Sync from SUSE:ALP:Source:Standard:1.0 python-Django revision 07a0c96c91c540715f2c117e8a28f3b1

2025-03-14 14:17:38 +01:00 · 2025-03-14 14:17:38 +01:00 · 75542dd270
commit 75542dd270
parent 572e03dca0
19 changed files with 1541 additions and 328 deletions
--- a/CVE-2024-27351.patch
+++ b/CVE-2024-27351.patch
@ -1,121 +0,0 @@
 From 2d173757922183f7e9b79d31fd4ccd9086cc6ce2 Mon Sep 17 00:00:00 2001
 From: Shai Berger <shai@platonix.com>
 Date: Mon, 19 Feb 2024 13:56:37 +0100
 Subject: [PATCH] [4.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in
 Truncator.words().
 Thanks Seokchan Yoon for the report.
 Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
 ---
 django/utils/text.py           | 57 ++++++++++++++++++++++++++++++++--
 docs/releases/3.2.25.txt       |  8 +++++
 docs/releases/4.2.11.txt       |  8 +++++
 tests/utils_tests/test_text.py | 26 ++++++++++++++++
 4 files changed, 97 insertions(+), 2 deletions(-)
 Index: Django-4.2.6/django/utils/text.py
 ===================================================================
 --- Django-4.2.6.orig/django/utils/text.py
 +++ Django-4.2.6/django/utils/text.py
@@ -23,8 +23,61 @@ def capfirst(x):
     return x[0].upper() + x[1:]
 -# Set up regular expressions
 -re_words = _lazy_re_compile(r"<[^>]+?>|([^<>\s]+)", re.S)
 +# ----- Begin security-related performance workaround -----
 +
 +# We used to have, below
 +#
 +# re_words = _lazy_re_compile(r"<[^>]+?>|([^<>\s]+)", re.S)
 +#
 +# But it was shown that this regex, in the way we use it here, has some
 +# catastrophic edge-case performance features. Namely, when it is applied to
 +# text with only open brackets "<<<...". The class below provides the services
 +# and correct answers for the use cases, but in these edge cases does it much
 +# faster.
 +re_notag = _lazy_re_compile(r"([^<>\s]+)", re.S)
 +re_prt = _lazy_re_compile(r"<|([^<>\s]+)", re.S)
 +
 +
 +class WordsRegex:
 +    @staticmethod
 +    def search(text, pos):
 +        # Look for "<" or a non-tag word.
 +        partial = re_prt.search(text, pos)
 +        if partial is None or partial[1] is not None:
 +            return partial
 +
 +        # "<" was found, look for a closing ">".
 +        end = text.find(">", partial.end(0))
 +        if end < 0:
 +            # ">" cannot be found, look for a word.
 +            return re_notag.search(text, pos + 1)
 +        else:
 +            # "<" followed by a ">" was found -- fake a match.
 +            end += 1
 +            return FakeMatch(text[partial.start(0) : end], end)
 +
 +
 +class FakeMatch:
 +    __slots__ = ["_text", "_end"]
 +
 +    def end(self, group=0):
 +        assert group == 0, "This specific object takes only group=0"
 +        return self._end
 +
 +    def __getitem__(self, group):
 +        if group == 1:
 +            return None
 +        assert group == 0, "This specific object takes only group in {0,1}"
 +        return self._text
 +
 +    def __init__(self, text, end):
 +        self._text, self._end = text, end
 +
 +
 +# ----- End security-related performance workaround -----
 +
 +# Set up regular expressions.
 +re_words = WordsRegex
 re_chars = _lazy_re_compile(r"<[^>]+?>|(.)", re.S)
 re_tag = _lazy_re_compile(r"<(/)?(\S+?)(?:(\s*/)|\s.*?)?>", re.S)
 re_newlines = _lazy_re_compile(r"\r\n|\r")  # Used in normalize_newlines
 Index: Django-4.2.6/tests/utils_tests/test_text.py
 ===================================================================
 --- Django-4.2.6.orig/tests/utils_tests/test_text.py
 +++ Django-4.2.6/tests/utils_tests/test_text.py
@@ -183,6 +183,32 @@ class TestUtilsText(SimpleTestCase):
         truncator = text.Truncator("<p>I &lt;3 python, what about you?</p>")
         self.assertEqual("<p>I &lt;3 python,…</p>", truncator.words(3, html=True))
 +        # Only open brackets.
 +        test = "<" * 60_000
 +        truncator = text.Truncator(test)
 +        self.assertEqual(truncator.words(1, html=True), test)
 +
 +        # Tags with special chars in attrs.
 +        truncator = text.Truncator(
 +            """<i style="margin: 5%; font: *;">Hello, my dear lady!</i>"""
 +        )
 +        self.assertEqual(
 +            """<i style="margin: 5%; font: *;">Hello, my dear…</i>""",
 +            truncator.words(3, html=True),
 +        )
 +
 +        # Tags with special non-latin chars in attrs.
 +        truncator = text.Truncator("""<p data-x="א">Hello, my dear lady!</p>""")
 +        self.assertEqual(
 +            """<p data-x="א">Hello, my dear…</p>""",
 +            truncator.words(3, html=True),
 +        )
 +
 +        # Misplaced brackets.
 +        truncator = text.Truncator("hello >< world")
 +        self.assertEqual(truncator.words(1, html=True), "hello…")
 +        self.assertEqual(truncator.words(2, html=True), "hello >< world")
 +
     @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
     def test_truncate_words_html_size_limit(self):
         max_len = text.Truncator.MAX_LENGTH_HTML
--- a/CVE-2024-41989.patch
+++ b/CVE-2024-41989.patch
@ -0,0 +1,79 @@
 From 0521744d21a7854e849336af1e3a3aad44cee017 Mon Sep 17 00:00:00 2001
 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
 Date: Fri, 12 Jul 2024 11:38:34 +0200
 Subject: [PATCH 1/4] [4.2.x] Fixed CVE-2024-41989 -- Prevented excessive
 memory consumption in floatformat.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Thanks Elias Myllymäki for the report.
 Co-authored-by: Shai Berger <shai@platonix.com>
 ---
 django/template/defaultfilters.py               | 13 +++++++++++++
 .../filter_tests/test_floatformat.py            | 17 +++++++++++++++++
 3 files changed, 39 insertions(+)
 diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py
 index d446b54ade..3f89eba6bb 100644
 --- a/django/template/defaultfilters.py
 +++ b/django/template/defaultfilters.py
@@ -163,6 +163,19 @@ def floatformat(text, arg=-1):
     except ValueError:
         return input_val
 +    _, digits, exponent = d.as_tuple()
 +    try:
 +        number_of_digits_and_exponent_sum = len(digits) + abs(exponent)
 +    except TypeError:
 +        # Exponent values can be "F", "n", "N".
 +        number_of_digits_and_exponent_sum = 0
 +
 +    # Values with more than 200 digits, or with a large exponent, are returned "as is"
 +    # to avoid high memory consumption and potential denial-of-service attacks.
 +    # The cut-off of 200 is consistent with django.utils.numberformat.floatformat().
 +    if number_of_digits_and_exponent_sum > 200:
 +        return input_val
 +
     try:
         m = int(d) - d
     except (ValueError, OverflowError, InvalidOperation):
 diff --git a/tests/template_tests/filter_tests/test_floatformat.py b/tests/template_tests/filter_tests/test_floatformat.py
 index db17622309..c22b5dca6b 100644
 --- a/tests/template_tests/filter_tests/test_floatformat.py
 +++ b/tests/template_tests/filter_tests/test_floatformat.py
@@ -77,6 +77,7 @@ class FunctionTests(SimpleTestCase):
         self.assertEqual(floatformat(1.5e-15, 20), "0.00000000000000150000")
         self.assertEqual(floatformat(1.5e-15, -20), "0.00000000000000150000")
         self.assertEqual(floatformat(1.00000000000000015, 16), "1.0000000000000002")
 +        self.assertEqual(floatformat("1e199"), "1" + "0" * 199)
     def test_force_grouping(self):
         with translation.override("en"):
@@ -134,6 +135,22 @@ class FunctionTests(SimpleTestCase):
         self.assertEqual(floatformat(pos_inf), "inf")
         self.assertEqual(floatformat(neg_inf), "-inf")
         self.assertEqual(floatformat(pos_inf / pos_inf), "nan")
 +        self.assertEqual(floatformat("inf"), "inf")
 +        self.assertEqual(floatformat("NaN"), "NaN")
 +
 +    def test_too_many_digits_to_render(self):
 +        cases = [
 +            "1e200",
 +            "1E200",
 +            "1E10000000000000000",
 +            "-1E10000000000000000",
 +            "1e10000000000000000",
 +            "-1e10000000000000000",
 +            "1" + "0" * 1_000_000,
 +        ]
 +        for value in cases:
 +            with self.subTest(value=value):
 +                self.assertEqual(floatformat(value), value)
     def test_float_dunder_method(self):
         class FloatWrapper:
 -- 
 2.34.1
--- a/CVE-2024-41990.patch
+++ b/CVE-2024-41990.patch
@ -0,0 +1,64 @@
 From 729d7934e34ff91f262f3e7089e32cab701b09ca Mon Sep 17 00:00:00 2001
 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
 Date: Thu, 18 Jul 2024 13:19:34 +0200
 Subject: [PATCH 2/4] [4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS
 in urlize and urlizetrunc template filters.
 Thanks to MProgrammer for the report.
 ---
 django/utils/html.py           | 18 ++++++++----------
 tests/utils_tests/test_html.py |  2 ++
 3 files changed, 17 insertions(+), 10 deletions(-)
 diff --git a/django/utils/html.py b/django/utils/html.py
 index fd313ff9ca..dd52f1f7fe 100644
 --- a/django/utils/html.py
 +++ b/django/utils/html.py
@@ -378,7 +378,11 @@ class Urlizer:
                         trimmed_something = True
                         counts[closing] -= strip
 -            rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon)
 +            amp = middle.rfind("&")
 +            if amp == -1:
 +                rstripped = middle.rstrip(self.trailing_punctuation_chars)
 +            else:
 +                rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon)
             if rstripped != middle:
                 trail = middle[len(rstripped) :] + trail
                 middle = rstripped
@@ -386,15 +390,9 @@ class Urlizer:
             if self.trailing_punctuation_chars_has_semicolon and middle.endswith(";"):
                 # Only strip if not part of an HTML entity.
 -                amp = middle.rfind("&")
 -                if amp == -1:
 -                    can_strip = True
 -                else:
 -                    potential_entity = middle[amp:]
 -                    escaped = html.unescape(potential_entity)
 -                    can_strip = (escaped == potential_entity) or escaped.endswith(";")
 -
 -                if can_strip:
 +                potential_entity = middle[amp:]
 +                escaped = html.unescape(potential_entity)
 +                if escaped == potential_entity or escaped.endswith(";"):
                     rstripped = middle.rstrip(";")
                     amount_stripped = len(middle) - len(rstripped)
                     if amp > -1 and amount_stripped > 1:
 diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
 index 6dab41634a..c45e0dfac1 100644
 --- a/tests/utils_tests/test_html.py
 +++ b/tests/utils_tests/test_html.py
@@ -349,6 +349,8 @@ class TestUtilsHtml(SimpleTestCase):
             "[(" * 100_000 + ":" + ")]" * 100_000,
             "([[" * 100_000 + ":" + "]])" * 100_000,
             "&:" + ";" * 100_000,
 +            "&.;" * 100_000,
 +            ".;" * 100_000,
         )
         for value in tests:
             with self.subTest(value=value):
 -- 
 2.34.1
--- a/CVE-2024-41991.patch
+++ b/CVE-2024-41991.patch
@ -0,0 +1,117 @@
 From 772a73f70c3d249c99c23012849e66276b7b0715 Mon Sep 17 00:00:00 2001
 From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
 Date: Wed, 10 Jul 2024 20:30:12 +0200
 Subject: [PATCH 3/4] [4.2.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS
 in django.utils.html.urlize() and AdminURLFieldWidget.
 Thanks Seokchan Yoon for the report.
 Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
 ---
 django/contrib/admin/widgets.py |  2 +-
 django/utils/html.py            | 10 ++++++++--
 tests/admin_widgets/tests.py    |  7 ++++++-
 tests/utils_tests/test_html.py  | 13 +++++++++++++
 5 files changed, 35 insertions(+), 4 deletions(-)
 diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
 index 5e3416bc28..3d11a40efe 100644
 --- a/django/contrib/admin/widgets.py
 +++ b/django/contrib/admin/widgets.py
@@ -383,7 +383,7 @@ class AdminURLFieldWidget(forms.URLInput):
         context["current_label"] = _("Currently:")
         context["change_label"] = _("Change:")
         context["widget"]["href"] = (
 -            smart_urlquote(context["widget"]["value"]) if value else ""
 +            smart_urlquote(context["widget"]["value"]) if url_valid else ""
         )
         context["url_valid"] = url_valid
         return context
 diff --git a/django/utils/html.py b/django/utils/html.py
 index dd52f1f7fe..23575d3c11 100644
 --- a/django/utils/html.py
 +++ b/django/utils/html.py
@@ -13,6 +13,8 @@ from django.utils.regex_helper import _lazy_re_compile
 from django.utils.safestring import SafeData, SafeString, mark_safe
 from django.utils.text import normalize_newlines
 +MAX_URL_LENGTH = 2048
 +
 @keep_lazy(SafeString)
 def escape(text):
@@ -300,9 +302,9 @@ class Urlizer:
             # Make URL we want to point to.
             url = None
             nofollow_attr = ' rel="nofollow"' if nofollow else ""
 -            if self.simple_url_re.match(middle):
 +            if len(middle) <= MAX_URL_LENGTH and self.simple_url_re.match(middle):
                 url = smart_urlquote(html.unescape(middle))
 -            elif self.simple_url_2_re.match(middle):
 +            elif len(middle) <= MAX_URL_LENGTH and self.simple_url_2_re.match(middle):
                 url = smart_urlquote("http://%s" % html.unescape(middle))
             elif ":" not in middle and self.is_email_simple(middle):
                 local, domain = middle.rsplit("@", 1)
@@ -417,6 +419,10 @@ class Urlizer:
         except ValueError:
             # value contains more than one @.
             return False
 +        # Max length for domain name labels is 63 characters per RFC 1034.
 +        # Helps to avoid ReDoS vectors in the domain part.
