From 06eb22a6062ad2fc4e0d36e37f17a1ef485b5d09 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Thu, 9 Apr 2026 08:25:28 +0300 Subject: [PATCH] python3-django: update to 6.0.4 Update package to 6.0.4. Security fixes: - CVE-2026-33033: DoS fix in MultiPartParser -- base64-encoded multipart uploads with excessive whitespace could cause repeated memory copying - CVE-2026-3902: ASGI header spoofing fixed -- headers containing underscores are now ignored by ASGIRequest to prevent hyphen/underscore conflation attacks - CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin -- add permissions on inline model instances were not validated against forged POST data - CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable -- changelist forms incorrectly allowed new instances to be created via forged POST data - CVE-2026-33034: DoS via ASGI memory upload limit bypass -- missing or understated Content-Length could bypass DATA_UPLOAD_MAX_MEMORY_SIZE Bug fixes: - alogin/alogout regression where request.user was not set/cleared if already materialized by sync middleware - RelatedFieldWidgetWrapper regression incorrectly wrapping all widgets in a fieldset in admin forms Signed-off-by: Alexandru Ardelean --- lang/python/django/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lang/python/django/Makefile b/lang/python/django/Makefile index cf38ceee4a..316efeba44 100644 --- a/lang/python/django/Makefile +++ b/lang/python/django/Makefile @@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=django -PKG_VERSION:=6.0.3 +PKG_VERSION:=6.0.4 PKG_RELEASE:=1 PYPI_NAME:=django -PKG_HASH:=90be765ee756af8a6cbd6693e56452404b5ad15294f4d5e40c0a55a0f4870fe1 +PKG_HASH:=8cfa2572b3f2768b2e84983cf3c4811877a01edb64e817986ec5d60751c113ac PKG_MAINTAINER:=Alexandru Ardelean , Peter Stadler PKG_LICENSE:=BSD-3-Clause
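Review bot: The new PKG_HASH in the lang/python/django/Makefile hunk cannot be validated from the diff alone, and it is the only integrity check on the tarball this security update pulls in. Before merging, confirm that the value matches the sha256 published for the django 6.0.4 source distribution, using a fresh download rather than a cached copy in dl/. Leaving PKG_RELEASE:=1 unchanged is correct, since PKG_VERSION changes in the same hunk. The commit message names five CVEs, so it would also help to state there whether the package was build- or run-tested on a target after the bump.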