Accepting request 1324665 from devel:languages:python:django

OBS-URL: https://build.opensuse.org/request/show/1324665
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Django?expand=0&rev=142

Django-5.2.8.checksum.txt

@@ -1,68 +0,0 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA256
-
-This file contains MD5, SHA1, and SHA256 checksums for the
-source-code tarball and wheel files of Django 5.2.8, released November 5, 2025.
-
-To use this file, you will need a working install of PGP or other
-compatible public-key encryption software. You will also need to have
-the Django release manager's public key in your keyring. This key has
-the ID ``2EE82A8D9470983E`` and can be imported from the MIT
-keyserver, for example, if using the open-source GNU Privacy Guard
-implementation of PGP:
-
-    gpg --keyserver pgp.mit.edu --recv-key 2EE82A8D9470983E
-
-or via the GitHub API:
-
-    curl https://github.com/nessita.gpg | gpg --import -
-
-Once the key is imported, verify this file:
-
-    gpg --verify Django-5.2.8.checksum.txt
-
-Once you have verified this file, you can use normal MD5, SHA1, or SHA256
-checksumming applications to generate the checksums of the Django
-package and compare them to the checksums listed below.
-
-Release packages
-================
-
-https://www.djangoproject.com/download/5.2.8/tarball/
-https://www.djangoproject.com/download/5.2.8/wheel/
-
-MD5 checksums
-=============
-
-0268c52cb99bb764490fdd90502def32  django-5.2.8.tar.gz
-60ed4555e2f91cc881b2293ad78bf423  django-5.2.8-py3-none-any.whl
-
-SHA1 checksums
-==============
-
-41d50f7b49e3c60ad0e3e873c1474f883640d179  django-5.2.8.tar.gz
-50d9ad23cef8ebe6cc7d17004e65ae6b5dbabc37  django-5.2.8-py3-none-any.whl
-
-SHA256 checksums
-================
-
-23254866a5bb9a2cfa6004e8b809ec6246eba4b58a7589bc2772f1bcc8456c7f  django-5.2.8.tar.gz
-37e687f7bd73ddf043e2b6b97cfe02fcbb11f2dbb3adccc6a2b18c6daa054d7f  django-5.2.8-py3-none-any.whl
-
------BEGIN PGP SIGNATURE-----
-
-iQJcBAEBCABGFiEEW1sboQ2FrHxcduOPLugqjZRwmD4FAmkLRQooHDEyNDMwNCtu
-ZXNzaXRhQHVzZXJzLm5vcmVwbHkuZ2l0aHViLmNvbQAKCRAu6CqNlHCYPsFxD/4h
-zgUToQHe7WgIhVOHKe2ARgXDhA/4yooteYTLoFl6vFzt4r+h+7/3LH8/XucJwYWa
-O9SimNT0MhtcWKM0l3jczGMhr3pH7zeBUExtzyPVyycTyQ5KgbDVEgf+w4ua+Jo3
-BzQBnUkJN9Ofc/uQqIAj0X3zjp9NE7uNZpOLzpRUwulrUQ7ieFAAhs3JrCM2mmTF
-KnudQkY50zIHy9OX8mSvF8OslFQ9Z84ZPlHfqaQzN6uDNIRujMu9sSbvbiWgpQ9h
-Tp/MVRppmlKXcZjM5M+vT0sqT4Ac/OepkSSVMSKAKHNPOpsG3wC/ouclkgG6Wv2Z
-6r6Ea2LND8HoMHUhScir558g3pF6p9NW5vrK3Qd7cS4G6idv2eVzzHqYH8WORG9s
-5HnldOGhRF6ONAwSveEbViQ6/fzWYsROrCa5+IOfELtg7Uc+ji3eQSqFvyR7rPxt
-Ux+LVvgWfODNEjTlrqZQDaPDU4P7gy6So5vzXe+eciyyNxgftmlpWSHMliXcYjxo
-gxUh6EPjklxFQ8fmFecCz57CJ0oXT2qB3iNDyTft3qqetgWeJ72d9rVMLLXmHLOe
-oRKFS3QXXBr+sIdxWB2Fgu2g8X5ky3O9wIgN7OzQ2p4pCja+NSmxlhJxJwUomgjA
-UHvOPP6hwSp1TQdcoauXD72A+t0TkYLuZ03Dfzkh1Q==
-=ci0h
------END PGP SIGNATURE-----

