CVE-2025-57833

- Add upstream test_strip_tags.patch to fix test errors with
  at-this-point future python interpreters

OBS-URL: https://build.opensuse.org/request/show/1294515
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Django?expand=0&rev=134

CVE-2025-57833.patch

@@ -0,0 +1,82 @@
+From 4c044fcc866ec226f612c475950b690b0139d243 Mon Sep 17 00:00:00 2001
+From: Jake Howard <git@theorangeone.net>
+Date: Wed, 13 Aug 2025 14:13:42 +0200
+Subject: [PATCH] [5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation
+ against SQL injection in column aliases.
+
+Thanks Eyal Gabay (EyalSec) for the report.
+
+Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
+---
+ django/db/models/sql/query.py |  1 +
+ docs/releases/4.2.24.txt      |  7 +++++++
+ docs/releases/5.1.12.txt      |  7 +++++++
+ docs/releases/5.2.6.txt       |  7 +++++++
+ tests/annotations/tests.py    | 24 ++++++++++++++++++++++++
+ 5 files changed, 46 insertions(+)
+
+diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
+index 9b44d017ffe3..5247616086aa 100644
+--- a/django/db/models/sql/query.py
++++ b/django/db/models/sql/query.py
+@@ -1696,6 +1696,7 @@ def _add_q(
+         return target_clause, needed_inner
+ 
+     def add_filtered_relation(self, filtered_relation, alias):
++        self.check_alias(alias)
+         filtered_relation.alias = alias
+         relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
+             filtered_relation.relation_name
+diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
+index 6c0d7b668c33..060d6324c74c 100644
+--- a/tests/annotations/tests.py
++++ b/tests/annotations/tests.py
+@@ -14,6 +14,7 @@
+     Exists,
+     ExpressionWrapper,
+     F,
++    FilteredRelation,
+     FloatField,
+     Func,
+     IntegerField,
+@@ -1164,6 +1165,15 @@ def test_alias_sql_injection(self):
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.annotate(**{crafted_alias: Value(1)})
+ 
++    def test_alias_filtered_relation_sql_injection(self):
++        crafted_alias = """injected_name" from "annotations_book"; --"""
++        msg = (
++            "Column aliases cannot contain whitespace characters, quotation marks, "
++            "semicolons, or SQL comments."
++        )
++        with self.assertRaisesMessage(ValueError, msg):
++            Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
++
+     def test_alias_forbidden_chars(self):
+         tests = [
+             'al"ias',
+@@ -1189,6 +1199,11 @@ def test_alias_forbidden_chars(self):
+                 with self.assertRaisesMessage(ValueError, msg):
+                     Book.objects.annotate(**{crafted_alias: Value(1)})
+ 
++                with self.assertRaisesMessage(ValueError, msg):
++                    Book.objects.annotate(
++                        **{crafted_alias: FilteredRelation("authors")}
++                    )
++
+     @skipUnless(connection.vendor == "postgresql", "PostgreSQL tests")
+     @skipUnlessDBFeature("supports_json_field")
+     def test_set_returning_functions(self):
+@@ -1482,3 +1497,12 @@ def test_alias_sql_injection(self):
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.alias(**{crafted_alias: Value(1)})
++
++    def test_alias_filtered_relation_sql_injection(self):
++        crafted_alias = """injected_name" from "annotations_book"; --"""
++        msg = (
++            "Column aliases cannot contain whitespace characters, quotation marks, "
++            "semicolons, or SQL comments."
++        )
++        with self.assertRaisesMessage(ValueError, msg):
++            Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})

