Your message dated Sat, 11 Jul 2026 10:32:48 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1137724,
regarding stable-proposed-updates-pu: package python-django/3:4.2.28-0+deb13u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1137724: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137724
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stable-proposed-updates
User: [email protected]
Usertags: pu
Dear stable release managers,
Please consider python-django (3:4.2.28-0+deb13u2) for stable-proposed-updates:
python-django (3:4.2.28-0+deb13u2) stable-proposed-updates; urgency=medium
.
* The fix for CVE-2025-6069 in the python3.13 source package (released
as part of a suite of updates in 3.13.5-2+deb13u2) modified Python's
html.parser.HTMLParser class in such a way that changed the behaviour of
Django's strip_tags() method. As a result of this change, we update the
testsuite here for the newly expected results in order to prevent a build
failure. (Closes: #1137039)
The full diff is attached.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
diff --git debian/changelog debian/changelog
index 5247a7def..96941a9dd 100644
--- debian/changelog
+++ debian/changelog
@@ -1,3 +1,14 @@
+python-django (3:4.2.28-0+deb13u2) stable-proposed-updates; urgency=medium
+
+ * The fix for CVE-2025-6069 in the python3.13 source package (released
+ as part of a suite of updates in 3.13.5-2+deb13u2) modified Python's
+ html.parser.HTMLParser class in such a way that changed the behaviour of
+ Django's strip_tags() method. As a result of this change, we update the
+ testsuite here for the newly expected results in order to prevent a build
+ failure. (Closes: #1137039)
+
+ -- Chris Lamb <[email protected]> Tue, 26 May 2026 14:35:49 -0700
+
python-django (3:4.2.28-0+deb13u1) trixie-security; urgency=high
* New upstream security release:
diff --git debian/patches/0006-Workaround-changes-in-CVE-2025-6069.patch
debian/patches/0006-Workaround-changes-in-CVE-2025-6069.patch
new file mode 100644
index 000000000..a3fe4577b
--- /dev/null
+++ debian/patches/0006-Workaround-changes-in-CVE-2025-6069.patch
@@ -0,0 +1,23 @@
+From: Chris Lamb <[email protected]>
+Date: Fri, 22 May 2026 11:20:52 -0700
+Subject: Workaround changes in CVE-2025-6069
+
+---
+ tests/utils_tests/test_html.py | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index a5acc582f7b4..9c5f5e7ecc6f 100644
+--- a/tests/utils_tests/test_html.py
++++ b/tests/utils_tests/test_html.py
+@@ -116,9 +116,7 @@ class TestUtilsHtml(SimpleTestCase):
+ (3, 8): (3, 8, math.inf),
+ }
+ major_version = sys.version_info[:2]
+- htmlparser_fixed_security = sys.version_info >=
min_fixed_security.get(
+- major_version, major_version
+- )
++ htmlparser_fixed_security = True
+ htmlparser_fixed_incomplete_entities = (
+ sys.version_info
+ >= min_fixed_incomplete_entities.get(major_version, major_version)
diff --git debian/patches/series debian/patches/series
index 0e8a07b38..936ff0a3f 100644
--- debian/patches/series
+++ debian/patches/series
@@ -3,3 +3,4 @@
0004-Use-locally-installed-documentation-sources.patch
0004-Set-the-default-shebang-to-new-projects-to-use-Pytho.patch
py313-test-help-default-options-with-custom-arguments.patch
+0006-Workaround-changes-in-CVE-2025-6069.patch
--- End Message ---
--- Begin Message ---
Version: 13.6
This update was released as part of 13.6.
--- End Message ---