-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Feb 2026 12:34:40 -0800
Source: python-django
Architecture: source
Version: 2:2.2.28-1~deb11u12
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Changes:
 python-django (2:2.2.28-1~deb11u12) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS security team.
   * CVE-2025-13473: The check_password function in
     django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi
     allowed remote attackers to enumerate users via a timing attack.
   * CVE-2026-1207: Raster lookups on RasterField (only implemented on PostGIS)
     allowed remote attackers to inject SQL via the band index parameter.
   * CVE-2026-1285: The django.utils.text.Truncator.chars() and
     Truncator.words() methods (with html=True) and the truncatechars_html and
     truncatewords_html template filters allowed a remote attacker to cause a
     potential denial-of-service via crafted inputs containing a large number of
     unmatched HTML end tags.
   * CVE-2026-1287: FilteredRelation was subject to SQL injection in column
     aliases via control characters using a suitably crafted dictionary, with
     dictionary expansion, as the **kwargs passed to QuerySet methods
     annotate(), aggregate(), extra(), values(), values_list() and alias().
   * CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in column
     aliases containing periods when the same alias is, using a suitably
     crafted dictionary, with dictionary expansion, used in FilteredRelation.
   * The fix for CVE-2025-6069 in the python3.9 source package (released
     as part of a suite of updates in DLA 4445-1) modified the
     html.parser.HTMLParser class in such a way that it changed the behaviour
     of Django's strip_tags() method in some edge cases that were tested by
     Django's testsuite. As a result of this regression, update the testsuite
     for the new expected results.
   * Fix a merge issue in a previously-released test for CVE-2025-57833, where
     one test was harmlessly masking another.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