Django-5.1.1.checksum.txt

@@ -1,67 +0,0 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA256
-
-This file contains MD5, SHA1, and SHA256 checksums for the source-code
-tarball and wheel files of Django 5.1.1, released September 3, 2024.
-
-To use this file, you will need a working install of PGP or other
-compatible public-key encryption software. You will also need to have
-the Django release manager's public key in your keyring. This key has
-the ID ``2EE82A8D9470983E`` and can be imported from the MIT
-keyserver, for example, if using the open-source GNU Privacy Guard
-implementation of PGP:
-
-    gpg --keyserver pgp.mit.edu --recv-key 2EE82A8D9470983E
-
-or via the GitHub API:
-
-    curl https://github.com/nessita.gpg | gpg --import -
-
-Once the key is imported, verify this file:
-
-    gpg --verify Django-5.1.1.checksum.txt
-
-Once you have verified this file, you can use normal MD5, SHA1, or SHA256
-checksumming applications to generate the checksums of the Django
-package and compare them to the checksums listed below.
-
-Release packages
-================
-
-https://www.djangoproject.com/m/releases/5.1/Django-5.1.1.tar.gz
-https://www.djangoproject.com/m/releases/5.1/Django-5.1.1-py3-none-any.whl
-
-MD5 checksums
-=============
-
-8024c23d7efe9e7acb04496ae22739c7  Django-5.1.1.tar.gz
-7782d604d5b7cbb56e6b7da90595b6fa  Django-5.1.1-py3-none-any.whl
-
-SHA1 checksums
-==============
-
-8dedfc247c7bf010c93c5e5e30bca2012704a7ce  Django-5.1.1.tar.gz
-a038998584b227243ae6c1d29b3e7c2a166db918  Django-5.1.1-py3-none-any.whl
-
-SHA256 checksums
-================
-
-021ffb7fdab3d2d388bc8c7c2434eb9c1f6f4d09e6119010bbb1694dda286bc2  Django-5.1.1.tar.gz
-71603f27dac22a6533fb38d83072eea9ddb4017fead6f67f2562a40402d61c3f  Django-5.1.1-py3-none-any.whl
------BEGIN PGP SIGNATURE-----
-
-iQJcBAEBCABGFiEEW1sboQ2FrHxcduOPLugqjZRwmD4FAmbXARwoHDEyNDMwNCtu
-ZXNzaXRhQHVzZXJzLm5vcmVwbHkuZ2l0aHViLmNvbQAKCRAu6CqNlHCYPmSPEACs
-vwz2HvzWF+YpeXx1jLQJ6/JdQjmRPT/6pp+r0GW6KG6UqmawMsvRSX/k4zdvceYx
-c7SVAIJwWNwZsPHbrjetGAI1NbAoWYxl8soCTIMR9A0mSlZebBSHb0+oUMQcwiZ5
-E4OMBv7QYYo8QVGs1KH1dMx4Unn+5VlAlaxo9BOa94PtCzUWxsIuji+yv1uKDVVa
-BQivwy0ZuzBPMkHHaTAb5byWtsbLFhHeXkWirEzivecIVxvd88mO1GXh5zY3wjRW
-UKLHQCNT6e3s7UB/ZS7IsQp7bPCmFfLsVp8+8pbABXqYHn6rM4/VCLhN06s/xVID
-DSPkqNQz39gRbn5UNVSTLVNv/yoQ6crIHw9AiRECrJ3UaRzeDcQStnmxJx92duDr
-bDLnmTI0Sx7+hqQjNOrGCFg6vO8ZVosxOgM/FgbXDKyA+FqtfbdR+/tW9KKtunPy
-AHs87A6VqYMRzyTvRChzVpKKYrdMckjRUuyrogQJEuE5VJ0o5579FxBy9OekA3km
-FTscEn8GiC4EZTR48IWSsNOCYn7VjihHvZGo4eO0uZRYFChTKc6Sah7p+i41XV1W
-FLhOqCqF/4Kl6u3dWkWPAnm8mmWDsARpGbAoxCkd8AJtlR0nScdYuwOshlpixIVa
-XgUJwJ3rzCSTd35tq+sF7y3WT3bPyUl/DwkuJVHhFA==
-=i1OF
------END PGP SIGNATURE-----

Django-5.1.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:021ffb7fdab3d2d388bc8c7c2434eb9c1f6f4d09e6119010bbb1694dda286bc2
-size 10675933

