Your message dated Wed, 03 Jun 2026 15:34:13 +0000
with message-id <[email protected]>
and subject line Bug#1138775: fixed in python-django 3:5.2.15-1
has caused the Debian Bug report #1138775,
regarding python-django: CVE-2026-6873 CVE-2026-7666 CVE-2026-8404
CVE-2026-35193 CVE-2026-48587
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138775: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138775
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 2:2.2.28-1~deb11u12
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for python-django.
* CVE-2026-6873: Signed cookie salt namespace collision in `django.http.HttpRequest.get_signed_cookie`

  `get_signed_cookie()` derived the signing salt by concatenating the cookie name (`key`) and `salt` arguments. When distinct name and salt pairs produced the same concatenation, cookies could be accepted in a context different from the one where they were signed.

  Cookies are now signed with an unambiguous salt derivation. For backwards compatibility, cookies signed by older Django versions are accepted until Django 7.0.

* CVE-2026-7666: Potential unencrypted email transmission via `STARTTLS` in the SMTP backend

  When using `EMAIL_USE_TLS`, a failed `STARTTLS` handshake could leave a partially-initialized connection that would subsequently be reused for sending email without encryption. This can occur with `fail_silently=True`, as used by `send_mail()` and `BrokenLinkEmailsMiddleware`, among others. Connections configured with `EMAIL_USE_SSL` are not affected.

* CVE-2026-8404: Potential exposure of private data via case-sensitive `Cache-Control` directives in `UpdateCacheMiddleware`

  `django.middleware.cache.UpdateCacheMiddleware` and `django.views.decorators.cache.cache_page` decorator incorrectly cached responses marked with private `Cache-Control` directives when using mixed or uppercase values (e.g. `Private`).

  The `django.views.decorators.cache.cache_control` decorator and `django.utils.cache.patch_cache_control()` function were not affected, since they normalize directives to lowercase. This issue only affects responses where `Cache-Control` is set manually.

* CVE-2026-35193: Potential exposure of private data via missing `Vary: Authorization` in `UpdateCacheMiddleware`

  `django.middleware.cache.UpdateCacheMiddleware` and `django.views.decorators.cache.cache_page` decorator allowed responses to requests bearing an `Authorization` header (and without `Cache-Control: public`) to be cached. To conform with the existing mechanism for constructing cache keys, responses to these requests will now vary on `Authorization`.

* CVE-2026-48587: Potential exposure of private data via whitespace padding in `Vary` header

  `django.middleware.cache.UpdateCacheMiddleware` incorrectly cached responses whose `Vary` header values contained leading or trailing whitespace. Because `has_vary_header()` failed to strip that whitespace, a response with a `Vary: * ` header (note the trailing space) was not recognized as containing the wildcard, causing it to be stored and potentially served from the cache when it should not have been.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
https://www.djangoproject.com/weblog/2026/jun/03/security-releases/
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
--- End Message ---
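The salt namespace collision behind CVE-2026-6873 comes from a non-injective derivation (plain concatenation of cookie name and salt). The following is an added illustration, not Django's signing code or part of the report: a toy HMAC signer whose per-purpose key is derived from `(name, salt)`, comparing a naive concatenation with a length-prefixed derivation. `SECRET`, `naive_salt`, `unambiguous_salt`, `sign`, `verify` and `cross_context_accepted` are constructed names for this example.

```python
import hashlib
import hmac

# Added illustration, not Django's signing code: a toy signer whose
# per-purpose key is derived from the cookie name and caller salt.
SECRET = b"constructed-demo-secret"  # placeholder, not a real key


def naive_salt(name, salt):
    """Ambiguous: ("ab", "c") and ("a", "bc") both give "abc"."""
    return name + salt


def unambiguous_salt(name, salt):
    """Length-prefix each part so no two (name, salt) pairs collide."""
    return f"{len(name)}:{name}|{len(salt)}:{salt}"


def sign(value, derived_salt):
    """HMAC the value under a key bound to the derived salt."""
    key = hashlib.sha256(derived_salt.encode() + SECRET).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def verify(value, signature, derived_salt):
    """Constant-time check of a signature for the given context."""
    return hmac.compare_digest(sign(value, derived_salt), signature)


def cross_context_accepted(derive):
    """Sign under cookie name 'ab' / salt 'c', then check whether the
    unrelated context name 'a' / salt 'bc' accepts the same signature."""
    signature = sign("session-token", derive("ab", "c"))
    return verify("session-token", signature, derive("a", "bc"))


if __name__ == "__main__":
    print("naive derivation accepts foreign cookie:",
          cross_context_accepted(naive_salt))        # True
    print("unambiguous derivation accepts it:",
          cross_context_accepted(unambiguous_salt))  # False
```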
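The three cache issues (CVE-2026-8404, CVE-2026-35193 and CVE-2026-48587) are all failures of a shared-cache admission decision. As an added example that is not Django's middleware or any code from the report, the check below normalizes `Cache-Control` directive names to lowercase, strips whitespace padding from `Vary` before looking for the wildcard, and keys responses to requests carrying `Authorization` on that header unless the response is explicitly `public`. `cache_decision`, `cache_control_directives`, `vary_fields` and `PRIVATE_DIRECTIVES` are constructed names; the sample headers are constructed.

```python
# Added example, not Django's code: a shared-cache admission check that
# handles the three pitfalls listed in the advisory. Names are constructed.
PRIVATE_DIRECTIVES = {"private", "no-store"}


def cache_control_directives(value):
    """Parse Cache-Control into {lowercased directive: argument}."""
    directives = {}
    for token in value.split(","):
        name, _, arg = token.strip().partition("=")
        if name:
            # Lowercase so "Private" and "PRIVATE" match (CVE-2026-8404).
            directives[name.strip().lower()] = arg.strip()
    return directives


def vary_fields(value):
    """Parse Vary into lowercased field names with padding stripped."""
    # Stripping makes "Vary: * " equal to "Vary: *" (CVE-2026-48587).
    return {field.strip().lower() for field in value.split(",") if field.strip()}


def cache_decision(response_headers, request_headers):
    """Return (store, vary): whether the response may go into a shared
    cache, and the request header names the cache key must vary on."""
    resp = {k.lower(): v for k, v in response_headers.items()}
    req = {k.lower(): v for k, v in request_headers.items()}
    cc = cache_control_directives(resp.get("cache-control", ""))
    if cc.keys() & PRIVATE_DIRECTIVES:
        return False, frozenset()
    vary = vary_fields(resp.get("vary", ""))
    if "*" in vary:
        return False, frozenset()
    # A response to an authenticated request is only shareable when the
    # origin said so explicitly; otherwise key it on Authorization
    # (CVE-2026-35193).
    if "authorization" in req and "public" not in cc:
        vary.add("authorization")
    return True, frozenset(vary)


if __name__ == "__main__":
    # Constructed sample headers.
    print(cache_decision({"Cache-Control": "Private, max-age=60"}, {}))
    print(cache_decision({"Vary": "* "}, {}))
    print(cache_decision({"Vary": "Accept-Encoding, Cookie "},
                         {"Authorization": "Bearer constructed-token"}))
```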
--- Begin Message ---
Source: python-django
Source-Version: 3:5.2.15-1
Done: Chris Lamb <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 03 Jun 2026 08:17:20 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:5.2.15-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1138775
Changes:
python-django (3:5.2.15-1) unstable; urgency=high
.
* New upstream security release:
.
- CVE-2026-6873: Signed cookie salt namespace collision in
django.http.HttpRequest.get_signed_cookie
.
get_signed_cookie derived the signing salt by concatenating the cookie
name (key) and salt arguments. When distinct name and salt pairs produced
the same concatenation, cookies could be accepted in a context different
from the one where they were signed.
.
Cookies are now signed with an unambiguous salt derivation. For backwards
compatibility, cookies signed by older Django versions are accepted until
Django 7.0.
.
- CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in
the SMTP backend
.
When using EMAIL_USE_TLS, a failed STARTTLS handshake could leave a
partially-initialized connection that would subsequently be reused for
sending email without encryption. This can occur with fail_silently=True,
as used by send_mail and BrokenLinkEmailsMiddleware among others.
Connections configured with EMAIL_USE_SSL are not affected.
.
- CVE-2026-8404: Potential exposure of private data via case-sensitive
Cache-Control directives in UpdateCacheMiddleware
.
django.middleware.cache.UpdateCacheMiddleware and
django.views.decorators.cache.cache_page decorator incorrectly cached
responses marked with private Cache-Control directives when using mixed
or uppercase values (e.g. Private).
.
The django.views.decorators.cache.cache_control decorator and
django.utils.cache.patch_cache_control function were not affected
since they normalize directives to lowercase. This issue only affects
responses where Cache-Control is set manually.
.
- CVE-2026-35193: Potential exposure of private data via missing Vary:
Authorization in UpdateCacheMiddleware
.
django.middleware.cache.UpdateCacheMiddleware and
django.views.decorators.cache.cache_page decorator allowed responses to
requests bearing an Authorization header (and without Cache-Control:
public) to be cached. To conform with the existing mechanism for
constructing cache keys, responses to these requests will now vary on
Authorization.
.
- CVE-2026-48587: Potential exposure of private data via whitespace padding
in Vary header
.
django.middleware.cache.UpdateCacheMiddleware incorrectly cached
responses whose Vary header values contained leading or trailing
whitespace. Because has_vary_header failed to strip that whitespace, a
response with a "Vary: * " header (note the trailing space) was not
recognized as containing the wildcard, causing it to be stored and
potentially served from the cache when it should not have been.
.
<https://www.djangoproject.com/weblog/2026/jun/03/security-releases/>
.
(Closes: #1138775)
--- End Message ---