-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Feb 2026 14:44:14 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.28-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1126914
Changes:
 python-django (3:4.2.28-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2025-13473: The check_password function in
       django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi
       allowed remote attackers to enumerate users via a timing attack.
 .
     - CVE-2025-14550: When receiving duplicates of a single header, ASGIRequest
       allowed a remote attacker to cause a potential denial-of-service via a
       specifically created request with multiple duplicate headers. The
       vulnerability resulted from repeated string concatenation while combining
       repeated headers, which produced super-linear computation resulting in
       service degradation or outage.
 .
     - CVE-2026-1207: Raster lookups on RasterField (only implemented on
       PostGIS) allowed remote attackers to inject SQL via the band index
       parameter.
 .
     - CVE-2026-1285: The django.utils.text.Truncator.chars() and
       Truncator.words() methods (with html=True) and the truncatechars_html and
       truncatewords_html template filters allowed a remote attacker to cause a
       potential denial-of-service via crafted inputs containing a large number
       of unmatched HTML end tags.
 .
     - CVE-2026-1287: FilteredRelation was subject to SQL injection in column
       aliases via control characters using a suitably crafted dictionary, with
       dictionary expansion, as the **kwargs passed to QuerySet methods
       annotate(), aggregate(), extra(), values(), values_list() and alias().
 .
     - CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in column
       aliases containing periods when the same alias is, using a suitably
       crafted dictionary, with dictionary expansion, used in FilteredRelation.
 .
     <https://docs.djangoproject.com/en/dev/releases/4.2.28/> (Closes: #1126914)
Checksums-Sha1:
 47dd07f4da32720edf7cdc2fab454f49814a984f 2822 python-django_4.2.28-0+deb13u1.dsc
 e0a589cf92e1887d55cd2b02071aa0383615cc2c 10464933 python-django_4.2.28.orig.tar.gz
 89a4eadabd051781962a6132c2998b8f9d0137df 34912 python-django_4.2.28-0+deb13u1.debian.tar.xz
 81b0457f606b5bb25f0b2422a2bbca17dd750e09 8219 python-django_4.2.28-0+deb13u1_amd64.buildinfo
Checksums-Sha256:
 412809afa692ce92d6dd16dd1c0ce3b1e21a63deccf1f7cac8029b48d8db4c94 2822 python-django_4.2.28-0+deb13u1.dsc
 a4b9cd881991add394cafa8bb3b11ad1742d1e1470ba99c3ef53dc540316ccfe 10464933 python-django_4.2.28.orig.tar.gz
 ab401b922c1dc56718a0901c379e9a2a2015c5fee79302f70f72868ef2b6026f 34912 python-django_4.2.28-0+deb13u1.debian.tar.xz
 d05b20f088c463074ab5fb1ea8c628d1753b37ca0e3841e34e8f438d3535b93a 8219 python-django_4.2.28-0+deb13u1_amd64.buildinfo
Files:
 202e38d78d1227b18cdf1d4661f7e456 2822 python optional python-django_4.2.28-0+deb13u1.dsc
 7c9bf3734061c4b22bdf4d922308fe62 10464933 python optional python-django_4.2.28.orig.tar.gz
 36dec15d615e0cfd41ba89161ba11092 34912 python optional python-django_4.2.28-0+deb13u1.debian.tar.xz
 64c5ad2013cdbc42329b29c37b9956c1 8219 python optional python-django_4.2.28-0+deb13u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
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=5BUz
-----END PGP SIGNATURE-----