Django-5.2.4.checksum.txt

@@ -0,0 +1,68 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+This file contains MD5, SHA1, and SHA256 checksums for the
+source-code tarball and wheel files of Django 5.2.4, released July 2, 2025.
+
+To use this file, you will need a working install of PGP or other
+compatible public-key encryption software. You will also need to have
+the Django release manager's public key in your keyring. This key has
+the ID ``2EE82A8D9470983E`` and can be imported from the MIT
+keyserver, for example, if using the open-source GNU Privacy Guard
+implementation of PGP:
+
+    gpg --keyserver pgp.mit.edu --recv-key 2EE82A8D9470983E
+
+or via the GitHub API:
+
+    curl https://github.com/nessita.gpg | gpg --import -
+
+Once the key is imported, verify this file:
+
+    gpg --verify Django-5.2.4.checksum.txt
+
+Once you have verified this file, you can use normal MD5, SHA1, or SHA256
+checksumming applications to generate the checksums of the Django
+package and compare them to the checksums listed below.
+
+Release packages
+================
+
+https://www.djangoproject.com/download/5.2.4/tarball/
+https://www.djangoproject.com/download/5.2.4/wheel/
+
+MD5 checksums
+=============
+
+6ecc4875e8cdc08706faea1cc4740fdf  django-5.2.4.tar.gz
+fee657f7686462d388f274c5f92b634a  django-5.2.4-py3-none-any.whl
+
+SHA1 checksums
+==============
+
+de45d44e1bb2ceb1c08b8fd0846de920874f71a1  django-5.2.4.tar.gz
+a6a7904e3749a0e8937a50643293889929b4b6f7  django-5.2.4-py3-none-any.whl
+
+SHA256 checksums
+================
+
+a1228c384f8fa13eebc015196db7b3e08722c5058d4758d20cb287503a540d8f  django-5.2.4.tar.gz
+60c35bd96201b10c6e7a78121bd0da51084733efa303cc19ead021ab179cef5e  django-5.2.4-py3-none-any.whl
+
+-----BEGIN PGP SIGNATURE-----
+
+iQJcBAEBCABGFiEEW1sboQ2FrHxcduOPLugqjZRwmD4FAmhlfcIoHDEyNDMwNCtu
+ZXNzaXRhQHVzZXJzLm5vcmVwbHkuZ2l0aHViLmNvbQAKCRAu6CqNlHCYPj5DD/94
+KOuOZ5JHtZWknqi1JeV1akzB/RpY7lhL9SbJbVXhdAxOY9Cn4eUG7NsPWa9JnhX1
+F/2geBE5mjOZen4ARtGHWxa5vqidqUbscrU9AkqPLn6aecEKi2jXXNkYmmWw/37K
+wb92BQtuWkaXyiZ4E6Sledx9yFhcqMDFg27CdNYfAqUWofI6zzSmLIzOlOSVR9Sc
+uDrfRqQ4GXlRGT5pIkcIxE0ZKToUYrKgn99PZOmBcLfJgQ4VBt62J6SzZAhhElb3
+DUMcVhG2XNIhg7v7DwlVodowDYQdRi2H/ahAa7/m1+uugRbysoGSLLwP+50tDjlj
+07zxoJsrL5R9zaMp4pcXQN4bUy3rDz94DkjlXO51f8LwDdStvk4VOYan1W5S9BhP
+R0conCFfcg4+iK0pV5e/GeeTwBRHQw8p5RuWfrEpKFi/XQtT0u01hqUGppeuZ9wI
+f+Ud9RA8Nrw0ouli4WvfH0RVFuMgUFqScwO88oatuUH5CDPjlV+5usNb7FrmZXv6
+AWRopONOcYGF07+FYh0nsoE8enWyxE+JWTJzxT5PGZ3buUO0hlnJ+auoJv8yOVii
+ELCSUyi93glWonCBrS41XrNO6+6K/8V9V6iv9/PdGwF1GszbX5Rx4e2lDMA7crYh
+1qKGaV3+iAO+Y+vXt6VTy6h5GLg9hun+RQ8TU3Guyg==
+=d9C5
+-----END PGP SIGNATURE-----

django-5.2.4.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a1228c384f8fa13eebc015196db7b3e08722c5058d4758d20cb287503a540d8f
+size 10831909

