Your message dated Thu, 05 Feb 2026 17:49:57 +0000
with message-id <[email protected]>
and subject line Bug#1126914: fixed in python-django 3:4.2.28-1
has caused the Debian Bug report #1126914,
regarding python-django: CVE-2025-13473 CVE-2025-14550 CVE-2026-1207
CVE-2026-1285 CVE-2026-1287 CVE-2026-1312
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126914: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-django
Version: 3:4.2.27-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 3:4.2.27-0+deb13u1
Hi,
The following vulnerabilities were published for python-django.
CVE-2025-13473[0]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. The
| `django.contrib.auth.handlers.modwsgi.check_password()` function for
| authentication via `mod_wsgi` allows remote attackers to enumerate
| users via a timing attack. Earlier, unsupported Django series (such
| as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Stackered for reporting this
| issue.
CVE-2025-14550[1]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a
| potential denial-of-service via a crafted request with multiple
| duplicate headers. Earlier, unsupported Django series (such as
| 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Jiyong Yang for reporting this
| issue.
CVE-2026-1207[2]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. Raster lookups on `RasterField` (only
| implemented on PostGIS) allow remote attackers to inject SQL via
| the band index parameter. Earlier, unsupported Django series (such
| as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Tarek Nakkouch for reporting
| this issue.
CVE-2026-1285[3]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and
| `Truncator.words()` methods (with `html=True`) and the
| `truncatechars_html` and `truncatewords_html` template filters allow
| a remote attacker to cause a potential denial-of-service via crafted
| inputs containing a large number of unmatched HTML end tags.
| Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x)
| were not evaluated and may also be affected. Django would like to
| thank Seokchan Yoon for reporting this issue.
CVE-2026-1287[4]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in
| column aliases via control characters, using a suitably crafted
| dictionary, with dictionary expansion, as the `**kwargs` passed to
| `QuerySet` methods `annotate()`, `aggregate()`, `extra()`,
| `values()`, `values_list()`, and `alias()`. Earlier, unsupported
| Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated
| and may also be affected. Django would like to thank Solomon Kebede
| for reporting this issue.
CVE-2026-1312[5]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `QuerySet.order_by()` is subject to SQL
| injection in column aliases containing periods when the same alias
| is, using a suitably crafted dictionary, with dictionary expansion,
| used in `FilteredRelation`. Earlier, unsupported Django series (such
| as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Solomon Kebede for reporting
| this issue.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-13473
https://www.cve.org/CVERecord?id=CVE-2025-13473
[1] https://security-tracker.debian.org/tracker/CVE-2025-14550
https://www.cve.org/CVERecord?id=CVE-2025-14550
[2] https://security-tracker.debian.org/tracker/CVE-2026-1207
https://www.cve.org/CVERecord?id=CVE-2026-1207
[3] https://security-tracker.debian.org/tracker/CVE-2026-1285
https://www.cve.org/CVERecord?id=CVE-2026-1285
[4] https://security-tracker.debian.org/tracker/CVE-2026-1287
https://www.cve.org/CVERecord?id=CVE-2026-1287
[5] https://security-tracker.debian.org/tracker/CVE-2026-1312
https://www.cve.org/CVERecord?id=CVE-2026-1312
[6] https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
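The affected ranges quoted in the report above (6.0 before 6.0.2, 5.2 before 5.2.11, 4.2 before 4.2.28, other series unevaluated) are easy to misread when the installed version carries a Debian epoch and revision such as `3:4.2.27-0+deb13u1`. The following triage helper is an added illustration, not code from the bug report or from the python-django package; it assumes that any series other than 6.0, 5.2 and 4.2 should be reported as "unevaluated", which is all the advisory text supports for those series.

```python
"""Triage a Django version string against the fixed releases named in the
CVE entries above (6.0.2, 5.2.11, 4.2.28).  Added illustration, not code
from the bug report or from the python-django package.  Assumption: any
series other than 6.0, 5.2 and 4.2 is reported as 'unevaluated', because
the advisory only says such series 'were not evaluated and may also be
affected'."""
import re
from typing import Tuple

# First fixed release per supported series, taken from the CVE descriptions.
FIXED = {
    (6, 0): (6, 0, 2),
    (5, 2): (5, 2, 11),
    (4, 2): (4, 2, 28),
}

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Accept upstream form ('4.2.27') and Debian form ('3:4.2.27-0+deb13u1').

    The Debian epoch ('3:') and revision ('-0+deb13u1') are stripped first;
    they do not change which upstream release is installed.  A pre-release
    such as '6.0rc1' parses as (6, 0, 0), i.e. before 6.0.2.
    """
    upstream = text.split(":", 1)[-1].split("-", 1)[0]
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", upstream)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def triage(text: str) -> str:
    """Return 'fixed', 'affected' or 'unevaluated' for a version string."""
    version = parse_version(text)
    series = version[:2]
    if series not in FIXED:
        return "unevaluated"
    return "fixed" if version >= FIXED[series] else "affected"


def installed_version() -> str:
    """Version of the Django distribution importable in this interpreter."""
    from importlib.metadata import version
    return version("Django")


if __name__ == "__main__":
    for v in ("3:4.2.27-0+deb13u1", "3:4.2.28-1", "5.2.10", "6.0.2", "5.0.14"):
        print(f"{v:25} {triage(v)}")
    try:
        print(f"{'installed':25} {triage(installed_version())}")
    except Exception as exc:  # Django not installed in this interpreter
        print(f"{'installed':25} n/a ({exc})")
```

On a Debian host the packaged version can be fed in directly, for example `triage(subprocess.check_output(["dpkg-query", "-W", "-f=${Version}", "python3-django"], text=True))`; the epoch and revision are handled by `parse_version`. A result of "unevaluated" is not a clean bill of health: per the advisory those series may also be affected and are simply out of upstream support.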
--- Begin Message ---
Source: python-django
Source-Version: 3:4.2.28-1
Done: Chris Lamb <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 04 Feb 2026 07:50:22 -0800
Source: python-django
Architecture: source
Version: 3:4.2.28-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1126914
Changes:
python-django (3:4.2.28-1) unstable; urgency=high
.
* New upstream security release:
.
- CVE-2025-13473: The check_password function in
django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi
allowed remote attackers to enumerate users via a timing attack.
.
- CVE-2025-14550: ASGIRequest allowed a remote attacker to cause a
potential denial-of-service via a crafted request with multiple duplicate
headers.
.
- CVE-2026-1207: Raster lookups on RasterField (only implemented on
PostGIS) allowed remote attackers to inject SQL via the band index
parameter.
.
- CVE-2026-1285: The django.utils.text.Truncator.chars() and
Truncator.words() methods (with html=True) and the truncatechars_html and
truncatewords_html template filters allowed a remote attacker to cause a
potential denial-of-service via crafted inputs containing a large number
of unmatched HTML end tags.
.
- CVE-2026-1287: FilteredRelation was subject to SQL injection in column
aliases via control characters using a suitably crafted dictionary, with
dictionary expansion, as the **kwargs passed to QuerySet methods
annotate(), aggregate(), extra(), values(), values_list() and alias().
.
- CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in column
aliases containing periods when the same alias is, using a suitably
crafted dictionary, with dictionary expansion, used in FilteredRelation.
.
<https://www.djangoproject.com/weblog/2026/feb/03/security-releases/>
.
(Closes: #1126914)
.
* Drop debian/patches/test-strip-tags-incomplete-entities.patch; applied
upstream.
* Refresh patches.
* Bump Standards-Version to 4.7.3.
Checksums-Sha1:
c8d1c909ecafe9fa50565cbffe974046abf74a21 2790 python-django_4.2.28-1.dsc
e0a589cf92e1887d55cd2b02071aa0383615cc2c 10464933 python-django_4.2.28.orig.tar.gz
84c14096fae92f34c4c23be77f8fb80eaa48cc6a 37332 python-django_4.2.28-1.debian.tar.xz
c27bdf9743f0a97a427ec9000339dd5137cd268c 6625 python-django_4.2.28-1_source.buildinfo
Checksums-Sha256:
7c98fa9646b92e357ed97326731263ad4e2db237d65dd71e59d606c303cbad15 2790 python-django_4.2.28-1.dsc
a4b9cd881991add394cafa8bb3b11ad1742d1e1470ba99c3ef53dc540316ccfe 10464933 python-django_4.2.28.orig.tar.gz
920020f21b1c6d392737ce6dd6923f5fbc9088f7bc6c7a509476f564b8543dd8 37332 python-django_4.2.28-1.debian.tar.xz
0bb656ef07509e78fb3614d51e84b71ba4e89d1da229fa388353dd7849f3f85c 6625 python-django_4.2.28-1_source.buildinfo
Files:
16b05b8a8a20458d9476485cf25bafc6 2790 python optional python-django_4.2.28-1.dsc
7c9bf3734061c4b22bdf4d922308fe62 10464933 python optional python-django_4.2.28.orig.tar.gz
50825c15caf1b60b46912dc5cfbda4a8 37332 python optional python-django_4.2.28-1.debian.tar.xz
d8e366544b6c17d3f5f8a5c3c3738756 6625 python optional python-django_4.2.28-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmmE0zIACgkQHpU+J9Qx
Hlhaaw/7Bef/DNrAtAf6zKDRVxR2fQzf7hn2E5kwp/b8oAKNG54NLawqUogh+AI1
nGRQvLSv5GKjQR9AmvkSFxijS2Ex5iD74i4mPhFNUydgRuGtm71TtxgMLUzI0JEg
a1OGs7TnCJhDN3nNzPvZ1/BmTUfU6aDiees26ityccASiCvvsC9t43In/7iU1jvG
kwjyfWV/1OTfX4//KiykkvBRU1DT+qjeCO672A//lLraBXtQoH3Pl4lxlJR0Yguk
jP96iExleADXN026kSf6oz75BUF6OfoMBq5ZJASwRpmkRLEHbQL8w1ayIH5tPV2a
j6Sy0tyTYRDfl9/l3/qXgLdeBdVHct71v3tdW8+obV/DGVwHiW/ygQ9NyTtP5U3f
To3czVFO1GeBbf3DBfb0XHXgeFKUtoZv/AWAOMWEQXhwJJYYb7fnhMIARxrx43a3
fJ8rU3HX1lXgEifxghzJxtsMxZGFpBasjjY4SYuTyT27Tn0NklFOwbEwveExprFg
gUZ4Chm8MVsZGgeLGTZx/QD5apxGkZ7Q5SHZZJI0RCXIFlngs4YrYdZWTPZrzsjo
pm8QrfDSYtzt6fz9j6Su1qemm2Ido35gAxjs1caUx9knpjA1OobtjaLetEyHMR2r
Nxqp0Mj6P9NhtIPD7JNnUQy5smYX/PXaw1vDl06akR+HaMVHH5k=
=B/TQ
-----END PGP SIGNATURE-----
--- End Message ---
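CVE-2025-13473 in the thread above is a user-enumeration timing attack against `check_password()` in the mod_wsgi auth handler. The pair of functions below is an added illustration of that bug class and of the usual remedy, not Django's code and not the upstream patch: PBKDF2 from `hashlib` stands in for Django's password hasher, `USERS` is a constructed in-memory table, and the hardening shown (pay the hash cost for unknown users too) is the standard fix for this class; the bug report does not describe how upstream's patch is written. The `None` / `True` / `False` return convention follows the documented contract of `django.contrib.auth.handlers.modwsgi.check_password()`.

```python
"""Leaky and hardened variants of a mod_wsgi-style check_password(), to show
why an early return for unknown users is a timing oracle.  Added
illustration, not Django's code.  Assumptions: hashlib PBKDF2 stands in for
Django's hasher; USERS is a constructed table; the dummy-hash remedy is the
standard fix for this class, not necessarily the text of upstream's patch."""
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # deliberately slow, like a real password hasher
SALT_LEN = 16


def make_hash(password: str) -> bytes:
    salt = os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


USERS = {"alice": make_hash("correct horse battery")}  # constructed user table
DUMMY = make_hash("not a real password")               # computed once at import


def check_password_leaky(username: str, password: str):
    """Returns early for unknown users: no hash work is done, so the reply
    is orders of magnitude faster and a remote caller can tell which
    usernames exist by timing alone."""
    stored = USERS.get(username)
    if stored is None:
        return None
    return verify(password, stored)


def check_password_hardened(username: str, password: str):
    """Same None / True / False contract, but an unknown user still costs
    one full hash, so timing no longer separates known from unknown names."""
    stored = USERS.get(username)
    if stored is None:
        verify(password, DUMMY)  # burn the same cost, discard the result
        return None
    return verify(password, stored)


def best_of(fn, *args, rounds: int = 5) -> float:
    """Minimum wall-clock seconds over several calls (min resists noise)."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        fn(*args)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    for fn in (check_password_leaky, check_password_hardened):
        known = best_of(fn, "alice", "wrong")
        unknown = best_of(fn, "mallory", "wrong")
        print(f"{fn.__name__:24} known={known * 1e3:7.2f} ms  unknown={unknown * 1e3:7.2f} ms")
```

Running the block prints one line per variant; with the leaky version the unknown-user call is microseconds against tens of milliseconds for a real verification, with the hardened version the two are within noise of each other. The same early-return shape is worth grepping for in any custom authentication backend, not only the mod_wsgi handler.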