From: Alexandru Ardelean
Date: Thu, 9 Apr 2026 05:25:28 +0000 (+0300)
Subject: python3-django: update to 6.0.4
X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=06eb22a6062ad2fc4e0d36e37f17a1ef485b5d09;p=openwrt-packages.git

python3-django: update to 6.0.4

Update package to 6.0.4.

Security fixes:
- CVE-2026-33033: DoS fix in MultiPartParser -- base64-encoded multipart
  uploads with excessive whitespace could cause repeated memory copying
- CVE-2026-3902: ASGI header spoofing fixed -- headers containing
  underscores are now ignored by ASGIRequest to prevent
  hyphen/underscore conflation attacks
- CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin -- add
  permissions on inline model instances were not validated against
  forged POST data
- CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable -- changelist
  forms incorrectly allowed new instances to be created via forged
  POST data
- CVE-2026-33034: DoS via ASGI memory upload limit bypass -- missing or
  understated Content-Length could bypass DATA_UPLOAD_MAX_MEMORY_SIZE

Bug fixes:
- alogin/alogout regression where request.user was not set/cleared if
  already materialized by sync middleware
- RelatedFieldWidgetWrapper regression incorrectly wrapping all widgets
  in a fieldset in admin forms

Signed-off-by: Alexandru Ardelean
---

diff --git a/lang/python/django/Makefile b/lang/python/django/Makefile index cf38ceee4..316efeba4 100644 --- a/lang/python/django/Makefile +++ b/lang/python/django/Makefile @@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=django -PKG_VERSION:=6.0.3 +PKG_VERSION:=6.0.4 PKG_RELEASE:=1 PYPI_NAME:=django -PKG_HASH:=90be765ee756af8a6cbd6693e56452404b5ad15294f4d5e40c0a55a0f4870fe1 +PKG_HASH:=8cfa2572b3f2768b2e84983cf3c4811877a01edb64e817986ec5d60751c113ac PKG_MAINTAINER:=Alexandru Ardelean , Peter Stadler PKG_LICENSE:=BSD-3-Clause
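
Review bot: The replacement value on the `+PKG_HASH` line is the only integrity anchor for the 6.0.4 source tarball, and nothing in the patch or the commit message says how it was obtained. Before merging, please confirm it equals the SHA-256 of the Django 6.0.4 sdist computed from an independently fetched copy, and consider noting that check in the commit message. Leaving `PKG_RELEASE:=1` unchanged is correct for a `PKG_VERSION` bump. The message also describes a behaviour change (ASGIRequest now ignores headers containing underscores), so it would help to state whether any dependent packages in the feed were checked against it and whether this security update is meant to be backported to the stable branches.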