Update to 4.2.15 for fix CVE-2024-41989,CVE-2024-41990,CVE-2024-41991 and CVE-2024-42005

(cherry picked from commit 2b335764a62585dcfb77c3fdf6110c7cb3b69b11)
2024-08-08 11:33:05 +08:00 · 2024-08-08 11:33:05 +08:00 · f15296ef33
commit f15296ef33
parent 5b51e71d77
2 changed files with 9 additions and 1 deletions
--- a/Django-4.2.15.tar.gz
+++ b/Django-4.2.15.tar.gz
--- a/python-django.spec
+++ b/python-django.spec
@ -1,6 +1,6 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
-Version:	4.2.14
+Version:	4.2.15
 Release:	1
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and BSD-3-Clause
@ -72,6 +72,14 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Thu Aug 08 2024 yaoxin <yao_xin001@hoperun.com> - 4.2.15-1
+- Update to 4.2.15
+  * CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
+  * CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
+  * CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
+  * CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
+  * Fixed a regression in Django 4.2.14 that caused a crash in ``LocaleMiddleware`` when processing a language code over 500 characters
+
 * Fri Jul 12 2024 yaoxin <yao_xin001@hoperun.com> - 4.2.14-1
 - Update to 4.2.14
  * CVE-2024-38875: Potential denial-of-service vulnerability in django.utils.html.urlize()