 +        if len(p2) > 63:
 +            return False
         # Dot must be in p2 (e.g. example.com)
         if "." not in p2 or p2.startswith("."):
             return False
 diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py
 index 0e20206048..4281ed07c6 100644
 --- a/tests/admin_widgets/tests.py
 +++ b/tests/admin_widgets/tests.py
@@ -461,7 +461,12 @@ class AdminSplitDateTimeWidgetTest(SimpleTestCase):
 class AdminURLWidgetTest(SimpleTestCase):
     def test_get_context_validates_url(self):
         w = widgets.AdminURLFieldWidget()
 -        for invalid in ["", "/not/a/full/url/", 'javascript:alert("Danger XSS!")']:
 +        for invalid in [
 +            "",
 +            "/not/a/full/url/",
 +            'javascript:alert("Danger XSS!")',
 +            "http://" + "한.글." * 1_000_000 + "com",
 +        ]:
             with self.subTest(url=invalid):
                 self.assertFalse(w.get_context("name", invalid, {})["url_valid"])
         self.assertTrue(w.get_context("name", "http://example.com", {})["url_valid"])
 diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
 index c45e0dfac1..83ebe4334b 100644
 --- a/tests/utils_tests/test_html.py
 +++ b/tests/utils_tests/test_html.py
@@ -328,6 +328,15 @@ class TestUtilsHtml(SimpleTestCase):
                 'Search for <a href="http://google.com/?q=">google.com/?q=</a>!',
             ),
             ("foo@example.com", '<a href="mailto:foo@example.com">foo@example.com</a>'),
 +            (
 +                "test@" + "한.글." * 15 + "aaa",
 +                '<a href="mailto:test@'
 +                + "xn--6q8b.xn--bj0b." * 15
 +                + 'aaa">'
 +                + "test@"
 +                + "한.글." * 15
 +                + "aaa</a>",
 +            ),
         )
         for value, output in tests:
             with self.subTest(value=value):
@@ -336,6 +345,10 @@ class TestUtilsHtml(SimpleTestCase):
     def test_urlize_unchanged_inputs(self):
         tests = (
             ("a" + "@a" * 50000) + "a",  # simple_email_re catastrophic test
 +            # Unicode domain catastrophic tests.
 +            "a@" + "한.글." * 1_000_000 + "a",
 +            "http://" + "한.글." * 1_000_000 + "com",
 +            "www." + "한.글." * 1_000_000 + "com",
             ("a" + "." * 1000000) + "a",  # trailing_punctuation catastrophic test
             "foo@",
             "@foo.com",
 -- 
 2.34.1
--- a/CVE-2024-42005.patch
+++ b/CVE-2024-42005.patch
@ -0,0 +1,78 @@
 From b6de28f897709ee5d94ca2da21bcc98f9dade01c Mon Sep 17 00:00:00 2001
 From: Simon Charette <charette.s@gmail.com>
 Date: Thu, 25 Jul 2024 18:19:13 +0200
 Subject: [PATCH 4/4] [4.2.x] Fixed CVE-2024-42005 -- Mitigated
 QuerySet.values() SQL injection attacks against JSON fields.
 Thanks Eyal (eyalgabay) for the report.
 ---
 django/db/models/sql/query.py             |  2 ++
 tests/expressions/models.py               |  7 +++++++
 tests/expressions/test_queryset_values.py | 17 +++++++++++++++--
 4 files changed, 31 insertions(+), 2 deletions(-)
 diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
 index f98c6c668b..e68fd9efb7 100644
 --- a/django/db/models/sql/query.py
 +++ b/django/db/models/sql/query.py
@@ -2415,6 +2415,8 @@ class Query(BaseExpression):
         self.has_select_fields = True
         if fields:
 +            for field in fields:
 +                self.check_alias(field)
             field_names = []
             extra_names = []
             annotation_names = []
 diff --git a/tests/expressions/models.py b/tests/expressions/models.py
 index 0a8a0a6584..6b21e9ccf3 100644
 --- a/tests/expressions/models.py
 +++ b/tests/expressions/models.py
@@ -106,3 +106,10 @@ class UUIDPK(models.Model):
 class UUID(models.Model):
     uuid = models.UUIDField(null=True)
     uuid_fk = models.ForeignKey(UUIDPK, models.CASCADE, null=True)
 +
 +
 +class JSONFieldModel(models.Model):
 +    data = models.JSONField(null=True)
 +
 +    class Meta:
 +        required_db_features = {"supports_json_field"}
 diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
 index 80addef37b..47bd1358de 100644
 --- a/tests/expressions/test_queryset_values.py
 +++ b/tests/expressions/test_queryset_values.py
@@ -1,7 +1,7 @@
 from django.db.models import F, Sum
 -from django.test import TestCase
 +from django.test import TestCase, skipUnlessDBFeature
 -from .models import Company, Employee
 +from .models import Company, Employee, JSONFieldModel
 class ValuesExpressionsTests(TestCase):
@@ -43,6 +43,19 @@ class ValuesExpressionsTests(TestCase):
         with self.assertRaisesMessage(ValueError, msg):
             Company.objects.values(**{crafted_alias: F("ceo__salary")})
 +    @skipUnlessDBFeature("supports_json_field")
 +    def test_values_expression_alias_sql_injection_json_field(self):
 +        crafted_alias = """injected_name" from "expressions_company"; --"""
 +        msg = (
 +            "Column aliases cannot contain whitespace characters, quotation marks, "
 +            "semicolons, or SQL comments."
 +        )
 +        with self.assertRaisesMessage(ValueError, msg):
 +            JSONFieldModel.objects.values(f"data__{crafted_alias}")
 +
 +        with self.assertRaisesMessage(ValueError, msg):
 +            JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
 +
     def test_values_expression_group_by(self):
         # values() applies annotate() first, so values selected are grouped by
         # id, not firstname.
 -- 
 2.34.1
--- a/CVE-2024-45230.patch
+++ b/CVE-2024-45230.patch
@ -0,0 +1,133 @@
 From 65a776dd25b657cc32edafaad98d91aa0b51e641 Mon Sep 17 00:00:00 2001
 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
 Date: Mon, 12 Aug 2024 15:17:57 +0200
 Subject: [PATCH 1/2] [4.2.x] Fixed CVE-2024-45230 -- Mitigated potential DoS
 in urlize and urlizetrunc template filters.
 Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
 ---
 django/utils/html.py                          | 17 ++++++++------
 docs/ref/templates/builtins.txt               | 11 ++++++++++
 docs/releases/4.2.16.txt                      | 15 +++++++++++++
 docs/releases/index.txt                       |  1 +
 .../filter_tests/test_urlize.py               | 22 +++++++++++++++++++
 tests/utils_tests/test_html.py                |  1 +
 6 files changed, 60 insertions(+), 7 deletions(-)
 create mode 100644 docs/releases/4.2.16.txt
 Index: Django-4.2.11/django/utils/html.py
 ===================================================================
 --- Django-4.2.11.orig/django/utils/html.py
 +++ Django-4.2.11/django/utils/html.py
@@ -395,14 +395,17 @@ class Urlizer:
                 potential_entity = middle[amp:]
                 escaped = html.unescape(potential_entity)
                 if escaped == potential_entity or escaped.endswith(";"):
 -                    rstripped = middle.rstrip(";")
 -                    amount_stripped = len(middle) - len(rstripped)
 -                    if amp > -1 and amount_stripped > 1:
 -                        # Leave a trailing semicolon as might be an entity.
 -                        trail = middle[len(rstripped) + 1 :] + trail
 -                        middle = rstripped + ";"
 +                    rstripped = middle.rstrip(self.trailing_punctuation_chars)
 +                    trail_start = len(rstripped)
 +                    amount_trailing_semicolons = len(middle) - len(middle.rstrip(";"))
 +                    if amp > -1 and amount_trailing_semicolons > 1:
 +                        # Leave up to most recent semicolon as might be an entity.
 +                        recent_semicolon = middle[trail_start:].index(";")
 +                        middle_semicolon_index = recent_semicolon + trail_start + 1
 +                        trail = middle[middle_semicolon_index:] + trail
 +                        middle = rstripped + middle[trail_start:middle_semicolon_index]
                     else:
 -                        trail = middle[len(rstripped) :] + trail
 +                        trail = middle[trail_start:] + trail
                         middle = rstripped
                     trimmed_something = True
 Index: Django-4.2.11/docs/ref/templates/builtins.txt
 ===================================================================
 --- Django-4.2.11.orig/docs/ref/templates/builtins.txt
 +++ Django-4.2.11/docs/ref/templates/builtins.txt
@@ -2831,6 +2831,17 @@ Django's built-in :tfilter:`escape` filt
     email addresses that contain single quotes (``'``), things won't work as
     expected. Apply this filter only to plain text.
 +.. warning::
 +
 +    Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
 +    can become severe when applied to user controlled values such as content
 +    stored in a :class:`~django.db.models.TextField`. You can use
 +    :tfilter:`truncatechars` to add a limit to such inputs:
 +
 +    .. code-block:: html+django
 +
 +        {{ value|truncatechars:500|urlize }}
 +
 .. templatefilter:: urlizetrunc
 ``urlizetrunc``
 Index: Django-4.2.11/docs/releases/4.2.16.txt
 ===================================================================
 --- /dev/null
 +++ Django-4.2.11/docs/releases/4.2.16.txt
@@ -0,0 +1,15 @@
 +===========================
 +Django 4.2.16 release notes
 +===========================
 +
 +*September 3, 2024*
 +
 +Django 4.2.16 fixes one security issue with severity "moderate" and one
 +security issues with severity "low" in 4.2.15.
 +
 +CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
 +===========================================================================================
 +
 +:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
 +denial-of-service attack via very large inputs with a specific sequence of
 +characters.
 Index: Django-4.2.11/tests/template_tests/filter_tests/test_urlize.py
 ===================================================================
 --- Django-4.2.11.orig/tests/template_tests/filter_tests/test_urlize.py
 +++ Django-4.2.11/tests/template_tests/filter_tests/test_urlize.py
@@ -305,6 +305,28 @@ class FunctionTests(SimpleTestCase):
             "http://testing.com/example</a>.,:;)&quot;!",
         )
 +    def test_trailing_semicolon(self):
 +        self.assertEqual(
 +            urlize("http://example.com?x=&amp;", autoescape=False),
 +            '<a href="http://example.com?x=" rel="nofollow">'
 +            "http://example.com?x=&amp;</a>",
 +        )
 +        self.assertEqual(
 +            urlize("http://example.com?x=&amp;;", autoescape=False),
 +            '<a href="http://example.com?x=" rel="nofollow">'
 +            "http://example.com?x=&amp;</a>;",
 +        )
 +        self.assertEqual(
 +            urlize("http://example.com?x=&amp;;;", autoescape=False),
 +            '<a href="http://example.com?x=" rel="nofollow">'
 +            "http://example.com?x=&amp;</a>;;",
 +        )
 +        self.assertEqual(
 +            urlize("http://example.com?x=&amp.;...;", autoescape=False),
 +            '<a href="http://example.com?x=" rel="nofollow">'
 +            "http://example.com?x=&amp</a>.;...;",
 +        )
 +
     def test_brackets(self):
         """
         #19070 - Check urlize handles brackets properly
 Index: Django-4.2.11/tests/utils_tests/test_html.py
 ===================================================================
 --- Django-4.2.11.orig/tests/utils_tests/test_html.py
 +++ Django-4.2.11/tests/utils_tests/test_html.py
@@ -364,6 +364,7 @@ class TestUtilsHtml(SimpleTestCase):
             "&:" + ";" * 100_000,
             "&.;" * 100_000,
             ".;" * 100_000,
 +            "&" + ";:" * 100_000,
         )
         for value in tests:
             with self.subTest(value=value):
--- a/CVE-2024-45231.patch
+++ b/CVE-2024-45231.patch
@ -0,0 +1,159 @@
 From fe42da9cdacd9f43fb0d499244314c36f9a11a19 Mon Sep 17 00:00:00 2001
 From: Natalia <124304+nessita@users.noreply.github.com>
 Date: Mon, 19 Aug 2024 14:47:38 -0300
 Subject: [PATCH 2/2] [4.2.x] Fixed CVE-2024-45231 -- Avoided server error on
 password reset when email sending fails.
 On successful submission of a password reset request, an email is sent
 to the accounts known to the system. If sending this email fails (due to
 email backend misconfiguration, service provider outage, network issues,
 etc.), an attacker might exploit this by detecting which password reset
 requests succeed and which ones generate a 500 error response.
 Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak and
 Sarah Boyce for the reviews.
 ---
 django/contrib/auth/forms.py   |  9 ++++++++-
 docs/ref/logging.txt           | 12 ++++++++++++
 docs/releases/4.2.16.txt       | 11 +++++++++++
 docs/topics/auth/default.txt   |  4 +++-
 tests/auth_tests/test_forms.py | 21 +++++++++++++++++++++
 tests/mail/custombackend.py    |  5 +++++
 6 files changed, 60 insertions(+), 2 deletions(-)
 diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
 index 061dc81b42..20ce1ba39c 100644
 --- a/django/contrib/auth/forms.py
 +++ b/django/contrib/auth/forms.py
@@ -1,3 +1,4 @@
 +import logging
 import unicodedata
 from django import forms
@@ -16,6 +17,7 @@ from django.utils.translation import gettext
 from django.utils.translation import gettext_lazy as _
 UserModel = get_user_model()
 +logger = logging.getLogger("django.contrib.auth")
 def _unicode_ci_compare(s1, s2):
@@ -314,7 +316,12 @@ class PasswordResetForm(forms.Form):
             html_email = loader.render_to_string(html_email_template_name, context)
             email_message.attach_alternative(html_email, "text/html")
 -        email_message.send()
 +        try:
 +            email_message.send()
 +        except Exception:
 +            logger.exception(
 +                "Failed to send password reset email to %s:", context["user"].pk
 +            )
     def get_users(self, email):
         """Given an email, return matching user(s) who should receive a reset.
 diff --git a/docs/ref/logging.txt b/docs/ref/logging.txt
 index b11fb752f7..3d33e0af63 100644
 --- a/docs/ref/logging.txt
 +++ b/docs/ref/logging.txt
@@ -204,6 +204,18 @@ all database queries.
     Support for logging transaction management queries (``BEGIN``, ``COMMIT``,
     and ``ROLLBACK``) was added.
 +.. _django-contrib-auth-logger:
 +
 +``django.contrib.auth``
 +~~~~~~~~~~~~~~~~~~~~~~~
 +
 +.. versionadded:: 4.2.16
 +
 +Log messages related to :doc:`contrib/auth`, particularly ``ERROR`` messages
 +are generated when a :class:`~django.contrib.auth.forms.PasswordResetForm` is
 +successfully submitted but the password reset email cannot be delivered due to
 +a mail sending exception.
 +
 .. _django-security-logger:
 ``django.security.*``
 diff --git a/docs/releases/4.2.16.txt b/docs/releases/4.2.16.txt
 index 043041a97f..4e632d5d77 100644
 --- a/docs/releases/4.2.16.txt
 +++ b/docs/releases/4.2.16.txt
@@ -13,3 +13,14 @@ CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html
 :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
 denial-of-service attack via very large inputs with a specific sequence of
 characters.
 +
 +CVE-2024-45231: Potential user email enumeration via response status on password reset
 +======================================================================================
 +
 +Due to unhandled email sending failures, the
 +:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote
 +attackers to enumerate user emails by issuing password reset requests and
 +observing the outcomes.
