Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-Django4 for openSUSE:Factory checked in at 2026-07-09 22:20:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-Django4 (Old) and /work/SRC/openSUSE:Factory/.python-Django4.new.1991 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-Django4" Thu Jul 9 22:20:36 2026 rev:7 rq:1364676 version:4.2.30 Changes: -------- --- /work/SRC/openSUSE:Factory/python-Django4/python-Django4.changes 2026-06-09 14:33:15.104756627 +0200 +++ /work/SRC/openSUSE:Factory/.python-Django4.new.1991/python-Django4.changes 2026-07-09 22:21:36.046666006 +0200 @@ -1,0 +2,10 @@ +Thu Jul 9 07:43:29 UTC 2026 - Markéta Machová <[email protected]> + +- Add security patches: + * CVE-2026-48588: Potential exposure of private data via cached + Set-Cookie response (bsc#1271029) + * CVE-2026-48588.patch + * CVE-2026-53877: Heap buffer over-read in GDALRaster (bsc#1271030) + * CVE-2026-53877.patch + +------------------------------------------------------------------- New: ---- CVE-2026-48588.patch CVE-2026-53877.patch ----------(New B)---------- New: Set-Cookie response (bsc#1271029) * CVE-2026-48588.patch * CVE-2026-53877: Heap buffer over-read in GDALRaster (bsc#1271030) New: * CVE-2026-53877: Heap buffer over-read in GDALRaster (bsc#1271030) * CVE-2026-53877.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-Django4.spec ++++++ --- /var/tmp/diff_new_pack.bK7P3u/_old 2026-07-09 22:21:37.290708274 +0200 +++ /var/tmp/diff_new_pack.bK7P3u/_new 2026-07-09 22:21:37.290708274 +0200 @@ -75,6 +75,10 @@ Patch15: CVE-2026-35193.patch # PATCH-FIX-UPSTREAM CVE-2026-48587.patch bsc#1267577 Patch16: CVE-2026-48587.patch +# PATCH-FIX-UPSTREAM CVE-2026-48588.patch bsc#1271029 +Patch17: CVE-2026-48588.patch +# PATCH-FIX-UPSTREAM CVE-2026-48588.patch bsc#1271030 +Patch18: CVE-2026-53877.patch BuildRequires: %{python_module Jinja2 >= 2.9.2} BuildRequires: %{python_module Pillow >= 6.2.0} BuildRequires: %{python_module PyYAML} ++++++ CVE-2026-48588.patch ++++++ >From 721685aa7799cc9327bd202cd1f70bd012ca95a7 Mon Sep 17 00:00:00 2001 From: Natalia <[email protected]> Date: Thu, 11 Jun 2026 16:23:37 -0300 Subject: [PATCH] [5.2.x] Fixed CVE-2026-48588 -- Prevented caching of responses that set cookies and vary on Cookie. `UpdateCacheMiddleware` skipped caching `Set-Cookie` responses that vary on `Cookie` only when the request had no cookies at all. A request carrying an unrelated cookie bypassed the guard, allowing a newly-issued session cookie to be stored in Django's shared cache. The guard now applies whenever a response both sets a cookie and varies on Cookie, regardless of what cookies the incoming request carried. Thanks Chris Whyland for the report, Jake Howard for initial triage, and Jacob Walls for reviews. Backport of 6e365f8d01f2ba0bbd90968d76a42600fb8bc4b1 from main. --- django/middleware/cache.py | 8 ++------ docs/releases/5.2.16.txt | 14 ++++++++++++++ tests/cache/tests.py | 38 +++++++++++++++++++++++++++++++------- 3 files changed, 47 insertions(+), 13 deletions(-) diff --git a/django/middleware/cache.py b/django/middleware/cache.py index c6c7416fdeb6..fe60509cb8f7 100644 --- a/django/middleware/cache.py +++ b/django/middleware/cache.py @@ -95,12 +95,8 @@ def process_response(self, request, response): return response # Don't cache responses that set a user-specific (and maybe security - # sensitive) cookie in response to a cookie-less request. - if ( - not request.COOKIES - and response.cookies - and has_vary_header(response, "Cookie") - ): + # sensitive) cookie while varying on Cookie. + if response.cookies and has_vary_header(response, "Cookie"): return response # Don't cache responses when the Cache-Control header is set to diff --git a/tests/cache/tests.py b/tests/cache/tests.py index 5b16735d27b8..2fd9bc7137da 100644 --- a/tests/cache/tests.py +++ b/tests/cache/tests.py @@ -2824,18 +2824,42 @@ def test_authorization_header_exceptions(self): def test_sensitive_cookie_not_cached(self): """ - Django must prevent caching of responses that set a user-specific (and - maybe security