python-Django.changes

@@ -1,3 +1,167 @@
+-------------------------------------------------------------------
+Thu Sep  4 13:14:40 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Add security patch CVE-2025-57833.patch (bsc#1248810)
+
+-------------------------------------------------------------------
+Sat Jul 19 06:51:37 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Add upstream test_strip_tags.patch to fix test errors with
+  at-this-point future python interpreters
+
+-------------------------------------------------------------------
+Thu Jul  3 12:47:34 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Update to 5.2.4
+  * Fixed a log injection possibility by migrating remaining response logging
+    to django.utils.log.log_response(), which safely escapes arguments
+    such as the request path to prevent unsafe log output (CVE 2025-48432).
+  * Fixed a regression in Django 5.2 that caused QuerySet.bulk_update() to
+    incorrectly convert None to JSON null instead of SQL NULL for JSONField
+  * Fixed a regression in Django 5.2.2 where the q parameter was removed from
+    the internal django.http.MediaType.params property
+  * Fixed a regression in Django 5.2.2 where HttpRequest.get_preferred_type()
+    incorrectly preferred more specific media types with a lower quality
+  * Fixed a crash in Django 5.2 when performing an __in lookup involving a
+    composite primary key and a subquery on certain backends
+
+-------------------------------------------------------------------
+Thu Jun  5 11:53:48 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Update to 5.2.2 (bsc#1244095)
+  * CVE-2025-48432: Potential log injection via unescaped request path
+  * Fixed a crash when using select_related against a ForeignObject
+    originating from a model with a CompositePrimaryKey
+  * Fixed a regression in Django 5.2 that caused a crash when no
+    arguments were passed into QuerySet.union().
+  * Fixed a regression in Django 5.2 that caused a crash when using OuterRef
+    in PostgreSQL aggregate functions ArrayAgg, StringAgg, and JSONBAgg.
+  * Fixed a bug in Django 5.2 where HttpRequest.get_preferred_type() did not
+    account for media type parameters in Accept headers, reducing specificity
+    in content negotiation.
+
+-------------------------------------------------------------------
+Mon May 12 08:20:40 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Update to 5.2.1 (bsc#1242210)
+  * This release was built using an upgraded setuptools, producing
+    filenames compliant with PEP 491 and PEP 625 and thus addressing
+    a PyPI warning about non-compliant distribution filenames. This
+    change only affects the Django packaging process and does not
+    impact Django’s behavior.
+  * CVE-2025-32873: Denial-of-service possibility in strip_tags()
+  * Fixed a data corruption possibility in file_move_safe() when
+    allow_overwrite=True
+  * Fixed a regression introduced when fixing CVE 2025-26699, where
+    the wordwrap template filter did not preserve empty lines between
+    paragraphs after wrapping text
+  * Fixed many bugs and regressions in Django 5.2, see upstream changelog
+
+-------------------------------------------------------------------
+Tue Apr 22 15:46:20 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Add missing runtime dependency on tzdata
+
+-------------------------------------------------------------------
+Mon Apr  7 15:02:18 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Update to 5.2
+  * Django 5.2 is designated as a long-term support release. It will receive 
+    security updates for at least three years after its release.
+  * Django 5.2 supports Python 3.10, 3.11, 3.12, and 3.13.
+  ** What’s new in Django 5.2 **
+  * Automatic models import in the shell
+  * Composite Primary Keys
+  * Simplified override of BoundField
+  * ... and many more smaller features
+  ** Backwards incompatible changes in 5.2 **
+  * Database backend API changes
+  * Dropped support for PostgreSQL 13
+  * Changed MySQL connection character set default
+  * ... and more, see upstream changelog
+  ** Features deprecated in 5.2 **
+  * The all argument for the django.contrib.staticfiles.finders.find()
+    function is deprecated in favor of the find_all argument.