 +
 +To mitigate this risk, exceptions occurring during password reset email sending
 +are now handled and logged using the :ref:`django-contrib-auth-logger` logger.
 diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
 index 528902416d..ad840c5e57 100644
 --- a/docs/topics/auth/default.txt
 +++ b/docs/topics/auth/default.txt
@@ -1661,7 +1661,9 @@ provides several built-in forms located in :mod:`django.contrib.auth.forms`:
     .. method:: send_mail(subject_template_name, email_template_name, context, from_email, to_email, html_email_template_name=None)
         Uses the arguments to send an ``EmailMultiAlternatives``.
 -        Can be overridden to customize how the email is sent to the user.
 +        Can be overridden to customize how the email is sent to the user. If
 +        you choose to override this method, be mindful of handling potential
 +        exceptions raised due to email sending failures.
         :param subject_template_name: the template for the subject.
         :param email_template_name: the template for the email body.
 diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
 index 81c56a428e..ccb1a26a2b 100644
 --- a/tests/auth_tests/test_forms.py
 +++ b/tests/auth_tests/test_forms.py
@@ -1245,6 +1245,27 @@ class PasswordResetFormTest(TestDataMixin, TestCase):
             )
         )
 +    @override_settings(EMAIL_BACKEND="mail.custombackend.FailingEmailBackend")
 +    def test_save_send_email_exceptions_are_catched_and_logged(self):
 +        (user, username, email) = self.create_dummy_user()
 +        form = PasswordResetForm({"email": email})
 +        self.assertTrue(form.is_valid())
 +
 +        with self.assertLogs("django.contrib.auth", level=0) as cm:
 +            form.save()
 +
 +        self.assertEqual(len(mail.outbox), 0)
 +        self.assertEqual(len(cm.output), 1)
 +        errors = cm.output[0].split("\n")
 +        pk = user.pk
 +        self.assertEqual(
 +            errors[0],
 +            f"ERROR:django.contrib.auth:Failed to send password reset email to {pk}:",
 +        )
 +        self.assertEqual(
 +            errors[-1], "ValueError: FailingEmailBackend is doomed to fail."
 +        )
 +
     @override_settings(AUTH_USER_MODEL="auth_tests.CustomEmailField")
     def test_custom_email_field(self):
         email = "test@mail.com"
 diff --git a/tests/mail/custombackend.py b/tests/mail/custombackend.py
 index 14e7f077ba..c6c567b642 100644
 --- a/tests/mail/custombackend.py
 +++ b/tests/mail/custombackend.py
@@ -12,3 +12,8 @@ class EmailBackend(BaseEmailBackend):
         # Messages are stored in an instance variable for testing.
         self.test_outbox.extend(email_messages)
         return len(email_messages)
 +
 +
 +class FailingEmailBackend(BaseEmailBackend):
 +    def send_messages(self, email_messages):
 +        raise ValueError("FailingEmailBackend is doomed to fail.")
 -- 
 2.46.0
--- a/CVE-2024-53907.patch
+++ b/CVE-2024-53907.patch
@ -0,0 +1,87 @@
 From 790eb058b0716c536a2f2e8d1c6d5079d776c22b Mon Sep 17 00:00:00 2001
 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
 Date: Wed, 13 Nov 2024 15:06:23 +0100
 Subject: [PATCH] [4.2.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in
 strip_tags().
 Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart
 for the reviews.
 ---
 django/utils/html.py           | 10 ++++++++--
 docs/releases/4.2.17.txt       | 16 ++++++++++++++++
 tests/utils_tests/test_html.py |  7 +++++++
 3 files changed, 31 insertions(+), 2 deletions(-)
 diff --git a/django/utils/html.py b/django/utils/html.py
 index df38c2051994..a3a7238cba44 100644
 --- a/django/utils/html.py
 +++ b/django/utils/html.py
@@ -6,6 +6,7 @@
 from html.parser import HTMLParser
 from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit
 +from django.core.exceptions import SuspiciousOperation
 from django.utils.encoding import punycode
 from django.utils.functional import Promise, cached_property, keep_lazy, keep_lazy_text
 from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS
@@ -14,6 +15,7 @@
 from django.utils.text import normalize_newlines
 MAX_URL_LENGTH = 2048
 +MAX_STRIP_TAGS_DEPTH = 50
 @keep_lazy(SafeString)
@@ -172,15 +174,19 @@ def _strip_once(value):
 @keep_lazy_text
 def strip_tags(value):
     """Return the given HTML with all tags stripped."""
 -    # Note: in typical case this loop executes _strip_once once. Loop condition
 -    # is redundant, but helps to reduce number of executions of _strip_once.
     value = str(value)
 +    # Note: in typical case this loop executes _strip_once twice (the second
 +    # execution does not remove any more tags).
 +    strip_tags_depth = 0
     while "<" in value and ">" in value:
 +        if strip_tags_depth >= MAX_STRIP_TAGS_DEPTH:
 +            raise SuspiciousOperation
         new_value = _strip_once(value)
         if value.count("<") == new_value.count("<"):
             # _strip_once wasn't able to detect more tags.
             break
         value = new_value
 +        strip_tags_depth += 1
     return value
 diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
 index 7ff5020fb6d3..579bb2a1e359 100644
 --- a/tests/utils_tests/test_html.py
 +++ b/tests/utils_tests/test_html.py
@@ -1,6 +1,7 @@
 import os
 from datetime import datetime
 +from django.core.exceptions import SuspiciousOperation
 from django.core.serializers.json import DjangoJSONEncoder
 from django.test import SimpleTestCase
 from django.utils.functional import lazystr
@@ -113,12 +114,18 @@ def test_strip_tags(self):
             ("<script>alert()</script>&h", "alert()h"),
             ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),
             ("X<<<<br>br>br>br>X", "XX"),
 +            ("<" * 50 + "a>" * 50, ""),
         )
         for value, output in items:
             with self.subTest(value=value, output=output):
                 self.check_output(strip_tags, value, output)
                 self.check_output(strip_tags, lazystr(value), output)
 +    def test_strip_tags_suspicious_operation(self):
 +        value = "<" * 51 + "a>" * 51, "<a>"
 +        with self.assertRaises(SuspiciousOperation):
 +            strip_tags(value)
 +
     def test_strip_tags_files(self):
         # Test with more lengthy content (also catching performance regressions)
         for filename in ("strip_tags1.html", "strip_tags2.txt"):
--- a/CVE-2024-53908.patch
+++ b/CVE-2024-53908.patch
@ -0,0 +1,144 @@
 From 7376bcbf508883282ffcc0f0fac5cf0ed2d6cbc5 Mon Sep 17 00:00:00 2001
 From: Simon Charette <charette.s@gmail.com>
 Date: Fri, 8 Nov 2024 21:27:31 -0500
 Subject: [PATCH] [4.2.x] Fixed CVE-2024-53908 -- Prevented SQL injections in
 direct HasKeyLookup usage on Oracle.
 Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah
 Boyce for the reviews.
 ---
 django/db/models/fields/json.py      | 53 ++++++++++++++++++----------
 docs/releases/4.2.17.txt             |  9 +++++
 tests/model_fields/test_jsonfield.py |  9 +++++
 3 files changed, 53 insertions(+), 18 deletions(-)
 diff --git a/django/db/models/fields/json.py b/django/db/models/fields/json.py
 index b7cde157c4fa..b9c6ff1752b9 100644
 --- a/django/db/models/fields/json.py
 +++ b/django/db/models/fields/json.py
@@ -216,20 +216,18 @@ def compile_json_path_final_key(self, key_transform):
         # Compile the final key without interpreting ints as array elements.
         return ".%s" % json.dumps(key_transform)
 -    def as_sql(self, compiler, connection, template=None):
 +    def _as_sql_parts(self, compiler, connection):
         # Process JSON path from the left-hand side.
         if isinstance(self.lhs, KeyTransform):
 -            lhs, lhs_params, lhs_key_transforms = self.lhs.preprocess_lhs(
 +            lhs_sql, lhs_params, lhs_key_transforms = self.lhs.preprocess_lhs(
                 compiler, connection
             )
             lhs_json_path = compile_json_path(lhs_key_transforms)
         else:
 -            lhs, lhs_params = self.process_lhs(compiler, connection)
 +            lhs_sql, lhs_params = self.process_lhs(compiler, connection)
             lhs_json_path = "$"
 -        sql = template % lhs
         # Process JSON path from the right-hand side.
         rhs = self.rhs
 -        rhs_params = []
         if not isinstance(rhs, (list, tuple)):
             rhs = [rhs]
         for key in rhs:
@@ -240,24 +238,43 @@ def as_sql(self, compiler, connection, template=None):
             *rhs_key_transforms, final_key = rhs_key_transforms
             rhs_json_path = compile_json_path(rhs_key_transforms, include_root=False)
             rhs_json_path += self.compile_json_path_final_key(final_key)
 -            rhs_params.append(lhs_json_path + rhs_json_path)
 +            yield lhs_sql, lhs_params, lhs_json_path + rhs_json_path
 +
 +    def _combine_sql_parts(self, parts):
         # Add condition for each key.
         if self.logical_operator:
 -            sql = "(%s)" % self.logical_operator.join([sql] * len(rhs_params))
 -        return sql, tuple(lhs_params) + tuple(rhs_params)
 +            return "(%s)" % self.logical_operator.join(parts)
 +        return "".join(parts)
 +
 +    def as_sql(self, compiler, connection, template=None):
 +        sql_parts = []
 +        params = []
 +        for lhs_sql, lhs_params, rhs_json_path in self._as_sql_parts(
 +            compiler, connection
 +        ):
 +            sql_parts.append(template % (lhs_sql, "%s"))
 +            params.extend(lhs_params + [rhs_json_path])
 +        return self._combine_sql_parts(sql_parts), tuple(params)
     def as_mysql(self, compiler, connection):
         return self.as_sql(
 -            compiler, connection, template="JSON_CONTAINS_PATH(%s, 'one', %%s)"
 +            compiler, connection, template="JSON_CONTAINS_PATH(%s, 'one', %s)"
         )
     def as_oracle(self, compiler, connection):
 -        sql, params = self.as_sql(
 -            compiler, connection, template="JSON_EXISTS(%s, '%%s')"
 -        )
 -        # Add paths directly into SQL because path expressions cannot be passed
 -        # as bind variables on Oracle.
 -        return sql % tuple(params), []
 +        template = "JSON_EXISTS(%s, '%s')"
 +        sql_parts = []
 +        params = []
 +        for lhs_sql, lhs_params, rhs_json_path in self._as_sql_parts(
 +            compiler, connection
 +        ):
 +            # Add right-hand-side directly into SQL because it cannot be passed
 +            # as bind variables to JSON_EXISTS. It might result in invalid
 +            # queries but it is assumed that it cannot be evaded because the
 +            # path is JSON serialized.
 +            sql_parts.append(template % (lhs_sql, rhs_json_path))
 +            params.extend(lhs_params)
 +        return self._combine_sql_parts(sql_parts), tuple(params)
     def as_postgresql(self, compiler, connection):
         if isinstance(self.rhs, KeyTransform):
@@ -269,7 +286,7 @@ def as_postgresql(self, compiler, connection):
     def as_sqlite(self, compiler, connection):
         return self.as_sql(
 -            compiler, connection, template="JSON_TYPE(%s, %%s) IS NOT NULL"
 +            compiler, connection, template="JSON_TYPE(%s, %s) IS NOT NULL"
         )
@@ -467,9 +484,9 @@ def as_oracle(self, compiler, connection):
         return "(NOT %s OR %s IS NULL)" % (sql, lhs), tuple(params) + tuple(lhs_params)
     def as_sqlite(self, compiler, connection):
 -        template = "JSON_TYPE(%s, %%s) IS NULL"
 +        template = "JSON_TYPE(%s, %s) IS NULL"
         if not self.rhs:
 -            template = "JSON_TYPE(%s, %%s) IS NOT NULL"
 +            template = "JSON_TYPE(%s, %s) IS NOT NULL"
         return HasKeyOrArrayIndex(self.lhs.lhs, self.lhs.key_name).as_sql(
             compiler,
             connection,
 diff --git a/tests/model_fields/test_jsonfield.py b/tests/model_fields/test_jsonfield.py
 index 4a1cc075b4c4..4c8d14bf9a17 100644
 --- a/tests/model_fields/test_jsonfield.py
 +++ b/tests/model_fields/test_jsonfield.py
@@ -29,6 +29,7 @@
 from django.db.models.expressions import RawSQL
 from django.db.models.fields.json import (
     KT,
 +    HasKey,
     KeyTextTransform,
     KeyTransform,
     KeyTransformFactory,
@@ -607,6 +608,14 @@ def test_has_key_deep(self):
                     [expected],
                 )
 +    def test_has_key_literal_lookup(self):
 +        self.assertSequenceEqual(
 +            NullableJSONModel.objects.filter(
 +                HasKey(Value({"foo": "bar"}, JSONField()), "foo")
 +            ).order_by("id"),
 +            self.objs,
 +        )
 +
     def test_has_key_list(self):
         obj = NullableJSONModel.objects.create(value=[{"a": 1}, {"b": "x"}])
         tests = [
--- a/CVE-2024-56374.patch
+++ b/CVE-2024-56374.patch
@ -0,0 +1,280 @@
 From ad866a1ca3e7d60da888d25d27e46a8adb2ed36e Mon Sep 17 00:00:00 2001
 From: Natalia <124304+nessita@users.noreply.github.com>
 Date: Mon, 6 Jan 2025 15:51:45 -0300
 Subject: [PATCH] [4.2.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in
 IPv6 validation.
 Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
 Felisiak for the reviews.
 Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
 ---
 django/db/models/fields/__init__.py           |  6 +--
 django/forms/fields.py                        |  7 +++-
 django/utils/ipv6.py                          | 19 +++++++--
 docs/ref/forms/fields.txt                     | 13 +++++-
 docs/releases/4.2.18.txt                      | 12 ++++++
 .../field_tests/test_genericipaddressfield.py | 33 ++++++++++++++-
 tests/utils_tests/test_ipv6.py                | 40 +++++++++++++++++--
 7 files changed, 116 insertions(+), 14 deletions(-)
 diff --git a/django/db/models/fields/__init__.py b/django/db/models/fields/__init__.py
 index b65948d783ae..0cfba4e0aab6 100644
 --- a/django/db/models/fields/__init__.py
 +++ b/django/db/models/fields/__init__.py
@@ -25,7 +25,7 @@
 )
 from django.utils.duration import duration_microseconds, duration_string
 from django.utils.functional import Promise, cached_property
 -from django.utils.ipv6 import clean_ipv6_address
 +from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address
 from django.utils.itercompat import is_iterable
 from django.utils.text import capfirst
 from django.utils.translation import gettext_lazy as _
@@ -2160,7 +2160,7 @@ def __init__(
             invalid_error_message,
         ) = validators.ip_address_validators(protocol, unpack_ipv4)
         self.default_error_messages["invalid"] = invalid_error_message
 -        kwargs["max_length"] = 39
 +        kwargs["max_length"] = MAX_IPV6_ADDRESS_LENGTH
         super().__init__(verbose_name, name, *args, **kwargs)
     def check(self, **kwargs):
@@ -2187,7 +2187,7 @@ def deconstruct(self):
             kwargs["unpack_ipv4"] = self.unpack_ipv4
         if self.protocol != "both":
             kwargs["protocol"] = self.protocol
 -        if kwargs.get("max_length") == 39:
 +        if kwargs.get("max_length") == self.max_length:
             del kwargs["max_length"]
         return name, path, args, kwargs
 diff --git a/django/forms/fields.py b/django/forms/fields.py
 index 01cd831964ea..e62417f5523b 100644
 --- a/django/forms/fields.py
 +++ b/django/forms/fields.py
@@ -42,7 +42,7 @@
 from django.utils import formats
 from django.utils.dateparse import parse_datetime, parse_duration
 from django.utils.duration import duration_string
 -from django.utils.ipv6 import clean_ipv6_address
 +from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address
 from django.utils.regex_helper import _lazy_re_compile
 from django.utils.translation import gettext_lazy as _
 from django.utils.translation import ngettext_lazy
@@ -1284,6 +1284,7 @@ def __init__(self, *, protocol="both", unpack_ipv4=False, **kwargs):
         self.default_validators = validators.ip_address_validators(
             protocol, unpack_ipv4
         )[0]
 +        kwargs.setdefault("max_length", MAX_IPV6_ADDRESS_LENGTH)
         super().__init__(**kwargs)
     def to_python(self, value):
@@ -1291,7 +1292,9 @@ def to_python(self, value):
             return ""
         value = value.strip()
         if value and ":" in value:
 -            return clean_ipv6_address(value, self.unpack_ipv4)
 +            return clean_ipv6_address(
 +                value, self.unpack_ipv4, max_length=self.max_length
 +            )
         return value
 diff --git a/django/utils/ipv6.py b/django/utils/ipv6.py
 index 88dd6ecb4b84..de41a97f7210 100644
 --- a/django/utils/ipv6.py
 +++ b/django/utils/ipv6.py
@@ -3,9 +3,22 @@
 from django.core.exceptions import ValidationError
 from django.utils.translation import gettext_lazy as _
 +MAX_IPV6_ADDRESS_LENGTH = 39
 +
 +
 +def _ipv6_address_from_str(ip_str, max_length=MAX_IPV6_ADDRESS_LENGTH):
 +    if len(ip_str) > max_length:
 +        raise ValueError(
 +            f"Unable to convert {ip_str} to an IPv6 address (value too long)."
 +        )
 +    return ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
 +
 def clean_ipv6_address(
 -    ip_str, unpack_ipv4=False, error_message=_("This is not a valid IPv6 address.")
 +    ip_str,
 +    unpack_ipv4=False,
 +    error_message=_("This is not a valid IPv6 address."),
 +    max_length=MAX_IPV6_ADDRESS_LENGTH,
 ):
     """
     Clean an IPv6 address string.
@@ -24,7 +37,7 @@ def clean_ipv6_address(
     Return a compressed IPv6 address or the same value.
     """
     try:
 -        addr = ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
 +        addr = _ipv6_address_from_str(ip_str, max_length)
     except ValueError:
         raise ValidationError(error_message, code="invalid")
@@ -41,7 +54,7 @@ def is_valid_ipv6_address(ip_str):
     Return whether or not the `ip_str` string is a valid IPv6 address.
     """
     try:
 -        ipaddress.IPv6Address(ip_str)
 +        _ipv6_address_from_str(ip_str)
     except ValueError:
         return False
     return True
 diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt
 index 1a7274e0d1ad..76b4587e21a6 100644
 --- a/docs/ref/forms/fields.txt
 +++ b/docs/ref/forms/fields.txt
@@ -719,7 +719,7 @@ For each field, we describe the default widget used if you don't specify
     * Empty value: ``''`` (an empty string)
     * Normalizes to: A string. IPv6 addresses are normalized as described below.
     * Validates that the given value is a valid IP address.
 -    * Error message keys: ``required``, ``invalid``
 +    * Error message keys: ``required``, ``invalid``, ``max_length``
     The IPv6 address normalization follows :rfc:`4291#section-2.2` section 2.2,
     including using the IPv4 format suggested in paragraph 3 of that section, like
@@ -727,7 +727,7 @@ For each field, we describe the default widget used if you don't specify
     ``2001::1``, and ``::ffff:0a0a:0a0a`` to ``::ffff:10.10.10.10``. All characters
     are converted to lowercase.
 -    Takes two optional arguments:
 +    Takes three optional arguments:
     .. attribute:: protocol
@@ -742,6 +742,15 @@ For each field, we describe the default widget used if you don't specify
         ``192.0.2.1``. Default is disabled. Can only be used
         when ``protocol`` is set to ``'both'``.
 +    .. attribute:: max_length
 +
 +        Defaults to 39, and behaves the same way as it does for
 +        :class:`CharField`.
 +
 +    .. versionchanged:: 4.2.18
 +
 +        The default value for ``max_length`` was set to 39 characters.
 +
 ``ImageField``
 --------------
 diff --git a/tests/forms_tests/field_tests/test_genericipaddressfield.py b/tests/forms_tests/field_tests/test_genericipaddressfield.py
 index 80722f5c65c1..ef00a727a468 100644
 --- a/tests/forms_tests/field_tests/test_genericipaddressfield.py
 +++ b/tests/forms_tests/field_tests/test_genericipaddressfield.py
@@ -1,6 +1,7 @@
 from django.core.exceptions import ValidationError
 from django.forms import GenericIPAddressField
 from django.test import SimpleTestCase
 +from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH
 class GenericIPAddressFieldTest(SimpleTestCase):
@@ -125,6 +126,35 @@ def test_generic_ipaddress_as_ipv6_only(self):
         ):
             f.clean("1:2")
 +    def test_generic_ipaddress_max_length_custom(self):
 +        # Valid IPv4-mapped IPv6 address, len 45.
 +        addr = "0000:0000:0000:0000:0000:ffff:192.168.100.228"
 +        f = GenericIPAddressField(max_length=len(addr))
 +        f.clean(addr)
 +
 +    def test_generic_ipaddress_max_length_validation_error(self):
 +        # Valid IPv4-mapped IPv6 address, len 45.
 +        addr = "0000:0000:0000:0000:0000:ffff:192.168.100.228"
 +
 +        cases = [
 +            ({}, MAX_IPV6_ADDRESS_LENGTH),  # Default value.
 +            ({"max_length": len(addr) - 1}, len(addr) - 1),
 +        ]
 +        for kwargs, max_length in cases:
 +            max_length_plus_one = max_length + 1
 +            msg = (
 +                f"Ensure this value has at most {max_length} characters (it has "
 +                f"{max_length_plus_one}).'"
 +            )
 +            with self.subTest(max_length=max_length):
 +                f = GenericIPAddressField(**kwargs)
 +                with self.assertRaisesMessage(ValidationError, msg):
 +                    f.clean("x" * max_length_plus_one)
 +                with self.assertRaisesMessage(
 +                    ValidationError, "This is not a valid IPv6 address."
 +                ):
 +                    f.clean(addr)
 +
     def test_generic_ipaddress_as_generic_not_required(self):
         f = GenericIPAddressField(required=False)
         self.assertEqual(f.clean(""), "")
@@ -150,7 +180,8 @@ def test_generic_ipaddress_as_generic_not_required(self):
             f.clean(" fe80::223:6cff:fe8a:2e8a "), "fe80::223:6cff:fe8a:2e8a"
         )
         self.assertEqual(
 -            f.clean(" 2a02::223:6cff:fe8a:2e8a "), "2a02::223:6cff:fe8a:2e8a"
 +            f.clean(" " * MAX_IPV6_ADDRESS_LENGTH + " 2a02::223:6cff:fe8a:2e8a "),
 +            "2a02::223:6cff:fe8a:2e8a",
         )
         with self.assertRaisesMessage(
             ValidationError, "'This is not a valid IPv6 address.'"
 diff --git a/tests/utils_tests/test_ipv6.py b/tests/utils_tests/test_ipv6.py
 index bf78ed91c08f..2d06507fa152 100644
 --- a/tests/utils_tests/test_ipv6.py
 +++ b/tests/utils_tests/test_ipv6.py
@@ -1,9 +1,17 @@
 -import unittest
 +import traceback
 +from io import StringIO
 -from django.utils.ipv6 import clean_ipv6_address, is_valid_ipv6_address
 +from django.core.exceptions import ValidationError
 +from django.test import SimpleTestCase
 +from django.utils.ipv6 import (
 +    MAX_IPV6_ADDRESS_LENGTH,
 +    clean_ipv6_address,
 +    is_valid_ipv6_address,
 +)
 +from django.utils.version import PY310
 -class TestUtilsIPv6(unittest.TestCase):
 +class TestUtilsIPv6(SimpleTestCase):
     def test_validates_correct_plain_address(self):
         self.assertTrue(is_valid_ipv6_address("fe80::223:6cff:fe8a:2e8a"))
         self.assertTrue(is_valid_ipv6_address("2a02::223:6cff:fe8a:2e8a"))
@@ -64,3 +72,29 @@ def test_unpacks_ipv4(self):
         self.assertEqual(
             clean_ipv6_address("::ffff:18.52.18.52", unpack_ipv4=True), "18.52.18.52"
         )
 +
 +    def test_address_too_long(self):
 +        addresses = [
 +            "0000:0000:0000:0000:0000:ffff:192.168.100.228",  # IPv4-mapped IPv6 address
 +            "0000:0000:0000:0000:0000:ffff:192.168.100.228%123456",  # % scope/zone
 +            "fe80::223:6cff:fe8a:2e8a:1234:5678:00000",  # MAX_IPV6_ADDRESS_LENGTH + 1
 +        ]
 +        msg = "This is the error message."
 +        value_error_msg = "Unable to convert %s to an IPv6 address (value too long)."
 +        for addr in addresses:
 +            with self.subTest(addr=addr):
 +                self.assertGreater(len(addr), MAX_IPV6_ADDRESS_LENGTH)
 +                self.assertEqual(is_valid_ipv6_address(addr), False)
 +                with self.assertRaisesMessage(ValidationError, msg) as ctx:
 +                    clean_ipv6_address(addr, error_message=msg)
 +                exception_traceback = StringIO()
 +                if PY310:
 +                    traceback.print_exception(ctx.exception, file=exception_traceback)
 +                else:
 +                    traceback.print_exception(
 +                        type(ctx.exception),
 +                        value=ctx.exception,
 +                        tb=ctx.exception.__traceback__,
 +                        file=exception_traceback,
 +                    )
 +                self.assertIn(value_error_msg % addr, exception_traceback.getvalue())
--- a/Django-4.2.11.checksum.txt
+++ b/Django-4.2.11.checksum.txt
@ -0,0 +1,67 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA256
 This file contains MD5, SHA1, and SHA256 checksums for the source-code
 tarball and wheel files of Django 4.2.11, released March 4, 2024.
 To use this file, you will need a working install of PGP or other
 compatible public-key encryption software. You will also need to have
 the Django release manager's public key in your keyring. This key has
 the ID ``2EF56372BA48CD1B`` and can be imported from the MIT
 keyserver, for example, if using the open-source GNU Privacy Guard
 implementation of PGP:
    gpg --keyserver pgp.mit.edu --recv-key 2EF56372BA48CD1B
 or via the GitHub API:
    curl https://github.com/felixxm.gpg | gpg --import -
 Once the key is imported, verify this file:
    gpg --verify Django-4.2.11.checksum.txt
 Once you have verified this file, you can use normal MD5, SHA1, or SHA256
 checksumming applications to generate the checksums of the Django
 package and compare them to the checksums listed below.
 Release packages
 ================
 https://www.djangoproject.com/m/releases/4.2/Django-4.2.11-py3-none-any.whl
 https://www.djangoproject.com/m/releases/4.2/Django-4.2.11.tar.gz
 MD5 checksums
 =============
 5ac62cf0d75216275a8d5f3b9a87b7a1  Django-4.2.11-py3-none-any.whl
 33dc961e25b6ed54e22b62726b334d4d  Django-4.2.11.tar.gz
 SHA1 checksums
 ==============
 69943b2e90d352cd8d536f34a0cd38dc3d3026be  Django-4.2.11-py3-none-any.whl
 fda76a55736054cb5aafb73d2caa3f2d47765f9f  Django-4.2.11.tar.gz
 SHA256 checksums
 ================
 ddc24a0a8280a0430baa37aff11f28574720af05888c62b7cfe71d219f4599d3  Django-4.2.11-py3-none-any.whl
 6e6ff3db2d8dd0c986b4eec8554c8e4f919b5c1ff62a5b4390c17aff2ed6e5c4  Django-4.2.11.tar.gz
 -----BEGIN PGP SIGNATURE-----
 iQJPBAEBCAA5FiEEq7LCqM0B8WE2GLcNLvVjcrpIzRsFAmXle9IbHGZlbGlzaWFr
 Lm1hcml1c3pAZ21haWwuY29tAAoJEC71Y3K6SM0bYRAP/RaamVJZrHq8H1vXx0IF
 +H99BDF282S6rEjajxe4vhEz8JnWFUkALlvh9MQQ2GOH7M66EfYP5K0BBWZHJTki
 Sf8zFRSaOYkblFaKvKMKC8m4nQ4XI2S2y3Nvx7KaaJSBsanahgDFFFcEdx8LnZdY
 2Vj9S2hnm9eT/0GSbTO2nn1lWcrShoYm2ZVHgmrH1qkX24uBO7VXD3x6j2pzdplg
 mW7rW03seWUtf/FQCGVnbTblxX7N0E+5BeeqwJvom8ijFEpcoFHY6EDLooXoq0MQ
 aDKOU5xns4k6YnPIDWSlZKa/RhxLUhkAyyiMrS1ADZF8Ee7Xk+M8cAt6okv6EBul
 gEWVtVKGYV9DKlKBqTkWcgiFH4nKSl+ckVrTK8OTss3zIUxkXQr34Ee5rJ6ciC+8
 2FHq3S55ylBvXDW1U+tfknyi78GLywjySxhdSOnZIEAaWDnFpW3X+838FKRUXMlC
 rMvQJswtpPPx76E1RyzwSuBdpVkzHoC49GGeZfyPynlupZJ9Vcue7w2q8WvQ0GrX
 /qhPFU21AEvf2siOlFwSr9TopjIMFckHMuLrSrVyoYoDZq1DXyprEpkasPXOq9zM
 FTqWPscC7M2BI0mAAMcJTWPBlqmfwF0W7Jiqo7cZutmdSVhOxDrySr3zWYXBzfht
 ERfQPBvTEYmsXtBC+H3mk040
 =I96k
 -----END PGP SIGNATURE-----
--- a/Django-4.2.11.tar.gz
+++ b/Django-4.2.11.tar.gz
--- a/Django-4.2.6.checksum.txt
+++ b/Django-4.2.6.checksum.txt
@ -1,67 +0,0 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA256
 This file contains MD5, SHA1, and SHA256 checksums for the source-code
 tarball and wheel files of Django 4.2.6, released October 4, 2023.
