From 8c101717509c4b63123a109565a126973062b43d Mon Sep 17 00:00:00 2001 From: Luke Zhang Date: Mon, 17 Nov 2025 18:33:54 -0800 Subject: [PATCH 1/2] Upgrade Django to version 5.1.14 to address the SQL injection vulnerability CVE-2025-64459. ADOT Python reported a critical CVE two weeks ago: https://github.com/aws-observability/aws-otel-python-instrumentation/security/dependabot/35 https://nvd.nist.gov/vuln/detail/CVE-2025-64459 This PR addresses the vulnerability. Tests Performed tox -e lint tox -e spellcheck tox -e 3.9-test-aws-opentelemetry-distro tox -e 3.10-test-aws-opentelemetry-distro tox -e 3.11-test-aws-opentelemetry-distro tox -e 3.12-test-aws-opentelemetry-distro tox -e 3.13-test-aws-opentelemetry-distro From aws-otel-python-instrumentation dir, execute: ./scripts/build_and_install_distro.sh ./scripts/set-up-contract-tests.sh pytest contract-tests/tests --- contract-tests/images/applications/django/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contract-tests/images/applications/django/requirements.txt b/contract-tests/images/applications/django/requirements.txt index cbfc3a83e..a8ff28ca1 100644 --- a/contract-tests/images/applications/django/requirements.txt +++ b/contract-tests/images/applications/django/requirements.txt @@ -1,2 +1,2 @@ typing-extensions==4.15.0 -django==5.0.11 +django==5.1.14 From 3b5760f9c886d438a66aa5247e99cc40681fae47 Mon Sep 17 00:00:00 2001 From: Luke Zhang Date: Mon, 17 Nov 2025 18:50:43 -0800 Subject: [PATCH 2/2] add change log. --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dbd6b6da8..ee7cd08ae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -27,4 +27,5 @@ If your change does not need a CHANGELOG entry, add the "skip changelog" label t ([#524](https://github.com/aws-observability/aws-otel-python-instrumentation/pull/524)) - Support credentials provider name for BedrockAgentCore Identity ([#534](https://github.com/aws-observability/aws-otel-python-instrumentation/pull/534)) - +- Upgrade Django to version 5.1.14 to address the SQL injection vulnerability CVE-2025-64459 + ([#539](https://github.com/aws-observability/aws-otel-python-instrumentation/pull/539))
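Review bot: in the `contract-tests/images/applications/django/requirements.txt` hunk, the pin moves from `django==5.0.11` to `django==5.1.14`, which is a minor-series change (5.0 to 5.1) rather than a patch-level bump, and the commit message does not say why a 5.0.x release was not used; please add one line to the message (or a comment next to the pin) stating that the fix for CVE-2025-64459 was taken from the 5.1 series, so a later reader does not assume this was a same-series security update. Since the pinned application is the one exercised by the Django contract tests, keeping the `pytest contract-tests/tests` run listed in the message as the acceptance check for this hunk is the right call.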
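Review bot: in the `CHANGELOG.md` hunk (`@@ -27,4 +27,5 @@`), the added entry replaces a removed blank line (`-` followed by `+- Upgrade Django ...` and `+ ([#539]...)`), so the blank line that previously closed this list is gone; please confirm a separating blank line still follows the new `([#539](...))` line before the next heading, otherwise the list runs into the following section. The entry itself follows the existing two-line convention (description, then PR link on the continuation line), which is good; consider also mentioning in the text that the upgrade is a 5.0 to 5.1 series move so the changelog matches what the requirements change actually does.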