+  * The ordering keyword argument of the PostgreSQL specific aggregation
+    functions is deprecated in favor of the order_by argument.
+
+-------------------------------------------------------------------
+Mon Apr  7 14:19:10 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Update to 5.1.8
+  * CVE-2025-27556: Potential denial-of-service vulnerability in 
+    LoginView, LogoutView, and set_language() on Windows
+  * Fixed a regression in Django 5.1.7 where the removal of the single_object 
+    parameter unintentionally altered the signature and return type of 
+    LogEntryManager.log_actions()
+
+-------------------------------------------------------------------
+Sun Mar 30 08:28:57 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- update filelist to be compatible with newer setuptools 
+
+-------------------------------------------------------------------
+Tue Mar 18 13:01:55 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Update to 5.1.7 (bsc#1239052)
+  * CVE-2025-26699: Potential denial-of-service vulnerability in
+    django.utils.text.wrap()
+  * Fixed a bug in Django 5.1 where the {% querystring %} template tag 
+    returned an empty string rather than "?"
+  * Fixed a bug in Django 5.1 where FileSystemStorage, with allow_overwrite 
+    set to True, did not truncate the overwritten file content
+  * Fixed a regression in Django 5.1 where the count and exists methods of 
+    ManyToManyField related managers would always return 0 and False when 
+    the intermediary model back references used to_field
+  * Fixed a regression in Django 5.1 where the pre_save and post_save signals 
+    for LogEntry were not sent when deleting a single object in the admin
+
+-------------------------------------------------------------------
+Tue Feb 11 12:52:16 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Update to 5.1.6
+  * Fixed a regression in Django 5.1.5 that caused validate_ipv6_address()
+    and validate_ipv46_address() to crash when handling non-string values
+  * Fixed a regression in Django 5.1 where password fields, despite being
+    set to required=False, were still treated as required in forms derived
+    from BaseUserCreationForm
+
+-------------------------------------------------------------------
+Wed Jan 15 07:53:44 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Update to 5.1.5 (bsc#1235856)
+  * CVE-2024-56374: Potential denial-of-service vulnerability in 
+    IPv6 validation
+  * Fixed a crash when applying migrations with references to the 
+    removed Meta.index_together option
+
+-------------------------------------------------------------------
+Mon Dec  9 09:13:02 UTC 2024 - Markéta Machová <mmachova@suse.com>
+
+- Update to 5.1.4 (bsc#1234231, CVE-2024-53908, bsc#1234232, CVE-2024-53907)
+  * CVE-2024-53907: Potential denial-of-service in django.utils.html.strip_tags()
+  * CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle
+  * Fixed a crash in createsuperuser on Python 3.13+ caused by an unhandled OSError
+  * Fixed a regression in Django 5.1 where relational fields were not updated
+  * Fixed a bug in Django 5.1 where DomainNameValidator accepted any input value 
+    that contained a valid domain name, rather than only input values that were 
+    a valid domain name
+  * Fixed a regression in Django 5.1 that prevented the use of DB-IP databases with GeoIP2
+  * Fixed a regression in Django 5.1 where non-ASCII fieldset names were not displayed 
+    when rendering admin fieldsets
+
+-------------------------------------------------------------------
+Thu Oct 17 10:16:22 UTC 2024 - Markéta Machová <mmachova@suse.com>
+
+- Update to 5.1.2
+  * Fixed a regression in Django 5.1 that caused a crash when using 
+    the PostgreSQL lookup trigram_similar on output fields from Concat
+  * Fixed a regression in Django 5.1 that caused a crash of JSONObject() 
+    when using server-side binding with PostgreSQL 16+
+  * Fixed a regression in Django 5.1 that made selected items in 
+    multi-select widgets indistinguishable from non-selected items in 
+    the admin dark theme
+
 -------------------------------------------------------------------
 Wed Sep  4 07:21:54 UTC 2024 - Alberto Planas Dominguez <aplanas@suse.com>
 