sensitive) cookie in response to a cookie-less request. + Responses that set a new cookie not present in the request are not + cached, regardless of whether the request already had other cookies. """ - request = self.factory.get("/view/") - csrf_middleware = CsrfViewMiddleware(csrf_view) - csrf_middleware.process_view(request, csrf_view, (), {}) - cache_middleware = CacheMiddleware(csrf_middleware) + for headers in ({}, {"HTTP_COOKIE": "unrelated=value"}): + with self.subTest(headers=headers): + request = self.factory.get("/view/", **headers) + csrf_middleware = CsrfViewMiddleware(csrf_view) + csrf_middleware.process_view(request, csrf_view, (), {}) + cache_middleware = CacheMiddleware(csrf_middleware) + + self.assertIsNone(cache_middleware.process_request(request)) + cache_middleware(request) + + # Inserting a CSRF cookie prevented caching. + self.assertIsNone(cache_middleware.process_request(request)) + + def test_refreshed_cookie_not_cached(self): + """ + A response that updates the value of a cookie already present in the + request is not cached. Caching it would allow a stale cookie value to + be served to a different client via a Vary: Cookie cache hit. + """ + + def refreshing_cookie_view(request): + response = HttpResponse("content") + response.set_cookie("session", "new_value") + patch_vary_headers(response, ("Cookie",)) + return response + + request = self.factory.get("/view/", HTTP_COOKIE="session=old_value") + cache_middleware = CacheMiddleware(refreshing_cookie_view) self.assertIsNone(cache_middleware.process_request(request)) cache_middleware(request) - # Inserting a CSRF cookie in a cookie-less request prevented caching. + # The response refreshed an existing cookie so it must not be cached. self.assertIsNone(cache_middleware.process_request(request)) def test_304_response_has_http_caching_headers_but_not_cached(self): ++++++ CVE-2026-53877.patch ++++++ >From 6c66eb8cec52b303af85c2c6e4dd00aa37654dbc Mon Sep 17 00:00:00 2001 From: Jacob Walls <[email protected]> Date: Tue, 16 Jun 2026 15:53:48 -0400 Subject: [PATCH] [5.2.x] Fixed CVE-2026-53877 -- Prevented heap buffer over-read when creating GDALRaster from bytes. Previously, `sys.getsizeof()` included the size of the `PyBytesObject` wrapper which is bigger. `len(bytes_object)` is the accurate size. Thanks Bence Nagy for the report, and Simon Charette for reviews. Backport of 6ca2bbe2efce21010eff48f1f36a3f621d698ed8 from main. --- django/contrib/gis/gdal/raster/source.py | 3 +-- docs/releases/5.2.16.txt | 14 ++++++++++++++ tests/gis_tests/gdal_tests/test_raster.py | 6 ++++++ 3 files changed, 21 insertions(+), 2 deletions(-) Index: django-4.2.30/django/contrib/gis/gdal/raster/source.py =================================================================== --- django-4.2.30.orig/django/contrib/gis/gdal/raster/source.py +++ django-4.2.30/django/contrib/gis/gdal/raster/source.py @@ -1,6 +1,5 @@ import json import os -import sys import uuid from ctypes import ( addressof, @@ -103,7 +102,7 @@ class GDALRaster(GDALRasterBase): # Create a new raster in write mode. self._write = 1 # Get size of buffer. - size = sys.getsizeof(ds_input) + size = len(ds_input) # Pass data to ctypes, keeping a reference to the ctypes object so # that the vsimem file remains available until the GDALRaster is # deleted. Index: django-4.2.30/tests/gis_tests/gdal_tests/test_raster.py =================================================================== --- django-4.2.30.orig/tests/gis_tests/gdal_tests/test_raster.py +++ django-4.2.30/tests/gis_tests/gdal_tests/test_raster.py @@ -263,6 +263,12 @@ class GDALRasterTests(SimpleTestCase): # The vsi buffer is None for rasters that are not vsi based. self.assertIsNone(self.rs.vsi_buffer) + def test_vsi_buffer_length(self): + with open(self.rs_path, "rb") as rst_file: + rst_bytes = rst_file.read() + vsimem = GDALRaster(rst_bytes) + self.assertEqual(len(vsimem.vsi_buffer), len(rst_bytes)) + def test_vsi_vsizip_filesystem(self): rst_zipfile = tempfile.NamedTemporaryFile(suffix=".zip") with zipfile.ZipFile(rst_zipfile, mode="w") as zf:
