From 9356993ff3b606a203e8bcc5ec0130b79ef4e52b16056fc935f9c1be8244896c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mark=C3=A9ta=20Machov=C3=A1?=
Date: Wed, 4 Feb 2026 09:39:42 +0000
Subject: [PATCH] Accepting request 1330888 from home:mcalabkova:branches:devel:languages:python:django

- Update to 6.0.2
  * CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler (bsc#1257401)
  * CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI (bsc#1257403)
  * CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS (bsc#1257405)
  * CVE-2026-1285: Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods (bsc#1257406)
  * CVE-2026-1287: Potential SQL injection in column aliases via control characters (bsc#1257407)
  * CVE-2026-1312: Potential SQL injection via QuerySet.order_by and FilteredRelation (bsc#1257408)
  * Fixed a visual regression in Django 6.0 that caused the admin filter sidebar to wrap below the changelist when filter elements contained long text
  * Fixed a visual regression in Django 6.0 for admin form fields grouped under a
aligned horizontally * Fixed a regression in Django 6.0 where auto_now_add field values were not populated during INSERT operations, due to incorrect parameters passed to field.pre_save() OBS-URL: https://build.opensuse.org/request/show/1330888 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django6?expand=0&rev=8 --- Django-6.0.1.checksum.txt | 67 --------------------------------------- Django-6.0.2.checksum.txt | 67 +++++++++++++++++++++++++++++++++++++++ django-6.0.1.tar.gz | 3 -- django-6.0.2.tar.gz | 3 ++ python-Django6.changes | 25 +++++++++++++++ python-Django6.spec | 2 +- 6 files changed, 96 insertions(+), 71 deletions(-) delete mode 100644 Django-6.0.1.checksum.txt create mode 100644 Django-6.0.2.checksum.txt delete mode 100644 django-6.0.1.tar.gz create mode 100644 django-6.0.2.tar.gz diff --git a/Django-6.0.1.checksum.txt b/Django-6.0.1.checksum.txt deleted file mode 100644 index 7a92575..0000000 --- a/Django-6.0.1.checksum.txt +++ /dev/null 
@@ -1,67 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA256 - -This file contains MD5, SHA1, and SHA256 checksums for the -source-code tarball and wheel files of Django 6.0.1, released January 6, 2026. - -To use this file, you will need a working install of PGP or other -compatible public-key encryption software. You will also need to have -the Django release manager's public key in your keyring. This key has -the ID ``131403F4D16D8DC7`` and can be imported from the MIT -keyserver, for example, if using the open-source GNU Privacy Guard -implementation of PGP: - - gpg --keyserver pgp.mit.edu --recv-key 131403F4D16D8DC7 - -or via the GitHub API: - - curl https://github.com/jacobtylerwalls.gpg | gpg --import - - -Once the key is imported, verify this file: - - gpg --verify Django-6.0.1.checksum.txt - -Once you have verified this file, you can use normal MD5, SHA1, or SHA256 -checksumming applications to generate the checksums of the Django -package and compare them to the checksums listed below. 
- -Release packages -================ - -https://www.djangoproject.com/download/6.0.1/tarball/ -https://www.djangoproject.com/download/6.0.1/wheel/ - -MD5 checksums -============= - -08fe66b67df5e0c958acdfdb2177f81d django-6.0.1.tar.gz -e0d69597f37472a27ce895460db01580 django-6.0.1-py3-none-any.whl - -SHA1 checksums -============== - -72575360c0eae95e2d780009e400c8f17d23cd2a django-6.0.1.tar.gz -116bdcf93d6a463012c24461608fab05c310085f django-6.0.1-py3-none-any.whl - -SHA256 checksums -================ - -ed76a7af4da21551573b3d9dfc1f53e20dd2e6c7d70a3adc93eedb6338130a5f django-6.0.1.tar.gz -a92a4ff14f664a896f9849009cb8afaca7abe0d6fc53325f3d1895a15253433d django-6.0.1-py3-none-any.whl - ------BEGIN PGP SIGNATURE----- - -iQIzBAEBCAAdFiEEU9RpQuAGoqPu3IvIExQD9NFtjccFAmldWBQACgkQExQD9NFt -jce4rw/+NzNKpgdWfztlhoyUu16vGifGblxJyXxP4mziSFqTRw9+VWn2EQgCF+6w -yFWt3Uc9uSk/qu6IHETnzenSKJVfWz/Np7emGxRD1V4+WE82iJLVFSMkNHPyoadf -FjqX/5OD0kJXqvbIpNAdg24OpjQqnm/JT8QP2+Jy+xct3Oycvm2wm7HyM88ifLwQ -E26g4UW66rkG1Q3/7bJWwIWQWjTieCwwlZq3qakOpOkv6Bl8BNAQrcyblnwUbxec -rl9QMv1ynQpHSEHKIrIeRoHczDT8rSiy4NoAIDTztLQEFFU7JNT46jX1+zcoPPSt -ayyScSb6qXvV7Cg1vwOdkDClCqtL4Q+B1boHj1IJFOiV+A33uPPh919kPyzmbfwa -9LcVYdmNBaoXkX2oTApSJpGW47w2ypCH8tcroVFvbkq+/Yhwv6bOuPHtb3hkpvnO -s+2GUkYrtRZB6/r3+KLlNdRa0yAbZSyTpA1TxQDzEx1U+piAslpNB0vd4sivoJ1Q -WwtTbirGjIGKAX3Cd9yOAXivFEhPj4+2HoLQys3KOUCzbC+GEgq8SICm2sU/tM11 -O0cmHV2MGbGRUldZ9K4+XWbwVa1UFecIwvu7mlfYz0Ql1AAoEj4nDcwkGXCzsS6t -R7iIBjGQJjljVKun85YN5D+9sNPdQlvCoHLIXHUA45bhj5kc1G0= -=clZC ------END PGP SIGNATURE----- diff --git a/Django-6.0.2.checksum.txt b/Django-6.0.2.checksum.txt new file mode 100644 index 0000000..d40562d --- /dev/null +++ b/Django-6.0.2.checksum.txt 
@@ -0,0 +1,67 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +This file contains MD5, SHA1, and SHA256 checksums for the +source-code tarball and wheel files of Django 6.0.2, released February 3, 2026. + +To use this file, you will need a working install of PGP or other +compatible public-key encryption software. You will also need to have +the Django release manager's public key in your keyring. This key has +the ID ``131403F4D16D8DC7`` and can be imported from the MIT +keyserver, for example, if using the open-source GNU Privacy Guard +implementation of PGP: + + gpg --keyserver pgp.mit.edu --recv-key 131403F4D16D8DC7 + +or via the GitHub API: + + curl https://github.com/jacobtylerwalls.gpg | gpg --import - + +Once the key is imported, verify this file: + + gpg --verify Django-6.0.2.checksum.txt + +Once you have verified this file, you can use normal MD5, SHA1, or SHA256 +checksumming applications to generate the checksums of the Django +package and compare them to the checksums listed below. 
+ +Release packages +================ + +https://www.djangoproject.com/download/6.0.2/tarball/ +https://www.djangoproject.com/download/6.0.2/wheel/ + +MD5 checksums +============= + +0836ceb8f1f4694f87f0a698c64bd00e django-6.0.2.tar.gz +5e170a7a20b0edbb794228a20895cf17 django-6.0.2-py3-none-any.whl + +SHA1 checksums +============== + +350bfde2ee630b03dde6daf87ad06fac7a8a5642 django-6.0.2.tar.gz +70f23a750efce9d525a94dc2d4a15ce016a1e42b django-6.0.2-py3-none-any.whl + +SHA256 checksums +================ + +3046a53b0e40d4b676c3b774c73411d7184ae2745fe8ce5e45c0f33d3ddb71a7 django-6.0.2.tar.gz +610dd3b13d15ec3f1e1d257caedd751db8033c5ad8ea0e2d1219a8acf446ecc6 django-6.0.2-py3-none-any.whl + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCAAdFiEEU9RpQuAGoqPu3IvIExQD9NFtjccFAmmB894ACgkQExQD9NFt +jcdrdxAAitAeW6C9Glt4TzkgDakqiXaqsYsBNZxLMVsIDytjy8x8hrXZ0VqvM3Oa +wtr3EHjazgfVxBiXH8/BIneT6RyInMGlLPdXijJfNDSYUs+nRDavVYIvwt0jJOJy +oyaH0yQv1dxVibo94sXlMvshfCGpmF1V+963P/t+EciHjuyrxpvEQCXTPFU16exz +TQFt7Jr2f5VYo4LUl4D24CDGwS1F3PUDkjvbm+ZVT6o8x9Sm1del7fpYBA/iP6g5 +UrnIWlvz1cOXIrijJixcGT93q6Zvr3XEIENDs5eIzDlyzi2sL3ZRG/4Aq0ipCiLo +WfjTkMwWlQyyLod6rpNKtlYyMz8hVRLEDHZkYl0jo5sSWYn3uHn8mxAPcz7PYM2l +n6J5e55ISWYmIvH1jbFplv4pa/EmHOyM+VW/fwVvpuboBi9tKFqM+shMSctpDkeO +bXcK0y+1tVoOBsjnkM82PdTcF9KFUajje0xQ+Bs+n5rLDqV0hJ15qCqd78V/1s+U +RxTbnypFcNifwkFoM0kGIJfaJ9jVDAzSoSJUg4tGwbmf2Nvgw2MT4clz8ZccEfJv +KQbHKwMKEzCF2pvjB3codgbpPSZZEHMRcYfV6tgUrPwJRVqWgoqGcePCXDvd/6S6 +dUo/CwINTBY8yxJELuHEn0wr5I69SD7yzUCpIa3HPYR4jl8/mYk= +=Trbt +-----END PGP SIGNATURE----- diff --git a/django-6.0.1.tar.gz b/django-6.0.1.tar.gz deleted file mode 100644 index 67843aa..0000000 --- a/django-6.0.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ed76a7af4da21551573b3d9dfc1f53e20dd2e6c7d70a3adc93eedb6338130a5f -size 11069565 diff --git a/django-6.0.2.tar.gz b/django-6.0.2.tar.gz new file mode 100644 index 0000000..cd3fb8b --- /dev/null +++ b/django-6.0.2.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3046a53b0e40d4b676c3b774c73411d7184ae2745fe8ce5e45c0f33d3ddb71a7 +size 10886874 diff --git a/python-Django6.changes b/python-Django6.changes index d93db25..74dbcab 100644 --- a/python-Django6.changes +++ b/python-Django6.changes @@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Wed Feb 4 09:14:47 UTC 2026 - Markéta Machová + +- Update to 6.0.2 + * CVE-2025-13473: Username enumeration through timing difference + in mod_wsgi authentication handler (bsc#1257401) + * CVE-2025-14550: Potential denial-of-service vulnerability via + repeated headers when using ASGI (bsc#1257403) + * CVE-2026-1207: Potential SQL injection via raster lookups on + PostGIS (bsc#1257405) + * CVE-2026-1285: Potential denial-of-service vulnerability in + django.utils.text.Truncator HTML methods (bsc#1257406) + * CVE-2026-1287: Potential SQL injection in column aliases via + control characters (bsc#1257407) + * CVE-2026-1312: Potential SQL injection via QuerySet.order_by + and FilteredRelation (bsc#1257408) + * Fixed a visual regression in Django 6.0 that caused the admin + filter sidebar to wrap below the changelist when filter elements + contained long text + * Fixed a visual regression in Django 6.0 for admin form fields + grouped under a
aligned horizontally + * Fixed a regression in Django 6.0 where auto_now_add field values + were not populated during INSERT operations, due to incorrect + parameters passed to field.pre_save() + ------------------------------------------------------------------- Fri Jan 9 10:21:45 UTC 2026 - Markéta Machová diff --git a/python-Django6.spec b/python-Django6.spec index e6b6fdb..579a0a3 100644 --- a/python-Django6.spec +++ b/python-Django6.spec @@ -27,7 +27,7 @@ %endif %define skip_python311 1 Name: python-Django6 -Version: 6.0.1 +Version: 6.0.2 Release: 0 Summary: A high-level Python Web framework License: BSD-3-Clause
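Review bot: Django-6.0.2.checksum.txt is added as a clearsigned file, but nothing visible in this patch shows its signature being checked, and the python-Django6.spec hunk changes only Version. Confirm that the build or source service verifies the PGP signature against a keyring shipped with the package, pinned to the release key rather than fetched from a keyserver by the 16-digit ID 131403F4D16D8DC7 as the file's own instructions describe, and that the tarball comparison uses the SHA256 line for django-6.0.2.tar.gz and not the MD5 or SHA1 entries.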
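Review bot: The size field in the new django-6.0.2.tar.gz LFS pointer drops to 10886874 from 11069565 in the deleted 6.0.1 pointer, which is worth a second look for a point release that only adds fixes. The oid in the pointer equals the SHA256 entry listed for django-6.0.2.tar.gz in Django-6.0.2.checksum.txt, so once that file's signature is verified the object is tied to the upstream release; please state in the request that this check was done.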
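Review bot: In the python-Django6.changes hunk, the bullet "Fixed a visual regression in Django 6.0 for admin form fields grouped under a ... aligned horizontally" reads as if a word is missing after "grouped under a", and the same gap appears in the commit message. If the element name was written in angle brackets and lost, spell it out in plain text so the changelog entry is complete.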
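Review bot: The python-Django6.spec hunk touches only the Version line, while the diffstat deletes Django-6.0.1.checksum.txt and django-6.0.1.tar.gz and creates the 6.0.2 files. Check that the Source entries for the tarball and the checksum file are built from %{version} and not hard-coded, since a literal 6.0.1 reference outside this hunk's context would now point at files that no longer exist.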