From e9bd99c1ffc58fe8aa1fb2d79a3ba25e6cec536e Mon Sep 17 00:00:00 2001 From: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com> Date: Thu, 12 Oct 2023 14:00:32 -0400 Subject: [PATCH] Fix CVE-2023-43665 (#14561) --- requirements/README.md | 13 ------------- requirements/requirements.in | 2 +- requirements/requirements.txt | 2 +- 3 files changed, 2 insertions(+), 15 deletions(-) diff --git a/requirements/README.md b/requirements/README.md index f23e62458c..62ad87fd20 100644 --- a/requirements/README.md +++ b/requirements/README.md @@ -49,19 +49,6 @@ Make sure to delete the old tarball if it is an upgrade. Anything pinned in `*.in` files involves additional manual work in order to upgrade. Some information related to that work is outlined here. -### Django - -For any upgrade of Django, it must be confirmed that -we don't regress on FIPS support before merging. - -See internal integration test knowledge base article `how_to_test_FIPS` -for instructions. - -If operating in a FIPS environment, `hashlib.md5()` will raise a `ValueError`, -but will support the `usedforsecurity` keyword on RHEL and Centos systems. -This used to be a problem with `names_digest` function in Django, but -was fixed upstream in Django 4.1. - ### django-split-settings When we attemed to upgrade past 1.0.0 the build process in GitHub failed on the docker build step with the following error: diff --git a/requirements/requirements.in b/requirements/requirements.in index b04c5fa1a7..2d742d007d 100644 --- a/requirements/requirements.in +++ b/requirements/requirements.in @@ -12,7 +12,7 @@ cryptography>=41.0.2 # CVE-2023-38325 Cython<3 # Since the bump to PyYAML 5.4.1 this is now a mandatory dep daphne distro -django==4.2.5 # see UPGRADE BLOCKERs, CVE-2023-41164 +django==4.2.6 # CVE-2023-43665 django-auth-ldap django-cors-headers django-crum diff --git a/requirements/requirements.txt b/requirements/requirements.txt index 5e6b1b5f5a..0c831bd919 100644 --- a/requirements/requirements.txt 
+++ b/requirements/requirements.txt @@ -101,7 +101,7 @@ deprecated==1.2.13 # via jwcrypto distro==1.8.0 # via -r /awx_devel/requirements/requirements.in -django==4.2.5 +django==4.2.6 # via # -r /awx_devel/requirements/requirements.in # channels
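Review bot: the README.md hunk deletes the whole "### Django" section, including the instruction that any Django upgrade must be confirmed not to regress FIPS support before merging, but neither the commit message ("Fix CVE-2023-43665") nor the diff explains why that check is no longer needed. The deleted text itself states that the `names_digest` / `hashlib.md5()` problem was fixed upstream in Django 4.1, so if the intent is that the blocker is obsolete on 4.2.x, say so in the commit message; otherwise keep a short "confirm FIPS support before merging" reminder rather than dropping the guidance silently. Minor: the surrounding context line "When we attemed to upgrade" has a typo ("attempted") that could be fixed while this file is being touched.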
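Review bot: in the requirements.in hunk the replacement comment on `django==4.2.6 # CVE-2023-43665` loses the history that the previous pin carried (`# see UPGRADE BLOCKERs, CVE-2023-41164`), so a reader can no longer see that 4.2.5 was itself a security bump. Suggest listing both advisories, e.g. `django==4.2.6 # CVE-2023-41164, CVE-2023-43665`, and, since the UPGRADE BLOCKERs section that justified the exact pin is removed in this same patch, decide explicitly whether an exact `==` pin is still wanted or whether a floor like the neighbouring `cryptography>=41.0.2 # CVE-2023-38325` line is the better convention.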
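Review bot: the requirements.txt hunk changes only the single `django==4.2.5` line to `django==4.2.6`, with the `# via` block (`-r /awx_devel/requirements/requirements.in`, `channels`) untouched. Confirm this file was regenerated from requirements.in with the project's normal compile step rather than hand-edited, so that any transitive pins that depend on the Django version stay consistent with the lock; if it was regenerated, noting that in the commit message would make the change easier to verify.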