Your message dated Sat, 11 Jul 2026 10:42:31 +0000
with message-id <[email protected]>
and subject line Released in 12.15
has caused the Debian Bug report #1137723,
regarding bookworm-pu: package python-django/3:3.2.25-0+deb12u3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1137723: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137723
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: oldstable-proposed-updates
User: [email protected]
Usertags: pu
Dear stable release managers,
Please consider python-django (3:3.2.25-0+deb12u3) for
oldstable-proposed-updates:
python-django (3:3.2.25-0+deb12u3) oldstable-proposed-updates; urgency=medium
.
* The fix for CVE-2025-6069 in the python3.11 source package (released
as part of a suite of updates in 3.11.2-6+deb12u7) modified the
html.parser.HTMLParser class in such a way that changed the behaviour of
Django's strip_tags() method. As a result of this change, we update the
testsuite here for the newly expected results in order to prevent a build
failure. (Closes: #1137039)
The full diff is attached.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
diff --git debian/changelog debian/changelog
index 9acbd14c0..7840cadbc 100644
--- debian/changelog
+++ debian/changelog
@@ -1,3 +1,14 @@
+python-django (3:3.2.25-0+deb12u3) oldstable-proposed-updates; urgency=medium
+
+ * The fix for CVE-2025-6069 in the python3.11 source package (released
+ as part of a suite of updates in 3.11.2-6+deb12u7) modified the
+ html.parser.HTMLParser class in such a way that changed the behaviour of
+ Django's strip_tags() method. As a result of this change, we update the
+ testsuite here for the newly expected results in order to prevent a build
+ failure. (Closes: #1137039)
+
+ -- Chris Lamb <[email protected]> Tue, 26 May 2026 14:32:47 -0700
+
python-django (3:3.2.25-0+deb12u2) bookworm-security; urgency=high
* CVE-2025-13473: The check_password function in
diff --git debian/patches/Workaround-changes-in-CVE-2025-6069.patch
debian/patches/Workaround-changes-in-CVE-2025-6069.patch
new file mode 100644
index 000000000..62e8bc9b0
--- /dev/null
+++ debian/patches/Workaround-changes-in-CVE-2025-6069.patch
@@ -0,0 +1,27 @@
+From: Chris Lamb <[email protected]>
+Date: Mon, 26 Jan 2026 13:22:33 -0800
+Subject: Workaround changes in CVE-2025-6069
+
+The changes to the html.parser.HTMLParser to fix CVE-2025-6069 caused a change
+of behaviour that affected Django's strip_tags.
+---
+ tests/utils_tests/test_html.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index 5321341b2001..d4f1c6ae573c 100644
+--- a/tests/utils_tests/test_html.py
++++ b/tests/utils_tests/test_html.py
+@@ -89,10 +89,10 @@ class TestUtilsHtml(SimpleTestCase):
+ ('&gotcha&#;<>', '&gotcha&#;<>'),
+ ('<sc<!-- -->ript>test<<!-- -->/script>', 'ript>test'),
+ ('<script>alert()</script>&h', 'alert()h'),
+- ('><!' + ('&' * 16000) + 'D', '><!' + ('&' * 16000) + 'D'),
++ ('><!' + ('&' * 16000) + 'D', '>'),
+ ('X<<<<br>br>br>br>X', 'XX'),
+ ("<" * 50 + "a>" * 50, ""),
+- (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
++ (">" + "<a" * 500 + "a", '>'),
+ ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
+ ("<" + "a" * 1_002, "<" + "a" * 1_002),
+ )
diff --git debian/patches/series debian/patches/series
index adc9a5cdb..9df8e7c32 100644
--- debian/patches/series
+++ debian/patches/series
@@ -35,3 +35,4 @@
0037-CVE-2026-1285.patch
0038-CVE-2026-1287.patch
0039-CVE-2026-1312.patch
+Workaround-changes-in-CVE-2025-6069.patch
--- End Message ---
--- Begin Message ---
Version: 12.15
This update was released as part of 12.15.
--- End Message ---