mirror of
git://git.openembedded.org/meta-openembedded
synced 2026-04-19 07:46:27 +00:00
151e634ed2
The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q() were subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-64459 https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html Upstream-patch:72d2c874314624ed769cSigned-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
17 lines
505 B
BlitzBasic
17 lines
505 B
BlitzBasic
require python-django.inc
|
|
inherit setuptools3
|
|
|
|
# Windows-specific DoS via NFKC normalization, not applicable to Linux
|
|
CVE_STATUS[CVE-2025-27556] = "not-applicable-platform: Issue only applies on Windows"
|
|
|
|
SRC_URI += "file://CVE-2025-64460.patch \
|
|
file://CVE-2025-64459-1.patch \
|
|
file://CVE-2025-64459-2.patch \
|
|
"
|
|
SRC_URI[sha256sum] = "29019a5763dbd48da1720d687c3522ef40d1c61be6fb2fad27ed79e9f655bc11"
|
|
|
|
RDEPENDS:${PN} += "\
|
|
python3-sqlparse \
|
|
python3-asgiref \
|
|
"
|