Dear all,

I just put up a PR to update Django in Rawhide to 4.2.3:
https://src.fedoraproject.org/rpms/python-django/pull-request/33

Also - Fedora 37 and 38 are on Django 4.0.x, which is no longer supported - should we just update them to 4.2.x as well?

Any version before 4.1.10 and 4.2.3 are affected by this CVE:
https://bugzilla.redhat.com/show_bug.cgi?id=2219383
https://nvd.nist.gov/vuln/detail/CVE-2023-36053

NIST NVD gave it a base score of 7.5; and once we switch series anyway, maybe we might as well jump to 4.2 which is an LTS, while 4.1 reaches end of extended support in Dec 2023 (when Fedora 38 will still be supported)
https://www.djangoproject.com/download/

To update to 4.2, asgiref needs to be updated as well, but that seems to be the only dependency that is too old.

If we decide against bumping Django on stable releases, we can see if the CVE fix can be easily backported to 4.0 or not.

Best regards,

-- 
Michel Alexandre Salim
identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2