Django-5.2.9.checksum.txt

@@ -0,0 +1,67 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+This file contains MD5, SHA1, and SHA256 checksums for the
+source-code tarball and wheel files of Django 5.2.9, released December 2, 2025.
+
+To use this file, you will need a working install of PGP or other
+compatible public-key encryption software. You will also need to have
+the Django release manager's public key in your keyring. This key has
+the ID ``2EE82A8D9470983E`` and can be imported from the MIT
+keyserver, for example, if using the open-source GNU Privacy Guard
+implementation of PGP:
+
+    gpg --keyserver pgp.mit.edu --recv-key 2EE82A8D9470983E
+
+or via the GitHub API:
+
+    curl https://github.com/nessita.gpg | gpg --import -
+
+Once the key is imported, verify this file:
+
+    gpg --verify Django-5.2.9.checksum.txt
+
+Once you have verified this file, you can use normal MD5, SHA1, or SHA256
+checksumming applications to generate the checksums of the Django
+package and compare them to the checksums listed below.
+
+Release packages
+================
+
+https://www.djangoproject.com/download/5.2.9/tarball/
+https://www.djangoproject.com/download/5.2.9/wheel/
+
+MD5 checksums
+=============
+
+e7d89ddfdca79542039dbab31e4bede8  django-5.2.9.tar.gz
+42dd57f28b8dd5750ef76b64277d3e9e  django-5.2.9-py3-none-any.whl
+
+SHA1 checksums
+==============
+
+7a086625e45275159590da36818923da76beeb8d  django-5.2.9.tar.gz
+c0808a610ea903a17736634e9c21556ea9d675e4  django-5.2.9-py3-none-any.whl
+
+SHA256 checksums
+================
+
+16b5ccfc5e8c27e6c0561af551d2ea32852d7352c67d452ae3e76b4f6b2ca495  django-5.2.9.tar.gz
+3a4ea88a70370557ab1930b332fd2887a9f48654261cdffda663fef5976bb00a  django-5.2.9-py3-none-any.whl
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCAAdFiEEW1sboQ2FrHxcduOPLugqjZRwmD4FAmku3VwACgkQLugqjZRw
+mD5F3g//dIdnKXZmSm2DAUNOKK97RSceCWzcbL9GAEclVz2F1Nnj8ZkXM+T060Lk
+yYZnWVpfwyux/ak1tjWWKfI28jrZ8TQBq5l/MHELYL4s2exel9oQXFqkfyqUlwga
+S/OdhXZavabW+aAdVe/OMC7AnFbCRo5dbM1XF9U5KOtEG2FsU0RkqOyIpXZvZ/Tk
+jQD7DzGco7lWEbtiZSe9sAPzImW3hRWKHkxo+IRiAPqNNRjIlK9o/voiqWzEYco6
+A3wWLSmAgUDTXfkcSbkVsETev7dpzhlBQZN1CDTMR3fzsLevdvqxMZYaENwg+K/x
+ARtUaMBsVhbB/Z4NO0OYrHe4aQbDxS/e2RjBWQG5hIXWwhbNNtrfZ9kxnJRcRgur
+xyl3GBuN9vLC0BgGpdmg0FTBwpervJiHYcmcxY93IxcM7/WMb3qFEN7XZxJIrwW/
+5qBa3+q1sjoqI1RF7MIhCUAhDO56MRFx1dn1iF8iokXjrKpOmf4pKr/1qujaC8rs
+KN+Fs99PHGmbXgpb/AfP9nVDPTZFFO2iLbpwICOqTmT9yiFI7lYRt2N4ozb0hcI4
+o/1LkjE9JDpYKa1DeoIwlMnC18EJJfI3NMDIHzUFzS0jLGtIoM5A7xf4fK0+t26U
+AMZIegmynfVhyfMHUaVwPL9LFtiFqdUX7fPTrFlO2pmtCAFMgy8=
+=kZfB
+-----END PGP SIGNATURE-----

django-5.2.8.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:23254866a5bb9a2cfa6004e8b809ec6246eba4b58a7589bc2772f1bcc8456c7f
-size 10849032

django-5.2.9.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:16b5ccfc5e8c27e6c0561af551d2ea32852d7352c67d452ae3e76b4f6b2ca495
+size 10848762

