Package: python-django
Version: 2:2.2.28-1~deb11u12
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for python-django.
* CVE-2026-6873: Signed cookie salt namespace collision in
`django.http.HttpRequest.get_signed_cookie`
`get_signed_cookie()` derived the signing salt by concatenating
the cookie name (`key`) and `salt` arguments. When distinct name
and salt pairs produced the same concatenation, cookies could be
accepted in a context different from the one where they were
signed.
Cookies are now signed with an unambiguous salt derivation. For
backwards compatibility, cookies signed by older Django versions
are accepted until Django 7.0.
* CVE-2026-7666: Potential unencrypted email transmission via `STARTTLS` in the
SMTP backend
When using `EMAIL_USE_TLS`, a failed `STARTTLS` handshake could
leave a partially-initialized connection that would subsequently
be reused for sending email without encryption. This can occur
with `fail_silently=True`, as used by `send_mail()` and
`BrokenLinkEmailsMiddleware`, among others. Connections configured
with `EMAIL_USE_SSL` are not affected.
* CVE-2026-8404: Potential exposure of private data via case-sensitive
`Cache-Control` directives in `UpdateCacheMiddleware`
`django.middleware.cache.UpdateCacheMiddleware` and the
`django.views.decorators.cache.cache_page` decorator incorrectly
cached responses marked with private `Cache-Control` directives
when the directive used mixed or uppercase letters (e.g. `Private`).
The `django.views.decorators.cache.cache_control` decorator and
`django.utils.cache.patch_cache_control()` function were not
affected, since they normalize directives to lowercase. This issue
only affects responses where `Cache-Control` is set manually.
* CVE-2026-35193: Potential exposure of private data via missing
`Vary: Authorization` in `UpdateCacheMiddleware`
`django.middleware.cache.UpdateCacheMiddleware` and the
`django.views.decorators.cache.cache_page` decorator allowed
responses to requests bearing an `Authorization` header (and
without `Cache-Control: public`) to be cached. To conform with the
existing mechanism for constructing cache keys, responses to these
requests now vary on `Authorization`.
* CVE-2026-48587: Potential exposure of private data via whitespace padding in
`Vary` header
`django.middleware.cache.UpdateCacheMiddleware` incorrectly cached
responses whose `Vary` header values contained leading or trailing
whitespace. Because `has_vary_header()` failed to strip that
whitespace, a response with a `Vary: * ` header (note the trailing
space) was not recognized as containing the wildcard, causing it
to be stored and potentially served from the cache when it should
not have been.
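The salt-collision problem behind CVE-2026-6873 is easiest to see with a small signing model. The following is an added illustration, not Django's code: `naive_salt()` reproduces the flawed plain-concatenation derivation, `unambiguous_salt()` is one possible length-prefixed fix (Django's actual derivation may differ), and `find_collisions()` is a check a maintainer can run over the cookie names and salts a project uses. The secret key and the `(name, salt)` pairs are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secret; a real deployment would use settings.SECRET_KEY.
SECRET_KEY = b"demo-secret-key-not-for-production"


def naive_salt(name: str, salt: str) -> bytes:
    """Vulnerable derivation: plain concatenation of cookie name and salt.

    ("session", "id") and ("sessionid", "") both yield b"sessionid".
    """
    return (name + salt).encode()


def unambiguous_salt(name: str, salt: str) -> bytes:
    """Hardened derivation (illustrative, not Django's actual code): length-prefix
    each component so no two distinct (name, salt) pairs share the material."""
    parts = [name.encode(), salt.encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def _mac(material: bytes, value: str) -> str:
    """HMAC of the value under a key bound to the derived salt material."""
    key = hashlib.sha256(material + SECRET_KEY).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def sign_cookie(derive, name: str, value: str, salt: str = "") -> str:
    """Return 'value:mac' bound to the (name, salt) context chosen by `derive`."""
    return f"{value}:{_mac(derive(name, salt), value)}"


def verify_cookie(derive, name: str, signed: str, salt: str = ""):
    """Return the cookie value if the MAC matches this (name, salt) context, else None."""
    value, sep, mac = signed.rpartition(":")
    if not sep:
        return None
    expected = _mac(derive(name, salt), value)
    return value if hmac.compare_digest(mac, expected) else None


def find_collisions(pairs, derive):
    """List distinct (name, salt) pairs that `derive` maps to identical material."""
    seen = {}
    collisions = []
    for pair in pairs:
        material = derive(*pair)
        if material in seen and seen[material] != pair:
            collisions.append((seen[material], pair))
        seen.setdefault(material, pair)
    return collisions


if __name__ == "__main__":
    # Constructed pairs that collide under concatenation.
    pairs = [("session", "id"), ("sessionid", ""), ("sess", "ionid")]
    print("naive collisions:", find_collisions(pairs, naive_salt))
    print("unambiguous collisions:", find_collisions(pairs, unambiguous_salt))
```

With the naive derivation, a cookie signed as `sessionid` (no salt) verifies under the unrelated context `session` with salt `id`; with the length-prefixed derivation it does not, while still verifying in its own context.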
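For CVE-2026-7666 the defensive invariant is that a connection whose `STARTTLS` upgrade failed must never become reusable, whatever `fail_silently` is set to. The example below is added here and is not Django's SMTP backend: `GuardedSmtpBackend` only publishes `self.connection` after the TLS upgrade has completed, and `FakeSMTP` is a constructed stand-in for `smtplib.SMTP` so the behaviour can be exercised offline. Names, the message tuple format and the addresses are assumptions for the demo.

```python
import smtplib


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP used to exercise the backend offline."""

    def __init__(self, starttls_ok: bool):
        self.starttls_ok = starttls_ok
        self.tls_active = False
        self.sent = []          # (tls_active, message) for every sendmail() call
        self.closed = False

    def starttls(self):
        if not self.starttls_ok:
            raise smtplib.SMTPException("STARTTLS extension not supported by server.")
        self.tls_active = True

    def sendmail(self, from_addr, to_addrs, msg):
        self.sent.append((self.tls_active, msg))

    def quit(self):
        self.closed = True


class GuardedSmtpBackend:
    """Illustrative backend: a connection whose STARTTLS failed is never kept."""

    def __init__(self, smtp_factory, use_tls=True, fail_silently=False):
        self.smtp_factory = smtp_factory   # callable returning an SMTP-like object
        self.use_tls = use_tls
        self.fail_silently = fail_silently
        self.connection = None

    def open(self) -> bool:
        """Return True if a new, fully initialised connection was opened."""
        if self.connection is not None:
            return False
        conn = self.smtp_factory()
        try:
            if self.use_tls:
                conn.starttls()
        except smtplib.SMTPException:
            # Discard the half-initialised plaintext socket before anything can reuse it.
            try:
                conn.quit()
            except smtplib.SMTPException:
                pass
            if not self.fail_silently:
                raise
            return False
        # Only a connection that completed the TLS upgrade becomes visible to send_messages().
        self.connection = conn
        return True

    def close(self):
        if self.connection is None:
            return
        try:
            self.connection.quit()
        finally:
            self.connection = None

    def send_messages(self, messages) -> int:
        """Send each (from_addr, to_addrs, body) triple; return how many were sent."""
        if not messages:
            return 0
        opened_here = self.open()
        if self.connection is None:
            return 0   # no usable encrypted channel: nothing leaves in plaintext
        sent = 0
        try:
            for from_addr, to_addrs, body in messages:
                self.connection.sendmail(from_addr, to_addrs, body)
                sent += 1
        finally:
            if opened_here:
                self.close()
        return sent
```

The point of the test is the negative case: after a failed handshake with `fail_silently=True`, `send_messages()` reports zero messages sent, the fake server records no plaintext `sendmail()` call, and a retry on the same backend goes through `open()` again rather than picking up a leftover connection.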
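The three cache advisories (CVE-2026-8404, CVE-2026-35193 and CVE-2026-48587) share one root: a cacheability decision made on un-normalised header text. The following added example, which is not Django's `UpdateCacheMiddleware` or `has_vary_header()`, shows the header handling a cache layer needs: directive names compared case-insensitively, `Vary` values stripped of padding before the wildcard test, and the cache key forced to vary on `Authorization` when an authenticated request yields a response that is not explicitly `public`. Headers are modelled as plain dicts; the function names and sample header values are constructed for the demo.

```python
from typing import Optional


def _get(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup over a plain dict (constructed stand-in
    for request.headers / response.headers)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_cache_control(header: Optional[str]) -> dict:
    """Parse Cache-Control into {directive: value}, lowercasing directive names
    so that 'Private' and 'PRIVATE' are recognised exactly like 'private'."""
    directives = {}
    if not header:
        return directives
    for token in header.split(","):
        token = token.strip()
        if not token:
            continue
        name, sep, value = token.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def vary_fields(header: Optional[str]) -> set:
    """Split Vary into lowercased field names with surrounding whitespace removed."""
    if not header:
        return set()
    return {field.strip().lower() for field in header.split(",") if field.strip()}


def has_vary_header(response_headers: dict, field: str) -> bool:
    """True if the response varies on `field`; tolerant of 'Vary: * ' padding."""
    return field.lower() in vary_fields(_get(response_headers, "Vary"))


def is_cacheable(request_headers: dict, response_headers: dict) -> bool:
    """Decide whether a shared cache may store this response at all."""
    cc = parse_cache_control(_get(response_headers, "Cache-Control"))
    if "private" in cc or "no-store" in cc:      # case-insensitive (CVE-2026-8404)
        return False
    if has_vary_header(response_headers, "*"):   # padded wildcard (CVE-2026-48587)
        return False
    return True


def effective_vary(request_headers: dict, response_headers: dict) -> set:
    """Fields the cache key must vary on. A request carrying Authorization whose
    response is not explicitly public additionally varies on Authorization
    (CVE-2026-35193), so one user's response is never served to another."""
    fields = vary_fields(_get(response_headers, "Vary"))
    cc = parse_cache_control(_get(response_headers, "Cache-Control"))
    if _get(request_headers, "Authorization") is not None and "public" not in cc:
        fields.add("authorization")
    return fields


if __name__ == "__main__":
    # Constructed sample: a mixed-case private directive and a padded wildcard.
    print(is_cacheable({}, {"Cache-Control": "Private"}))   # False
    print(is_cacheable({}, {"Vary": "* "}))                  # False
    print(effective_vary({"Authorization": "Bearer t"}, {"Vary": "Cookie"}))
```

A useful regression check for any cache layer is to feed it exactly the header spellings the advisories name (`Private`, `Vary: * ` with the trailing space, and an `Authorization` request without `Cache-Control: public`) and confirm that none of them results in a response stored under a key another client could hit.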
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
https://www.djangoproject.com/weblog/2026/jun/03/security-releases/
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-