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-56374.patch @@ -1,4 +1,4 @@ -From ad866a1ca3e7d60da888d25d27e46a8adb2ed36e Mon Sep 17 00:00:00 2001 +From bd4fcf0ed96b5a74a4143ab4d9e9391f6bf7122c Mon Sep 17 00:00:00 2001 From: Natalia <[email protected]> Date: Mon, 6 Jan 2025 15:51:45 -0300 Subject: [PATCH] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 @@ -15,20 +15,18 @@ https://github.com/django/django/commit/ad866a1ca3e7d60da888d25d27e46a8adb2ed36e Signed-off-by: Natalia <[email protected]> Co-authored-by: Natalia <[email protected]> Signed-off-by: Saravanan <[email protected]> - -%% original patch: CVE-2024-56374.patch +Signed-off-by: Haixiao Yan <[email protected]> --- django/db/models/fields/__init__.py | 6 +-- django/forms/fields.py | 7 +++- django/utils/ipv6.py | 22 ++++++++-- docs/ref/forms/fields.txt | 13 +++++- - docs/releases/2.2.28.txt | 12 ++++++ .../field_tests/test_genericipaddressfield.py | 35 +++++++++++++++- tests/utils_tests/test_ipv6.py | 40 +++++++++++++++++-- - 7 files changed, 120 insertions(+), 15 deletions(-) + 6 files changed, 108 insertions(+), 15 deletions(-) diff --git a/django/db/models/fields/__init__.py b/django/db/models/fields/__init__.py -index e2d1846..c77702f 100644 +index e2d1846ad625..c77702fdacae 100644 --- a/django/db/models/fields/__init__.py +++ b/django/db/models/fields/__init__.py @@ -26,7 +26,7 @@ from django.utils.dateparse import ( @@ -59,7 +57,7 @@ index e2d1846..c77702f 100644 return name, path, args, kwargs diff --git a/django/forms/fields.py b/django/forms/fields.py -index f939338..b3156b9 100644 +index f9393383ed81..b3156b9877dc 100644 --- a/django/forms/fields.py +++ b/django/forms/fields.py 
@@ -29,7 +29,7 @@ from django.forms.widgets import ( @@ -91,7 +89,7 @@ index f939338..b3156b9 100644 diff --git a/django/utils/ipv6.py b/django/utils/ipv6.py -index ddb8c80..aed7902 100644 +index ddb8c8091d2f..aed7902af919 100644 --- a/django/utils/ipv6.py +++ b/django/utils/ipv6.py @@ -3,9 +3,23 @@ import ipaddress @@ -139,7 +137,7 @@ index ddb8c80..aed7902 100644 return False return True diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt -index 3a888ef..688890a 100644 +index 3a888ef6b752..688890a5fba6 100644 --- a/docs/ref/forms/fields.txt +++ b/docs/ref/forms/fields.txt @@ -791,7 +791,7 @@ For each field, we describe the default widget used if you don't specify @@ -176,28 +174,8 @@ index 3a888ef..688890a 100644 ``MultipleChoiceField`` ----------------------- -diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt -index 7096d13..0e092f0 100644 ---- a/docs/releases/2.2.28.txt -+++ b/docs/releases/2.2.28.txt -@@ -105,3 +105,15 @@ CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text - The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a - potential denial-of-service attack when used with very long strings. - -+CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation -+============================================================================ -+ -+Lack of upper bound limit enforcement in strings passed when performing IPv6 -+validation could lead to a potential denial-of-service attack. The undocumented -+and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were -+vulnerable, as was the :class:`django.forms.GenericIPAddressField` form field, -+which has now been updated to define a ``max_length`` of 39 characters. -+ -+The :class:`django.db.models.GenericIPAddressField` model field was not -+affected. -+ 
diff --git a/tests/forms_tests/field_tests/test_genericipaddressfield.py b/tests/forms_tests/field_tests/test_genericipaddressfield.py -index 97a83e3..4c79d78 100644 +index 97a83e38aedd..4c79d7852aa5 100644 --- a/tests/forms_tests/field_tests/test_genericipaddressfield.py +++ b/tests/forms_tests/field_tests/test_genericipaddressfield.py @@ -1,5 +1,6 @@ @@ -256,7 +234,7 @@ index 97a83e3..4c79d78 100644 f.clean('12345:2:3:4') with self.assertRaisesMessage(ValidationError, "'This is not a valid IPv6 address.'"): diff --git a/tests/utils_tests/test_ipv6.py b/tests/utils_tests/test_ipv6.py -index 4e434f3..1ac6763 100644 +index 4e434f3c3aa0..1ac6763d9b93 100644 --- a/tests/utils_tests/test_ipv6.py +++ b/tests/utils_tests/test_ipv6.py @@ -1,9 +1,17 @@ @@ -311,5 +289,5 @@ index 4e434f3..1ac6763 100644 + ) + self.assertIn(value_error_msg % addr, exception_traceback.getvalue()) -- -2.40.0 +2.34.1 diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch index 44e182057abb..3471a855c096 100644 --- a/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch @@ -1,8 +1,8 @@ -From e88f7376fe68dbf4ebaf11fad1513ce700b45860 Mon Sep 17 00:00:00 2001 +From e8ff028d15324bd21b6378b539637d5c5eb3c4f1 Mon Sep 17 00:00:00 2001 From: Sarah Boyce <[email protected]> Date: Tue, 25 Feb 2025 09:40:54 +0100 -Subject: [PATCH] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap - template filter. +Subject: [PATCH] Fixed CVE-2025-26699 -- Mitigated potential DoS in + wordwrap template filter. Thanks sw0rd1ight for the report. @@ -15,16 +15,14 @@ https://github.com/django/django/commit/e88f7376fe68dbf4ebaf11fad1513ce700b45860 Signed-off-by: Sarah Boyce <[email protected]> 
Signed-off-by: Saravanan <[email protected]> - -%% original patch: CVE-2025-26699.patch +Signed-off-by: Haixiao Yan <[email protected]> --- django/utils/text.py | 28 ++++++++----------- - docs/releases/2.2.28.txt | 6 ++++ - .../filter_tests/test_wordwrap.py | 12 ++++++++ - 3 files changed, 29 insertions(+), 17 deletions(-) + .../filter_tests/test_wordwrap.py | 11 ++++++++ + 2 files changed, 22 insertions(+), 17 deletions(-) diff --git a/django/utils/text.py b/django/utils/text.py -index 2c4040e..c474d56 100644 +index 02dd0891686b..e104b60c4f6c 100644 --- a/django/utils/text.py +++ b/django/utils/text.py @@ -1,5 +1,6 @@ @@ -68,25 +66,11 @@ index 2c4040e..c474d56 100644 class Truncator(SimpleLazyObject): -diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt -index 7227452..7096d13 100644 ---- a/docs/releases/2.2.28.txt -+++ b/docs/releases/2.2.28.txt -@@ -99,3 +99,9 @@ CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils - regular expression denial-of-service attack using a suitably crafted string - (follow up to :cve:`2019-14232` and :cve:`2023-43665`). - -+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` -+========================================================================================= -+ -+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a -+potential denial-of-service attack when used with very long strings. -+ diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py -index 02f8605..e6f2afb 100644 +index 02f860582ba7..f61842cb19aa 100644 --- a/tests/template_tests/filter_tests/test_wordwrap.py +++ b/tests/template_tests/filter_tests/test_wordwrap.py -@@ -51,3 +51,15 @@ class FunctionTests(SimpleTestCase): +@@ -51,3 +51,14 @@ class FunctionTests(SimpleTestCase): ), 14), 'this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\nI\'m afraid', ) 
@@ -101,7 +85,6 @@ index 02f8605..e6f2afb 100644 + "I'm afraid", + wordwrap(long_text, 10), + ) -+ -- -2.40.0 +2.34.1 diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2025-32873.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2025-32873.patch index 701f9b574604..0d45c179bb72 100644 --- a/meta-python/recipes-devtools/python/python3-django/CVE-2025-32873.patch +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2025-32873.patch @@ -1,4 +1,4 @@ -From 9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c Mon Sep 17 00:00:00 2001 +From ceb93eee32c9e9ad7e0fbaed725d6d54b09bf9d0 Mon Sep 17 00:00:00 2001 From: Marc Deslauriers <[email protected]> Date: Wed, 30 Apr 2025 10:34:27 -0400 Subject: [PATCH] Fixed CVE-2025-32873 -- Mitigated potential DoS in @@ -17,14 +17,14 @@ Upstream-Status: Backport https://github.com/django/django/commit/9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c Signed-off-by: Saravanan <[email protected]> +Signed-off-by: Haixiao Yan <[email protected]> --- django/utils/html.py | 6 ++++++ - docs/releases/2.2.28.txt | 11 +++++++++++ tests/utils_tests/test_html.py | 15 ++++++++++++++- - 3 files changed, 31 insertions(+), 1 deletion(-) + 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/django/utils/html.py b/django/utils/html.py -index 0d5ffd2..858a517 100644 +index 0d5ffd219baf..6eb8bc3dbf38 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -37,6 +37,9 @@ _html_escapes = { @@ -32,7 +32,7 @@ index 0d5ffd2..858a517 100644 } +# HTML tag that opens but has no closing ">" after 1k+ chars. -+long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}") ++long_open_tag_without_closing_re = re.compile(r"<[a-zA-Z][^>]{1000,}") + @keep_lazy(str, SafeText) 
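Review bot: Unlike the CVE-2024-27351 hunk, the context around `long_open_tag_without_closing_re` shows no other `re.compile` call and not the module's import block, so nothing in this hunk establishes that `re` is already in scope in django/utils/html.py at this revision. Presumably it is, since html.py defines other module-level regexes upstream, but that is outside the hunk and should be confirmed from the build or an import of `django.utils.html` rather than assumed; otherwise the NameError only moves from `_lazy_re_compile` to `re`. A comment above the pattern, `+# Backport note: this Django has no _lazy_re_compile; compiled eagerly with re.compile.`, would also stop a future rebase from silently dropping the substitution.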
@@ -47,27 +47,8 @@ index 0d5ffd2..858a517 100644 # Note: in typical case this loop executes _strip_once twice (the second # execution does not remove any more tags). strip_tags_depth = 0 -diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt -index 3503f38..1676bbd 100644 ---- a/docs/releases/2.2.28.txt -+++ b/docs/releases/2.2.28.txt -@@ -143,3 +143,14 @@ directory-traversal via certain inputs when calling :meth:`save() - - Built-in ``Storage`` sub-classes were not affected by this vulnerability. - -+CVE-2025-32873: Denial-of-service possibility in ``strip_tags()`` -+================================================================= -+ -+:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs -+containing large sequences of incomplete HTML tags. This function is used to -+implement the :tfilter:`striptags` template filter, which was thus also -+vulnerable. -+ -+:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation` -+exception if it encounters an unusually large number of unclosed opening tags. -+ diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py -index 2f412e1..653deb2 100644 +index 2f412e103343..653deb2087e8 100644 --- a/tests/utils_tests/test_html.py +++ b/tests/utils_tests/test_html.py @@ -92,17 +92,30 @@ class TestUtilsHtml(SimpleTestCase): @@ -103,5 +84,5 @@ index 2f412e1..653deb2 100644 # Test with more lengthy content (also catching performance regressions) for filename in ('strip_tags1.html', 'strip_tags2.txt'): -- -2.40.0 +2.34.1 diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2025-57833.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2025-57833.patch index 9d4edb8d7c5b..c17df1b530b1 100644 --- a/meta-python/recipes-devtools/python/python3-django/CVE-2025-57833.patch +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2025-57833.patch 
@@ -1,8 +1,8 @@ -From 31334e6965ad136a5e369993b01721499c5d1a92 Mon Sep 17 00:00:00 2001 +From 6fb375254ac11840ec66cd6d1ffdc4dbd57af190 Mon Sep 17 00:00:00 2001 From: Jake Howard <[email protected]> Date: Wed, 13 Aug 2025 14:13:42 +0200 -Subject: [PATCH] Fixed CVE-2025-57833 -- Protected FilteredRelation against - SQL injection in column aliases. +Subject: [PATCH] Fixed CVE-2025-57833 -- Protected FilteredRelation + against SQL injection in column aliases. Thanks Eyal Gabay (EyalSec) for the report. @@ -15,16 +15,14 @@ https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92 Signed-off-by: Jake Howard <[email protected]> Signed-off-by: Saravanan <[email protected]> - -%% original patch: CVE-2025-57833.patch +Signed-off-by: Haixiao Yan <[email protected]> --- django/db/models/sql/query.py | 1 + - docs/releases/2.2.28.txt | 7 +++++++ tests/annotations/tests.py | 18 ++++++++++++++++-- - 3 files changed, 24 insertions(+), 2 deletions(-) + 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py -index 9b054bd..96a6f5f 100644 +index 9b054bd10079..96a6f5fb5c8d 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -1369,6 +1369,7 @@ class Query: 
@@ -35,23 +33,8 @@ index 9b054bd..96a6f5f 100644 filtered_relation.alias = alias lookups = dict(get_children_from_q(filtered_relation.condition)) for lookup in chain((filtered_relation.relation_name,), lookups): -diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt -index 0e092f0..f3fb298 100644 ---- a/docs/releases/2.2.28.txt -+++ b/docs/releases/2.2.28.txt -@@ -117,3 +117,10 @@ which has now been updated to define a ``max_length`` of 39 characters. - The :class:`django.db.models.GenericIPAddressField` model field was not - affected. - -+CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases -+============================================================================== -+ -+:class:`.FilteredRelation` was subject to SQL injection in column aliases, -+using a suitably crafted dictionary, with dictionary expansion, as the -+``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`. -+ diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py -index 27cd7eb..cdffb07 100644 +index 27cd7ebfb826..cdffb0792009 100644 --- a/tests/annotations/tests.py +++ b/tests/annotations/tests.py @@ -3,8 +3,8 @@ from decimal import Decimal @@ -91,5 +74,5 @@ index 27cd7eb..cdffb07 100644 + **{crafted_alias: FilteredRelation("authors")} + ) -- -2.40.0 +2.34.1 -- 2.34.1