python-Django.changes

@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Mon Dec 29 09:10:21 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Add test_strip_tags_incomplete.patch to fix behaviour with changes
+  in the Python interpreter
+- Rebase test_strip_tags.patch
+
+-------------------------------------------------------------------
+Mon Dec  8 11:54:46 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Update to 5.2.9 (bsc#1254437)
+  * CVE-2025-13372: Potential SQL injection in FilteredRelation column
+    aliases on PostgreSQL
+  * CVE-2025-64460: Potential denial-of-service vulnerability in XML
+    Deserializer
+  * Fixed a crash on Python 3.14+ that prevented template tag functions
+    from being registered
+  * Fixed more bugs and regressions, see upstream release notes
+
 -------------------------------------------------------------------
 Thu Nov  6 07:20:08 UTC 2025 - Markéta Machová <mmachova@suse.com>
 

python-Django.spec

@@ -26,7 +26,7 @@
 %bcond_with libalternatives
 %endif
 Name:           python-Django
-Version:        5.2.8
+Version:        5.2.9
 Release:        0
 Summary:        A high-level Python Web framework
 License:        BSD-3-Clause
@@ -35,11 +35,13 @@ Source:         https://www.djangoproject.com/m/releases/5.2/django-%{version}.t
 Source1:        https://www.djangoproject.com/m/pgp/Django-%{version}.checksum.txt
 Source2:        %{name}.keyring
 Source99:       python-Django-rpmlintrc
-# PATCH-FIX-UPSTREAM https://github.com/django/django/pull/19639 Fixed #36499 -- Adjusted utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior.
-# fixed and refined upstream, but some of our interpreters weren't updated to a new version yet and still only carry the patch, so providing the non-conditional version
-Patch0:         test_strip_tags.patch
 # PATCH-FIX-UPSTREAM https://github.com/django/django/pull/19530 Fixed #36421 -- Made test_msgfmt_error_including_non_ascii compatible with with msgfmt 0.25.
 Patch1:         support-msgfmt-0.25.patch
+# PATCH-FIX-UPSTREAM https://github.com/django/django/pull/20390 Refs #36499 -- Adjusted test_strip_tags following Python behavior change for incomplete entities.
+Patch2:         test_strip_tags_incomplete.patch
+# PATCH-FIX-UPSTREAM https://github.com/django/django/pull/19639 Fixed #36499 -- Adjusted utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior.
+# fixed and refined upstream, but some of our interpreters weren't updated to a new version yet and still only carry the patch, so providing the non-conditional version
+Patch3:         test_strip_tags.patch
 BuildRequires:  %{python_module Jinja2 >= 2.9.2}
 BuildRequires:  %{python_module Pillow >= 6.2.0}
 BuildRequires:  %{python_module PyYAML}

test_strip_tags.patch

@@ -10,10 +10,10 @@ Subject: [PATCH] Fixed #36499 -- Adjusted
  tests/utils_tests/test_html.py | 4 ++--
  2 files changed, 4 insertions(+), 4 deletions(-)
 
-Index: django-5.2.6/tests/test_utils/tests.py
+Index: django-5.2.9/tests/test_utils/tests.py
 ===================================================================
---- django-5.2.6.orig/tests/test_utils/tests.py
-+++ django-5.2.6/tests/test_utils/tests.py
+--- django-5.2.9.orig/tests/test_utils/tests.py
++++ django-5.2.9/tests/test_utils/tests.py
 @@ -945,10 +945,10 @@ class HTMLEqualTests(SimpleTestCase):
              self.assertHTMLEqual("", "<p>")
          error_msg = (
@@ -27,22 +27,22 @@ Index: django-5.2.6/tests/test_utils/tests.py
          with self.assertRaises(HTMLParseError):
              parse_html("</p>")
  
-Index: django-5.2.6/tests/utils_tests/test_html.py
+Index: django-5.2.9/tests/utils_tests/test_html.py
 ===================================================================
---- django-5.2.6.orig/tests/utils_tests/test_html.py
-+++ django-5.2.6/tests/utils_tests/test_html.py
-@@ -162,13 +162,13 @@ class TestUtilsHtml(SimpleTestCase):
-             ("<script>alert()</script>&h", "alert()h"),
+--- django-5.2.9.orig/tests/utils_tests/test_html.py
++++ django-5.2.9/tests/utils_tests/test_html.py
+@@ -187,13 +187,13 @@ class TestUtilsHtml(SimpleTestCase):
+             ),
              (
                  "><!" + ("&" * 16000) + "D",
--                ">" if htmlparser_fixed else "><!" + ("&" * 16000) + "D",
+-                ">" if htmlparser_fixed_security else "><!" + ("&" * 16000) + "D",
 +                ">",
              ),
              ("X<<<<br>br>br>br>X", "XX"),
              ("<" * 50 + "a>" * 50, ""),
              (
                  ">" + "<a" * 500 + "a",
--                ">" if htmlparser_fixed else ">" + "<a" * 500 + "a",
+-                ">" if htmlparser_fixed_security else ">" + "<a" * 500 + "a",
 +                ">",
              ),
              ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),

