Your message dated Tue, 07 Jul 2026 16:50:15 +0000
with message-id <[email protected]>
and subject line Bug#1141629: fixed in python-django 3:5.2.16-1
has caused the Debian Bug report #1141629,
regarding python-django: CVE-2026-48588 CVE-2026-53877 CVE-2026-53878
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141629: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141629
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 2:2.2.28-1~deb11u12
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

   https://www.djangoproject.com/weblog/2026/jul/07/security-releases/

CVE-2026-48588[0]:
| An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before
| 5.2.16. `UpdateCacheMiddleware` and the `cache_page()` decorator
| cache responses that vary on cookies when the incoming request
| carries unrelated cookies, which allows remote attackers to read
| private data from the shared cache. Earlier, unsupported Django
| series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may
| also be affected. Django would like to thank Chris Whyland for
| reporting this issue.


CVE-2026-53877[1]:
| An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before
| 5.2.16. `django.contrib.gis.gdal.GDALRaster` over-reads its in-
| memory buffer when constructed from a bytes object, which can
| disclose adjacent memory or cause service degradation via a
| potential segmentation fault when the `vsi_buffer` property is
| accessed. Earlier, unsupported Django series (such as 5.0.x, 4.1.x,
| and 3.2.x) were not evaluated and may also be affected. Django would
| like to thank Bence Nagy for reporting this issue.


CVE-2026-53878[2]:
| An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before
| 5.2.16. `DomainNameValidator` does not prohibit newlines in domain
| names (unless used via a form field, since `CharField` strips
| newlines). If an application uses values with newlines in an HTTP
| response, header injection can occur. Django itself is unaffected
| because `HttpResponse` prohibits newlines in HTTP headers. Earlier,
| unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not
| evaluated and may also be affected. Django would like to thank Bence
| Nagy for reporting this issue.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48588
    https://www.cve.org/CVERecord?id=CVE-2026-48588
[1] https://security-tracker.debian.org/tracker/CVE-2026-53877
    https://www.cve.org/CVERecord?id=CVE-2026-53877
[2] https://security-tracker.debian.org/tracker/CVE-2026-53878
    https://www.cve.org/CVERecord?id=CVE-2026-53878


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-

--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 3:5.2.16-1
Done: Chris Lamb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Jul 2026 09:28:48 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:5.2.16-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1141629
Changes:
 python-django (3:5.2.16-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2026-48588: UpdateCacheMiddleware and the @cache_page decorator
       cached responses that vary on cookies when the incoming request carried
       unrelated cookies, which allowed remote attackers to read private data
       from the shared cache.
 .
     - CVE-2026-53877: django.contrib.gis.gdal.GDALRaster over-read its
       in-memory buffer when constructed from a bytes object, which could
       disclose adjacent memory or cause service degradation via a potential
       segmentation fault when the vsi_buffer property is accessed.
 .
     - CVE-2026-53878: DomainNameValidator did not prohibit newlines in domain
       names (unless used via a form field, since CharField strips newlines). If
       an application used values with newlines in an HTTP response, header
       injection could occur. Django itself is unaffected because HttpResponse
       prohibits newlines in HTTP headers.
 .
     <https://www.djangoproject.com/weblog/2026/jul/07/security-releases/>
 .
     (Closes: #1141629)
 .
   * Bump debhelper compatibility level to 14.
Checksums-Sha1:
 9ed6650d9acf36f06192f34bea63000d51395720 2790 python-django_5.2.16-1.dsc
 eaffb4974373d59955293e9e87a4052b7e14f55d 10890894 
python-django_5.2.16.orig.tar.gz
 30fc77580dd492c2e0b48a5ebcde6e642c2cb0c1 38772 
python-django_5.2.16-1.debian.tar.xz
 7e21db20b0463a7fd49f796e32c01180b81d806f 8199 
python-django_5.2.16-1_amd64.buildinfo
Checksums-Sha256:
 ded9b174fad36f42a7075238849467304b3a3fe56e0d1cfd9949cc67558aa13f 2790 
python-django_5.2.16-1.dsc
 59ea02020c3136fce14bef0bbece21a10a4febef5eed1c51c22ae468efa22200 10890894 
python-django_5.2.16.orig.tar.gz
 534b99d5c8f7f7938dc8bbf820fd06b7582d130854e23a46800a4a6f155e560d 38772 
python-django_5.2.16-1.debian.tar.xz
 bab292db20602a87d0b264ebefdced56fbd65d5a0621f41c876dd910c0df6e36 8199 
python-django_5.2.16-1_amd64.buildinfo
Files:
 44db6d509bb10bf1bddbb2784575f010 2790 python optional 
python-django_5.2.16-1.dsc
 0fa6df374d72417d9f44f324c35ad4df 10890894 python optional 
python-django_5.2.16.orig.tar.gz
 2c3e548b61019789e7671fdb0edbd3a9 38772 python optional 
python-django_5.2.16-1.debian.tar.xz
 dd6182edbd93edcc62da1bde0dee4be5 8199 python optional 
python-django_5.2.16-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmpNLC0ACgkQHpU+J9Qx
HlhjaBAAt/CU31T/pGLMatl4VvzRqJJSJ6LZHx4C1cUG+0lFF4iUykWwSIGWxUu7
xQyBXcyV7il0dmgQ+oh554G2+Uhwvcn4ZzWHgWSuOF+J+/9PJlLtT1xniPbIm7Db
TCPKPlch73Ci27EJRiP9E7/BRRhJ64cds8t0hE/mtF4oK6dgkZ71vsy7alvxXKV0
6fcjEf94MZ13JSmumNXTD1lbxhw821eOLMQhQKO28ySeICtZyZ5XdaAWaGrcj+E0
xCPsYhimZH0ZDDcsWWU6MDrN3hovaRQoayIgchrVnVPBU0xCmnKgQ//C3eztVbmz
n6vuokfr0f1CCzgG4hN6ugQIwk9Fs7QU0DFHDpqQSGAweqBRepmmWNu3iby6F1W6
FbIZDbMuQhEJle3uDDILS6Dhu5WvFYJJZUmBDG/N+OqBYKO0PEwo1BnUi/G1Xr4f
GwdifhyZ7IJpi3aViommSXewHLcyeAM7aG5EPgpQQKVRu7YyXfF0cTm9s1D5OImL
zN/rxpfqAg+wtZKzFNCEIAlMTbYN2VR+OjMqW6MvKESMW6Aw3bo6MPYvojbb3jT2
06cdcTEzaoeWwOEmwskzpzeQ10PRbW76y548uSZlFs5PgFC4mBI7jUlS1BpVlF0y
GToGVPbBJ3EQzdFbGEOi4rWWKnIDi1g6rgZ4lgd64HVS8AVikT8=
=0Tg7
-----END PGP SIGNATURE-----

Attachment: pgpAxizvVKCiH.pgp
Description: PGP signature


--- End Message ---

Reply via email to