Date: Wed, 4 Oct 2023 20:13:51 +0000
From: "Adam Ciarcinski"
Subject: CVS commit: pkgsrc/www/py-django3
To: pkgsrc-changes@NetBSD.org
Reply-To: adam@netbsd.org
Message-Id: <20231004201351.99925FBDB@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   adam
Date:           Wed Oct  4 20:13:51 UTC 2023

Modified Files:
        pkgsrc/www/py-django3: Makefile distinfo

Log Message:
py-django3: updated to 3.2.22

Django 3.2.22 fixes a security issue with severity “moderate” in 3.2.21.

CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator

Following the fix for CVE-2019-14232, the regular expressions used in the
implementation of django.utils.text.Truncator’s chars() and words() methods
(with html=True) were revised and improved. However, these regular expressions
still exhibited linear backtracking complexity, so when given a very long,
potentially malformed HTML input, the evaluation would still be slow, leading
to a potential denial of service vulnerability.

The chars() and words() methods are used to implement the truncatechars_html
and truncatewords_html template filters, which were thus also vulnerable.

The input processed by Truncator, when operating in HTML mode, has been
limited to the first five million characters in order to avoid potential
performance and memory issues.

To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 pkgsrc/www/py-django3/Makefile
cvs rdiff -u -r1.33 -r1.34 pkgsrc/www/py-django3/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
--_----------=_1696450431227480 Content-Disposition: inline Content-Length: 1578 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/www/py-django3/Makefile diff -u pkgsrc/www/py-django3/Makefile:1.34 pkgsrc/www/py-django3/Makefile:1.35 --- pkgsrc/www/py-django3/Makefile:1.34 Wed Sep 13 09:58:30 2023 +++ pkgsrc/www/py-django3/Makefile Wed Oct 4 20:13:51 2023 @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.34 2023/09/13 09:58:30 adam Exp $ +# $NetBSD: Makefile,v 1.35 2023/10/04 20:13:51 adam Exp $ -DISTNAME= Django-3.2.21 +DISTNAME= Django-3.2.22 PKGNAME= ${PYPKGPREFIX}-${DISTNAME:tl} CATEGORIES= www python MASTER_SITES= https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/ Index: pkgsrc/www/py-django3/distinfo diff -u pkgsrc/www/py-django3/distinfo:1.33 pkgsrc/www/py-django3/distinfo:1.34 --- pkgsrc/www/py-django3/distinfo:1.33 Wed Sep 13 09:58:30 2023 +++ pkgsrc/www/py-django3/distinfo Wed Oct 4 20:13:51 2023 @@ -1,5 +1,5 @@ -$NetBSD: distinfo,v 1.33 2023/09/13 09:58:30 adam Exp $ +$NetBSD: distinfo,v 1.34 2023/10/04 20:13:51 adam Exp $ -BLAKE2s (Django-3.2.21.tar.gz) = b9fcdd3ee2f9bd00fab0f9de79e6117db0698bbd20ab1d2f18297d2e1d7406df -SHA512 (Django-3.2.21.tar.gz) = 614d5e79c323f43d893ca235d81f1cb06287ead56aa5b7baf9930b9a99446d77ec111c65675a864cbf7cf2b9dfceaa0ffab389855da9d7a5c6e36067ab42e5dd -Size (Django-3.2.21.tar.gz) = 9836824 bytes +BLAKE2s (Django-3.2.22.tar.gz) = 3cb82fdd6445f2bf06108aa7d58427f69e2ea18b8aa5d90939abcc396f1b47a2 +SHA512 (Django-3.2.22.tar.gz) = a2c81dc63609be521aa1a74c85be93e3263380d533c0d6888b4ba20f5a12f0d99c329286c99896734fc9a9b111d873934e4f553d18f246911cbfd65feea73b46 +Size (Django-3.2.22.tar.gz) = 9827193 bytes --_----------=_1696450431227480--
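Review bot: the DISTNAME bump from Django-3.2.21 to Django-3.2.22 is the only functional change in the Makefile hunk, and nothing else in it needs to follow: PKGNAME is derived from DISTNAME, and MASTER_SITES uses ${PKGVERSION_NOREV:R}, which still resolves to the 3.2 release directory, so the fetch URL remains valid. The $NetBSD Id line is regenerated on commit and needs no hand edit.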
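Review bot: the BLAKE2s, SHA512 and Size entries for Django-3.2.22.tar.gz are replaced together in the distinfo hunk, which is what matters: a distfile is rejected unless every recorded digest and the byte count match, so no stale 3.2.21 value is left behind. Since distinfo is the only integrity anchor a pkgsrc user has for this security fix, the three values should be taken from a tarball fetched from the MASTER_SITES URL in the Makefile and cross-checked against the upstream release's published checksums rather than from a local mirror.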
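The distinfo update listed under Modified Files is the integrity check a pkgsrc user relies on when fetching this security release. As an added illustration that is not part of the commit or of pkgsrc itself, the following script parses a distinfo file in the same format and verifies a distfile against every recorded digest and its size; the tarball bytes and their recorded values are constructed here, not Django's real ones.

```python
import hashlib
import re

# One distinfo entry: "ALGO (distfile) = value", with a trailing " bytes" for Size lines.
ENTRY_RE = re.compile(r"^(?P<algo>\w+) \((?P<file>[^)]+)\) = (?P<value>\S+)(?: bytes)?$")

# Digests pkgsrc records; BLAKE2s is the 32-byte variant (64 hex chars, as in the hunk).
HASHERS = {
    "BLAKE2s": lambda data: hashlib.blake2s(data).hexdigest(),
    "SHA512": lambda data: hashlib.sha512(data).hexdigest(),
}


def parse_distinfo(text):
    """Map distfile name -> {algo: recorded value}; the $NetBSD$ Id line is skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m["file"], {})[m["algo"]] = m["value"]
    return entries


def verify_distfile(distinfo_text, name, data):
    """Return a list of problems; an empty list means every recorded value matches."""
    recorded = parse_distinfo(distinfo_text).get(name)
    if recorded is None:
        return [f"{name}: no distinfo entry"]
    problems = []
    for algo, expected in recorded.items():
        if algo == "Size":
            actual = str(len(data))
        elif algo in HASHERS:
            actual = HASHERS[algo](data)
        else:
            problems.append(f"{name}: unsupported digest {algo}")
            continue
        if actual != expected:
            problems.append(f"{name}: {algo} mismatch")
    # A size alone is not an integrity check; refuse entries with no cryptographic digest.
    if not any(algo in HASHERS for algo in recorded):
        problems.append(f"{name}: no cryptographic digest recorded")
    return problems


# Constructed sample distfile and a distinfo in the layout of this commit's hunk.
SAMPLE_TARBALL = b"constructed stand-in for a release tarball\n" * 64
SAMPLE_DISTINFO = (
    "$NetBSD: distinfo,v 1.34 2023/10/04 20:13:51 adam Exp $\n\n"
    f"BLAKE2s (Django-3.2.22.tar.gz) = {hashlib.blake2s(SAMPLE_TARBALL).hexdigest()}\n"
    f"SHA512 (Django-3.2.22.tar.gz) = {hashlib.sha512(SAMPLE_TARBALL).hexdigest()}\n"
    f"Size (Django-3.2.22.tar.gz) = {len(SAMPLE_TARBALL)} bytes\n"
)

if __name__ == "__main__":
    print(verify_distfile(SAMPLE_DISTINFO, "Django-3.2.22.tar.gz", SAMPLE_TARBALL))
    print(verify_distfile(SAMPLE_DISTINFO, "Django-3.2.22.tar.gz", SAMPLE_TARBALL + b"x"))
```

Run against a real tree, the same function would take the package's distinfo and the bytes of the fetched distfile; a single appended byte is enough to trip all three checks.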