 To use this file, you will need a working install of PGP or other
 compatible public-key encryption software. You will also need to have
 the Django release manager's public key in your keyring. This key has
 the ID ``2EE82A8D9470983E`` and can be imported from the MIT
 keyserver, for example, if using the open-source GNU Privacy Guard
 implementation of PGP:
    gpg --keyserver pgp.mit.edu --recv-key 2EE82A8D9470983E
 or via the GitHub API:
    curl https://github.com/nessita.gpg | gpg --import -
 Once the key is imported, verify this file:
    gpg --verify Django-4.2.6.checksum.txt
 Once you have verified this file, you can use normal MD5, SHA1, or SHA256
 checksumming applications to generate the checksums of the Django
 package and compare them to the checksums listed below.
 Release packages
 ================
 https://www.djangoproject.com/m/releases/4.2/Django-4.2.6-py3-none-any.whl
 https://www.djangoproject.com/m/releases/4.2/Django-4.2.6.tar.gz
 MD5 checksums
 =============
 db83d48600d6afff838e53f42f9ebebb  Django-4.2.6-py3-none-any.whl
 ad84c2b9bbebaa26427a2a656fe5ceea  Django-4.2.6.tar.gz
 SHA1 checksums
 ==============
 36650eb323bd34afbe47936bd3e7bf62ed4d929c  Django-4.2.6-py3-none-any.whl
 6e912eeabd1df0b652e0da44cd3a556a496a1811  Django-4.2.6.tar.gz
 SHA256 checksums
 ================
 a64d2487cdb00ad7461434320ccc38e60af9c404773a2f95ab0093b4453a3215  Django-4.2.6-py3-none-any.whl
 08f41f468b63335aea0d904c5729e0250300f6a1907bf293a65499496cdbc68f  Django-4.2.6.tar.gz
 -----BEGIN PGP SIGNATURE-----
 iQJcBAEBCABGFiEEW1sboQ2FrHxcduOPLugqjZRwmD4FAmUdYL4oHDEyNDMwNCtu
 ZXNzaXRhQHVzZXJzLm5vcmVwbHkuZ2l0aHViLmNvbQAKCRAu6CqNlHCYPsQzEACE
 1e0nWDjh2RkV0nLraeEOd8DkyeCAMhFsiWGVkNY7chpeoXnF0YksHg9z2MiTDDJ9
 12EyYLFZPMCzqt3gO1/4iWYu/zx7Pb8gPTeg5NTLUnezZt4QT6FSv3fY7ByubqXQ
 lUp0jJJd8B3uc5zdZNLyg9OGBOHG7lqv7Eg7H3YUwXFo7VOkerLLgASTScE22Guo
 jyQYlnnLtse70l/MTTdmJYwJxbNM7LP4RXSovHV34nL2HCI5vDWyNlOgVeU+MT9F
 AQCW8Lb0H+GvrhL6Hc1D8xQl7OOvpo/5/53J1i/M2Ml60qeYbjWkqEByPI5d/9oS
 oHMzZcbnhlWcePy7zEYfyzQ0qFv3m/qIIf2rcd3mnrusMScWGsCFSSjqWLdoT2eO
 Cvz5Q+FGH8g2ce+DyfEDjDTzceReNL81lArmSPqntByYfp8COUuqBwe5PZ7T0yx7
 w2LWWICVmCfjKgQ12Rk7ElxcliIILFgETJVuPtjx6SrkDEzNDpiTVQH2E9LXZYsV
 5Qd7QEfTh0oEBBTPxHtSskTnfP/mJWAk62uLWYEcbmHTTcw4wQdnncwJS01tG+BD
 sd4iY0UeL4cof3sxkwGkvC6Sr0H5fgYCJs4AgAmcWBCzwFvtUp/J3+/WEr9wExBH
 /Fveza/vFJifyN1FwiemueuOqG/tvy1XJL6jCRH3gQ==
 =cttz
 -----END PGP SIGNATURE-----
--- a/Django-4.2.6.tar.gz
+++ b/Django-4.2.6.tar.gz
--- a/dirty-hack-remove-assert.patch
+++ b/dirty-hack-remove-assert.patch
@ -0,0 +1,25 @@
 From 36736edaf595d2bbf1fe881609b2a4c8e3bac68a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
 Date: Thu, 29 Jun 2023 12:29:21 +0200
 Subject: [PATCH] Dirty hack: Remove a failing assert, failure does not seem
 critical
 ---
 tests/settings_tests/tests.py | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/tests/settings_tests/tests.py b/tests/settings_tests/tests.py
 index 62cbffb..b7432d3 100644
 --- a/tests/settings_tests/tests.py
 +++ b/tests/settings_tests/tests.py
@@ -397,7 +397,6 @@ class TestComplexSettingOverride(SimpleTestCase):
         with self.assertWarnsMessage(UserWarning, msg) as cm:
             with override_settings(TEST_WARN="override"):
                 self.assertEqual(settings.TEST_WARN, "override")
 -        self.assertEqual(cm.filename, __file__)
 class SecureProxySslHeaderTest(SimpleTestCase):
 -- 
 2.40.1
--- a/fix-safemimetext-set_payload.patch
+++ b/fix-safemimetext-set_payload.patch
@ -0,0 +1,14 @@
 Index: Django-4.2.11/django/core/mail/message.py
 ===================================================================
 --- Django-4.2.11.orig/django/core/mail/message.py
 +++ Django-4.2.11/django/core/mail/message.py
@@ -168,7 +168,8 @@ class SafeMIMEText(MIMEMixin, MIMEText):
     def set_payload(self, payload, charset=None):
         if charset == "utf-8" and not isinstance(charset, Charset.Charset):
             has_long_lines = any(
 -                len(line.encode()) > RFC5322_EMAIL_LINE_LENGTH_LIMIT
 +                len(line.encode(errors="surrogateescape"))
 +                > RFC5322_EMAIL_LINE_LENGTH_LIMIT
                 for line in payload.splitlines()
             )
             # Quoted-Printable encoding has the side effect of shortening long
--- a/python-Django.changes
+++ b/python-Django.changes
@ -1,5 +1,33 @@
 -------------------------------------------------------------------
-Fri Jul 12 13:41:03 UTC 2024 - Nico Krapp <nico.krapp@suse.com>
+Wed Jan 15 08:19:57 UTC 2025 - Markéta Machová <mmachova@suse.com>
 - Add security patch CVE-2024-56374.patch (bsc#1235856)
 -------------------------------------------------------------------
 Mon Dec  9 09:49:50 UTC 2024 - Markéta Machová <mmachova@suse.com>
 - Add security patches:
  * CVE-2024-53907.patch (bsc#1234232)
  * CVE-2024-53908.patch (bsc#1234231)
 -------------------------------------------------------------------
 Mon Sep  2 12:48:52 UTC 2024 - Markéta Machová <mmachova@suse.com>
 - Add more security patches:
  * CVE-2024-45230.patch (bsc#1229823)
  * CVE-2024-45231.patch (bsc#1229824)
 -------------------------------------------------------------------
 Thu Aug  1 09:37:57 UTC 2024 - Markéta Machová <mmachova@suse.com>
 - Add bunch of security patches:
  * CVE-2024-42005.patch (bsc#1228629)
  * CVE-2024-41989.patch (bsc#1228630)
  * CVE-2024-41990.patch (bsc#1228631)
  * CVE-2024-41991.patch (bsc#1228632)
 -------------------------------------------------------------------
 Fri Jul 12 12:40:47 UTC 2024 - Nico Krapp <nico.krapp@suse.com>
 - Add CVE-2024-38875.patch (bsc#1227590)
  * CVE-2024-38875: Potential denial-of-service attack via 
@ -12,12 +40,85 @@ Fri Jul 12 13:41:03 UTC 2024 - Nico Krapp <nico.krapp@suse.com>
    django.core.files.storage.Storage.save()
 - Add CVE-2024-39614.patch (bsc#1227595)
  * CVE-2024-39614: Potential denial-of-service through
-    django.utils.translation.get_supported_language_variant()
+    django.utils.translation.get_supported_language_variant() 
 -------------------------------------------------------------------
-Thu Feb 29 13:19:00 UTC 2024 - Alberto Planas Dominguez <aplanas@suse.com>
+Thu Apr 18 06:39:36 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
- Add CVE-2024-27351.patch patch (CVE-2024-27351, bsc#1220358)
+- Add fix-safemimetext-set_payload.patch, to support python 3.11.9+
  (gh#django/django@b231bcd19e57, bsc#1222880)
 -------------------------------------------------------------------
 Mon Mar  4 14:05:28 UTC 2024 - Alberto Planas Dominguez <aplanas@suse.com>
 -  Update to 4.2.11 (CVE-2024-27351, bsc#1220358)
  * CVE-2024-27351: Potential regular expression denial-of-service in
    django.utils.text.Truncator.words()
  * Fixed a regression in Django 4.2.10 where intcomma template filter
    could return a leading comma for string representation of floats
 - Remove python3122.patch, already upstream
 -------------------------------------------------------------------
 Fri Feb  9 10:18:37 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
 - Add python3122.patch to fix tests with python 3.12.2
  gh#django/django#17843
 - Update to 4.2.10 (bsc#1219683, CVE-2024-24680):
  - Django 4.2.10 fixes a security issue with severity "moderate" in
    4.2.9.
    CVE-2024-24680: Potential denial-of-service in intcomma template
    filter The intcomma template filter was subject to a potential
    denial-of-service attack when used with very long strings.
 -------------------------------------------------------------------
 Thu Jan  4 09:27:51 UTC 2024 - Alberto Planas Dominguez <aplanas@suse.com>
 - Update to 4.2.9:
  * Fixed a regression in Django 4.2.8 where admin fields on the same
    line could overflow the page and become non-interactive
 -------------------------------------------------------------------
 Mon Dec  4 10:21:00 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
 - Update to 4.2.8
  * Fixed a regression in Django 4.2 that caused makemigrations
    --check to stop displaying pending migrations
  * Fixed a regression in Django 4.2 that caused a crash of
    QuerySet.aggregate() with aggregates referencing other aggregates
    or window functions through conditional expressions
  * Fixed a regression in Django 4.2 that caused a crash when
    annotating a QuerySet with a Window expressions composed of a
    partition_by clause mixing field types and aggregation expressions
  * Fixed a regression in Django 4.2 where the admin’s change list
    page had misaligned pagination links and inputs when using
    list_editable
  * Fixed a regression in Django 4.2 where checkboxes in the admin
    would be centered on narrower screen widths
  * Fixed a regression in Django 4.2 that caused a crash of querysets
    with aggregations on MariaDB when the ONLY_FULL_GROUP_BY SQL mode
    was enabled
  * Fixed a regression in Django 4.2 where the admin’s read-only
    password widget and some help texts were incorrectly aligned at
    tablet widths
  * Fixed a regression in Django 4.2 that caused a migration crash on
    SQLite when altering unsupported Meta.db_table_comment
 -------------------------------------------------------------------
 Mon Nov 27 12:20:48 UTC 2023 - Dirk Müller <dmueller@suse.com>
 - add dirty-hack-remove-assert.patch from fedora to fix
  minor test failure with python 3.12
 -------------------------------------------------------------------
 Wed Nov  1 08:12:59 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
 - Update to 4.2.7
  * Fixed a regression in Django 4.2 that caused a crash of
    QuerySet.aggregate() with aggregates referencing expressions
    containing subqueries
  * Restored, following a regression in Django 4.2, creating
    varchar/text_pattern_ops indexes on CharField and TextField with
    deterministic collations on PostgreSQL
 -------------------------------------------------------------------
 Mon Oct 16 08:33:05 UTC 2023 - Daniel Garcia Moreno <daniel.garcia@suse.com>
@ -42,7 +143,7 @@ Mon Oct 16 08:33:05 UTC 2023 - Daniel Garcia Moreno <daniel.garcia@suse.com>
 -------------------------------------------------------------------
 Mon Sep  4 12:10:50 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
- Update to 4.2.5 (CVE-2023-41164) 
+- Update to 4.2.5 (CVE-2023-41164)
  + Bugfixes
    * Fixed a regression in Django 4.2 that caused an incorrect
      validation of CheckConstraints on __isnull lookups against
@ -133,7 +234,8 @@ Tue Jun  6 06:35:28 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
 Thu May  4 07:02:58 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
 - Update to 4.2.1
-  + CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field
+  + CVE-2023-31047: Potential bypass of validation when uploading
    multiple files using one form field (bsc#1210866)
  + Bugfixes
    * Fixed a regression in Django 4.2 that caused a crash of
      QuerySet.defer() when deferring fields by attribute names
@ -173,7 +275,7 @@ Thu May  4 07:02:58 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
 -------------------------------------------------------------------
 Thu Apr  6 06:38:13 UTC 2023 - David Anes <david.anes@suse.com>
- Update minimal dependency versions. 
+- Update minimal dependency versions.
 -------------------------------------------------------------------
 Tue Apr  4 07:19:56 UTC 2023 - David Anes <david.anes@suse.com>
@ -213,7 +315,7 @@ Wed Feb  1 12:48:49 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
 Mon Jan  2 19:07:30 UTC 2023 - David Anes <david.anes@suse.com>
 - Update to 4.1.5:
-  + Fixed a long standing bug in the __len lookup for ArrayField 
+  + Fixed a long standing bug in the __len lookup for ArrayField
    that caused a crash of model validation on Meta.constraints.
 - Update keyring file.
@ -476,14 +578,14 @@ Tue Dec  7 14:09:24 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
    deprecated and will be removed in Django 5.0.
  - The new *expressions positional argument of
    UniqueConstraint() enables creating functional unique
-    constraints on expressions and database functions. 
+    constraints on expressions and database functions.
  - The new scrypt password hasher is more secure and recommended
    over PBKDF2. However, it’s not the default as it requires
    OpenSSL 1.1+ and more memory.
  - Redis cache backend
  - Template based form rendering. Forms, Formsets, and ErrorList
    are now rendered using the template engine to enhance
-    customization. 
+    customization.
 -------------------------------------------------------------------
 Tue Nov  2 12:45:45 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
@ -592,7 +694,7 @@ Thu May  6 08:54:41 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
 Wed May  5 17:25:18 UTC 2021 - Ben Greiner <code@bnavigator.de>
 - Keep rpm runtime requirements in sync. Downstream packages often
-  read the egg-info and fail if they are not fulfilled. 
+  read the egg-info and fail if they are not fulfilled.
