Source: python-django Version: 3:4.2.27-2 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]> Control: found -1 3:4.2.27-0+deb13u1
Hi, The following vulnerabilities were published for python-django. CVE-2025-13473[0]: | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and | 4.2 before 4.2.28. The | `django.contrib.auth.handlers.modwsgi.check_password()` function for | authentication via `mod_wsgi` allows remote attackers to enumerate | users via a timing attack. Earlier, unsupported Django series (such | as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be | affected. Django would like to thank Stackered for reporting this | issue. CVE-2025-14550[1]: | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and | 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a | potential denial-of-service via a crafted request with multiple | duplicate headers. Earlier, unsupported Django series (such as | 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be | affected. Django would like to thank Jiyong Yang for reporting this | issue. CVE-2026-1207[2]: | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and | 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only | implemented on PostGIS) allows remote attackers to inject SQL via | the band index parameter. Earlier, unsupported Django series (such | as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be | affected. Django would like to thank Tarek Nakkouch for reporting | this issue. CVE-2026-1285[3]: | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and | 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and | `Truncator.words()` methods (with `html=True`) and the | `truncatechars_html` and `truncatewords_html` template filters allow | a remote attacker to cause a potential denial-of-service via crafted | inputs containing a large number of unmatched HTML end tags. | Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) | were not evaluated and may also be affected. Django would like to | thank Seokchan Yoon for reporting this issue. CVE-2026-1287[4]: | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and | 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in | column aliases via control characters, using a suitably crafted | dictionary, with dictionary expansion, as the `**kwargs` passed to | `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, | `values()`, `values_list()`, and `alias()`. Earlier, unsupported | Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated | and may also be affected. Django would like to thank Solomon Kebede | for reporting this issue. CVE-2026-1312[5]: | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and | 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL | injection in column aliases containing periods when the same alias | is, using a suitably crafted dictionary, with dictionary expansion, | used in `FilteredRelation`. Earlier, unsupported Django series (such | as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be | affected. Django would like to thank Solomon Kebede for reporting | this issue. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-13473 https://www.cve.org/CVERecord?id=CVE-2025-13473 [1] https://security-tracker.debian.org/tracker/CVE-2025-14550 https://www.cve.org/CVERecord?id=CVE-2025-14550 [2] https://security-tracker.debian.org/tracker/CVE-2026-1207 https://www.cve.org/CVERecord?id=CVE-2026-1207 [3] https://security-tracker.debian.org/tracker/CVE-2026-1285 https://www.cve.org/CVERecord?id=CVE-2026-1285 [4] https://security-tracker.debian.org/tracker/CVE-2026-1287 https://www.cve.org/CVERecord?id=CVE-2026-1287 [5] https://security-tracker.debian.org/tracker/CVE-2026-1312 https://www.cve.org/CVERecord?id=CVE-2026-1312 [6] https://www.djangoproject.com/weblog/2026/feb/03/security-releases/ Please adjust the affected versions in the BTS as needed. Regards, Salvatore
