Public bug reported:

Scheduled-For: ubuntu-25.06
Ubuntu: 3:4.2.18-1ubuntu1.1
Debian Unstable: 3:4.2.21-1
Debian Experimental: 3:5.2-1

A new release of python-django is available for merging from Debian Unstable.

If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.

If this merge pulls in a new upstream version, also consider adding an entry to the questing Release Notes:
https://discourse.ubuntu.com/t/questing-quokka-release-notes/

### New Debian Changes ###

python-django (3:4.2.21-1) unstable; urgency=medium

  * New upstream security release:

    - CVE-2025-32873: Denial-of-service possibility in strip_tags()

      django.utils.html.strip_tags() would be slow to evaluate certain inputs
      containing large sequences of incomplete HTML tags. This function is used
      to implement the striptags template filter, which was therefore also
      vulnerable. strip_tags() now raises a SuspiciousOperation exception if it
      encounters an unusually large number of unclosed opening tags.
      (Closes: #1104872)

      <https://www.djangoproject.com/weblog/2025/may/07/security-releases/>

  * Bump Standards-Version to 4.7.2.
  * Add pybuild-plugin-pyproject to Build-Depends.

 -- Chris Lamb <[email protected]>  Fri, 09 May 2025 15:47:11 -0700

python-django (3:4.2.20-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2025-26699: Address a potential denial-of-service in
      django.utils.text.wrap.

      The wrap() method and wordwrap template filter were subject to a
      potential denial-of-service attack when used with very long strings.
      (Closes: #1099682)

      <https://www.djangoproject.com/weblog/2025/mar/06/security-releases/>

 -- Chris Lamb <[email protected]>  Thu, 06 Mar 2025 17:55:06 +0000

python-django (3:4.2.19-1) unstable; urgency=medium

  * New upstream bugfix release.

    <https://www.djangoproject.com/weblog/2025/feb/05/bugfix-releases/>

 -- Chris Lamb <[email protected]>  Wed, 05 Feb 2025 16:45:05 +0000

### Old Ubuntu Delta ###

python-django (3:4.2.18-1ubuntu1.1) plucky-security; urgency=medium

  * SECURITY UPDATE: Denial of service in strip_tags()
    - debian/patches/CVE-2025-32873.patch: check tag depth in
      django/utils/html.py, tests/utils_tests/test_html.py.
    - CVE-2025-32873

 -- Marc Deslauriers <[email protected]>  Wed, 30 Apr 2025 10:30:41 -0400

python-django (3:4.2.18-1ubuntu1) plucky; urgency=medium

  * SECURITY UPDATE: Denial of service.
    - debian/patches/CVE-2025-26699.patch: Change wrap to use textwrap
      library in ./django/utils/text.py.
    - CVE-2025-26699

 -- Hlib Korzhynskyy <[email protected]>  Fri, 07 Mar 2025 09:49:59 -0330

** Affects: python-django (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: needs-merge upgrade-software-version

** Changed in: python-django (Ubuntu)
    Milestone: None => ubuntu-25.06

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2110437

Title:
  Merge python-django from Debian Unstable for questing

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-django/+bug/2110437/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
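As an added illustration of the CVE-2025-32873 mitigation described in the changelog above (this is example code, not Django's own implementation), a simplified strip_tags() that counts unclosed opening tags in one linear pass and refuses the input before any stripping work is done; the threshold MAX_UNCLOSED_TAGS and the SuspiciousOperation stand-in class are assumptions, since the page does not state Django's actual limit.

```python
"""Bounded tag stripping: illustrative only, not django.utils.html."""
import re

# Hypothetical threshold; the page does not state Django's real limit.
MAX_UNCLOSED_TAGS = 50

# A complete tag: '<' followed by anything up to the next '>'.
_TAG_RE = re.compile(r"<[^>]*>")


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation."""


def count_unclosed_open_tags(value: str) -> int:
    """Count '<' characters that never receive a matching '>'.

    A '<' seen while an earlier '<' is still unterminated, or one still
    open at end of input, is an unclosed opening tag.
    """
    unclosed = 0
    in_tag = False
    for ch in value:
        if ch == "<":
            if in_tag:
                unclosed += 1
            in_tag = True
        elif ch == ">" and in_tag:
            in_tag = False
    if in_tag:
        unclosed += 1
    return unclosed


def strip_tags(value: str, max_unclosed: int = MAX_UNCLOSED_TAGS) -> str:
    """Remove complete HTML tags, rejecting input with too many unclosed '<'.

    The cheap O(n) check runs first, so pathological input is refused
    instead of being handed to the regex. A trailing run of unclosed '<'
    can never form a tag and is left in place.
    """
    if count_unclosed_open_tags(value) > max_unclosed:
        raise SuspiciousOperation("too many unclosed opening tags")
    return _TAG_RE.sub("", value)


def rejects(value: str, max_unclosed: int = MAX_UNCLOSED_TAGS) -> bool:
    """Return True if strip_tags() refuses this input (for checks/tests)."""
    try:
        strip_tags(value, max_unclosed)
    except SuspiciousOperation:
        return True
    return False
```

Normal markup passes through unchanged in behaviour; an input built from a long run of bare '<' (the pattern the changelog describes) is rejected once the count exceeds the cap.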