 -------------------------------------------------------------------
 Wed May  5 08:44:30 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
@ -650,7 +752,7 @@ Tue Apr  6 09:27:50 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
  + Customizing type of auto-created primary keys
  + Functional indexes
  + pymemcache support
-  + New decorators for the admin site  
+  + New decorators for the admin site
  + For a complete description of new features check:
    https://github.com/django/django/blob/main/docs/releases/3.2.txt
 - Update PYTHOPATH to include the local tests
@ -729,13 +831,13 @@ Wed Sep  9 14:14:08 UTC 2020 - Marketa Calabkova <mcalabkova@suse.com>
 - Update to 3.1.1
  * CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
-  * CVE-2020-24584: Permission escalation in intermediate-level directories of the file 
+  * CVE-2020-24584: Permission escalation in intermediate-level directories of the file
    system cache on Python 3.7+
-  * Fixed a data loss possibility in the select_for_update(). When using related fields 
+  * Fixed a data loss possibility in the select_for_update(). When using related fields
    pointing to a proxy model in the of argument, the corresponding model was not locked
  * Fixed a regression in Django 3.1 that caused a crash when decoding an invalid session data
  * Fixed __in lookup on key transforms for JSONField with MariaDB, MySQL, Oracle, and SQLite
-  * Fixed a regression in Django 3.1 that caused permission errors in CommonPasswordValidator 
+  * Fixed a regression in Django 3.1 that caused permission errors in CommonPasswordValidator
    and settings.py
 -------------------------------------------------------------------
@ -774,7 +876,7 @@ Wed Jul  8 11:52:27 UTC 2020 - Ondřej Súkup <mimi.vx@gmail.com>
    a filterable attribute to be used as the right-hand side in queryset filters
 * Fixed a regression in Django 3.0.2 that caused a migration crash
    on PostgreSQL when adding a foreign key to a model with a namespaced db_table
- * Added compatibility for cx_Oracle 8 
+ * Added compatibility for cx_Oracle 8
 -------------------------------------------------------------------
 Thu Jun  4 14:35:25 UTC 2020 - Ondřej Súkup <mimi.vx@gmail.com>
@ -785,7 +887,7 @@ Thu Jun  4 14:35:25 UTC 2020 - Ondřej Súkup <mimi.vx@gmail.com>
      memcached keys
 * boo#1172167 -  CVE-2020-13596: Possible XSS via admin
      ForeignKeyRawIdWidget
- * many other bugfixes 
+ * many other bugfixes
 -------------------------------------------------------------------
 Thu Apr 30 05:14:28 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
@ -796,7 +898,7 @@ Thu Apr 30 05:14:28 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
 -------------------------------------------------------------------
 Thu Apr 23 16:58:12 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
- Update to 3.0.5 
+- Update to 3.0.5
  https://docs.djangoproject.com/en/3.0/releases/3.0.5/
  https://docs.djangoproject.com/en/3.0/releases/3.0.4/
  https://docs.djangoproject.com/en/3.0/releases/3.0.3/
@ -1041,14 +1143,14 @@ Mon Dec 10 11:52:42 UTC 2018 - Ondřej Súkup <mimi.vx@gmail.com>
 * Fixed admin view-only change form crash when using ModelAdmin.prepopulated_fields
 * Fixed “Please correct the errors below” error message when editing an object
     in the admin if the user only has the “view” permission on inlines
- * Fixed a regression in Django 2.0 where combining Q objects with __in lookups 
+ * Fixed a regression in Django 2.0 where combining Q objects with __in lookups
     and lists crashed
 * Fixed a regression in Django 2.0 where test databases aren’t reused
     with manage.py test --keepdb on MySQL
 * Fixed a regression where cached foreign keys that use to_field were
     incorrectly cleared in Model.save()
 * Fixed a regression in Django 2.0 where FileSystemStorage crashes
-     with FileExistsError if concurrent saves try to create the same directory 
+     with FileExistsError if concurrent saves try to create the same directory
 -------------------------------------------------------------------
 Thu Oct  4 13:13:00 UTC 2018 - Alberto Planas Dominguez <aplanas@suse.com>
@ -1324,7 +1426,7 @@ Tue Dec 12 21:12:18 UTC 2017 - mimi.vx@gmail.com
  * Removed support for bytestrings in some places
  * Dropped support for Oracle 11.2
 - Please read Release Notes - https://docs.djangoproject.com/en/2.0/releases/2.0/
- 
+
 -------------------------------------------------------------------
 Tue Dec 12 05:16:57 UTC 2017 - tbechtold@suse.com
@ -1698,8 +1800,8 @@ Tue Apr  4 14:38:13 UTC 2017 - appleonkel@opensuse.org
 - Update to 1.10.7
  Bugfixes
-  * Made admin’s RelatedFieldWidgetWrapper use the wrapped widget’s 
+  * Made admin’s RelatedFieldWidgetWrapper use the wrapped widget’s
-    value_omitted_from_data() method (#27905) 
+    value_omitted_from_data() method (#27905)
  * Fixed model form default fallback for SelectMultiple (#27993)
 -------------------------------------------------------------------
@ -1707,15 +1809,15 @@ Wed Mar  1 14:24:17 UTC 2017 - appleonkel@opensuse.org
 - Update to 1.10.6
  Bugfixes
-  * Fixed ClearableFileInput’s “Clear” checkbox on model form fields where the 
+  * Fixed ClearableFileInput’s “Clear” checkbox on model form fields where the
-    model field has a default  
+    model field has a default
-  * Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing rather than 
+  * Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing rather than
    generating a bad request response
-  * Fixed a crash on Oracle and PostgreSQL when subtracting DurationField or 
+  * Fixed a crash on Oracle and PostgreSQL when subtracting DurationField or
-    IntegerField from DateField 
+    IntegerField from DateField
-  * Fixed query expression date subtraction accuracy on PostgreSQL for differences 
+  * Fixed query expression date subtraction accuracy on PostgreSQL for differences
    large an a month
-  * Fixed a GDALException raised by GDALClose on GDAL >= 2.0 
+  * Fixed a GDALException raised by GDALClose on GDAL >= 2.0
 -------------------------------------------------------------------
 Tue Jan 31 14:00:11 UTC 2017 - michal@cihar.com
@ -1731,8 +1833,8 @@ Fri Dec  2 10:17:25 UTC 2016 - appleonkel@opensuse.org
 - Update to 1.9.12
  Bugfixes
-  * Quoted the Oracle test user’s password in queries to fix the “ORA-00922: missing 
+  * Quoted the Oracle test user’s password in queries to fix the “ORA-00922: missing
-    or invalid option” error when the password starts with a number or 
+    or invalid option” error when the password starts with a number or
    special character (#27420)
  * DNS rebinding vulnerability when DEBUG=True
  * CSRF protection bypass on a site with Google Analytics
@ -1741,7 +1843,7 @@ Fri Dec  2 10:17:25 UTC 2016 - appleonkel@opensuse.org
 Sat Sep 24 16:42:55 UTC 2016 - sbahling@suse.com
 - Change Requires: python-Pillow to python-imaging for compatibility
-  with SLE-12 which provides PIL instead of Pillow. 
+  with SLE-12 which provides PIL instead of Pillow.
 -------------------------------------------------------------------
 Tue Aug  9 09:11:24 UTC 2016 - aplanas@suse.com
@ -1791,7 +1893,7 @@ Tue May  3 08:23:48 UTC 2016 - aplanas@suse.com
  Bugfixes
  * Added support for relative path redirects to the test client and
    to SimpleTestCase.assertRedirects() because Django 1.9 no longer
-    converts redirects to absolute URIs (#26428). 
+    converts redirects to absolute URIs (#26428).
  * Fixed TimeField microseconds round-tripping on MySQL and SQLite
    (#26498).
  * Prevented makemigrations from generating infinite migrations for a
@ -1804,7 +1906,7 @@ Tue May  3 08:23:48 UTC 2016 - aplanas@suse.com
    of GenericIPAddressField on SQLite and MySQL (#26557).
  * Fixed a makemessages regression where temporary .py extensions
    were leaked in source file paths (#26341).
- 
+
 -------------------------------------------------------------------
 Sun May  1 12:29:52 UTC 2016 - michael@stroeder.com
@ -1901,12 +2003,12 @@ Wed Jan 27 15:25:25 UTC 2016 - aplanas@suse.com
    (#25894).
  * ...
  * https://docs.djangoproject.com/en/1.9/releases/1.9.1/
-  
+
 -------------------------------------------------------------------
 Wed Dec  2 15:14:05 UTC 2015 - aplanas@suse.com
 - update to 1.9 (CVE-2016-7401, CVE-2015-8213)
-  * https://docs.djangoproject.com/en/1.9/releases/1.9/ 
+  * https://docs.djangoproject.com/en/1.9/releases/1.9/
  * Performing actions after a transaction commit
  * Password validation
  * Permission mixins for class-based views
@ -2061,12 +2163,12 @@ Wed Jan 14 07:57:46 UTC 2015 - mcihar@suse.cz
    affect users who have subclassed
    django.contrib.auth.hashers.PBKDF2PasswordHasher to change the default
