Dear all,
I just put up a PR to update Django in Rawhide to 4.2.3:
https://src.fedoraproject.org/rpms/python-django/pull-request/33
Also - Fedora 37 and 38 are on Django 4.0.x, which is no longer supported - should we just update them to 4.2.x as well?
Any version before 4.1.10 and 4.2.3 is affected by this CVE: https://bugzilla.redhat.com/show_bug.cgi?id=2219383 https://nvd.nist.gov/vuln/detail/CVE-2023-36053
NIST NVD gave it a base score of 7.5; and once we switch series anyway, maybe we might as well jump to 4.2 which is an LTS, while 4.1 reaches end of extended support in Dec 2023 (when Fedora 38 will still be supported)
https://www.djangoproject.com/download/
To update to 4.2, asgiref needs to be updated as well, but that seems to be the only dependency that is too old.
If we decide against bumping Django on stable releases, we can see if the CVE fix can be easily backported to 4.0 or not.
Best regards,
On Fri, Jul 21, 2023 at 4:31 PM Michel Alexandre Salim salimma@fedoraproject.org wrote:
Is there any reason why 4.2 would be incompatible with anything using 4.0? If not, then I'd lean toward upgrading things unless upgrading asgiref would be too painful.
A quick query shows the following packages require asgiref:
ngompa@fedora ~> dnf -q repoquery --whatrequires "python3.11dist(asgiref)"
python3-daphne-0:3.0.2-4.fc38.noarch
python3-django-0:4.0.10-1.fc38.noarch
python3-django-0:4.0.2-6.fc37.noarch
python3-django3-0:3.2.18-1.fc38.noarch
python3-django3-0:3.2.19-1.fc38.noarch
python3-opentelemetry-instrumentation-asgi+instruments-1:0.38~b0-10.fc38.noarch
python3-opentelemetry-instrumentation-asgi+instruments-1:0.39~b0-12.fc38.noarch
python3-opentelemetry-instrumentation-asgi-1:0.38~b0-10.fc38.noarch
python3-opentelemetry-instrumentation-asgi-1:0.39~b0-12.fc38.noarch
python3-opentelemetry-test-utils-0:0.38~b0-1.fc38.noarch
python3-opentelemetry-test-utils-0:0.39~b0-1.fc38.noarch
python3-uvicorn-0:0.15.0-5.fc38.noarch
This might be fine or a bit much depending on how strict the dependencies are.
-- 真実はいつも一つ!/ Always, there's only one truth!
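As an added example that is not code from this thread, from Django or from the Fedora packaging tooling, the Python script below puts the two checks discussed above into one place: it decides, from the fixed releases named in the first message (4.1.10 and 4.2.3, with the unsupported 4.0 series having no fix), whether a given Django version is still exposed to CVE-2023-36053, and it parses the `dnf repoquery --whatrequires` output quoted in the reply to list which Fedora releases carry asgiref reverse dependencies and which packaged Django builds are affected. The sample repoquery output is constructed from the lines quoted in the thread; the NEVRA regex and the `is_affected` rule are this example's own assumptions, and series the thread does not mention (such as 3.2.x) are reported as not covered rather than guessed.

```python
import re
from typing import Optional

# Fixed releases named in the thread for CVE-2023-36053, keyed by (major, minor) series.
FIXED_IN = {(4, 1): (4, 1, 10), (4, 2): (4, 2, 3)}


def parse_version(version: str) -> tuple:
    """Turn '4.0.10' into (4, 0, 10) so tuple comparison orders releases correctly."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> Optional[bool]:
    """True/False for the series the thread covers; None for series it does not mention."""
    v = parse_version(version)
    series = v[:2]
    if series in FIXED_IN:
        return v < FIXED_IN[series]
    if series[0] == 4 and series < min(FIXED_IN):
        # 4.0.x: older than every fixed release and out of upstream support,
        # so per the thread every 4.0 release is affected (assumption: no 4.0 fix exists).
        return True
    if series > max(FIXED_IN):
        # A series newer than every fix was released after the fix.
        return False
    return None  # e.g. 3.2.x: the thread names no fixed release for it


# NEVRA layout as printed by repoquery: name-epoch:version-release.arch (assumed regex).
NEVRA_RE = re.compile(
    r"^(?P<name>.+)-(?P<epoch>\d+):(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)


def parse_nevra(nevra: str) -> dict:
    """Split one repoquery line into its fields and pull the Fedora dist tag out of the release."""
    m = NEVRA_RE.match(nevra)
    if not m:
        raise ValueError(f"not a NEVRA string: {nevra!r}")
    fields = m.groupdict()
    dist = re.search(r"\.(fc\d+)", fields["release"])
    fields["dist"] = dist.group(1) if dist else None
    return fields


# Constructed sample: the package list quoted in the reply above.
REPOQUERY_OUTPUT = """
python3-daphne-0:3.0.2-4.fc38.noarch
python3-django-0:4.0.10-1.fc38.noarch
python3-django-0:4.0.2-6.fc37.noarch
python3-django3-0:3.2.18-1.fc38.noarch
python3-django3-0:3.2.19-1.fc38.noarch
python3-opentelemetry-instrumentation-asgi+instruments-1:0.38~b0-10.fc38.noarch
python3-opentelemetry-instrumentation-asgi+instruments-1:0.39~b0-12.fc38.noarch
python3-opentelemetry-instrumentation-asgi-1:0.38~b0-10.fc38.noarch
python3-opentelemetry-instrumentation-asgi-1:0.39~b0-12.fc38.noarch
python3-opentelemetry-test-utils-0:0.38~b0-1.fc38.noarch
python3-opentelemetry-test-utils-0:0.39~b0-1.fc38.noarch
python3-uvicorn-0:0.15.0-5.fc38.noarch
"""


def dists_needing_asgiref(output: str) -> list:
    """Fedora releases that ship at least one asgiref reverse dependency."""
    return sorted({parse_nevra(line)["dist"] for line in output.split()})


def django_status(output: str, names=("python3-django", "python3-django3")) -> list:
    """(name, version, dist, affected) for every packaged Django build in the output."""
    rows = []
    for line in output.split():
        pkg = parse_nevra(line)
        if pkg["name"] in names:
            rows.append((pkg["name"], pkg["version"], pkg["dist"], is_affected(pkg["version"])))
    return rows


if __name__ == "__main__":
    print("releases with asgiref reverse deps:", dists_needing_asgiref(REPOQUERY_OUTPUT))
    for name, version, dist, affected in django_status(REPOQUERY_OUTPUT):
        state = {True: "AFFECTED", False: "fixed", None: "not covered by thread"}[affected]
        print(f"{name} {version} ({dist}): {state}")
```

Feeding real `dnf -q repoquery --whatrequires` output into `django_status` instead of the constructed sample gives the same table for a live tree; the `None` rows are the ones where the thread gives no fixed version and the advisory has to be checked separately.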
python-devel@lists.fedoraproject.org