-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Jun 2025 08:21:53 -0700
Source: python-django
Architecture: source
Version: 3:4.2.22-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1107282
Changes:
 python-django (3:4.2.22-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2025-48432: Potential log injection via unescaped request path.
 .
       Django's internal HTTP response logging used request.path directly,
       allowing control characters (e.g. newlines or ANSI escape sequences) to
       be written unescaped into logs. This could enable log injection or
       forgery, letting attackers manipulate log appearance or structure,
       especially in logs processed by external systems or viewed in terminals.
 .
       Although this does not directly impact Django's security model, it poses
       risks when logs are consumed or interpreted by other tools. To fix this,
       the internal django.utils.log.log_response() function now escapes all
       positional formatting arguments using a safe encoding.
 .
       (Closes: #1107282)
 .
     <https://www.djangoproject.com/weblog/2025/jun/04/security-releases/>
Checksums-Sha1:
 85373c92455f7b2b11112a3f5b100bded36e9d33 2790 python-django_4.2.22-1.dsc
 9311aafa19c03378cbf0d9758b80cb458bccf87f 10427236 python-django_4.2.22.orig.tar.gz
 2336441fbf39d74df12e855a931fa0cd6320ef30 33828 python-django_4.2.22-1.debian.tar.xz
 e2b83b1f6ef6e70f1e60c55887dfbb479712ddf5 9401 python-django_4.2.22-1_source.buildinfo
Checksums-Sha256:
 77bbbe2bafbe4e6c3d36d83602a11bd6f1d807be1612f1d4799b20f98e166d2b 2790 python-django_4.2.22-1.dsc
 e726764b094407c313adba5e2e866ab88f00436cad85c540a5bf76dc0a912c9e 10427236 python-django_4.2.22.orig.tar.gz
 119116bb321db7db3ab59a7d6356ca35d72d2ff84ad251d9d38d7cf70378c7fc 33828 python-django_4.2.22-1.debian.tar.xz
 47c78490860dcaf51c6abefcb703c1ebaf0d711f3b502a1309a1f7f129576a0c 9401 python-django_4.2.22-1_source.buildinfo
Files:
 d906238ee314208b7f107498b0998cef 2790 python optional python-django_4.2.22-1.dsc
 129ec31e2b5b48daf6ad33380a2da976 10427236 python optional python-django_4.2.22.orig.tar.gz
 6add58e41a5aad5e62a853de54f3083a 33828 python optional python-django_4.2.22-1.debian.tar.xz
 e2606c7f323052c5465b78185263a0eb 9401 python optional python-django_4.2.22-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmhAtL4ACgkQHpU+J9Qx
Hlh+4A/8CUBg+ioshGRbT7L38s4lVjzzbxDSWASq8vp3b88FoeQlV/+gAdBdlCAQ
7cWVXQN6DUibOHuLh49/zqIH8yeQ6eXkU3n8zTjqlWDB1oS2mE+f+alx21GXaDoT
II/NST+XpCKkitvnZObK6z2njFiGStpy8PaOPa3nr3zb99Ai3lOr699aJ1eD3BS8
rMP/0+f5a8jqazvgEDQqdz08mP5VAGyVDIenHZZpeqxt401u0lJiEy8ppcKiGFax
i/n1N1tXCEYwgJWV9iOCV0pTrLbd18rIcFyG/PdEcpmOHShDenxMbt9Zg7H5VvsS
2tiw1ISVKTIJqxfdwY9qu3i+svaokfg99ggIRzM9Za15ZHxzMWu1SWziioP+1J/2
HExJ5BSWwzsdoKzUtlZCGQyGtx+JQtheM+hEA8qL/KYlcDDsXr3iug1VTiqmcTD+
dAAa+K/reKJxMZnqH+HdruvPUD/utzN0a0NLfBkQbrKxT9qWNk2DfKLKGBMT1nnU
HXJRxEQ9a9tqYOd6BAoNM4hxmQTu9LgO5MIHbSadWBVa/WH9+JxhAXEdcuXgswSP
xUdqNIVKJwSLb5PJtIdCyxqeLam1BeEbQFmEMe16B7AsCFjOkMRGnJL47umWBkwi
DBj4Hj04WYLZOv6SPFkkDj3RN+BSHWwjsVZonLqf2/Ojmq6xfEQ=
=GY8+
-----END PGP SIGNATURE-----
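The log injection the changelog above describes, shown as an added, stand-alone example (this is not Django's code and not part of the .changes file). The log_response() here is a hypothetical stand-in modelled on the "%s: %s" reason/path message the advisory refers to; the vulnerable path passes the request path into the log record verbatim, the fixed path escapes every positional argument first. The changelog only says "a safe encoding", so unicode_escape is this example's assumption for that encoding. The request path is a constructed payload with a CRLF and an ANSI clear-screen sequence, chosen to forge a second log line and to hit a terminal viewer.

```python
import io
import logging

# Constructed attacker-controlled request path (not from the advisory):
# a CRLF to forge a second log line, then an ANSI "clear screen" sequence
# that a terminal would honour when the log is tailed.
FORGED_PATH = "/login\r\nWARNING:django.request:Not Found: /admin\x1b[2J"


def escape_args(args):
    """Escape every positional formatting argument so control characters
    become their backslash spellings.  unicode_escape is this example's
    choice of "safe encoding"; the changelog does not name one."""
    return tuple(
        a.encode("unicode_escape").decode("ascii") if isinstance(a, str) else a
        for a in args
    )


def log_response(logger, message, *args, escape):
    """Hypothetical stand-in for django.utils.log.log_response().

    escape=False reproduces the pre-4.2.22 behaviour: args reach the log
    record unchanged.  escape=True applies the fix: args are escaped before
    the record is built, so the formatter never sees raw control characters.
    """
    if escape:
        args = escape_args(args)
    logger.warning(message, *args)


def render_log(path, escape):
    """Emit one "Not Found: <path>" record and return the captured log text."""
    stream = io.StringIO()
    logger = logging.getLogger("example.%s" % ("fixed" if escape else "vuln"))
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s:%(name)s:%(message)s"))
    logger.addHandler(handler)
    log_response(logger, "%s: %s", "Not Found", path, escape=escape)
    logger.removeHandler(handler)
    return stream.getvalue()


def count_lines(text):
    """Number of physical log lines a consumer would see."""
    return len(text.splitlines())


def has_raw_control_chars(text):
    """Detection check for an existing log: any C0 control byte other than
    the line terminator and tab means an unescaped value got through."""
    return any(ord(c) < 0x20 and c not in "\n\t" for c in text.rstrip("\n"))


if __name__ == "__main__":
    vuln = render_log(FORGED_PATH, escape=False)
    fixed = render_log(FORGED_PATH, escape=True)
    print("vulnerable: %d lines, control chars: %s"
          % (count_lines(vuln), has_raw_control_chars(vuln)))
    print("fixed:      %d lines, control chars: %s"
          % (count_lines(fixed), has_raw_control_chars(fixed)))
    print(fixed, end="")
```

With escape=False the single request produces two log lines, the second one a forged "Not Found: /admin" entry followed by a live escape sequence; with escape=True the whole path stays on one line as `\r\n` and `\x1b[2J` spelled out in backslashes. has_raw_control_chars() is the kind of check to run over existing logs written by an unpatched deployment before trusting them in an investigation.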