Your message dated Wed, 03 Sep 2025 15:51:14 +0000
with message-id <[email protected]>
and subject line Bug#1113865: fixed in python-django 3:4.2.24-1
has caused the Debian Bug report #1113865,
regarding python-django: CVE-2025-57833
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1113865: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113865
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 2:2.2.28-1~deb11u7
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2025-57833[0]: Potential SQL injection in FilteredRelation column aliases.
 FilteredRelation was subject to SQL injection in column aliases, using a
 suitably crafted dictionary, with dictionary expansion, as the **kwargs
 passed to QuerySet.annotate() or QuerySet.alias().


For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-57833
    https://www.cve.org/CVERecord?id=CVE-2025-57833
    https://www.djangoproject.com/weblog/2025/sep/03/security-releases/


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-

--- End Message ---
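The report above describes untrusted dictionary keys reaching QuerySet.annotate() or QuerySet.alias() as column aliases through **kwargs expansion. The following is an added, stand-alone Python illustration of the defensive pattern an application can apply on its own side of that call: validate every alias name against an identifier allowlist before the dictionary is expanded. It is not code from the bug report, from Debian or from Django, and it does not reproduce Django's internal check; the regular expression, the helper names (`is_safe_alias`, `validate_annotations`, `apply_with_safe_aliases`, `UnsafeAliasError`) and the fake annotate callable are all assumptions made for the example. The actual remedy for CVE-2025-57833 remains upgrading to the fixed package.

```python
import re
from typing import Any, Callable, Mapping

# Added example (not Django code). Assumption: a legitimate annotation alias
# looks like a plain identifier. Whitespace, quotes and other punctuation are
# rejected before the mapping can be expanded as **kwargs into annotate()/alias().
ALIAS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafeAliasError(ValueError):
    """Raised when a caller-supplied alias name fails the allowlist."""


def is_safe_alias(name: Any) -> bool:
    """Return True only for string, identifier-shaped alias names."""
    return isinstance(name, str) and ALIAS_RE.fullmatch(name) is not None


def validate_annotations(annotations: Mapping[str, Any]) -> dict:
    """Return a copy of the mapping, raising if any key is not a safe alias.

    Fails closed: a single bad key rejects the whole request, so a caller
    cannot smuggle an extra alias in alongside legitimate ones.
    """
    rejected = [key for key in annotations if not is_safe_alias(key)]
    if rejected:
        raise UnsafeAliasError(f"rejected alias name(s): {rejected!r}")
    return dict(annotations)


def apply_with_safe_aliases(annotate: Callable[..., Any],
                            user_annotations: Mapping[str, Any]) -> Any:
    """Validate the alias names, then expand them into the annotate callable.

    `annotate` would normally be a bound QuerySet.annotate or QuerySet.alias;
    keeping it a parameter lets the check be exercised without a database.
    """
    return annotate(**validate_annotations(user_annotations))


if __name__ == "__main__":
    # Constructed stand-in for QuerySet.annotate: it just reports the alias
    # names it was handed, so the effect of the check is visible offline.
    def fake_annotate(**kwargs: Any) -> list:
        return sorted(kwargs)

    # Constructed sample input with identifier-shaped keys: accepted.
    print(apply_with_safe_aliases(
        fake_annotate, {"book_count": "<expr>", "avg_rating": "<expr>"}))

    # Constructed sample input with a key containing whitespace: rejected
    # before anything reaches the annotate callable.
    try:
        apply_with_safe_aliases(fake_annotate, {"book count": "<expr>"})
    except UnsafeAliasError as exc:
        print("blocked:", exc)
```

The check deliberately runs before the dictionary is unpacked, so the annotate callable never sees a rejected key; logging the `UnsafeAliasError` gives a detection signal for requests that attempt non-identifier alias names.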
--- Begin Message ---
Source: python-django
Source-Version: 3:4.2.24-1
Done: Chris Lamb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 03 Sep 2025 08:28:19 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.24-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1113865
Changes:
 python-django (3:4.2.24-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2025-57833: Potential SQL injection in FilteredRelation column
       aliases. The FilteredRelation feature in Django was subject to a
       potential SQL injection vulnerability in column aliases that was
       exploitable via a suitably crafted dictionary with dictionary expansion
       as the **kwargs passed to QuerySet.annotate() or QuerySet.alias().
       (Closes: #1113865)
 .
     <https://www.djangoproject.com/weblog/2025/sep/03/security-releases/>
Checksums-Sha1:
 2a06701c0d9224da663c6e0f14aa270ad520cd93 2792 python-django_4.2.24-1.dsc
 f43cdbf9274935cde2a630cd447e93a94fb3e3f3 10452798 python-django_4.2.24.orig.tar.gz
 a46400b28e2e73439a6466d5476403ba8d279a36 34108 python-django_4.2.24-1.debian.tar.xz
 035bd145add7428a15a71406810d469207ccb6d5 8056 python-django_4.2.24-1_amd64.buildinfo
Checksums-Sha256:
 e68e1b3d96276aaea7c738a7d2dc2f35062c93b21e01fdcf9e3f70deb0b35581 2792 python-django_4.2.24-1.dsc
 40cd7d3f53bc6cd1902eadce23c337e97200888df41e4a73b42d682f23e71d80 10452798 python-django_4.2.24.orig.tar.gz
 9012aa426ae27bc10e1953f75dfb2b7aef548ad616c4887ade35ed9d5a30f927 34108 python-django_4.2.24-1.debian.tar.xz
 b82b8f991ed554544ae01e543b5cdc78d8ce1f91a8d04ede9292df1caed3b4cc 8056 python-django_4.2.24-1_amd64.buildinfo
Files:
 0b95b3a45d6ffef747e6dfc8846dcae3 2792 python optional python-django_4.2.24-1.dsc
 ec583b38346957b87ac7d8b0d917e1f4 10452798 python optional python-django_4.2.24.orig.tar.gz
 443610bb146e6c18a203edd0c698a287 34108 python optional python-django_4.2.24-1.debian.tar.xz
 96b8252de717b519df271057cd9db621 8056 python optional python-django_4.2.24-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpbVWL6PbIEU.pgp
Description: PGP signature


--- End Message ---