Your message dated Tue, 03 Feb 2026 14:17:45 -0800
with message-id <[email protected]>
and subject line Re: Bug#1126916: Acknowledgement (python-django:
CVE-2025-13473 CVE-2025-14550 CVE-2026-1207 CVE-2026-1285 CVE-2026-1287
CVE-2026-1312)
has caused the Debian Bug report #1126916,
regarding python-django: CVE-2025-13473 CVE-2025-14550 CVE-2026-1207
CVE-2026-1285 CVE-2026-1287 CVE-2026-1312
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126916: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126916
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 2:2.2.28-1~deb11u11
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for python-django
via:
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
CVE-2025-13473[0]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. The
| `django.contrib.auth.handlers.modwsgi.check_password()` function for
| authentication via `mod_wsgi` allows remote attackers to enumerate
| users via a timing attack. Earlier, unsupported Django series (such
| as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Stackered for reporting this
| issue.
CVE-2025-14550[1]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a
| potential denial-of-service via a crafted request with multiple
| duplicate headers. Earlier, unsupported Django series (such as
| 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Jiyong Yang for reporting this
| issue.
CVE-2026-1207[2]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. Raster lookups on `RasterField` (only
| implemented on PostGIS) allow remote attackers to inject SQL via
| the band index parameter. Earlier, unsupported Django series (such
| as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Tarek Nakkouch for reporting
| this issue.
CVE-2026-1285[3]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and
| `Truncator.words()` methods (with `html=True`) and the
| `truncatechars_html` and `truncatewords_html` template filters allow
| a remote attacker to cause a potential denial-of-service via crafted
| inputs containing a large number of unmatched HTML end tags.
| Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x)
| were not evaluated and may also be affected. Django would like to
| thank Seokchan Yoon for reporting this issue.
CVE-2026-1287[4]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in
| column aliases via control characters, using a suitably crafted
| dictionary, with dictionary expansion, as the `**kwargs` passed to
| `QuerySet` methods `annotate()`, `aggregate()`, `extra()`,
| `values()`, `values_list()`, and `alias()`. Earlier, unsupported
| Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated
| and may also be affected. Django would like to thank Solomon Kebede
| for reporting this issue.
CVE-2026-1312[5]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `QuerySet.order_by()` is subject to SQL
| injection in column aliases containing periods when the same alias
| is, using a suitably crafted dictionary, with dictionary expansion,
| used in `FilteredRelation`. Earlier, unsupported Django series (such
| as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Solomon Kebede for reporting
| this issue.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-13473
https://www.cve.org/CVERecord?id=CVE-2025-13473
[1] https://security-tracker.debian.org/tracker/CVE-2025-14550
https://www.cve.org/CVERecord?id=CVE-2025-14550
[2] https://security-tracker.debian.org/tracker/CVE-2026-1207
https://www.cve.org/CVERecord?id=CVE-2026-1207
[3] https://security-tracker.debian.org/tracker/CVE-2026-1285
https://www.cve.org/CVERecord?id=CVE-2026-1285
[4] https://security-tracker.debian.org/tracker/CVE-2026-1287
https://www.cve.org/CVERecord?id=CVE-2026-1287
[5] https://security-tracker.debian.org/tracker/CVE-2026-1312
https://www.cve.org/CVERecord?id=CVE-2026-1312
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
--- End Message ---
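The first entry above, CVE-2025-13473, is a user-enumeration timing side channel in `check_password()`. The report does not say which code path differed, so the stand-alone example below (added here; it is not Django's code and not the Debian patch) assumes the usual shape of this defect: an unknown username returns before the password hasher runs, so a rejected login for a non-existent user is measurably faster than one for a real user with a wrong password. The hardened variant burns the same hashing cost on both paths and compares in constant time. The user store, the dummy credential and the iteration count are constructed for the demo, and `hashlib.pbkdf2_hmac` stands in for Django's hasher machinery.

```python
"""Naive versus timing-equalized password check (added illustration)."""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

ITERATIONS = 100_000  # constructed; in practice match your real hasher's cost


def make_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; random salt unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user store: username -> (salt, digest)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": make_hash("correct horse battery staple"),
}

# Dummy credential hashed whenever the username is unknown, so that path
# costs the same as a real verification (assumed mitigation shape).
_DUMMY_SALT, _DUMMY_DIGEST = make_hash("unused-dummy-password")


def check_password_naive(username: str, password: str) -> bool:
    """Vulnerable shape: the early return skips the expensive hash."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path leaks that the user does not exist
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_password_hardened(username: str, password: str) -> bool:
    """Hardened shape: hash on every path, compare in constant time."""
    record = USERS.get(username)
    if record is None:
        salt, digest = _DUMMY_SALT, _DUMMY_DIGEST
        known = False
    else:
        salt, digest = record
        known = True
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Evaluate the comparison unconditionally; only then fold in `known`,
    # so a guess matching the dummy hash can never log an unknown user in.
    matched = hmac.compare_digest(candidate, digest)
    return matched and known


def measure(fn: Callable[[str, str], bool], username: str, password: str,
            rounds: int = 5) -> float:
    """Median wall-clock seconds per call; only used to show the gap locally."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(username, password)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    for fn in (check_password_naive, check_password_hardened):
        known_user = measure(fn, "alice", "wrong")
        unknown_user = measure(fn, "nobody", "wrong")
        print(f"{fn.__name__}: known={known_user:.4f}s unknown={unknown_user:.4f}s")
```

Running the script prints the median cost of a rejected login for an existing and for a non-existent user; the naive function shows a gap of roughly one full hash computation, the hardened one does not. Timing measurements are noisy, so the checks below assert only on the returned booleans.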
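Every description in the report opens with the same affected-range statement ("6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28") and notes that older series were not evaluated. The helper below is an added triage example, not Debian or Django tooling: it parses that statement and classifies an installed version, including a Debian version string with epoch and revision such as the `2:2.2.28-1~deb11u11` reported here, as fixed, affected, or in a series the advisory did not evaluate. The range regex and the Debian version stripping are my assumptions about the two formats.

```python
"""Classify a Django version against an advisory range statement (added example)."""
import re
from typing import List, Tuple

Version = Tuple[int, ...]

# Matches "<series> before <fixed>" pairs, e.g. "5.2 before 5.2.11".
RANGE_RE = re.compile(r"(\d+\.\d+) before (\d+(?:\.\d+)+)")


def parse_version(text: str) -> Version:
    """Turn '2:2.2.28-1~deb11u11' or '5.2.11' into a comparable tuple.

    Assumption: a Debian epoch precedes ':' and a Debian revision follows
    the first '-'; both are dropped to recover the upstream version.
    """
    upstream = text.split(":", 1)[-1].split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def parse_ranges(statement: str) -> List[Tuple[Version, Version]]:
    """Return [(series, first_fixed), ...] from an advisory range statement."""
    return [(parse_version(series), parse_version(fixed))
            for series, fixed in RANGE_RE.findall(statement)]


def classify(version: str, statement: str) -> str:
    """'fixed', 'affected', or 'not-evaluated' for the given version."""
    v = parse_version(version)
    for series, fixed in parse_ranges(statement):
        if v[:2] == series:
            return "fixed" if v >= fixed else "affected"
    # The advisory only states that unlisted series were not evaluated
    # and "may also be affected"; it does not clear them.
    return "not-evaluated"


if __name__ == "__main__":
    # Range statement copied from the report; version list constructed.
    stmt = ("An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and\n"
            "4.2 before 4.2.28.")
    for candidate in ("6.0.2", "5.2.10", "4.2.27", "2:2.2.28-1~deb11u11"):
        print(f"{candidate:>22} -> {classify(candidate, stmt)}")
```

For the package in this report the answer is `not-evaluated`: the 2.2 series is outside every listed range, which is exactly why the maintainer must read the upstream fixes rather than rely on the range statement alone.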
--- Begin Message ---
Duplicate of #1126914, which didn't land in my inbox for some reason.
Debian Bug Tracking System wrote:
> Thank you for filing a new Bug report with Debian.
>
> You can follow progress on this Bug here: 1126916:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126916.
>
> This is an automatically generated reply to let you know your message
> has been received.
>
> Your message is being forwarded to the package maintainers and other
> interested parties for their attention; they will reply in due course.
>
> As you requested using X-Debbugs-CC, your message was also forwarded to
> [email protected]
> (after having been given a Bug report number, if it did not have one).
>
> Your message has been sent to the package maintainer(s):
> [email protected]
>
> If you wish to submit further information on this problem, please
> send it to [email protected].
>
> Please do not send mail to [email protected] unless you wish
> to report a problem with the Bug-tracking system.
>
> --
> 1126916: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126916
> Debian Bug Tracking System
> Contact [email protected] with problems
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] 🍥 chris-lamb.co.uk
`-
--- End Message ---