python-Django.keyring

@@ -87,4 +87,46 @@ mF4yM4XSBBno1mWgaSb42LInsYv/ti1VrOrBVzmAYAoUTZL0tfEXeyzHEmWGWVHe
 SQMBvCqUmh/EcQDzPtkqjQQ1LyE5s2fyt5u+jE9JdK/61yKzbKI2UbpPtAaKSlDv
 eAgTzM5bOOqtGR7VR2hlCM4I4k2D0Y/snh2HzA==
 =ul9f
------END PGP PUBLIC KEY BLOCK-----
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGYTwrUBDADP52ov7O0jqH+QWStcbCwwedsV2syCQXxfhnydhkNvdCILBJ0k
+cQdc4E7Q8wGmch9a3bCLR4HIUlv1MMWk+Ty0YY71wczqIPedgM1dBZEtSH6fDOwW
+qFcYieCcmsP+FwBk8WWOKnMydEXoXCp6djSru6YOuQH2CZ+EerKjnDaXAj35dloR
+vbJ14k7Ghn9UCLDXiNOjn2N8eLe6aeoEQt7iiqStdeFuUGR/pLHHEX4sch4y9uBa
+bhC/Ce93VWK8nVna7qWX/cIjZNG6rTo79W7+IiOC5+6r7bLff5qw4BgUX2JPm5Sz
+mhPUlsJZGGXPPaTo+WZQOe5P3Fw7RpuURa+MVoih2H/i2Ur51pDEngB64YwBU1mB
+a+xwm6GHgD28JUwllHJbUl9/UJTbntS7k/k2uuMkok8jHfYb+rqkfCWqOlmuYTG3
+okseReh2TSkGpWyyaSbCihgm80RE5O6jrEDXJiZOsLIuOlVoErfxEZHpOqw43axl
+EXX0VkjFz2IBNPMAEQEAAbROU2FyYWggQm95Y2UgKEdQRyBEamFuZ28gRmVsbG93
+KSA8NDIyOTY1NjYrc2FyYWhib3ljZUB1c2Vycy5ub3JlcGx5LmdpdGh1Yi5jb20+
+iQHOBBMBCAA4FiEE6xs4DYrFLQArrNMyOVWxmFHqlu8FAmYTwrUCGwMFCwkIBwIG
+FQoJCAsCBBYCAwECHgECF4AACgkQOVWxmFHqlu8t+wv9HitJmG5iPs45Qo0nGwGm
+j1X6rP6SQENl+jqtjZU6YaxvNqWculCFl0Wa/xODhxM9HNMs3qREc+R4SqPx4epu
+NaUERN91gZoO4Ms80uqllPzdCsX5hrFblg+LqqznZWAYi94NMTm3Ft4/+I7780ev
+BhxHFBTlqwxZ0eeyaB/qAyb6K9X0cUUFExjYrP3+HAgmrOHK9PUb7vNNKUYMerOK
+waFrpPP5oDBn0p2ZunYAcJt7o2DjBOwy5iw5I2Qs50ZLt9EU0DY8Rf5nF2mKNki1
+CAD8ksNo/ohrNuGyi0r2cvVfx52izPd6PxlKf7xfL2lW16nflK/lNbZtCioDA1FC
+1dCPGD5rvOUXFASc+FZY4tJ6LbIpzg9llgcb6fSi2joT2bm9BbGrHybrIWd3BF/5
+AnrlsSwDCWtYXkdNr/eNEHNgG+aOAH2vSzue3NbCJsXkK69SzlKKOiD2ZUjJ6tKi
+IwcTkotyBaX/FLGhTKLEQE7aztsOpnfJlLU9Zx5IPxJAuQGNBGYTwrUBDACp1f7H
+MpzHvAAy7dD1Ow0pgT3NBFFiEk4jKccz9sAHPT7QQbMeIdL5uQ80lNp6Sw+IyptW
+4cytl6ovRdRyv3XetSp+KJeaqvWvGkz3L+GUoE8ezxgQXLlVcw7IzkhBNMGi+K3C
+aK6ZlZZQG8587dLF9Gbz3Vioc9hyQ/4BOr8pPaAWlSfWQVEGHPSVLh7LToGjrLlS
+h1AzVABNXtJbAt/+O7H5mkMopoPKrqgHTzOLGCd0/Tq3z5d+wqVl7JKk6yHxRr5i
+SXDqPQPmObUhPH1addNzIe+GRVW1ZbbT6l9VDiC4Lj+BJsLafubMB3rlI2T2mQCU
+PTQO0fz5y6oW0HxRtTidoxhvmC72YDFBwvsUTPQ5nt8bcSQprJMLLNL1C5M2LjPu
+tf/Csl02Fcwe/RnW2yjeb6qNCDcLpM9wpMMOdZQCRdRIkWQTcLZPQ2+SR3Ih8rAb
+pzATjFvif/4zpFlDZ9KFevCqf1M2v32sr/dDgcA3nWJ4CFrBQMhBVTcr7rcAEQEA
+AYkBtgQYAQgAIBYhBOsbOA2KxS0AK6zTMjlVsZhR6pbvBQJmE8K1AhsMAAoJEDlV
+sZhR6pbvizgL/34++v0b080pCr/0rWspcuTtD91GwQPs0HgrrfMOV2BXoXucTXj7
+G4xFq9yYO8QALrrtz40S/NeGz09hhFHo08phLAYjLZt8xD7i0uXuV8ZouDUHT0bk
+334RlKHu9kq3si0lyzu1dkGZgIBXsAURrMOyVKVySZGzsa/dpy/EDardWkTKHedf
+07K+KQgomMpVGk4EtKHpfqU9VNN8fdYD4UYtwuegz1nsg28Fa8xkK2ammWncgpVj
++4cJwzFPg11AhhTWs/Ec068ojj70cLD2CodJVAch9RTIOcQ5yKGc483u3bagNqTK
+qZYoLWI6NjxrNZQpwha3pO2ueBDOo/fZXUMgPPqyfdmBZvz6DQM85JfULALxKbkL
+5dQguy8K8SBcrCnv6iT0FjaWlrqnU0IJDZfi2r6eDlXhYjLSwGq8RHkAYXvsCNm8
+BzeRu0mAvjLkLNegQIvfdVXfYIcwUQQB8OAzoz3qzi8vji82MBQO+gkYrlteivoF
+z+gZLcBuv/NdNg==
+=B8gH
+-----END PGP PUBLIC KEY BLOCK-----