test_strip_tags_incomplete.patch

@@ -0,0 +1,82 @@
+From 5ca0f62213911a77dd4a62e843db7e420cc98b78 Mon Sep 17 00:00:00 2001
+From: Jacob Walls <jacobtylerwalls@gmail.com>
+Date: Thu, 11 Dec 2025 08:44:19 -0500
+Subject: [PATCH] [5.2.x] Refs #36499 -- Adjusted test_strip_tags following
+ Python behavior change for incomplete entities.
+
+Backport of 7b80b2186300620931009fd62c2969f108fe7a62 from main.
+---
+ tests/utils_tests/test_html.py | 35 +++++++++++++++++++++++++++++-----
+ 1 file changed, 30 insertions(+), 5 deletions(-)
+
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index 681071bf0313..89c97cee03a5 100644
+--- a/tests/utils_tests/test_html.py
++++ b/tests/utils_tests/test_html.py
+@@ -1,3 +1,4 @@
++import math
+ import os
+ import sys
+ from datetime import datetime
+@@ -124,7 +125,7 @@ def test_strip_tags(self):
+         # old and new results. The check below is temporary until all supported
+         # Python versions and CI workers include the fix. See:
+         # https://github.com/python/cpython/commit/6eb6c5db
+-        min_fixed = {
++        min_fixed_security = {
+             (3, 14): (3, 14),
+             (3, 13): (3, 13, 6),
+             (3, 12): (3, 12, 12),
+@@ -132,7 +133,28 @@ def test_strip_tags(self):
+             (3, 10): (3, 10, 19),
+             (3, 9): (3, 9, 24),
+         }
+-        htmlparser_fixed = sys.version_info >= min_fixed[sys.version_info[:2]]
++        htmlparser_fixed_security = (
++            sys.version_info >= min_fixed_security[sys.version_info[:2]]
++        )
++        # Similarly, there was a fix for terminating incomplete entities. See:
++        # https://github.com/python/cpython/commit/95296a9d
++        min_fixed_incomplete_entities = {
++            (3, 14): (3, 14, 1),
++            (3, 13): (3, 13, 10),
++            # Not fixed in the following versions.
++            (3, 12): (3, 12, math.inf),
++            (3, 11): (3, 11, math.inf),
++            (3, 10): (3, 10, math.inf),
++            (3, 9): (3, 9, math.inf),
++        }
++        major_version = sys.version_info[:2]
++        htmlparser_fixed_security = sys.version_info >= min_fixed_security.get(
++            major_version, major_version
++        )
++        htmlparser_fixed_incomplete_entities = (
++            sys.version_info
++            >= min_fixed_incomplete_entities.get(major_version, major_version)
++        )
+         items = (
+             (
+                 "<p>See: &#39;&eacute; is an apostrophe followed by e acute</p>",
+@@ -159,16 +181,19 @@ def test_strip_tags(self):
+             # https://bugs.python.org/issue20288
+             ("&gotcha&#;<>", "&gotcha&#;<>"),
+             ("<sc<!-- -->ript>test<<!-- -->/script>", "ript>test"),
+-            ("<script>alert()</script>&h", "alert()h"),
++            (
++                "<script>alert()</script>&h",
++                "alert()&h;" if htmlparser_fixed_incomplete_entities else "alert()h",
++            ),
+             (
+                 "><!" + ("&" * 16000) + "D",
+-                ">" if htmlparser_fixed else "><!" + ("&" * 16000) + "D",
++                ">" if htmlparser_fixed_security else "><!" + ("&" * 16000) + "D",
+             ),
+             ("X<<<<br>br>br>br>X", "XX"),
+             ("<" * 50 + "a>" * 50, ""),
+             (
+                 ">" + "<a" * 500 + "a",
+-                ">" if htmlparser_fixed else ">" + "<a" * 500 + "a",
++                ">" if htmlparser_fixed_security else ">" + "<a" * 500 + "a",
+             ),
+             ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
+             ("<" + "a" * 1_002, "<" + "a" * 1_002),