Package: python-django
Version: 2:2.2.28-1~deb11u12
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

CVE-2026-3902[0]:
| An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
| 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof
| headers by exploiting an ambiguous mapping of two header variants
| (with hyphens or with underscores) to a single version with
| underscores. Earlier, unsupported Django series (such as 5.0.x,
| 4.1.x, and 3.2.x) were not evaluated and may also be affected.
| Django would like to thank Tarek Nakkouch for reporting this issue.

CVE-2026-4277[1]:
| An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
| 4.2 before 4.2.30. Add permissions on inline model instances were
| not validated on submission of forged `POST` data in
| `GenericInlineModelAdmin`. Earlier, unsupported Django series (such
| as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank N05ec@LZU-DSLab for reporting
| this issue.

CVE-2026-4292[2]:
| An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
| 4.2 before 4.2.30. Admin changelist forms using
| `ModelAdmin.list_editable` incorrectly allowed new instances to be
| created via forged `POST` data. Earlier, unsupported Django series
| (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Cantina for reporting this
| issue.

CVE-2026-33033[3]:
| An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
| 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to
| degrade performance by submitting multipart uploads with `Content-
| Transfer-Encoding: base64` including excessive whitespace. Earlier,
| unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not
| evaluated and may also be affected. Django would like to thank
| Seokchan Yoon for reporting this issue.

CVE-2026-33034[4]:
| An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and
| 4.2 before 4.2.30. ASGI requests with a missing or understated
| `Content-Length` header could bypass the
| `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading
| `HttpRequest.body`, allowing remote attackers to load an unbounded
| request body into memory. Earlier, unsupported Django series (such
| as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Superior for reporting this
| issue.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

and:

[0] https://security-tracker.debian.org/tracker/CVE-2026-3902
    https://www.cve.org/CVERecord?id=CVE-2026-3902
[1] https://security-tracker.debian.org/tracker/CVE-2026-4277
    https://www.cve.org/CVERecord?id=CVE-2026-4277
[2] https://security-tracker.debian.org/tracker/CVE-2026-4292
    https://www.cve.org/CVERecord?id=CVE-2026-4292
[3] https://security-tracker.debian.org/tracker/CVE-2026-33033
    https://www.cve.org/CVERecord?id=CVE-2026-33033
[4] https://security-tracker.debian.org/tracker/CVE-2026-33034
    https://www.cve.org/CVERecord?id=CVE-2026-33034

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-
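As an added example (not Django's code and not part of the report above), the following defensive ASGI middleware detects the hyphen/underscore header collision behind CVE-2026-3902: raw header names are mapped the same way `ASGIRequest` derives its META keys, and a request whose names collide, or contain underscores at all, is refused with 400 before it reaches the application. The ASGI scope/send interface is real; the middleware name, the dummy app and the `x-custom-id` sample header are constructed for this example.

```python
import asyncio

def meta_key(raw_name: bytes) -> str:
    """META key Django derives from a raw ASGI header name (upper-case, '-' to '_',
    HTTP_ prefix except the entity headers); b'x-custom-id' and b'x_custom_id' collide."""
    name = raw_name.decode("latin-1").upper().replace("-", "_")
    return name if name in ("CONTENT_LENGTH", "CONTENT_TYPE") else "HTTP_" + name

def find_header_collisions(headers):
    """{META key: sorted raw names} for every key fed by two or more distinct raw names."""
    by_key = {}
    for raw_name, _value in headers:
        by_key.setdefault(meta_key(raw_name), set()).add(raw_name)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}

def has_underscore_header(headers):
    """True if any raw name contains '_'; well-behaved clients never send such names."""
    return any(b"_" in raw_name for raw_name, _value in headers)

class RejectAmbiguousHeaders:
    """ASGI middleware (constructed name) answering 400 to requests that carry
    underscore header names or colliding hyphen/underscore variants."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        headers = scope.get("headers", [])
        if scope["type"] == "http" and (
            has_underscore_header(headers) or find_header_collisions(headers)
        ):
            await send({"type": "http.response.start", "status": 400,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"ambiguous header names\n"})
            return
        await self.app(scope, receive, send)

def status_for(headers):
    """Run the middleware over a constructed scope in front of a dummy 200 app
    and return the status the client would receive."""
    sent = []
    async def app(scope, receive, send):
        await send({"type": "http.response.start", "status": 200, "headers": []})
    async def send(message):
        sent.append(message)
    scope = {"type": "http", "method": "GET", "path": "/", "headers": headers}
    asyncio.run(RejectAmbiguousHeaders(app)(scope, None, send))
    return sent[0]["status"]
```

The fixed Django releases named above (6.0.4, 5.2.13, 4.2.30) address the mapping in `ASGIRequest` itself; a check like this only buys time for deployments that cannot upgrade immediately.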

