Bug#1126461: trixie-pu: package python-django/3:4.2.27-1+deb13u1

2026-01-27 Thread Salvatore Bonaccorso
Hi,

On Tue, Jan 27, 2026 at 08:17:55AM +0100, Moritz Mühlenhoff wrote:
> On Mon, Jan 26, 2026 at 11:21:46AM -0800, Chris Lamb wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: trixie
> > User: [email protected]
> > Usertags: pu
> > 
> > Dear stable release managers,
> > 
> > Re. https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/300,
> > please consider python-django (3:4.2.27-1+deb13u1) for trixie:
> >   
> >   python-django (3:4.2.27-1+deb13u1) trixie; urgency=high
> 
> Let's fix Django via a DSA instead, I'll review the debdiff in the coming
> days and get back to you.

IMHO though the version has to be chosen differently. Is this a new
upstream version import on top of the packaging?

Then please choose 3:4.2.27-0+deb13u1 instead. This is even more
important to do as there was a 3:4.2.27-1 upload.

Regards,
Salvatore



Bug#1126461: trixie-pu: package python-django/3:4.2.27-1+deb13u1

2026-01-26 Thread Moritz Mühlenhoff
On Mon, Jan 26, 2026 at 11:21:46AM -0800, Chris Lamb wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> User: [email protected]
> Usertags: pu
> 
> Dear stable release managers,
> 
> Re. https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/300,
> please consider python-django (3:4.2.27-1+deb13u1) for trixie:
>   
>   python-django (3:4.2.27-1+deb13u1) trixie; urgency=high

Let's fix Django via a DSA instead, I'll review the debdiff in the coming
days and get back to you.

Cheers,
Moritz



Bug#1126461: trixie-pu: package python-django/3:4.2.27-1+deb13u1

2026-01-26 Thread Chris Lamb
Package: release.debian.org
Severity: normal
Tags: trixie
User: [email protected]
Usertags: pu

Dear stable release managers,

Re. https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/300,
please consider python-django (3:4.2.27-1+deb13u1) for trixie:
  
  python-django (3:4.2.27-1+deb13u1) trixie; urgency=high
  .
  * New upstream security release:
  .
    - CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
      column aliases when using PostgreSQL. FilteredRelation was subject to SQL
      injection in column aliases via a suitably crafted dictionary as the
      **kwargs passed to QuerySet.annotate() or QuerySet.alias().
  .
    - CVE-2025-57833: Potential SQL injection in FilteredRelation column
      aliases. The FilteredRelation feature in Django was subject to a
      potential SQL injection vulnerability in column aliases that was
      exploitable via a suitably crafted dictionary with dictionary expansion
      as the **kwargs passed to QuerySet.annotate() or QuerySet.alias(). This
      CVE was fixed in Django 4.2.24. (Closes: #1113865)
  .
    - CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(),
      aggregate() and extra() on MySQL and MariaDB. The QuerySet.annotate(),
      QuerySet.alias(), QuerySet.aggregate() and QuerySet.extra() methods were
      subject to SQL injection in column aliases, using a suitably crafted
      dictionary with dictionary expansion as the **kwargs passed to these
      methods on MySQL and MariaDB. This CVE was fixed in Django 4.2.25.
  .
    - CVE-2025-59682: Potential partial directory-traversal via
      archive.extract(). The django.utils.archive.extract() function, used by
      startapp --template and startproject --template, allowed partial
      directory-traversal via an archive with file paths sharing a common
      prefix with the target directory. This CVE was fixed in Django 4.2.25.
  .
    - CVE-2025-64459: Prevent a potential SQL injection via the _connector
      keyword argument in QuerySet/Q objects. The methods QuerySet.filter(),
      QuerySet.exclude(), and QuerySet.get() and the class Q() were subject to
      SQL injection when using a suitably crafted dictionary (with dictionary
      expansion) as the _connector argument. This CVE was fixed in Django
      4.2.26.
  .
    - CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
      XML serializer text extraction. An algorithmic complexity issue in
      django.core.serializers.xml_serializer.getInnerText() allowed a remote
      attacker to cause a potential denial-of-service, triggering CPU and
      memory exhaustion, via a specially crafted XML input submitted to a
      service that invokes the XML deserializer. The vulnerability resulted
      from repeated string concatenation while recursively collecting text
      nodes, which produced superlinear computation. (Closes: #1121788)
  .


The relevant Debusine job is as follows:

  https://debusine.debian.net/debian/developers/work-request/357875/

There are three failures of autopkgtests in reverse-dependencies, which I
have investigated as follows:

  * src:debusine — appears to be some unshare(1)/namespace issue.
  * src:django-ldapdb — "Depends: python3-volatildap but it is not installable"
  * src:pyinstaller — Socket/internet issue:
    "tests/functional/test_scipy.py::test_scipy[onedir-scipy.spatial] Error:
    websocket: close 1006 (abnormal closure): unexpected EOF"

The full diff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  [email protected] / chris-lamb.co.uk
   `-
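As an added illustration of the CVE-2025-64460 mechanism described in the changelog above (this is not Django's code; the nested document, element name and the copy counter are constructed for the demonstration): a recursive text collector that joins the collected strings at every level copies text sitting at depth k about k times, so nesting depth drives superlinear work, whereas appending leaf text to one shared list and joining once is linear.

```python
from xml.dom import minidom

# Counts characters materialised by join() so the cost difference is measurable
# without timing. Constructed instrumentation, not part of any real serializer.
COPIED = {"chars": 0}


def _join(parts):
    text = "".join(parts)
    COPIED["chars"] += len(text)
    return text


def inner_text_per_level(node):
    """Superlinear pattern: every recursion level builds a fresh string for its
    whole subtree, so text at depth k is copied once per enclosing element."""
    parts = []
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            parts.append(inner_text_per_level(child))  # intermediate string
    return _join(parts)


def inner_text_linear(node):
    """Linear pattern: collect leaf text into one list, join exactly once."""
    parts = []

    def walk(n):
        for child in n.childNodes:
            if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
                parts.append(child.data)
            elif child.nodeType == child.ELEMENT_NODE:
                walk(child)

    walk(node)
    return _join(parts)


def nested_doc(depth):
    """Constructed input: <a>x<a>x...</a></a>, `depth` levels, one char each."""
    return "<a>x" * depth + "</a>" * depth


def copied_chars(collector, depth):
    """Run `collector` on a nested doc; return (text, chars copied by joins)."""
    root = minidom.parseString(nested_doc(depth)).documentElement
    COPIED["chars"] = 0
    text = collector(root)
    return text, COPIED["chars"]
```

For depth 300 both collectors return the same 300-character string, but the per-level version copies 300*301/2 = 45150 characters while the linear one copies 300; the gap grows quadratically with nesting depth.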
diff --git debian/changelog debian/changelog
index 8120d436f..a4c0b0d99 100644
--- debian/changelog
+++ debian/changelog
@@ -1,3 +1,52 @@
+python-django (3:4.2.27-1+deb13u1) trixie; urgency=high
+
+  * New upstream security release:
+
+- CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
+  column aliases when using PostgreSQL. FilteredRelation was subject to SQL
+  injection in column aliases via a suitably crafted dictionary as the
+  **kwargs passed to QuerySet.annotate() or QuerySet.alias().
+
+- CVE-2025-57833: Potential SQL injection in FilteredRelation column
+  aliases. The FilteredRelation feature in Django was subject to a
+  potential SQL injection vulnerability in column aliases that was
+  exploitable via suitably crafted dictionary with dictionary expansion as
+  the **kwargs passed QuerySet.annotate() or QuerySet.alias(). This CVE
+  was fixed in Django 4.2.24. (Closes: #1113865)
+
+- CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(),
+  aggregate() and extra() on MySQL and MariaDB. QuerySet.annotate(),
+  QuerySet.alias(), QuerySet.aggregate() and QuerySet.extra() methods were
+  subject to SQL injection
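Review bot: the version in the new stanza, `python-django (3:4.2.27-1+deb13u1) trixie; urgency=high`, should be 3:4.2.27-0+deb13u1, as raised in the thread: this is a new upstream release imported into trixie, not a rebuild of the -1 packaging, and since a 3:4.2.27-1 upload already exists, -1+deb13u1 sorts above it under dpkg version comparison and breaks the expected stable-below-unstable ordering. Two smaller points in the same stanza: the CVE-2025-13372 entry is the only one that does not state which upstream release fixed it, so add that for consistency with the other entries, and in the CVE-2025-57833 text "passed QuerySet.annotate()" is missing "to".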