Your message dated Sat, 31 Jan 2026 19:32:22 +0000
with message-id <[email protected]>
and subject line Bug#1121788: fixed in python-django 3:4.2.27-0+deb13u1
has caused the Debian Bug report #1121788,
regarding python-django: CVE-2025-13372 CVE-2025-64460
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121788: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121788
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 3:3.2.19-1+deb12u1
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

    - CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
      column aliases when using PostgreSQL. FilteredRelation was subject to SQL
      injection in column aliases via a suitably crafted dictionary as the
      **kwargs passed to QuerySet.annotate() or QuerySet.alias().

    - CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
      XML serializer text extraction. An algorithmic complexity issue in
      django.core.serializers.xml_serializer.getInnerText() allowed a remote
      attacker to cause a potential denial-of-service triggering CPU and memory
      exhaustion via a specially crafted XML input submitted to a service that
      invokes XML Deserializer. The vulnerability resulted from repeated string
      concatenation while recursively collecting text nodes, which produced
      superlinear computation.

  <https://www.djangoproject.com/weblog/2025/dec/02/security-releases/>

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-

--- End Message ---
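The column-alias injections above (CVE-2025-13372 and, in the changelog below, CVE-2025-57833 and CVE-2025-59681) all share one shape: a caller-controlled dictionary is expanded into the **kwargs of QuerySet.annotate() or QuerySet.alias(), so the dictionary keys become SQL column aliases. The upgrade is the fix; the following is an added, illustrative allow-list check that an application can apply before letting request data reach those keyword arguments. It is not Django's own validation and the regex and function names are assumptions made for this note:

```python
import re

# Allow-list for column aliases: a leading letter or underscore followed by
# letters, digits or underscores. Hypothetical pattern written for this note;
# it is deliberately stricter than what any database would accept, because an
# alias built from request data has no business containing quoting, whitespace,
# comment or statement-separator characters.
_SAFE_ALIAS = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def is_safe_alias(alias) -> bool:
    """True if ``alias`` is a plain identifier string and nothing else."""
    return isinstance(alias, str) and _SAFE_ALIAS.fullmatch(alias) is not None


def safe_annotations(user_kwargs: dict) -> dict:
    """Filter a caller-controlled mapping before it is expanded into
    QuerySet.annotate(**kwargs) / QuerySet.alias(**kwargs).

    Keys that are not plain identifiers are rejected outright rather than
    passed through as column aliases. Raises ValueError listing the offenders
    so the rejection is visible in application logs.
    """
    rejected = [key for key in user_kwargs if not is_safe_alias(key)]
    if rejected:
        raise ValueError(f"rejected column alias(es): {rejected!r}")
    return dict(user_kwargs)


def partition_aliases(user_kwargs: dict):
    """Non-raising variant: return (accepted, rejected) so a view can log the
    rejected keys and continue with the accepted ones."""
    accepted = {k: v for k, v in user_kwargs.items() if is_safe_alias(k)}
    rejected = [k for k in user_kwargs if k not in accepted]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: two well-formed aliases and two that carry
    # characters which must never reach the SQL layer as an alias.
    sample = {"total": 1, "avg_price": 2, "not valid": 3, 'x"y': 4}
    print(partition_aliases(sample))
```

The values in the mapping are the annotation expressions and are not validated here; only the keys become aliases, which is the part the advisories describe. In a real view the accepted aliases should additionally be checked against the set of annotations the endpoint actually intends to expose.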
--- Begin Message ---
Source: python-django
Source-Version: 3:4.2.27-0+deb13u1
Done: Chris Lamb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 23 Jan 2026 10:43:29 -0800
Source: python-django
Architecture: source
Version: 3:4.2.27-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1113865 1121788
Changes:
 python-django (3:4.2.27-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
       column aliases when using PostgreSQL. FilteredRelation was subject to SQL
       injection in column aliases via a suitably crafted dictionary as the
       **kwargs passed to QuerySet.annotate() or QuerySet.alias().
 .
     - CVE-2025-57833: Potential SQL injection in FilteredRelation column
       aliases. The FilteredRelation feature in Django was subject to a
       potential SQL injection vulnerability in column aliases that was
       exploitable via suitably crafted dictionary with dictionary expansion as
       the **kwargs passed QuerySet.annotate() or QuerySet.alias(). This CVE
       was fixed in Django 4.2.24. (Closes: #1113865)
 .
     - CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(),
       aggregate() and extra() on MySQL and MariaDB. QuerySet.annotate(),
       QuerySet.alias(), QuerySet.aggregate() and QuerySet.extra() methods were
       subject to SQL injection in column aliases, using a suitably crafted
       dictionary with dictionary expansion as the **kwargs passed to these
       methods on MySQL and MariaDB. This CVE was fixed in Django 4.2.25.
 .
     - CVE-2025-59682: Potential partial directory-traversal via
       archive.extract(). The django.utils.archive.extract() function, used by
       startapp --template and startproject --template allowed partial
       directory-traversal via an archive with file paths sharing a common
       prefix with the target directory. This CVE was fixed in Django 4.2.25.
 .
     - CVE-2025-64459: Prevent a potential SQL injection via _connector keyword
       argument in QuerySet/Q objects. The methods QuerySet.filter(),
       QuerySet.exclude(), and QuerySet.get() and the class Q() were subject to
       SQL injection when using a suitably crafted dictionary (with dictionary
       expansion) as the _connector argument. This CVE was fixed in Django
       4.2.26.
 .
     - CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
       XML serializer text extraction. An algorithmic complexity issue in
       django.core.serializers.xml_serializer.getInnerText() allowed a remote
       attacker to cause a potential denial-of-service triggering CPU and memory
       exhaustion via a specially crafted XML input submitted to a service that
       invokes XML Deserializer. The vulnerability resulted from repeated string
       concatenation while recursively collecting text nodes, which produced
       superlinear computation. (Closes: #1121788)
 .
     <https://docs.djangoproject.com/en/4.2/releases/4.2.27/>
Checksums-Sha1:
 d7cd44c3435586ed234c7bdc2de401e7f16fab57 2820 python-django_4.2.27-0+deb13u1.dsc
 5c2da0b170d051f5e29bffd29e02a36e13068e22 10432781 python-django_4.2.27.orig.tar.gz
 016b80631e29a449d340c9a1272b92498f5f8003 34568 python-django_4.2.27-0+deb13u1.debian.tar.xz
 5a0cf54854a252acab00d29580fa4213f67db3fe 6650 python-django_4.2.27-0+deb13u1_source.buildinfo
Checksums-Sha256:
 ab6201bad936a3b80d918af888f61d753ea92f45b006a301b3e7e0c7d599799d 2820 python-django_4.2.27-0+deb13u1.dsc
 b865fbe0f4a3d1ee36594c5efa42b20db3c8bbb10dff0736face1c6e4bda5b92 10432781 python-django_4.2.27.orig.tar.gz
 838781ea900d83036923b905c8b7635fbbb00393d2490d4893c1dea6f19d7da8 34568 python-django_4.2.27-0+deb13u1.debian.tar.xz
 5fa47de9981ed7b3b0421e42fbcd4f9288f0422f409b214112a00737947db3e2 6650 python-django_4.2.27-0+deb13u1_source.buildinfo
Files:
 63dcf66da338e3c05dbc37d1bb280619 2820 python optional python-django_4.2.27-0+deb13u1.dsc
 45431b7954d12014c88cd9f66cfefb2c 10432781 python optional python-django_4.2.27.orig.tar.gz
 1cf33ec9777a550acf2b190d112ade7e 34568 python optional python-django_4.2.27-0+deb13u1.debian.tar.xz
 1ff6eb62da6275d66762685d608c47f3 6650 python optional python-django_4.2.27-0+deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
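The CVE-2025-64460 entry attributes the denial of service to repeated string concatenation while recursively collecting text nodes. The following added example, written for this note and not taken from Django, shows why that is superlinear and what the linear shape looks like. It reads a constructed, deeply nested XML document with xml.dom.minidom and collects its text twice: once by concatenating at every recursion level, once by appending every text node to a single list and joining it exactly once. The `chars_copied` counter is a hypothetical cost model (the length of each newly built string), not a measurement of the real serializer:

```python
import xml.dom.minidom


def inner_text_quadratic(node, stats):
    """Collect text under ``node`` by rebuilding the accumulated string at
    every recursion level. A character nested under k elements is copied
    once per enclosing element, so total work grows superlinearly with depth."""
    text = ""
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            text = text + child.data
            stats["chars_copied"] += len(text)  # cost model: size of the new string
        elif child.nodeType == child.ELEMENT_NODE:
            text = text + inner_text_quadratic(child, stats)
            stats["chars_copied"] += len(text)
    return text


def inner_text_linear(node, stats, parts=None):
    """Same result, but every text node is appended to one shared list that is
    joined once at the top level, so each character is copied exactly once."""
    top_level = parts is None
    if top_level:
        parts = []
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            inner_text_linear(child, stats, parts)
    if top_level:
        result = "".join(parts)
        stats["chars_copied"] += len(result)
        return result
    return None


def nested_document(depth):
    """Constructed sample input: <a>x<a>x<a>x ... </a></a></a>, ``depth`` levels
    deep, so the full text is "x" repeated ``depth`` times."""
    return "<a>x" * depth + "</a>" * depth


def compare(depth):
    """Return (text_quadratic, text_linear, cost_quadratic, cost_linear) for a
    document of the given nesting depth."""
    root = xml.dom.minidom.parseString(nested_document(depth)).documentElement
    quadratic_stats = {"chars_copied": 0}
    linear_stats = {"chars_copied": 0}
    text_q = inner_text_quadratic(root, quadratic_stats)
    text_l = inner_text_linear(root, linear_stats)
    return text_q, text_l, quadratic_stats["chars_copied"], linear_stats["chars_copied"]


if __name__ == "__main__":
    for depth in (10, 100, 200):
        _, _, cost_q, cost_l = compare(depth)
        print(f"depth={depth:4d}  concat-per-level copies={cost_q:6d}  single-join copies={cost_l:4d}")
```

Both functions return the same string; only the amount of copying differs. With one character per level the per-level concatenation costs about depth²/2 character copies while the single join costs exactly depth, which is the gap an attacker-sized input turns into CPU and memory exhaustion. The same list-then-join pattern applies to any recursive collector, not only XML.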