    value.
-  * Fixed a crash in the CSRF middleware when handling non-ASCII referer 
+  * Fixed a crash in the CSRF middleware when handling non-ASCII referer
    header (#23815).
-  * Fixed a crash in the django.contrib.auth.redirect_to_login view when 
+  * Fixed a crash in the django.contrib.auth.redirect_to_login view when
    passing a reverse_lazy() result on Python 3 (#24097).
  * Added correct formats for Greek (el) (#23967).
-  * Fixed a migration crash when unapplying a migration where multiple 
+  * Fixed a migration crash when unapplying a migration where multiple
    operations interact with the same model (#24110).
 -------------------------------------------------------------------
--- a/python-Django.keyring
+++ b/python-Django.keyring
@ -1,90 +1,121 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-mQGiBErcoVkRBACt1HBsLQQ9HeRHrqMbYfWEW3d0KoWzjKU9ZW59oq8ceVCYfhyT
+mQINBFYVPG8BEACy8Ck2PGx9zC3tDe5rOflqzSGvTVXGLJosJpxBq+5vZv3FCsHk
-ZKxyLobyed+NhL3SJCE5e4hs5UfyBdS4c8I97MFDKCA5TBu3pMnYGxWje3fSwP6o
+r1ynG0osFpFFdo51lb92sPiF7DooCW2VGCpnrC7IxpNCmDgavDk3GnWpLbEkKNxc
-RGcP8Ji4/tISclyGrkMruDNzpT93R8H/SixPGFcH7kCp4xQxPBc0esdU4wCg1azF
+DtRoGoJqJLVwM3ITfIKn1QGqIKx6zDwDj3W6ECozpQ20wNeM2so12Nqkt4O2GNAt
-kUuFijNryusT+i58hVE3dMkD/iAfCh4bcLyZ8aygLZxg3bn3YauJASEjuqVXUgTB
+B5WfRZVfA9aNXvEp0j79es6dhgnL7qG5jZtO1TfmJdkEPDoPMg19YkQDbOU559Sj
-diBdhXnldq0xs2IwQJY1paAajXf5FsjlTVQrQWMtTQ5qWKpQr0lAanufnEDNu6GW
+gniHDn2TLLwtne1CHMznawZ9Vf/gLcE9HSTzqX1XwNFJ1pNDAEfzQ01PCbpWKxI2
-orWBzLaSWQWEkcRALmZS6MBkmVCx/JiIvt0sUxrG4boQ6qYlQYZsaHaAMUZT997v
+8IaJkDmmI79TGz1TN/CnttKZ0fTnS4nYDe73ZodIu66V5Tu8J5P15DJGY2l05BdG
-1ktqA/4kPUfV2gqJuVzWwbhrKhAyhSivmhhe+1lUFa7phRmoMNw7/jXi9OV1lmL2
+zFt986AhOqQkl4sPKNvbxekPMU8bnWBy5iev0rwJOIST2MOM11dGVODlTnoN6pOc
-ty+0LkeCXUChrXarey4AnPI58aR0xshiAxGEI2jPi+vWkgGblOG3TBoZBH5jV+d2
+sO7nNgYnK3Kmqd2YmOXvRHHwePidUREzt4mPgQliUEJUkLxFHp7iuiInA5s6/7mu
-/5mmlCs/KkJkdsN+LXR3m5o/oFs7MgGD8pxa1jwK9xcu1xKIqrQyTmF0YWxpYSBC
+1pZ9N7q2/P6YKfg7QhbqOiTMw/jjz8ol/DJ+90r9suL0cZoSGOFBg5PATuIbsg/6
-aWRhcnQgKG5lc3NpdGEpIDxuYXRhbGlhYmlkYXJ0QGdtYWlsLmNvbT6IYgQTEQIA
+mM6uERHiaVT/5lgYIFAC//8gYkUe5d8DGk7/PXRNO7hlHQhHNoxvypDghCs53Zbx
-IgUCTG1snwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQrlwdYDo57Zf7
+7b+xEwaqm/RtzNhe7HHaiVTeh4ZC9aLrYgFsifvTOmExG08sha0slrOK3QARAQAB
-lQCeIHmWQQek0zboTqMuy60phrUIzowAn0ONlnzzL0oWiNUpbY8nDsernILWiGAE
+tDZNYXJpdXN6IEZlbGlzaWFrIChmZWxpeHgpIDxmZWxpc2lhay5tYXJpdXN6QGdt
-ExECACAFAkrcoVkCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRCuXB1gOjnt
+YWlsLmNvbT6JAjgEEwECACIFAlYVPG8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4B
-l5FdAKCSLwUJNZXs3WXqKabi2adRcdqZ8gCeLgbbqJ2Dqqaeb3tXK6zWC7ZO9CK0
+AheAAAoJEC71Y3K6SM0bPZgP/0ahFBKHx1+HpC5n77+cnmgMw4FZlCZHDDc7YBj5
-NE5hdGFsaWEgQmlkYXJ0IChuZXNzaXRhKSA8bmF0YWxpYS5iaWRhcnRAdWJ1bnR1
+fx/qZ4CWHQydJI7hDhhRriCnZG1juM6ncpNt3zP3sqpTgkKwHOxJtIR9oukPrgTc
-LmNvbT6IZQQTEQIAJQIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAk8oONcC
+ZZve9nuM/XG6gnEknUvrKbMcKtna8uckxRNRI+zj/GbYNpHGT8c+dlS9ycNmBE4e
-GQEACgkQrlwdYDo57ZejrgCdFyBg4VipDYmoQ5eOpXe4Vegiwl4AoK00YytEeMvO
+2/ywa0hkFOMYA3UU7p23PigAP3W7Q2tFJaqpSFTIvvc/fba9nnESNRYTOCuwUl/4
-EFqZY+qVvqaV3It6iGIEExECACIFAkvrLFwCGwMGCwkIBwMCBhUIAgkKCwQWAgMB
+H35Mq2UksGoSq307ZbF8/0cKGf98FOtFSOPUbspdTPouDcuJbaYGacdVJB+FrVuD
-Ah4BAheAAAoJEK5cHWA6Oe2XD+QAoK02osWaLzROXg54drLpJMNLs/DGAJ9XlSak
+kzcWS79pM5gczdBlg/tsBPpsoRVImlOHubikqzuUX5F7iN3DUUi4bgVj9OJGrA8X
-dQv6uX5QFT1QZCp/WwozIrQzTmF0YWxpYSBCaWRhcnQgKG5lc3NpdGEpIDxuYXRh
+30FJPzdNkD+4UWAJr35g2S58Bp1UPfFlfw3zSaNBqVMKkU9UhWG9bxtuHKixzYAW
-bGlhLmJpZGFydEBnbWFpbC5jb20+iGIEExECACIFAkvrLBMCGwMGCwkIBwMCBhUI
+/vUF/2wtphyJ173kXhBder/j4qjIG4gQuLM4ke/ClkJ+UTeqJPi2W//xBmOIvIxj
-AgkKCwQWAgMBAh4BAheAAAoJEK5cHWA6Oe2XrQoAoIpzDPsuwhwuVcelVh3F8q3w
+ciGtj2CUfN1+jMJ2HTYEPST5fgneczAc4W4v73lsUtxVIwJDPCain6vo2xnLYPb2
-qhk2AKCj6rF6x+kzUwtT6lM8wkUj4x+CgLQ3TmF0YWxpYSBCaWRhcnQgKG5lc3Np
+r+Z7MyCnZn+tGw/NkbxFtzW3eXGhsbn8BeFIVueVK9nJ0AFT56utw5j1mwb8DdY1
-dGEpIDxuYXRhbGlhLmJpZGFydEBjYW5vbmljYWwuY29tPohgBBMRAgAgBQJK3gu6
+X5JeyHWuRYKE8v6q8phMLEUxXwbmXW/hWH9ylE+2HTQCu4tGmFJ2bilGFrCcLB/t
-AhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQrlwdYDo57ZfaNgCfXhjx28H4
+CpeaiQI3BBMBCAAhFiEEV4bRm8gAXOV0Ugpjr+edaNQcfjkFAlyvKmIDBQE8AAoJ
-WQ8CjWsdyJU2Kmh44qoAn0zp3TeEFuSPCEBZ0jAR4dwuSrpguQINBErcoVkQCACX
+EK/nnWjUHH45+X0P/itgdeQeEG/pO53YCDJF0qT92TsTes5BnV0hPbjILQMEtf10
-mxZ+acE5irfOe09OclJ+vKxqrnaEpveyLJZzKiWz5GlZLV3gPEMs3Pu0tGtTjadG
+VdBTbsn2SMmead6TJ0p/7ZP3ZiT8kyvVD6bKyxrDPC77Fc7nnsSL7FHqbaqF3vrQ
-CRck2xIYArDz1aPwvM4dHswIy3TyzoSTgW1ybz5TXzkxWDcdwukYm1gKlWMb8JQW
+j4b8UUjUiQuaJz+1DfjZNWIkIGEqGV7Hoeyno+CT1OKe74SK/5XfBwCVd2n++r4p
-v76KtoiNuY/EIUAaO9M7ZyUPSWunh5CK+ttYKs+KrD8wt8Te7PdsrstUMP2uplOt
+TnOuEFoGq9hI2V2BD0JKSxQQfWkRC6MnvNP1VHxOYXLKfNYyJek+qyc3Nf6Pov6E
-I0zKK8P+gcCNZQTZh71Z8WAhZF/tn9LpkE9p0Au3pVEVk7Z8492TO4DySFhBNVEM
+Z7ps4hFxzL2YyLuPwGca61hQbd9iLtK9Twg3ALhJNQvPzyj2ShtwqXzugRyCFfH/
-IY9KVNiZoEMAaiRUFgG3gPj3MD4wDyaiWp+5b8XQylXcfWsPx3nujLJNUiaJlV4u
+yJ8jDyLINqqBP7ynpGy2gubdU7dTbcu1siSk9RZ5FJ/Z9Ni0xeY3QNs1WF3MSGb2
-Wjv0ZgwMHHLgORAlOJ2rAAMFB/94QWkhOmIzzx0iCob4fILZ2lqTt1fAAbaQxyq/
+lwv+jQfOpkryyhPvUx9pljF0gpldOltiI4/mK0ldkuZ2egWZS9REAzlhYwHmgTQx
-LIaI6iSHqebEVVR9OUVTzqNtc0yDifxsbDZXEHmU2qx+aARoYmonxNmNoUS/U6Io
+oyF07HXIs1oK4H8tMJpmDsRmkEPgCbs3STtk8nb1hMLBI6pknvBKxVpshfC58U7D
-2iPgP1Jwt13dbd284xlgDTx8QO/TjX9lFyvt7AEHIrcHaomwVS0Il7wIfzG24kqX
+hvFw4V7+hVeip3TtnGS/7+FfUzaPnkDKKQwV0Ke2WxjbtLCobFzl0OOS2H7m6iiR
-j17VhD2j/2V6uA7ADAh8u0WFO93i30qNSCaCRphCU4K7gLdHLIp8TsGLdx/gf2mB
+D/POcyhFS24PZukg55NHeBudxykk719EFWCz8RByT4DKa3JJZs44+4xpBD7Wl4rn
-5SyhNOkHwEx80kSiFt+H5fER7XQep/w51XybqAt7SsWaIjYLsyMYXyiVdQChwzBd
+OFxFS/iUA0tSiQUqBvCSSpTf7y4sVHqdioEsqgtuS+4ocpsEXQFewO9vIKEkiQIz
-vusRKv9qjg9eiyHI6aOw6foOUFlpfMx1oeknFDJrjJ3PKUPyiEkEGBECAAkFAkrc
+BBMBCgAdFiEEjTJbnIaSeahK3eBOQvMGoc9yjnEFAlyvS1EACgkQQvMGoc9yjnEw
-oVkCGwwACgkQrlwdYDo57ZffZACfS9pUk1P5poP86jh8K2K6jpjU0y0AoNQ4ejtn
+UxAAhFtWkV8Rpd4nUggcsJhlGM2RdfgC1tMcKnWiUIrNN+SADKmK0aBdiXX1Q70K
-mpJC4x7FruZyi1wVdkMxmQINBGQu6XIBEADAnmu8HNENZh7UTuu5GfTeFhpmyj5K
+vdDf+kv690tEvtdmVyLrYtd1FdtdmEgEC7PYfKagwVCelZ/myqEDecrhYP961HDj
-yz//txfrm0/b6uTW5TXPgLjuvMzGG8PtaZHRIgZ0gzA+x7T5zKMTaoKs3EvgR5D3
+XoRfsVqYScyhspBOen0cJXtT6nvr2HVTkBReAC01htXHinu7zN/Kd94Y67QlVmc1
-Y9NjteUWpf8FjvPhN01HZfaZ7yChwHwKobW0JYinNpBh0Cz51unGdLIDtELMaEFO
+142j+6feRpgudrWOtnjrW0gkumLAyUDA6jDTdy2FRvmEi7a9lNr3YcfOLJQB4AqO
-D8qdcpe63qG111S4G+4hcJUkXt4ALBpSnY9GOhlYQDn+ZDRGk1M9rjeMo+QsIJns
+fJHZMMTFRBze2jUVoYi6OFE0zo7cRazwmmf45FH6Y1+tyLBLEXllz+e5rXrnc98V
-UZRlvBroJyg0toUXclw5QXFGp1+mrjOzKqdD0DmSN7LWlU0yCJB8H5bWZTiPAPOE
+fe87ok0uOEb2+ywWgpaWNbOIbHow8BLfek79eLbqQWsaCvGk8PoWXWWLsqlpvUBI
-SW1Kb3kEW+Qy8YkcH7SkQ7N72wsuIwKJNiddMLZnXeR0Lcvt0t7ftUfs44VEZSwm
+qbku1SrM1kUC0sN5IxO3ImudADIXCLbFS1OgRAuXo6M3r2FcWK78WdXP3QmrY14s
-V0I7lyZZWr+Pei8nGaLxxCI4OtASXcQ+VVKF/HoR/necD1QmqmuCeiMLmYT5jEPZ
+J0kpCRnMVbpQJ0cnSqJ98DUrMFkmjbbuk7qZ6PwsjlYG1m7XLkVS0Y4ChL5Hkusi
-oovOri5onkWIQfjfWeUVErxNi9Uz18mi9P7PfAWOzNCmdkuVqsPtpymyDcKYYh9u
+afAvjE8+aX9Vx7/5XpHJadum9ELDaKeHsPQ+oWuCx3EZJcZylHTWPSkrJ1ICXAwd
-D/CTH9w1B69CRjld6NOfal05fIrfKuVgPvmQnPeCn+KgTBwv8T+mgGVjkBlDGpYy
+zGuC8sxXHIbPM21OnG0EF6Pn202PW1XJPKW5WGie1BpJz2e+2M9L4byzcasC4kwh
-6Y24s13R6WoawJnjIEjA/Q5QOSDXYtpgF8D3cMW+LUlD9lu2A6OO64H33rInIaut
+EbuhxntNR//ppdvHUkcSGd6k/Dcd8SBt+eTGUCjlX0aElVaJAjMEEAEIAB0WIQSR
-8IFgKcTf3pXbzh1J6Zs+fcjOryitM7t4Fo1ClJ+DSn4yoUHxP2UEZL6LL0DF6LrE
+MWkkpGxXCwd9jNHscSXJNIg75QUCXLB7zwAKCRDscSXJNIg75Vb6D/9GzQHhu8XD
-kJjKxwRp20lPwwARAQABtDFOYXRhbGlhIDwxMjQzMDQrbmVzc2l0YUB1c2Vycy5u
+ypmU98kCx6FISSDGJ+AE78EYPe4qtUplcCKA3zrHLbugsX1SO7Ty2UnAk7lyEN8p
-b3JlcGx5LmdpdGh1Yi5jb20+iQJOBBMBCAA4FiEEW1sboQ2FrHxcduOPLugqjZRw
+YJcfnXo/9zx9T+xgz2sLnOU9JgaHUs/xfE8oyoBNG+MUcKiuuZn9vv5MrWxv/EVh
-mD4FAmQu6XICGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQLugqjZRwmD56
+Y1uCnmN1o+NxCTcxN4ozUnw1m2kHyei5dfsHxnqOnhqgflyxcoNLFS9HwDrcD99T
-rQ//UvzX9/4Eo3HPBMDEIwExjmYGyTqiQQm2KW9Z4U0zQVdeLVF8ZOdaIKn1RBUw
+M+IRUKF+2yV1qsFoY+XldyHfsj0EmluXsv6z9Oq24hmdfQynRodqwyJfi4Xg0cx5
-M02RJWI2HjovdLN3LbXpTtQtamSvvU6fv7vy5zLBJdVL9eKXXG+3MPCWDHOqwp/u
+y/JSTBYyrmKU96aHnP9bdvx15fcSFt5qIfIn55BdgPKGeEG9AyI3CSs3LY7DEmB1
-L/4lq0pUy5ejb4AnIQw1RIQiz6/pprDzgF0celWLhL3krxEqts76X1Jv9wCIYMXV
+rWq63FcttNAqIGbIPh/gwbFOz2nebIwTdme65TIbhaPCvxRAvTKS/3Xn1vKHKfwr
-3reCBqpcfIqWQETLP/NdPVcOIRv0al1qcBw2hUOvEyx72n+17Hb30rFQp+35BaZZ
+4LbWYx4bDtrHgQj9JnMmv22ZOaCQR5av6AFA9g755H40dl+U3ExrZYfc9EKyQ/b
-IjnL3H6pATgjk52EiDdRkyWL9CFrbJ/wkbAvEO29GcUPg1+bT6UZq8LKXyDs/WSL
+RAQWAhJRE10pOLD/xfg7L/cHwNjTkGpPcbojcANH5geJb2SHsQCXT+Pys5TjfTOL
-UkxQ/6w8DzicBiFj/oT7GSMr8KfO4YUMzh/kAFA4v8Q+a53Dq1Icbk9LqkWpu1pA
+UJSw6DNGywd+YBRe3yRpO+erdXMpA2Ujd8/jHnyE/SOnhcKxN7Gi3JMasguCF8IK
-Hopw3lpGdADuC0z/iYO/U04uUSN5YGyUUOgk5w+CkV8NuL/g2yniNf9AXrbt4ByI
+K+FNTOonhZqnS+1LmRCvvSmN1se5RLDMKl9x1Z311Vjvat9vVN1VLRavZJmuleL6
