On Fri, Jul 21, 2023 at 4:31 PM Michel Alexandre Salim <salimma@xxxxxxxxxxxxxxxxx> wrote:
>
> Dear all,
>
> I just put up a PR to update Django in Rawhide to 4.2.3:
>
> https://src.fedoraproject.org/rpms/python-django/pull-request/33
>
> Also - Fedora 37 and 38 are on Django 4.0.x, which is no longer supported -
> should we just update them to 4.2.x as well?
>
> Any version before 4.1.10 and 4.2.3 is affected by this CVE:
> https://bugzilla.redhat.com/show_bug.cgi?id=2219383
> https://nvd.nist.gov/vuln/detail/CVE-2023-36053
>
> NIST NVD gave it a base score of 7.5; and once we switch series anyway,
> maybe we might as well jump to 4.2 which is an LTS, while 4.1 reaches
> end of extended support in Dec 2023 (when Fedora 38 will still be
> supported)
>
> https://www.djangoproject.com/download/
>
> To update to 4.2, asgiref needs to be updated as well, but that seems to
> be the only dependency that is too old.
>
> If we decide against bumping Django on stable releases, we can see if
> the CVE fix can be easily backported to 4.0 or not.
>

Is there any reason why 4.2 would be incompatible with anything using 4.0? If not, then I'd lean toward upgrading things unless upgrading asgiref would be too painful.
A quick query shows the following packages require asgiref:

ngompa@fedora ~> dnf -q repoquery --whatrequires "python3.11dist(asgiref)"
python3-daphne-0:3.0.2-4.fc38.noarch
python3-django-0:4.0.10-1.fc38.noarch
python3-django-0:4.0.2-6.fc37.noarch
python3-django3-0:3.2.18-1.fc38.noarch
python3-django3-0:3.2.19-1.fc38.noarch
python3-opentelemetry-instrumentation-asgi+instruments-1:0.38~b0-10.fc38.noarch
python3-opentelemetry-instrumentation-asgi+instruments-1:0.39~b0-12.fc38.noarch
python3-opentelemetry-instrumentation-asgi-1:0.38~b0-10.fc38.noarch
python3-opentelemetry-instrumentation-asgi-1:0.39~b0-12.fc38.noarch
python3-opentelemetry-test-utils-0:0.38~b0-1.fc38.noarch
python3-opentelemetry-test-utils-0:0.39~b0-1.fc38.noarch
python3-uvicorn-0:0.15.0-5.fc38.noarch

This might be fine or a bit much depending on how strict the dependencies are.

--
真実はいつも一つ!/ Always, there's only one truth!
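An added example, not part of the thread, of the follow-up check the message leaves open: take the version constraints each reverse dependency declares on asgiref and test a candidate asgiref build against them, so "how strict the dependencies are" becomes a list of concrete blockers. The requirement lines, their "package: requirement" layout and the candidate version 3.7.2 are constructed, and the version comparison is a simplified rpmvercmp (no epoch or tilde handling).

```python
"""Find reverse dependencies whose declared asgiref bounds a candidate build would break.
Added example; the requirement lines below are constructed, not real package metadata."""
import re

# Constructed: one "package: requirement" line per asgiref constraint, as you might
# collect by running `dnf repoquery --requires <pkg>` over the --whatrequires list.
SAMPLE_REQUIRES = """\
python3-daphne: python3.11dist(asgiref) >= 3.5.2
python3-django: python3.11dist(asgiref) >= 3.6
python3-django: python3.11dist(asgiref) < 4
python3-uvicorn: python3.11dist(asgiref)
python3-opentelemetry-instrumentation-asgi: python3.11dist(asgiref) < 3.7
"""

LINE_RE = re.compile(r"^(?P<pkg>\S+): (?P<cap>\S+)(?: (?P<op>>=|<=|>|<|=) (?P<ver>\S+))?$")
OPS = {">=": lambda c: c >= 0, ">": lambda c: c > 0,
       "<=": lambda c: c <= 0, "<": lambda c: c < 0, "=": lambda c: c == 0}


def _segments(version):
    # rpmvercmp style: split into digit runs and alpha runs; digits compare numerically.
    return [(0, int(s)) if s.isdigit() else (1, s)
            for s in re.findall(r"\d+|[A-Za-z]+", version)]


def vercmp(a, b):
    """Return 1, 0 or -1 as version a is newer than, equal to or older than b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x[0] != y[0]:            # numeric segment is newer than an alpha one
            return 1 if x[0] == 0 else -1
        if x[1] != y[1]:
            return 1 if x[1] > y[1] else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # longer version is newer


def parse_requires(text):
    rows = [LINE_RE.match(line.strip()) for line in text.splitlines() if line.strip()]
    return [(m["pkg"], m["op"], m["ver"]) for m in rows if m]


def blockers(text, candidate):
    """Return (package, constraint) pairs the candidate version would not satisfy."""
    return [(pkg, f"{op} {ver}") for pkg, op, ver in parse_requires(text)
            if op is not None and not OPS[op](vercmp(candidate, ver))]


if __name__ == "__main__":
    for pkg, constraint in blockers(SAMPLE_REQUIRES, "3.7.2"):   # 3.7.2 is a constructed candidate
        print(f"{pkg} would break: requires asgiref {constraint}")
```

An unversioned requirement (the uvicorn line) never blocks; only explicit bounds do, and an empty result means the bump is safe as far as declared dependencies go.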