python-Django.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-Django
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,22 +16,24 @@
 #
 
 
-%define skip_python2 1
-%define skip_python36 1
 # Selenium and memcached are not operational
 %bcond_with selenium
 %bcond_with memcached
 %{?sle15_python_module_pythons}
 Name:           python-Django
-Version:        5.1.1
+Version:        5.2.4
 Release:        0
 Summary:        A high-level Python Web framework
 License:        BSD-3-Clause
 URL:            https://www.djangoproject.com
-Source:         https://www.djangoproject.com/m/releases/5.1/Django-%{version}.tar.gz
+Source:         https://www.djangoproject.com/m/releases/5.2/django-%{version}.tar.gz
-Source1:        https://media.djangoproject.com/pgp/Django-%{version}.checksum.txt
+Source1:        https://www.djangoproject.com/m/pgp/Django-%{version}.checksum.txt
 Source2:        %{name}.keyring
 Source99:       python-Django-rpmlintrc
+# PATCH-FIX-UPSTREAM https://github.com/django/django/pull/19639 Fixed #36499 -- Adjusted utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior.
+Patch0:         test_strip_tags.patch
+# PATCH-FIX-UPSTREAM CVE-2025-57833.patch bsc#1248810
+Patch1:         CVE-2025-57833.patch
 BuildRequires:  %{python_module Jinja2 >= 2.9.2}
 BuildRequires:  %{python_module Pillow >= 6.2.0}
 BuildRequires:  %{python_module PyYAML}
@@ -53,13 +55,13 @@ BuildRequires:  fdupes
 BuildRequires:  gpg2
 BuildRequires:  python-rpm-macros
 Requires:       python
-Requires:       python-Pillow >= 6.2.0
 Requires:       python-asgiref >= 3.7.0
 Requires:       python-sqlparse >= 0.3.1
 Requires:       python-tzdata
 Requires(post): update-alternatives
 Requires(postun): update-alternatives
 Recommends:     python-Jinja2 >= 2.9.2
+Recommends:     python-Pillow >= 6.2.0
 Recommends:     python-PyYAML
 Recommends:     python-argon2-cffi >= 19.1.0
 Recommends:     python-bcrypt
@@ -96,11 +98,11 @@ gpg --import %{SOURCE2}
 gpg --verify %{SOURCE1}
 #
 # Verify hashes in that file against source tarball.
-echo "`grep -e '^[0-9a-f]\{32\}  Django-%{version}.tar.gz' %{SOURCE1} | cut -c1-32`  %{SOURCE0}" | md5sum -c
+echo "`grep -e '^[0-9a-f]\{32\}  django-%{version}.tar.gz' %{SOURCE1} | cut -c1-32`  %{SOURCE0}" | md5sum -c
-echo "`grep -e '^[0-9a-f]\{40\}  Django-%{version}.tar.gz' %{SOURCE1} | cut -c1-40`  %{SOURCE0}" | sha1sum -c
+echo "`grep -e '^[0-9a-f]\{40\}  django-%{version}.tar.gz' %{SOURCE1} | cut -c1-40`  %{SOURCE0}" | sha1sum -c
-echo "`grep -e '^[0-9a-f]\{64\}  Django-%{version}.tar.gz' %{SOURCE1} | cut -c1-64`  %{SOURCE0}" | sha256sum -c
+echo "`grep -e '^[0-9a-f]\{64\}  django-%{version}.tar.gz' %{SOURCE1} | cut -c1-64`  %{SOURCE0}" | sha256sum -c
 
