Your message dated Tue, 02 Dec 2025 21:09:15 +0000
with message-id <[email protected]>
and subject line Bug#1121788: fixed in python-django 3:4.2.27-1
has caused the Debian Bug report #1121788,
regarding python-django: CVE-2025-13372 CVE-2025-64460
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121788: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121788
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 3:3.2.19-1+deb12u1
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

    - CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
      column aliases when using PostgreSQL. FilteredRelation was subject to SQL
      injection in column aliases via a suitably crafted dictionary as the
      **kwargs passed to QuerySet.annotate() or QuerySet.alias().

    - CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
      XML serializer text extraction. An algorithmic complexity issue in
      django.core.serializers.xml_serializer.getInnerText() allowed a remote
      attacker to cause a potential denial-of-service triggering CPU and memory
      exhaustion via a specially crafted XML input submitted to a service that
      invokes XML Deserializer. The vulnerability resulted from repeated string
      concatenation while recursively collecting text nodes, which produced
      superlinear computation.

  <https://www.djangoproject.com/weblog/2025/dec/02/security-releases/>

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-

--- End Message ---
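The superlinear text collection described for CVE-2025-64460 above, as an added illustration that is not Django's code: a recursive collector that concatenates a string at every nesting level, beside the linear pattern that threads one accumulator list through the recursion and joins once. The names inner_text_concat, inner_text_linear, nested_doc and compare are hypothetical, and the nested XML input is constructed.

```python
"""Added illustration (not Django's code) of the CVE-2025-64460 bug class:
concatenating at every recursion level re-copies all inner text once per
enclosing element, so work grows superlinearly with nesting depth."""
import xml.dom.minidom as minidom


def inner_text_concat(node, stats):
    """Naive pattern: each level returns a str and the parent concatenates
    it onto its own buffer. stats['copied'] models bytes written to buffers."""
    text = ""
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            text += child.data
            stats["copied"] += len(text)
        elif child.nodeType == child.ELEMENT_NODE:
            text += inner_text_concat(child, stats)
            stats["copied"] += len(text)
    return text


def inner_text_linear(node, stats, parts=None):
    """Fixed pattern: one list is shared across the recursion and joined once
    at the top, so each byte of text is written a constant number of times."""
    top = parts is None
    if top:
        parts = []
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
            stats["copied"] += len(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            inner_text_linear(child, stats, parts)
    if not top:
        return None
    stats["copied"] += sum(len(p) for p in parts)  # the single final join
    return "".join(parts)


def nested_doc(depth, chunk="x" * 8):
    """Constructed sample input: 'depth' nested <a> elements, each holding a
    short text node followed by its child element."""
    body = "".join("<a>" + chunk for _ in range(depth)) + "</a>" * depth
    return minidom.parseString("<root>" + body + "</root>")


def compare(depth):
    """Return (text length, bytes copied by concat, bytes copied by linear)."""
    root = nested_doc(depth).documentElement
    concat_stats, linear_stats = {"copied": 0}, {"copied": 0}
    text = inner_text_concat(root, concat_stats)
    assert text == inner_text_linear(root, linear_stats)
    return len(text), concat_stats["copied"], linear_stats["copied"]
```

Both collectors return the same text; only the copy count differs, and it is the concat count that grows with the square of the nesting depth while the text itself grows linearly.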
--- Begin Message ---
Source: python-django
Source-Version: 3:4.2.27-1
Done: Chris Lamb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Tue, 02 Dec 2025 11:34:10 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.27-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1121788
Changes:
 python-django (3:4.2.27-1) unstable; urgency=medium
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2025/dec/02/security-releases/>
 .
     - CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
       column aliases when using PostgreSQL. FilteredRelation was subject to SQL
       injection in column aliases via a suitably crafted dictionary as the
       **kwargs passed to QuerySet.annotate() or QuerySet.alias().
 .
     - CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
       XML serializer text extraction. An algorithmic complexity issue in
       django.core.serializers.xml_serializer.getInnerText() allowed a remote
       attacker to cause a potential denial-of-service triggering CPU and memory
       exhaustion via a specially crafted XML input submitted to a service that
       invokes XML Deserializer. The vulnerability resulted from repeated string
       concatenation while recursively collecting text nodes, which produced
       superlinear computation.
 .
     (Closes: #1121788)
 .
   * Mark that Python 3.14 is not supported yet.



--- End Message ---