Your message dated Thu, 05 Feb 2026 20:41:20 +0000
with message-id <[email protected]>
and subject line Bug#1126914: fixed in python-django 3:6.0.2-1
has caused the Debian Bug report #1126914,
regarding python-django: CVE-2025-13473 CVE-2025-14550 CVE-2026-1207 
CVE-2026-1285 CVE-2026-1287 CVE-2026-1312
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126914: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-django
Version: 3:4.2.27-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 3:4.2.27-0+deb13u1

Hi,

The following vulnerabilities were published for python-django.

CVE-2025-13473[0]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. The
| `django.contrib.auth.handlers.modwsgi.check_password()` function for
| authentication via `mod_wsgi` allows remote attackers to enumerate
| users via a timing attack. Earlier, unsupported Django series (such
| as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Stackered for reporting this
| issue.


CVE-2025-14550[1]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a
| potential denial-of-service via a crafted request with multiple
| duplicate headers. Earlier, unsupported Django series (such as
| 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Jiyong Yang for reporting this
| issue.


CVE-2026-1207[2]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only
| implemented on PostGIS) allows remote attackers to inject SQL via
| the band index parameter. Earlier, unsupported Django series (such
| as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Tarek Nakkouch for reporting
| this issue.


CVE-2026-1285[3]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and
| `Truncator.words()` methods (with `html=True`) and the
| `truncatechars_html` and `truncatewords_html` template filters allow
| a remote attacker to cause a potential denial-of-service via crafted
| inputs containing a large number of unmatched HTML end tags.
| Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x)
| were not evaluated and may also be affected. Django would like to
| thank Seokchan Yoon for reporting this issue.


CVE-2026-1287[4]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in
| column aliases via control characters, using a suitably crafted
| dictionary, with dictionary expansion, as the `**kwargs` passed to
| `QuerySet` methods `annotate()`, `aggregate()`, `extra()`,
| `values()`, `values_list()`, and `alias()`. Earlier, unsupported
| Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated
| and may also be affected. Django would like to thank Solomon Kebede
| for reporting this issue.


CVE-2026-1312[5]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL
| injection in column aliases containing periods when the same alias
| is, using a suitably crafted dictionary, with dictionary expansion,
| used in `FilteredRelation`. Earlier, unsupported Django series (such
| as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Solomon Kebede for reporting
| this issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-13473
    https://www.cve.org/CVERecord?id=CVE-2025-13473
[1] https://security-tracker.debian.org/tracker/CVE-2025-14550
    https://www.cve.org/CVERecord?id=CVE-2025-14550
[2] https://security-tracker.debian.org/tracker/CVE-2026-1207
    https://www.cve.org/CVERecord?id=CVE-2026-1207
[3] https://security-tracker.debian.org/tracker/CVE-2026-1285
    https://www.cve.org/CVERecord?id=CVE-2026-1285
[4] https://security-tracker.debian.org/tracker/CVE-2026-1287
    https://www.cve.org/CVERecord?id=CVE-2026-1287
[5] https://security-tracker.debian.org/tracker/CVE-2026-1312
    https://www.cve.org/CVERecord?id=CVE-2026-1312
[6] https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
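The six advisories above share one affected-range statement (6.0 before 6.0.2, 5.2 before 5.2.11, 4.2 before 4.2.28), and the first thing a practitioner wants is to test a deployed version against it. The following is an added example, not part of the bug report, of Debian, or of Django; it parses both upstream version strings and Debian package versions with epoch and revision (as in "3:4.2.27-0+deb13u1" from the Control line above) and reports whether the installed series is fixed, affected, or one the advisory did not evaluate. The binary package name `python3-django` used for the `dpkg-query` lookup is an assumption about the deployment.

```python
"""Check a Django version against the affected ranges stated in
Debian bug #1126914 (6.0 < 6.0.2, 5.2 < 5.2.11, 4.2 < 4.2.28).
Added example, not code from the bug report or from Django."""

import re
import subprocess
from typing import Optional, Tuple

# First fixed release per supported series, taken from the CVE texts.
FIXED = {(6, 0): (6, 0, 2), (5, 2): (5, 2, 11), (4, 2): (4, 2, 28)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Strip a Debian epoch ("3:") and revision ("-2", "-0+deb13u1")
    and return the upstream version as (major, minor, patch)."""
    upstream = text.strip().split(":", 1)[-1].split("-", 1)[0]
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", upstream)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(text: str) -> str:
    """Return 'fixed', 'affected', or 'unevaluated'.  'unevaluated'
    covers series the advisory did not examine (5.0.x, 4.1.x, 3.2.x
    and older), which the text says may also be affected."""
    version = parse_version(text)
    series = version[:2]
    if series not in FIXED:
        return "unevaluated"
    return "fixed" if version >= FIXED[series] else "affected"


def installed_django_version() -> Optional[str]:
    """Best effort: ask dpkg for the Debian package (assumed to be
    named python3-django), then fall back to the importable module."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", "python3-django"],
            capture_output=True, text=True, check=True)
        if out.stdout.strip():
            return out.stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        pass
    try:
        import django  # only present where Django is installed
        return django.get_version()
    except ImportError:
        return None


if __name__ == "__main__":
    found = installed_django_version()
    if found is None:
        print("no Django installation found")
    else:
        print(f"{found}: {assess(found)}")
```

A version-number comparison only reflects upstream numbering. Debian stable updates sometimes carry a fix without adopting the upstream release number, so for a Debian host the authoritative answer is the security tracker entry for each CVE linked in the report, not the third component of the version string.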
--- Begin Message ---
Source: python-django
Source-Version: 3:6.0.2-1
Done: Chris Lamb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Feb 2026 14:17:55 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:6.0.2-1
Distribution: experimental
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1126914
Changes:
 python-django (3:6.0.2-1) experimental; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2025-13473: The check_password function in
       django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi
       allowed remote attackers to enumerate users via a timing attack.
 .
     - CVE-2025-14550: ASGIRequest allowed a remote attacker to cause a
       potential denial-of-service via a crafted request with multiple duplicate
       headers.
 .
     - CVE-2026-1207: Raster lookups on RasterField (only implemented on
       PostGIS) allowed remote attackers to inject SQL via the band index
       parameter.
 .
     - CVE-2026-1285: The django.utils.text.Truncator.chars() and
       Truncator.words() methods (with html=True) and the truncatechars_html and
       truncatewords_html template filters allowed a remote attacker to cause a
       potential denial-of-service via crafted inputs containing a large number
       of unmatched HTML end tags.
 .
     - CVE-2026-1287: FilteredRelation was subject to SQL injection in column
       aliases via control characters using a suitably crafted dictionary, with
       dictionary expansion, as the **kwargs passed to QuerySet methods
       annotate(), aggregate(), extra(), values(), values_list() and alias().
 .
     - CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in column
       aliases containing periods when the same alias is, using a suitably
       crafted dictionary, with dictionary expansion, used in FilteredRelation.
 .
     <https://www.djangoproject.com/weblog/2026/feb/03/security-releases/>
 .
     (Closes: #1126914)
 .
   * Bump Standards-Version to 4.7.3.
Checksums-Sha1:
 4b3a96e9f5b29c198e66a2db9fce7d84f740c172 2783 python-django_6.0.2-1.dsc
 350bfde2ee630b03dde6daf87ad06fac7a8a5642 10886874 python-django_6.0.2.orig.tar.gz
 8037da154347c23540116319f0221b118991cec2 31064 python-django_6.0.2-1.debian.tar.xz
 81a340c640bd65f1041e6ea79ea0658a8c24be0c 8268 python-django_6.0.2-1_amd64.buildinfo
Checksums-Sha256:
 209b13bd88342561728fbf94026179e7c7791f3f6171196538cdf5ae300db366 2783 python-django_6.0.2-1.dsc
 3046a53b0e40d4b676c3b774c73411d7184ae2745fe8ce5e45c0f33d3ddb71a7 10886874 python-django_6.0.2.orig.tar.gz
 1fa5e3177973bb6888baaa6a70dc10e4df911d586d4468ab73d781d30e85bcce 31064 python-django_6.0.2-1.debian.tar.xz
 42554ee304060d9593f386ebbbdaf42a172f2d3e45b52389439000809e03ba37 8268 python-django_6.0.2-1_amd64.buildinfo
Files:
 1b4ec43e51578d82f3e0d8002346b641 2783 python optional python-django_6.0.2-1.dsc
 0836ceb8f1f4694f87f0a698c64bd00e 10886874 python optional python-django_6.0.2.orig.tar.gz
 afb9b555347485ab1b4bea4bf3e48c25 31064 python optional python-django_6.0.2-1.debian.tar.xz
 609d07970fdd6200b5bb98b3f7583cfb 8268 python optional python-django_6.0.2-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpKyVikeIgW7.pgp
Description: PGP signature


--- End Message ---
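Of the six issues, CVE-2025-13473 is the one whose fix shape is worth seeing in code: a password-check path that returns early for a nonexistent user takes microseconds, while the path for a real user spends the full cost of a password hash, and that gap is measurable over the network. The following is an added example in generic form, not Django's code and not a reproduction of the patch Django shipped; it uses a constructed single-user store and PBKDF2 as a stand-in hasher. Its one assumption about the fix is the standard remedy, namely that the unknown-user path performs the same hashing work as the known-user path. The `None`/`True`/`False` return contract mirrors what Django documents for the `mod_wsgi` `check_password` handler.

```python
"""User-enumeration timing leak (the CVE-2025-13473 class) and its usual
remedy, shown with a constructed user store and PBKDF2 as a stand-in
password hasher.  Added example; not Django's code."""

import hashlib
import hmac
import os
import time
from typing import Callable, Optional

ITERATIONS = 200_000  # deliberately slow, as a real password hasher is


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, stored hash).  One real user.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Salt for the unknown-user path, so it can do realistic work without a record.
_DUMMY_SALT = os.urandom(16)


def check_password_leaky(username: str, password: str) -> Optional[bool]:
    """Vulnerable shape: an unknown user returns before any hashing,
    so the response arrives far sooner than for a real user."""
    record = USERS.get(username)
    if record is None:
        return None                      # fast path: leaks "no such user"
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def check_password_uniform(username: str, password: str) -> Optional[bool]:
    """Hardened shape (assumed remedy): hash the supplied password on
    both paths, so timing cannot separate 'no such user' from 'wrong
    password'.  The return contract is unchanged."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)  # same CPU cost, result discarded
        return None
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def time_call(fn: Callable[[str, str], Optional[bool]],
              username: str, password: str, rounds: int = 3) -> float:
    """Median wall-clock seconds for fn(username, password)."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        fn(username, password)
        samples.append(time.perf_counter() - start)
    return sorted(samples)[len(samples) // 2]


def timing_ratio(fn: Callable[[str, str], Optional[bool]]) -> float:
    """Unknown-user time divided by known-user time.  Close to 0 means
    the handler reveals which usernames exist; close to 1 means it
    does not."""
    known = time_call(fn, "alice", "wrong password")
    unknown = time_call(fn, "mallory", "wrong password")
    return unknown / known if known else float("inf")


if __name__ == "__main__":
    print(f"leaky   ratio: {timing_ratio(check_password_leaky):.3f}")
    print(f"uniform ratio: {timing_ratio(check_password_uniform):.3f}")
```

The measured ratio is a local illustration; over a network the same gap is recovered statistically from many requests. The point for the other five CVEs in the report is different but the verification step is the same: upgrade to a release at or past the fixed version for the series in use, and do not rely on the handler-level comparison alone, since `authenticate()`-style dummy hashing only closes the timing channel, not the account-existence oracle that different error messages would reopen.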
