python3-django: update to 6.0.4
Update package to 6.0.4.
Security fixes:
- CVE-2026-33033: DoS fix in MultiPartParser -- base64-encoded multipart
uploads with excessive whitespace could cause repeated memory copying
- CVE-2026-3902: ASGI header spoofing fixed -- headers containing underscores
are now ignored by ASGIRequest to prevent hyphen/underscore conflation
attacks
- CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin -- add permissions
on inline model instances were not validated against forged POST data
- CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable -- changelist
forms incorrectly allowed new instances to be created via forged POST data
- CVE-2026-33034: DoS via ASGI memory upload limit bypass -- missing or
understated Content-Length could bypass DATA_UPLOAD_MAX_MEMORY_SIZE
Bug fixes:
- alogin/alogout regression where request.user was not set/cleared if already
materialized by sync middleware
- RelatedFieldWidgetWrapper regression incorrectly wrapping all widgets in a
fieldset in admin forms
Signed-off-by: Alexandru Ardelean <redacted>
git.99rst.org / openwrt-packages.git / commit