Your message dated Wed, 03 Jun 2026 15:19:05 +0000
with message-id <[email protected]>
and subject line Bug#1138775: fixed in python-django 3:6.0.6-1
has caused the Debian Bug report #1138775,
regarding python-django: CVE-2026-6873 CVE-2026-7666 CVE-2026-8404
CVE-2026-35193 CVE-2026-48587
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138775: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138775
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 2:2.2.28-1~deb11u12
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for python-django.
* CVE-2026-6873: Signed cookie salt namespace collision in
`django.http.HttpRequest.get_signed_cookie`
`get_signed_cookie()` derived the signing salt by concatenating
the cookie name (`key`) and `salt` arguments. When distinct name
and salt pairs produced the same concatenation, cookies could be
accepted in a context different from the one where they were
signed.
Cookies are now signed with an unambiguous salt derivation. For
backwards compatibility, cookies signed by older Django versions
are accepted until Django 7.0.
* CVE-2026-7666: Potential unencrypted email transmission via `STARTTLS` in the
SMTP backend
When using `EMAIL_USE_TLS`, a failed `STARTTLS` handshake could
leave a partially-initialized connection that would subsequently
be reused for sending email without encryption. This can occur
with `fail_silently=True`, as used by `send_mail()` and
`BrokenLinkEmailsMiddleware`, among others. Connections configured
with `EMAIL_USE_SSL` are not affected.
* CVE-2026-8404: Potential exposure of private data via case-sensitive
`Cache-Control` directives in `UpdateCacheMiddleware`
`django.middleware.cache.UpdateCacheMiddleware` and
`django.views.decorators.cache.cache_page` decorator incorrectly
cached responses marked with private `Cache-Control` directives
when using mixed or uppercase values (e.g. `Private`).
The `django.views.decorators.cache.cache_control` decorator and
`django.utils.cache.patch_cache_control()` function were not
affected, since they normalize directives to lowercase. This issue
only affects responses where `Cache-Control` is set manually.
* CVE-2026-35193: Potential exposure of private data via missing `Vary:
Authorization` in `UpdateCacheMiddleware`
`django.middleware.cache.UpdateCacheMiddleware` and
`django.views.decorators.cache.cache_page` decorator allowed
responses to requests bearing an `Authorization` header (and
without `Cache-Control: public`) to be cached. To conform with the
existing mechanism for constructing cache keys, responses to these
requests will now vary on `Authorization`.
* CVE-2026-48587: Potential exposure of private data via whitespace padding in
`Vary` header
`django.middleware.cache.UpdateCacheMiddleware` incorrectly cached
responses whose `Vary` header values contained leading or trailing
whitespace. Because `has_vary_header()` failed to strip that
whitespace, a response with a `Vary: * ` header (note the trailing
space) was not recognized as containing the wildcard, causing it
to be stored and potentially served from the cache when it should
not have been.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
https://www.djangoproject.com/weblog/2026/jun/03/security-releases/
Regards,
--
Chris Lamb
[email protected] / chris-lamb.co.uk
--- End Message ---
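Illustration of the salt-derivation collision behind CVE-2026-6873, added here and not Django's own signing code: concatenating the cookie name and salt means the (name, salt) pairs ("ab", "c") and ("a", "bc") share one signing namespace, whereas a length-prefixed derivation keeps them apart. The secret, the derivation helpers and the HMAC construction are assumptions made for the demonstration only.

```python
import hashlib
import hmac

SECRET = b"constructed-secret-for-illustration"  # assumption: not a real key


def ambiguous_salt(key, salt):
    """Plain concatenation: ('ab', 'c') and ('a', 'bc') yield identical bytes."""
    return (key + salt).encode()


def unambiguous_salt(key, salt):
    """Length-prefix each part so the boundary between name and salt is encoded."""
    return b"".join(len(p).to_bytes(4, "big") + p.encode() for p in (key, salt))


def _mac_key(key, salt, derive):
    # The derived salt is mixed into the per-namespace MAC key (illustrative scheme).
    return hashlib.sha256(derive(key, salt) + SECRET).digest()


def sign(value, key, salt, derive):
    """Return 'value:hexsignature' signed in the (key, salt) namespace."""
    sig = hmac.new(_mac_key(key, salt, derive), value.encode(), hashlib.sha256)
    return value + ":" + sig.hexdigest()


def verify(signed, key, salt, derive):
    """True only if the signature was produced under the same namespace."""
    value, _, sig = signed.rpartition(":")
    expected = hmac.new(_mac_key(key, salt, derive), value.encode(), hashlib.sha256)
    return hmac.compare_digest(sig, expected.hexdigest())


def namespaces_collide(derive, a=("ab", "c"), b=("a", "bc")):
    """Does a cookie signed for namespace a verify in the distinct namespace b?"""
    return verify(sign("user=42", *a, derive), *b, derive)


if __name__ == "__main__":
    print("concatenation collides:", namespaces_collide(ambiguous_salt))
    print("length-prefixed collides:", namespaces_collide(unambiguous_salt))
```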
--- Begin Message ---
Source: python-django
Source-Version: 3:6.0.6-1
Done: Chris Lamb <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 03 Jun 2026 08:06:41 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:6.0.6-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1138775
Changes:
python-django (3:6.0.6-1) experimental; urgency=medium
.
* New upstream security release:
.
- CVE-2026-6873: Signed cookie salt namespace collision in
django.http.HttpRequest.get_signed_cookie
.
get_signed_cookie derived the signing salt by concatenating the cookie
name (key) and salt arguments. When distinct name and salt pairs produced
the same concatenation, cookies could be accepted in a context different
from the one where they were signed.
.
Cookies are now signed with an unambiguous salt derivation. For backwards
compatibility, cookies signed by older Django versions are accepted until
Django 7.0.
.
- CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in
the SMTP backend
.
When using EMAIL_USE_TLS, a failed STARTTLS handshake could leave a
partially-initialized connection that would subsequently be reused for
sending email without encryption. This can occur with fail_silently=True,
as used by send_mail and BrokenLinkEmailsMiddleware among others.
Connections configured with EMAIL_USE_SSL are not affected.
.
- CVE-2026-8404: Potential exposure of private data via case-sensitive
Cache-Control directives in UpdateCacheMiddleware
.
django.middleware.cache.UpdateCacheMiddleware and
django.views.decorators.cache.cache_page decorator incorrectly cached
responses marked with private Cache-Control directives when using mixed
or uppercase values (e.g. Private).
.
The django.views.decorators.cache.cache_control decorator and
django.utils.cache.patch_cache_control function were not affected
since they normalize directives to lowercase. This issue only affects
responses where Cache-Control is set manually.
.
- CVE-2026-35193: Potential exposure of private data via missing Vary:
Authorization in UpdateCacheMiddleware
.
django.middleware.cache.UpdateCacheMiddleware and
django.views.decorators.cache.cache_page decorator allowed responses to
requests bearing an Authorization header (and without Cache-Control:
public) to be cached. To conform with the existing mechanism for
constructing cache keys, responses to these requests will now vary on
Authorization.
.
- CVE-2026-48587: Potential exposure of private data via whitespace padding
in Vary header
.
django.middleware.cache.UpdateCacheMiddleware incorrectly cached
responses whose Vary header values contained leading or trailing
whitespace. Because has_vary_header failed to strip that whitespace, a
response with a "Vary: * " header (note the trailing space) was not
recognized as containing the wildcard, causing it to be stored and
potentially served from the cache when it should not have been.
.
<https://www.djangoproject.com/weblog/2026/jun/03/security-releases/>
.
(Closes: #1138775)
* New upstream version 6.0.6
--- End Message ---
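Added example, not Django's or the Debian package's code, covering the three cache-header issues described in the bug report and repeated in the changelog above (CVE-2026-8404, CVE-2026-35193, CVE-2026-48587): a naive cacheability check that reproduces the described behaviour beside a hardened one that normalizes case and whitespace before comparing, plus the fields a cache key must vary on when the request carried Authorization. Function names, the constructed sample headers and the extra no-store handling are my own assumptions.

```python
import re

# Constructed (Cache-Control, Vary) header pairs for the walk-through; None = absent.
SAMPLES = {
    "lowercase-private": ("private, max-age=60", None),
    "uppercase-private": ("Private, max-age=60", None),
    "vary-star-padded": ("max-age=60", "* "),
    "vary-padded-fields": ("max-age=60", " Accept-Encoding , cookie "),
}
_DELIM = re.compile(r"\s*,\s*")

def directives(cache_control):
    """Cache-Control directive names, lowercased, with any '=value' dropped."""
    if not cache_control:
        return set()
    return {p.partition("=")[0].strip().lower()
            for p in _DELIM.split(cache_control) if p.strip()}

def vary_fields(vary):
    """Vary field names, stripped and lowercased (names are case-insensitive)."""
    if not vary:
        return set()
    return {f.strip().lower() for f in _DELIM.split(vary) if f.strip()}

def is_cacheable_naive(cache_control, vary):
    """Advisory's two pitfalls: case-sensitive 'private' test, unstripped Vary split."""
    if cache_control and "private" in cache_control:
        return False
    if vary and "*" in _DELIM.split(vary):
        return False
    return True

def is_cacheable_hardened(cache_control, vary):
    """Normalize first, compare second; this closes both gaps (no-store added)."""
    if directives(cache_control) & {"private", "no-store"}:
        return False
    return "*" not in vary_fields(vary)

def cache_key_vary(cache_control, vary, request_has_authorization):
    """Fields the cache key varies on: a response to a request that carried
    Authorization is keyed on it unless Cache-Control says public."""
    fields = vary_fields(vary)
    if request_has_authorization and "public" not in directives(cache_control):
        fields.add("authorization")
    return fields

def audit(samples=SAMPLES):
    """(naive, hardened) verdicts per sample; a mismatch is a cache leak."""
    return {n: (is_cacheable_naive(cc, v), is_cacheable_hardened(cc, v))
            for n, (cc, v) in samples.items()}
```

Run `audit()` to see which samples the naive check would have stored: the uppercase `Private` and the padded `Vary: * ` cases are cacheable under it and refused by the hardened check.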