diff --git a/CVE-2024-45230.patch b/CVE-2024-45230.patch
deleted file mode 100644
index 6c04676ce1af1876a9b4e4f84b58034812dee5c8..0000000000000000000000000000000000000000
--- a/CVE-2024-45230.patch
+++ /dev/null
@@ -1,179 +0,0 @@ -From 022ab0a75c76ab2ea31dfcc5f2cf5501e378d397 Mon Sep 17 00:00:00 2001 -From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> -Date: Mon, 12 Aug 2024 15:17:57 +0200 -Subject: [PATCH] [5.1.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in - urlize and urlizetrunc template filters. - -Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. ---- - django/utils/html.py | 17 ++++++++------ - docs/ref/templates/builtins.txt | 11 +++++++++ - docs/releases/4.2.16.txt | 14 +++++++++++ - docs/releases/5.0.9.txt | 14 +++++++++++ - docs/releases/5.1.1.txt | 13 +++++++++++ - .../filter_tests/test_urlize.py | 23 +++++++++++++++++++ - tests/utils_tests/test_html.py | 1 + - 7 files changed, 86 insertions(+), 7 deletions(-) - create mode 100644 docs/releases/4.2.16.txt - create mode 100644 docs/releases/5.0.9.txt - create mode 100644 docs/releases/5.1.1.txt - -diff --git a/django/utils/html.py b/django/utils/html.py -index 154c820..0719347 100644 ---- a/django/utils/html.py -+++ b/django/utils/html.py -@@ -427,14 +427,17 @@ class Urlizer: - potential_entity = middle[amp:] - escaped = html.unescape(potential_entity) - if escaped == potential_entity or escaped.endswith(";"): -- rstripped = middle.rstrip(";") -- amount_stripped = len(middle) - len(rstripped) -- if amp > -1 and amount_stripped > 1: -- # Leave a trailing semicolon as might be an entity. -- trail = middle[len(rstripped) + 1 :] + trail -- middle = rstripped + ";" -+ rstripped = middle.rstrip(self.trailing_punctuation_chars) -+ trail_start = len(rstripped) -+ amount_trailing_semicolons = len(middle) - len(middle.rstrip(";")) -+ if amp > -1 and amount_trailing_semicolons > 1: -+ # Leave up to most recent semicolon as might be an entity. 
-+ recent_semicolon = middle[trail_start:].index(";") -+ middle_semicolon_index = recent_semicolon + trail_start + 1 -+ trail = middle[middle_semicolon_index:] + trail -+ middle = rstripped + middle[trail_start:middle_semicolon_index] - else: -- trail = middle[len(rstripped) :] + trail -+ trail = middle[trail_start:] + trail - middle = rstripped - trimmed_something = True - -diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt -index 3e2d638..86841b3 100644 ---- a/docs/ref/templates/builtins.txt -+++ b/docs/ref/templates/builtins.txt -@@ -2932,6 +2932,17 @@ Django's built-in :tfilter:`escape` filter. The default value for - email addresses that contain single quotes (``'``), things won't work as - expected. Apply this filter only to plain text. - -+.. warning:: -+ -+ Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which -+ can become severe when applied to user controlled values such as content -+ stored in a :class:`~django.db.models.TextField`. You can use -+ :tfilter:`truncatechars` to add a limit to such inputs: -+ -+ .. code-block:: html+django -+ -+ {{ value|truncatechars:500|urlize }} -+ - .. templatefilter:: urlizetrunc - - ``urlizetrunc`` -diff --git a/docs/releases/4.2.16.txt b/docs/releases/4.2.16.txt -new file mode 100644 -index 0000000..b624d5c ---- /dev/null -+++ b/docs/releases/4.2.16.txt -@@ -0,0 +1,14 @@ -+=========================== -+Django 4.2.16 release notes -+=========================== -+*September 3, 2024* -+Django 4.2.16 fixes one security issue with severity "moderate" and one -+security issue with severity "low" in 4.2.15. -+ -+... -+CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` -+=========================================================================================== -+ -+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential -+denial-of-service attack via very large inputs with a specific sequence of -+characters. 
-diff --git a/docs/releases/5.0.9.txt b/docs/releases/5.0.9.txt -new file mode 100644 -index 0000000..3b372df ---- /dev/null -+++ b/docs/releases/5.0.9.txt -@@ -0,0 +1,14 @@ -+=========================== -+Django 5.0.9 release notes -+=========================== -+*September 3, 2024* -+Django 5.0.9 fixes one security issue with severity "moderate" and one security -+issue with severity "low" in 5.0.8. -+ -+... -+CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` -+=========================================================================================== -+ -+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential -+denial-of-service attack via very large inputs with a specific sequence of -+characters. -diff --git a/docs/releases/5.1.1.txt b/docs/releases/5.1.1.txt -new file mode 100644 -index 0000000..6a2827c ---- /dev/null -+++ b/docs/releases/5.1.1.txt -@@ -0,0 +1,13 @@ -+========================== -+Django 5.1.1 release notes -+========================== -+*September 3, 2024* -+Django 5.1.1 fixes one security issue with severity "moderate", one security -+issue with severity "low", and several bugs in 5.1. -+ -+CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` -+=========================================================================================== -+ -+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential -+denial-of-service attack via very large inputs with a specific sequence of -+characters. 
-diff --git a/tests/template_tests/filter_tests/test_urlize.py b/tests/template_tests/filter_tests/test_urlize.py -index 8f84e62..14908cb 100644 ---- a/tests/template_tests/filter_tests/test_urlize.py -+++ b/tests/template_tests/filter_tests/test_urlize.py -@@ -305,6 +305,29 @@ class FunctionTests(SimpleTestCase): - "http://testing.com/example</a>.,:;)"!", - ) - -+ def test_trailing_semicolon(self): -+ self.assertEqual( -+ urlize("http://example.com?x=&", autoescape=False), -+ '<a href="http://example.com?x=" rel="nofollow">' -+ "http://example.com?x=&</a>", -+ ) -+ self.assertEqual( -+ urlize("http://example.com?x=&;", autoescape=False), -+ '<a href="http://example.com?x=" rel="nofollow">' -+ "http://example.com?x=&</a>;", -+ ) -+ self.assertEqual( -+ urlize("http://example.com?x=&;;", autoescape=False), -+ '<a href="http://example.com?x=" rel="nofollow">' -+ "http://example.com?x=&</a>;;", -+ ) -+ -+ self.assertEqual( -+ urlize("http://example.com?x=&.;...;", autoescape=False), -+ '<a href="http://example.com?x=" rel="nofollow">' -+ "http://example.com?x=&</a>.;...;", -+ ) -+ - def test_brackets(self): - """ - #19070 - Check urlize handles brackets properly -diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py -index 82dbd58..035585e 100644 ---- a/tests/utils_tests/test_html.py -+++ b/tests/utils_tests/test_html.py -@@ -374,6 +374,7 @@ class TestUtilsHtml(SimpleTestCase): - "&:" + ";" * 100_000, - "&.;" * 100_000, - ".;" * 100_000, -+ "&" + ";:" * 100_000, - ) - for value in tests: - with self.subTest(value=value): --- -2.43.0 - diff --git a/CVE-2024-45231.patch b/CVE-2024-45231.patch deleted file mode 100644 index d46667dbb84287f5d6e3932099db0342fae2440d..0000000000000000000000000000000000000000 --- a/CVE-2024-45231.patch +++ /dev/null 
@@ -1,200 +0,0 @@ -From 3c733c78d6f8e50296d6e248968b6516c92a53ca Mon Sep 17 00:00:00 2001 -From: Natalia <124304+nessita@users.noreply.github.com> -Date: Mon, 19 Aug 2024 14:47:38 -0300 -Subject: [PATCH] [5.1.x] Fixed CVE-2024-45231 -- Avoided server error on - password reset when email sending fails. - -On successful submission of a password reset request, an email is sent -to the accounts known to the system. If sending this email fails (due to -email backend misconfiguration, service provider outage, network issues, -etc.), an attacker might exploit this by detecting which password reset -requests succeed and which ones generate a 500 error response. - -Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam -Johnson, and Sarah Boyce for the reviews. ---- - django/contrib/auth/forms.py | 9 ++++++++- - docs/ref/logging.txt | 12 ++++++++++++ - docs/releases/4.2.16.txt | 11 +++++++++++ - docs/releases/5.0.9.txt | 11 +++++++++++ - docs/releases/5.1.1.txt | 11 +++++++++++ - docs/topics/auth/default.txt | 4 +++- - tests/auth_tests/test_forms.py | 21 +++++++++++++++++++++ - tests/mail/custombackend.py | 6 ++++++ - 8 files changed, 83 insertions(+), 2 deletions(-) - -diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py -index 31e96ff..689014b 100644 ---- a/django/contrib/auth/forms.py -+++ b/django/contrib/auth/forms.py -@@ -1,3 +1,4 @@ -+import logging - import unicodedata - - from django import forms -@@ -16,6 +17,7 @@ from django.utils.translation import gettext - from django.utils.translation import gettext_lazy as _ - - UserModel = get_user_model() -+logger = logging.getLogger("django.contrib.auth") - - - def _unicode_ci_compare(s1, s2): -@@ -393,7 +395,12 @@ class PasswordResetForm(forms.Form): - html_email = loader.render_to_string(html_email_template_name, context) - email_message.attach_alternative(html_email, "text/html") - -- email_message.send() -+ try: -+ email_message.send() -+ except Exception: -+ logger.exception( -+ 
"Failed to send password reset email to %s", context["user"].pk -+ ) - - def get_users(self, email): - """Given an email, return matching user(s) who should receive a reset. -diff --git a/docs/ref/logging.txt b/docs/ref/logging.txt -index 8a7e589..24ab5d9 100644 ---- a/docs/ref/logging.txt -+++ b/docs/ref/logging.txt -@@ -209,6 +209,18 @@ Django development server. This logger generates an ``INFO`` message upon - detecting a modification in a source code file and may produce ``WARNING`` - messages during filesystem inspection and event subscription processes. - -+.. _django-contrib-auth-logger: -+ -+``django.contrib.auth`` -+~~~~~~~~~~~~~~~~~~~~~~~ -+ -+.. versionadded:: 4.2.16 -+ -+Log messages related to :doc:`contrib/auth`, particularly ``ERROR`` messages -+are generated when a :class:`~django.contrib.auth.forms.PasswordResetForm` is -+successfully submitted but the password reset email cannot be delivered due to -+a mail sending exception. -+ - .. _django-contrib-gis-logger: - - ``django.contrib.gis`` -diff --git a/docs/releases/4.2.16.txt b/docs/releases/4.2.16.txt -index b624d5c..f0f82ba 100644 ---- a/docs/releases/4.2.16.txt -+++ b/docs/releases/4.2.16.txt -@@ -12,3 +12,14 @@ CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html - :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential - denial-of-service attack via very large inputs with a specific sequence of - characters. -+ -+CVE-2024-45231: Potential user email enumeration via response status on password reset -+====================================================================================== -+ -+Due to unhandled email sending failures, the -+:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote -+attackers to enumerate user emails by issuing password reset requests and -+observing the outcomes. 
-+ -+To mitigate this risk, exceptions occurring during password reset email sending -+are now handled and logged using the :ref:`django-contrib-auth-logger` logger. -diff --git a/docs/releases/5.0.9.txt b/docs/releases/5.0.9.txt -index 3b372df..3faa716 100644 ---- a/docs/releases/5.0.9.txt -+++ b/docs/releases/5.0.9.txt -@@ -12,3 +12,14 @@ CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html - :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential - denial-of-service attack via very large inputs with a specific sequence of - characters. -+ -+CVE-2024-45231: Potential user email enumeration via response status on password reset -+====================================================================================== -+ -+Due to unhandled email sending failures, the -+:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote -+attackers to enumerate user emails by issuing password reset requests and -+observing the outcomes. -+ -+To mitigate this risk, exceptions occurring during password reset email sending -+are now handled and logged using the :ref:`django-contrib-auth-logger` logger. -diff --git a/docs/releases/5.1.1.txt b/docs/releases/5.1.1.txt -index 6a2827c..d79a961 100644 ---- a/docs/releases/5.1.1.txt -+++ b/docs/releases/5.1.1.txt -@@ -11,3 +11,14 @@ CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html - :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential - denial-of-service attack via very large inputs with a specific sequence of - characters. -+ -+CVE-2024-45231: Potential user email enumeration via response status on password reset -+====================================================================================== -+ -+Due to unhandled email sending failures, the -+:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote -+attackers to enumerate user emails by issuing password reset requests and -+observing the outcomes. 
-+ -+To mitigate this risk, exceptions occurring during password reset email sending -+are now handled and logged using the :ref:`django-contrib-auth-logger` logger. -diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt -index 1d2ea81..7278dca 100644 ---- a/docs/topics/auth/default.txt -+++ b/docs/topics/auth/default.txt -@@ -1723,7 +1723,9 @@ provides several built-in forms located in :mod:`django.contrib.auth.forms`: - .. method:: send_mail(subject_template_name, email_template_name, context, from_email, to_email, html_email_template_name=None) - - Uses the arguments to send an ``EmailMultiAlternatives``. -- Can be overridden to customize how the email is sent to the user. -+ Can be overridden to customize how the email is sent to the user. If -+ you choose to override this method, be mindful of handling potential -+ exceptions raised due to email sending failures. - - :param subject_template_name: the template for the subject. - :param email_template_name: the template for the email body. 
-diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py -index 3dd9324..f1e8fb9 100644 ---- a/tests/auth_tests/test_forms.py -+++ b/tests/auth_tests/test_forms.py -@@ -1369,6 +1369,27 @@ class PasswordResetFormTest(TestDataMixin, TestCase): - ) - ) - -+ @override_settings(EMAIL_BACKEND="mail.custombackend.FailingEmailBackend") -+ def test_save_send_email_exceptions_are_catched_and_logged(self): -+ (user, username, email) = self.create_dummy_user() -+ form = PasswordResetForm({"email": email}) -+ self.assertTrue(form.is_valid()) -+ -+ with self.assertLogs("django.contrib.auth", level=0) as cm: -+ form.save() -+ -+ self.assertEqual(len(mail.outbox), 0) -+ self.assertEqual(len(cm.output), 1) -+ errors = cm.output[0].split("\n") -+ pk = user.pk -+ self.assertEqual( -+ errors[0], -+ f"ERROR:django.contrib.auth:Failed to send password reset email to {pk}", -+ ) -+ self.assertEqual( -+ errors[-1], "ValueError: FailingEmailBackend is doomed to fail." -+ ) -+ - @override_settings(AUTH_USER_MODEL="auth_tests.CustomEmailField") - def test_custom_email_field(self): - email = "test@mail.com" -diff --git a/tests/mail/custombackend.py b/tests/mail/custombackend.py -index 14e7f07..c63f1c0 100644 ---- a/tests/mail/custombackend.py -+++ b/tests/mail/custombackend.py -@@ -12,3 +12,9 @@ class EmailBackend(BaseEmailBackend): - # Messages are stored in an instance variable for testing. - self.test_outbox.extend(email_messages) - return len(email_messages) -+ -+ -+class FailingEmailBackend(BaseEmailBackend): -+ -+ def send_messages(self, email_messages): -+ raise ValueError("FailingEmailBackend is doomed to fail.") --- -2.43.0 - diff --git a/Django-5.1.tar.gz b/Django-5.1.4.tar.gz similarity index 56% rename from Django-5.1.tar.gz rename to Django-5.1.4.tar.gz index f4fdcd055546c887df016f44802b201fa2c710a1..9696413f8344601cc7e251fd1e68a695e0217513 100644 Binary files a/Django-5.1.tar.gz and b/Django-5.1.4.tar.gz differ 
diff --git a/python-django.spec b/python-django.spec
index 5981b901471bce891672176a3010e4958bdffab9..f4d29c3c6a11bebe3e553b1e31c1ef3ee1511cd6 100644
--- a/python-django.spec
+++ b/python-django.spec
@@ -1,13 +1,11 @@
 %global _empty_manifest_terminate_build 0
 Name: python-django
-Version: 5.1
-Release: 2
+Version: 5.1.4
+Release: 1
 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License: Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL: https://www.djangoproject.com/
 Source0: https://files.pythonhosted.org/packages/source/d/Django/Django-%{version}.tar.gz
-Patch0: CVE-2024-45230.patch
-Patch1: CVE-2024-45231.patch
 BuildArch: noarch
 
 %description
@@ -74,6 +72,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Fri Dec 6 2024 zhangxianjun <zhangxianjun@kylinos.cn> - 5.1.4-1
+- Fix CVE-2024-53907 CVE-2024-53908 CVE-2024-45230 CVE-2024-45231
+
 * Thu Oct 10 2024 zhangxianting <zhangxianting@uniontech.com> - 5.1-2
 - Fix CVE-2024-45230 CVE-2024-45231
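Review bot: Removing the `Patch0:`/`Patch1:` declarations in the first hunk only drops the references; the `%prep` section that applies them is outside this hunk, and if it uses explicit `%patch0 -p1` / `%patch1 -p1` calls rather than `%autosetup -p1`, the build breaks after this change, so that section needs to be checked in the same commit. Dropping the two backport patches is otherwise consistent with the deleted patch files themselves, whose 5.1.1 release-note hunks show CVE-2024-45230 and CVE-2024-45231 fixed upstream before 5.1.4. The changelog additionally attributes CVE-2024-53907 and CVE-2024-53908 to this 5.1.4 rebase; nothing in the diff shows those fixes, so that claim should be cross-checked against the upstream 5.1.4 release notes before the changelog entry is taken as a security record. The hunk also shows `Source0:` fetched by URL with no checksum in the spec; if the packaging pipeline does not verify the tarball elsewhere, the renamed `Django-5.1.4.tar.gz` blob is the only thing pinning what gets built.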