-%autosetup -p1 -n Django-%{version}
+%autosetup -p1 -n django-%{version}
 
 %build
 %pyproject_wheel
@@ -143,6 +145,6 @@ export PATH=%{_libdir}/chromium:$PATH
 %python_alternative %{_bindir}/django-admin
 %{_datadir}/bash-completion/completions/django_bash_completion-%{python_bin_suffix}.sh
 %{python_sitelib}/django
-%{python_sitelib}/Django-%{version}*-info
+%{python_sitelib}/[Dd]jango-%{version}*-info
 
 %changelog

test_strip_tags.patch

@@ -0,0 +1,46 @@
+From 578ef30376fd279865d1719fcad064a00c625a6b Mon Sep 17 00:00:00 2001
+From: Natalia <124304+nessita@users.noreply.github.com>
+Date: Mon, 14 Jul 2025 14:45:03 -0300
+Subject: [PATCH] Fixed #36499 -- Adjusted
+ utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's
+ HTMLParser new behavior.
+
+---
+ tests/test_utils/tests.py      | 4 ++--
+ tests/utils_tests/test_html.py | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tests/test_utils/tests.py b/tests/test_utils/tests.py
+index 494a0ea8d384..0de19eae9072 100644
+--- a/tests/test_utils/tests.py
++++ b/tests/test_utils/tests.py
+@@ -959,10 +959,10 @@ def test_parsing_errors(self):
+             self.assertHTMLEqual("", "<p>")
+         error_msg = (
+             "First argument is not valid HTML:\n"
+-            "('Unexpected end tag `div` (Line 1, Column 6)', (1, 6))"
++            "('Unexpected end tag `div` (Line 1, Column 0)', (1, 0))"
+         )
+         with self.assertRaisesMessage(AssertionError, error_msg):
+-            self.assertHTMLEqual("< div></ div>", "<div></div>")
++            self.assertHTMLEqual("</div>", "<div></div>")
+         with self.assertRaises(HTMLParseError):
+             parse_html("</p>")
+ 
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index 4ce552e79a0d..205eaeca1668 100644
+--- a/tests/utils_tests/test_html.py
++++ b/tests/utils_tests/test_html.py
+@@ -142,10 +142,10 @@ def test_strip_tags(self):
+             ("&gotcha&#;<>", "&gotcha&#;<>"),
+             ("<sc<!-- -->ript>test<<!-- -->/script>", "ript>test"),
+             ("<script>alert()</script>&h", "alert()h"),
+-            ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),
++            ("><!" + ("&" * 16000) + "D", ">"),
+             ("X<<<<br>br>br>br>X", "XX"),
+             ("<" * 50 + "a>" * 50, ""),
+-            (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
++            (">" + "<a" * 500 + "a", ">"),
+             ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
+             ("<" + "a" * 1_002, "<" + "a" * 1_002),
+         )