-V7cqBt9qdS6z6leuW1M8yrPhX1IcKKqj25sPKAgzp3A6Bt7orr1NZGOVJ4alR4ff
+Osu0EuFc/VCcrF12PAeGzwJuP2Srz9EW9YkCMwQQAQgAHRYhBP5ftjh2odcYqMZ1
-pYvq+wfmIPKf0AbzHGOkYjF4BMvkLRchhi28q+qX5cCuMr+aoqKUtJ2IFiXsvbFN
+VuF99cgrT50ABQJcsIknAAoJEOF99cgrT50AqEQP/1KzovwE3PzzMrgRsJSI+xNo
-k0aYWUr5y5qSJoAVf0GMkByQW6+F6bXRRdCpS/JX5JA8qrYp+oV8VhveOOslHVqj
+xO3jqOGUVlKlh0dk2cDhBQ3lzErw2ws5xkYK/N8M4IdTFT/nuSyjIaNKCHBmP9ab
-ILAlkMMXoTx6G79DdvQ87fdb4+aIQ96U4T8B6zMxazvmU1i5Ag0EZC7pcgEQAL9n
+S2Tjqo78JCIzE0CbpQ8dRCVYwYfFqVtfGhBtKKTinGKSqN7EakRIm7CzXTs2iY5M
-X/eaWY+v4GgeGjRIWmmrjMBYyeeyJIyL9Mk3iyH/gIOnTDmlX+njjyvyWKfMYIl1
+402OYb/JgcJjGVGcMaMG36Z6lt6vMX5xEoaYBvX24ejjgodZNoTwoDVsX3VdzeAO
-HmMtzlF3OgsuLeekwbDrXA8xvslp1xmiKLOamPvXwPG/XqkJrYtzVUDEFCtRpEJ0
+ZD4bJg3V7hc7Ulb6m08cTsH4lo0Y39rHKjh0qGR21tdTJH6mRi9sv6xbdPoE/8FJ
-c38d+P8WEMjbviyIwJ9PxLllamEK61dRtj1NCMc/Ix4+b54UHxi44Jz1bqQxfgjj
+mHXdzlGeK5TAens/oVF1UMDcRki6YTAjtBIXZufgJsY4LD9qEYz66zQ2jr3DBisc
-u2o8sPnyZio+DRFWVE3Eocp0rdZ3rlKjUsBXKEElTuIScoKjGwKwaMfxoBgwRhzx
+vRlkENwOOueFVAHS6g2/hR6YlAhdDIfI2nsIZzuGtpsESOy8L74SRvap/1sO12xo
-oESwk8CqlH7WzNookx1M1/JjKYdrwln2aNuChtlKLRmUqT7qqTNtett2vy73VM3b
+kAN3Hyk818y9zRbAZORd1CFCNpgHtmizzOwaKAl621IbmJEqt2zYHUZpKMx+AkeL
-zfXdor94S3q+YtMEvNbo9QCzn6La7HOx+PMm8XM2d9aC7Hz4FBK0xIQB+HLZEIhP
+QS+AIvwSX0MvGIJBDHnmii6xgOfUACHMzyhd8exuQnH7nz6Nq1YvBWIeT9P1b26T
-7KQ7GJ2Xn3LStyoO5K64uqi2X2YjsYUcPzvI3uUK+gtH3H1SSIazh7UAUbcEuo7N
+b9wdU5elY5lZjLZ6wEtnpUhZJI2OdFhj6dCoT/2a4fJKczKS9S7ijGi7AbfAga51
-K8vF9Vtqp6S2qkjoeV6Dnvy+6735b1WIBZieAmbKaz74IW1IP0lZn3pXeRFo2Wjq
+5tnLJDrf7b4muRFQDfMAq8xuHsvXPVnu8Jp62KjT1gwJ3fu+gmy4ODtmBjxvq4ng
-Ojf8zkNacf61exysAkGU2fubsXSZxuxc8DVXKbkpK69tXDSOUmSKTBPVzzmIM79S
++hXrjEMRosU39tqUYvwuQINBFYVPG8BEACxDZjbsMvXrbKdApKltiXbnC43nfE2
-yYH1MMRZqQ52Y471qiEZxEPasJXIEVcWbdJxEC/eEiuptPAtojRQH6kJ/AF3Z9Xd
+hRw14xAdiuJmkZ4yYr/2u/mq91ThR/WRTROm4HTBLnVWaz9OSJBhiVU+awWxYKaR
-eBaxyuMQ249jqTYwjCehfumTbhP5VhO3QOxs31G/ABEBAAGJAjYEGAEIACAWIQRb
+xGG4dsKqsaHo/w2Uo5jDt1ryB1AVFR5Xhnav3LANNN9ti12fnIwqX7CJAN9Hvmtl
-WxuhDYWsfFx2448u6CqNlHCYPgUCZC7pcgIbDAAKCRAu6CqNlHCYPhz3EACx3Hqf
+myI3y0VcOoFGRh9UkbyC+MggukKlP/MAkVWaeuLKhF1cbDXf71cCom8jQnbEA93d
-KUMeqUTVOiDyHguBr1FrhMtU5m/nkjdbLWlBHOGHkM4RNDNQTPyQb/C8vcuHYv5l
+rT2PfsAd1C+eEyrgJsJftkjPu6w6t+BNKAlbx/2MyXEpp24eBVf4k+7z1CpbwQX5
-DPFrzOawdjTyFCuo6f0TMIx38Bbjxo9C8XTnvKbUpyTEQ3dJm67ppF4n6cui+0IC
+kYrDJwOwPdPQBFtuHKPVfMZmIszr/Vuv5cSWM1leTkXG/L4j1OfzOEkAHS5UtWec
-UefzPkkCbdIPzt2pYopMDB4Hv4Yv6hqeq987Iz1erh7dQe1TDTxIv9PXLYZT60Ro
+ozbBjcC3qnt+DMCrBmnExwtr+GgKYNJBCOja2SCSXC/pegHBpkyxgtp6x5ykk0Ll
-K0+g+caU9LwVjYiLoeCM1Zhndy6fDV5mu3ctEzcqr/YVH9kDZAuF0O1SX9y42neJ
+9l8dfxvX0prmN9yv0HjLDtflG0qHEFdrLyMTQY6Dy0nx+ffzs7sNfZG8kAySAMl/
-7hictnE0KrRymVL5d9pp2WKtPny+itSax/a///Q43m1gA9KFuKHtOuGUpYzf76FS
+E8RRlOnoHPXm3ALmYZTXFoY+K80oI+n4HCGQQcRDFYYf3xE+WZTzAlAT8S72/erU
-Ld0cC4xjDpPcVTGc8To4+CjNTIrjzbBYa3JU/3J2kwyEw/k1EucRb/RFPbklUSph
+nRbpAiCu8cIICfe4N8OCJxczlPtG9rlBgA24ZcXRlsz37D7HUwCLzEFDOLtxrk28
-Kmd2ewcDLUvcasTwoR/0uplA8gAuV1x7wPBgAW7kmpjiQevl1KLj08HA/jTdfrdx
+PAvY8+iKIb7hH60zs9v89bCltaPNVSQqfnCnsHXdi4xhZeAjQ/V9Fl3VR9hQBy/X
-Yd1GGiNjBmHGu9C8YZ/7fJU50dhv4jWF4dw8OyXtAI4wk5aoJHsJ5iGIMVOVzNLe
+o3A8T1+R0fRy+QARAQABiQIfBBgBAgAJBQJWFTxvAhsMAAoJEC71Y3K6SM0bbPQP
-mF4yM4XSBBno1mWgaSb42LInsYv/ti1VrOrBVzmAYAoUTZL0tfEXeyzHEmWGWVHe
+/3slD183zkxP9oKa5txv2uNXSFihJDwJW1GO75FiUxickE9kFPCS+X4uELJ5miZf
-SQMBvCqUmh/EcQDzPtkqjQQ1LyE5s2fyt5u+jE9JdK/61yKzbKI2UbpPtAaKSlDv
+hgWGbKParfQCkoTntC4UmavfFJHe9+yS1gggEcRGvWhsZPikYW/fOdILxJ4yN2Fr
-eAgTzM5bOOqtGR7VR2hlCM4I4k2D0Y/snh2HzA==
+7mBTZcsriRMaRJda6EkGQmxe/UeJwEp23kcmIW06criAsIAEG05z+I8Kng9JU70J
-=ul9f
+KLZOozWztzyeCmR5LqMoKPD4dN0DRlg+G8Z1qzvHW+5Ity+6+xg6WfyzhFklwCId
 4ZNxccR0SyvFIyseEqC3KxGIOyOyxuniXIPPK11FvfLm/qMoZR2miMibadqYTloD
 bKkDiQ1fFi6U5Rz0lgKViIdEEsjexKJKx9soU4rw3Wb61P+AU9zo84Y8LSqOErdC
 h/uIyvzjDXn5xU4JyHvmZou4Rvq1JUplLIPSLNFN817EvYjkY5N/mEiA7LIw7C/q
 kjbbPk3qvnoUyfUFcXu3OFigMqP1WWoBmZs2vl8jTWGCpAN/1hfv57e9sWtrolfI
 NU/VQJdTvHTi5pQi0W8bUnJWgYO4pQn9Nczdo1y1RhrRASEevCPuJ0QBiE3gzKy9
 KGqqXNSm0cTqS+hcG10Js8rYSzckKUeb1BmDUCwA+tCsFk5fOpV4cTcjf+bUkMfV
 z71t2P3xEUpwlsxcqYU8AFzZNDaaNyZJ4ppSR56+dL2uuQINBFxhlVgBEACzISQ+
 k+CxaIFVJL37UsUkq6DtE7N4qXMrq0eytc98ycspB+thR2FH+QciM/BSSGj6KalY
 wCyPfewcvZcHmmNo8wF756lbH8YwXED0Jc/8osXHYHtHlNVJcE+GnWRZQoUoRfkj
 Fy1LuusidqiTSrJBAi/kCULEPoVMxt7uDMGsLrpujA8ikciZ/9E/X3jALFmRXN/P
 bAlo6hh4fLsbbGh0UJnwynxoE5ooWGuICzJ6Aa7eYJS6RYOESxZcRFkWdZgxSfQ7
 ZfQgDrAU3xTz8TOQNHniKcwMXe7jYmIcIidzKXI3QUEwJC+e/q+DR9DQHcYSVfEZ
 0xf+EL9ka6PHdOQUBrCOKsKgTjs4U8ZBmwQS2701MN9W6PVPNdJ29bfhBosE58Hm
 g3YOPXK3X90A24YBssj5DACcHGFe5JWz3kSEPK325lAba/9Jk+Zc37WrwU5CXvgX
 wPtGGcYi2sg+XqhenrYgVThxS9BzyA1Yj3RFIoy0NOYwIkeVsZyyllG7kmgvdaCo
 25qqRCbqnSoBYi852cpDoDYPfzhBz/rGRYm031U1SqsBGVXqIMLaCOUx2Op1udy8
 t3OE3vXesOt17O2/pB1S7BeIkCPIPTWGb0JGcuZMor9axfkxypx5eOetlmqZR4E3
 L2/bkQ/5Tg9xdbyjbp8hPMnPIZ8unI9dh5CE3QARAQABiQI2BBgBCgAgFiEEq7LC
 qM0B8WE2GLcNLvVjcrpIzRsFAlxhlVgCGyAACgkQLvVjcrpIzRszYRAAo3k8TEYR
 M/UhFgUP9RGxAuzwN+WBe63rGKghx2bVn02HLuGL+UPqaZLN6kos/zTYCSiEWBQs
 t2kdKwBdFBCtGe8gbwBtgJI8tgi3ruaztYOw/bTI8DV97uXMViMD3aPPxrcIVi+Q
 aDMAfzowTv3O3S1r8LGxYYx23TUCMAVtdfO+2ZKDhfz+rCjF1wkjOrKngbt3qe+M
 TyDhPnYuk4dTgLog/DXwCM/0K8nf7kcfXKSZtYhfJAZP7QqN4z9TChVxE7viz0fL
 69owiTLgEAHHssDGCMPzBw+T+YZa88CUOhG7yPIKO+rv76gW7Z1f/T/Ai4+HTpPv
 5EP+yOGU0mnredl2Bk/Br9cSVxlzar4MSciufg5pBQ79qz6JBqawjYAmXiG2D50E
 9WhblqjjhQAqs/zKVQU2euIcxvB0Pv/5zxCW+/4D7klNFImh7YR/9t3bwnEjxMQR
 J7V8NZTNRfAHvZx1F2p5NtPyVZTxgzs9S43SaJGYWhkak4iB8FqvK9HHJK2Wp6o+
 2r85fOiIMHzg/jy7mFL7Q7gwTREz1H9xC9TgZXqUiuCZaLnkItSdYodaePLFZQkD
 IgC2cA3X5C4NHh448oBmszrxd6o2KPwpUOG/NJLfH3LjypytF+Qt/3NnwQHC/niS
 mSNZUt/duetfr8yS4yBrC5IMCo5nvfBpu8E=
 =DZRV
 -----END PGP PUBLIC KEY BLOCK-----
--- a/python-Django.spec
+++ b/python-Django.spec
@ -1,7 +1,7 @@
 #
 # spec file for package python-Django
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -24,7 +24,7 @@
 %{?sle15_python_module_pythons}
 Name:           python-Django
 # We want support LTS versions of Django -  numbered 2.2 -> 3.2 -> 4.2 etc
-Version:        4.2.6
+Version:        4.2.11
 Release:        0
 Summary:        A high-level Python Web framework
 License:        BSD-3-Clause
@ -34,17 +34,38 @@ Source1:        https://media.djangoproject.com/pgp/Django-%{version}.checksum.t
 Source2:        %{name}.keyring
 Source99:       python-Django-rpmlintrc
 # PATCH-FIX-UPSTREAM https://github.com/django/django/commit/da2f8e8257d1bea4215381684ca4abfcee333c43  Refs #34118 -- Improved sanitize_address() error message for tuple with empty strings.
-Patch:          sanitize_address.patch
+Patch0:         sanitize_address.patch
-# PATCH-FIX-UPSTREAM CVE-2024-27351.patch bsc#1220358
+# PATCH-FIX-OPENSUSE: ignore minor failure on Python 3.12
-Patch1:         CVE-2024-27351.patch
+Patch1:         dirty-hack-remove-assert.patch
 # PATCH-FIX-UPSTREAM: fix-safemimetext-set_payload.patch, gh#django/django@b231bcd19e57
 # Add support for python 3.11.9+
 Patch2:         fix-safemimetext-set_payload.patch
 # PATCH-FIX-UPSTREAM CVE-2024-38875.patch bsc#1227590
-Patch2:         CVE-2024-38875.patch
+Patch3:         CVE-2024-38875.patch
 # PATCH-FIX-UPSTREAM CVE-2024-39329.patch bsc#1227593
-Patch3:         CVE-2024-39329.patch
+Patch4:         CVE-2024-39329.patch
 # PATCH-FIX-UPSTREAM CVE-2024-39330.patch bsc#1227594
-Patch4:         CVE-2024-39330.patch
+Patch5:         CVE-2024-39330.patch
 # PATCH-FIX-UPSTREAM CVE-2024-39614.patch bsc#1227595
-Patch5:         CVE-2024-39614.patch
+Patch6:         CVE-2024-39614.patch
 # PATCH-FIX-UPSTREAM CVE-2024-41989.patch bsc#1228629
 Patch7:         CVE-2024-41989.patch
 # PATCH-FIX-UPSTREAM CVE-2024-41990.patch bsc#1228630
 Patch8:         CVE-2024-41990.patch
 # PATCH-FIX-UPSTREAM CVE-2024-41991.patch bsc#1228631
 Patch9:         CVE-2024-41991.patch
 # PATCH-FIX-UPSTREAM CVE-2024-42005.patch bsc#1228632
 Patch10:        CVE-2024-42005.patch
 # PATCH-FIX-UPSTREAM CVE-2024-45230.patch bsc#1229823
 Patch11:        CVE-2024-45230.patch
 # PATCH-FIX-UPSTREAM CVE-2024-45231.patch bsc#1229824
 Patch12:        CVE-2024-45231.patch
 # PATCH-FIX-UPSTREAM CVE-2024-53907.patch bsc#1234232
 Patch13:        CVE-2024-53907.patch
 # PATCH-FIX-UPSTREAM CVE-2024-53908.patch bsc#1234231
 Patch14:        CVE-2024-53908.patch
 # PATCH-FIX-UPSTREAM CVE-2024-56374.patch bsc#1235856
 Patch15:        CVE-2024-56374.patch
 BuildRequires:  %{python_module Jinja2 >= 2.9.2}
 BuildRequires:  %{python_module Pillow >= 6.2.0}
 BuildRequires:  %{python_module PyYAML}
@ -76,7 +97,7 @@ Requires:       python-pytz
 Requires:       python-setuptools
 Requires:       python-sqlparse >= 0.3.1
 Requires(post): update-alternatives
-Requires(postun):update-alternatives
+Requires(postun): update-alternatives
 Recommends:     python-Jinja2 >= 2.9.2
 Recommends:     python-PyYAML
 Recommends:     python-geoip2