Your message dated Tue, 16 Jun 2026 08:36:14 +0000
with message-id <[email protected]>
and subject line Bug#1139709: fixed in python-django-formtools 2.5.1-4
has caused the Debian Bug report #1139709,
regarding python-django-formtools: FTBFS with Django 5.2.15
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139709: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139709
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-django-formtools
Version: 2.5.1-3
Severity: serious
Tags: patch
Hi,
The fix for CVE-2026-6873 in Django now prevents certain kinds of manual
cookie comparison, which django-formtools performs in one of its tests:
61s ======================================================================
61s FAIL: test_reset_cookie
(tests.wizard.test_cookiestorage.TestCookieStorage.test_reset_cookie)
61s ----------------------------------------------------------------------
61s Traceback (most recent call last):
61s File
"/tmp/autopkgtest-lxc._ba8av8t/downtmp/build.9sR/src/tests/wizard/test_cookiestorage.py",
line 40, in test_reset_cookie
61s self.assertEqual(response.cookies[storage.prefix].value,
signed_cookie_data)
61s
~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
61s AssertionError:
'{"key1":"value1"}:1wXUN8:wGU8PZi0VS8ZKun8bclQFzQcUCM7S-r7O0Hlcx73z-w' !=
'{"key1":"value1"}:1wXUN8:gUNArgDuXseaa0sqjhu6zALXybaEDQN-zOw8C8kPuD0'
61s - {"key1":"value1"}:1wXUN8:wGU8PZi0VS8ZKun8bclQFzQcUCM7S-r7O0Hlcx73z-w
61s + {"key1":"value1"}:1wXUN8:gUNArgDuXseaa0sqjhu6zALXybaEDQN-zOw8C8kPuD0
This has been reported upstream:
https://github.com/jazzband/django-formtools/issues/298
A patch is attached that detects the affected Django versions and will skip
this test, thus preventing an FTBFS (and autopkgtest failures when trying to
get 5.2.15 into testing).
Best wishes,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
diff --git tests/wizard/test_cookiestorage.py tests/wizard/test_cookiestorage.py
index aa6c7a8..ce76988 100644
--- tests/wizard/test_cookiestorage.py
+++ tests/wizard/test_cookiestorage.py
@@ -1,3 +1,7 @@
+import django
+
+from unittest import skipIf
+
from django.core import signing
from django.http import HttpResponse
from django.test import TestCase
@@ -26,6 +30,7 @@ class TestCookieStorage(TestStorage, TestCase):
storage.request.COOKIES[storage.prefix] = 'i_am_manipulated'
self.assertIsNone(storage.load_data())
+ @skipIf(django.VERSION >= (5, 2, 15), reason="Fix for CVE-2026-6873
prevents manual cookie comparison.")
def test_reset_cookie(self):
request = get_request()
storage = self.get_storage()('wizard1', request, None)
--- End Message ---
--- Begin Message ---
Source: python-django-formtools
Source-Version: 2.5.1-4
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-django-formtools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated python-django-formtools
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 16 Jun 2026 10:13:54 +0200
Source: python-django-formtools
Architecture: source
Version: 2.5.1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1139709
Changes:
python-django-formtools (2.5.1-4) unstable; urgency=medium
.
* Add skip-test-if-CVE-2026-6873-fix.patch (Closes: #1139709).
Checksums-Sha1:
5da5709f53b180fd3dc8b45edc99c79c2a8d9e1e 2453
python-django-formtools_2.5.1-4.dsc
492c761ee6a9fc7dcdb236db51fa91237cf54ac7 4536
python-django-formtools_2.5.1-4.debian.tar.xz
58055e239d721e0ba00169441f2b383ba16a2dda 8745
python-django-formtools_2.5.1-4_amd64.buildinfo
Checksums-Sha256:
b84ef4a32c4407ca9328f943e16f5116f45de5b72bdc5dbc2ad80f78db132a19 2453
python-django-formtools_2.5.1-4.dsc
ee16fcfc817ab9728165db4f039d844b8c94735dd45be277ca3bbeb847e59a20 4536
python-django-formtools_2.5.1-4.debian.tar.xz
4bd95ea1c1b83e32f8ccaf50fae9a14730af74dde67201d4b4cafdf6671f5802 8745
python-django-formtools_2.5.1-4_amd64.buildinfo
Files:
64e6fa7ac0ddde156a10ec8f3494c040 2453 python optional
python-django-formtools_2.5.1-4.dsc
7b78a87e84e4503d897a0d9bb17a79d0 4536 python optional
python-django-formtools_2.5.1-4.debian.tar.xz
4e638cd9b97a06574bee1cbba6c9c42f 8745 python optional
python-django-formtools_2.5.1-4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmoxBlQACgkQ1BatFaxr
Q/5vsg/5AXXf6e11Ke9WIQX3Xn7y8Lu5MShVrNsMfI7ywhHXsjwKpKaAN0BFxl+Q
2auYrLbfk9/oO3RfPHMYJ0x0OtLRS7PeewHPDYgICIre1Ccatmb+yl94AYqtcp6I
nvr1mfTlMmsEiKGOoMHI7ayNbWL+nXNrN7z3/7m9kTxDM/wHhRuACMJk+g91jIQb
kFG7C/sKQy0Z7nc+F02lXgjSbs3/rz1uNkeF/OUSDmwGqOzqbStsuDhZ3AgAW25Z
8wK9vBn9lvm4TbXooCFK6ISpIkgGcQWkbE2wIV5Dv2ntd/Bd4cczqzbu6Y/CGSqX
QAt08EVAJikEF77VzB/MaH+e5NrvvYiKZNiMlHBzCb+Uy+vTcc9QsEDL9KPg4MTz
bQvBEsMSKu29/TZfzKBD6WWcXjHwmR7Vdl9mZtMr919fm5RBKc7wVUPj5h63EsG6
uf4zplf6WFfVPPY8djUsjtCBXd3DdURneJJx1R4WC1+UJNU4Doxg4ze1B/hGVsix
QtNoGZ/eUdiupMwnswi6TadlXyAqxqcHK1xehgK1xmgTCX4YGHr5oiGUT4Y5O9KH
1K34vs69ySKmniHM5toBWI1uEFhWej3EL7cLQ3c25MdXafAv9gIFd82ylJkjQr4/
Sibing96PQG1zow1ofW/5/aHsZ09AZZqAr154SpJoAjiwstrBVc=
=SMuU
-----END PGP SIGNATURE-----
pgprsFFwVJu8b.pgp
Description: PGP signature
--- End Message ---
