Wed Jun 3 15:29:36 2020 UTC ()
py-django3: updated to 3.0.7

Django 3.0.7 fixes two security issues and several bugs in 3.0.6.

CVE-2020-13254: Potential data leakage via malformed memcached keys

In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.

CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget

Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.

Bugfixes

Fixed a regression in Django 3.0 by restoring the ability to use field lookups in Meta.ordering.
Fixed a regression in Django 3.0 where QuerySet.values() and values_list() crashed if a queryset contained an aggregation and a subquery annotation.
Fixed a regression in Django 3.0 where aggregates used wrong annotations when a queryset has multiple subquery annotations.
Fixed a regression in Django 3.0 where QuerySet.values() and values_list() crashed if a queryset contained an aggregation and an Exists() annotation on Oracle.
Fixed a regression in Django 3.0 where all resolved Subquery() expressions were considered equal.
Fixed a regression in Django 3.0.5 that affected translation loading for apps providing translations for territorial language variants as well as a generic language, where the project has different plural equations for the language.
Tracking a jQuery security release, upgraded the version of jQuery used by the admin from 3.4.1 to 3.5.1.


(adam)
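The CVE-2020-13254 entry above says the memcached backends now validate keys. As an added illustration (not code from Django or from this pkgsrc commit), the following shows what such validation looks like: the full key, prefix and version included, is checked against the memcached protocol limits (no whitespace or control characters, at most 250 characters) and rejected before it can reach the backend, so two distinct application keys cannot be squeezed into one memcached slot. The class and function names, and the dict standing in for memcached, are assumptions for this example.

```python
# Constructed example: key validation in front of a memcached-style store.
# memcached's text protocol limits keys to 250 bytes and forbids whitespace and
# control characters; the checks below are modelled on those applied by
# Django's base cache backend.
MEMCACHE_MAX_KEY_LENGTH = 250


def memcache_key_problems(key: str) -> list:
    """Return the reasons `key` is unsafe to send to memcached (empty if OK)."""
    problems = []
    if len(key) > MEMCACHE_MAX_KEY_LENGTH:
        problems.append(f"key exceeds {MEMCACHE_MAX_KEY_LENGTH} characters ({len(key)})")
    # ord < 33 covers space, tab, newline and the other C0 controls; 127 is DEL.
    bad = sorted({c for c in key if ord(c) < 33 or ord(c) == 127})
    if bad:
        problems.append("key contains whitespace or control characters: %r" % bad)
    return problems


def make_key(key: str, key_prefix: str = "", version: int = 1) -> str:
    """Build the final cache key from prefix, version and application key."""
    return f"{key_prefix}:{version}:{key}"


class ValidatingMemcache:
    """Stand-in for a memcached backend (a dict) that validates every key first."""

    def __init__(self, key_prefix: str = ""):
        self._store = {}
        self.key_prefix = key_prefix

    def _checked_key(self, key: str, version: int = 1) -> str:
        # Validate the *final* key: the prefix and version count toward the limit.
        full = make_key(key, self.key_prefix, version)
        problems = memcache_key_problems(full)
        if problems:
            raise ValueError("invalid cache key %r: %s" % (full, "; ".join(problems)))
        return full

    def set(self, key: str, value, version: int = 1) -> None:
        self._store[self._checked_key(key, version)] = value

    def get(self, key: str, default=None, version: int = 1):
        return self._store.get(self._checked_key(key, version), default)
```

A key that fails validation raises before anything is read or written, which is the behaviour a caller should expect from a backend that cannot itself guarantee key isolation.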
diff -r1.4 -r1.5 pkgsrc/www/py-django3/Makefile
diff -r1.4 -r1.5 pkgsrc/www/py-django3/distinfo

cvs diff -r1.4 -r1.5 pkgsrc/www/py-django3/Makefile

--- pkgsrc/www/py-django3/Makefile 2020/05/12 06:55:19 1.4
+++ pkgsrc/www/py-django3/Makefile 2020/06/03 15:29:36 1.5
@@ -1,16 +1,16 @@ @@ -1,16 +1,16 @@
1# $NetBSD: Makefile,v 1.4 2020/05/12 06:55:19 adam Exp $ 1# $NetBSD: Makefile,v 1.5 2020/06/03 15:29:36 adam Exp $
2 2
3DISTNAME= Django-3.0.6 3DISTNAME= Django-3.0.7
4PKGNAME= ${PYPKGPREFIX}-${DISTNAME:tl} 4PKGNAME= ${PYPKGPREFIX}-${DISTNAME:tl}
5CATEGORIES= www python 5CATEGORIES= www python
6MASTER_SITES= https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/ 6MASTER_SITES= https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/
7MASTER_SITES+= ${MASTER_SITE_PYPI:=D/Django/} 7MASTER_SITES+= ${MASTER_SITE_PYPI:=D/Django/}
8 8
9MAINTAINER= pkgsrc-users@NetBSD.org 9MAINTAINER= pkgsrc-users@NetBSD.org
10HOMEPAGE= https://www.djangoproject.com/ 10HOMEPAGE= https://www.djangoproject.com/
11COMMENT= Django, a high-level Python Web framework 11COMMENT= Django, a high-level Python Web framework
12LICENSE= modified-bsd 12LICENSE= modified-bsd
13 13
14DEPENDS+= ${PYPKGPREFIX}-asgiref>=3.2:../../www/py-asgiref 14DEPENDS+= ${PYPKGPREFIX}-asgiref>=3.2:../../www/py-asgiref
15DEPENDS+= ${PYPKGPREFIX}-pytz-[0-9]*:../../time/py-pytz 15DEPENDS+= ${PYPKGPREFIX}-pytz-[0-9]*:../../time/py-pytz
16DEPENDS+= ${PYPKGPREFIX}-sqlparse>=0.2.2:../../databases/py-sqlparse 16DEPENDS+= ${PYPKGPREFIX}-sqlparse>=0.2.2:../../databases/py-sqlparse
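Review bot: the DISTNAME bump from Django-3.0.6 to Django-3.0.7 is the only substantive change here, and since the Makefile carries no PKGREVISION line there is nothing to reset; the DEPENDS floors on asgiref, pytz and sqlparse are left untouched, which is the expected shape for a patch-level security update within the 3.0 series, and MASTER_SITES keeps deriving the 3.0 release directory from ${PKGVERSION_NOREV:R}.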

cvs diff -r1.4 -r1.5 pkgsrc/www/py-django3/distinfo

--- pkgsrc/www/py-django3/distinfo 2020/05/12 06:55:19 1.4
+++ pkgsrc/www/py-django3/distinfo 2020/06/03 15:29:36 1.5
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
1$NetBSD: distinfo,v 1.4 2020/05/12 06:55:19 adam Exp $ 1$NetBSD: distinfo,v 1.5 2020/06/03 15:29:36 adam Exp $
2 2
3SHA1 (Django-3.0.6.tar.gz) = c2d4bb41760eae528ae2f67cb087f64456910673 3SHA1 (Django-3.0.7.tar.gz) = 71938dec22f3f6adae6f3edac6a288fee69def24
4RMD160 (Django-3.0.6.tar.gz) = 3b90cc648f3fad4f9afc2e20fe5adf34c07c94b6 4RMD160 (Django-3.0.7.tar.gz) = ce33cbdf81ab9bd30563773216892c9a3cf4e438
5SHA512 (Django-3.0.6.tar.gz) = 4c92c51386919c389037d6c6d1de3cb6ec443bd1f216f20797fb20fb24ea8d021701a03805ba693deadfa82b1aee38ae0d7fc03cae94cd744b1d1fa47ddc46ad 5SHA512 (Django-3.0.7.tar.gz) = 566a78c3686baaea2ea8f2db2c1762a78ec5e5ae44f0be43f49c83899c2a0a9d1b2297a05ce8f4bc6bc580c494dde66bb2be47a8269cce3e1b007fedd857e5d3
6Size (Django-3.0.6.tar.gz) = 9070990 bytes 6Size (Django-3.0.7.tar.gz) = 8947502 bytes
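Review bot: all three digests (SHA1, RMD160, SHA512) and the Size line change together for Django-3.0.7.tar.gz, which is what fetch-time verification needs; the one thing to confirm is that they were regenerated with `make distinfo` against the tarball fetched from MASTER_SITES rather than transcribed from elsewhere, because for a security-fix update these values are what pins the artifact that users actually build.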