-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Oct 2025 13:43:12 -0700
Source: python-django
Architecture: source
Version: 2:2.2.28-1~deb11u9
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1116979
Changes:
 python-django (2:2.2.28-1~deb11u9) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS security team. (Closes: #1116979)
   * CVE-2025-59681: Fix a potential SQL injection in QuerySet.annotate(),
     alias(), aggregate() and extra(). These methods were subject to SQL
     injection in column aliases, using a suitably crafted dictionary via
     dictionary expansion as the **kwargs passed to these methods on MySQL
     and MariaDB.
   * CVE-2025-59682: Fix a potential partial directory-traversal vulnerability
     in archive.extract(). This function, used by startapp --template and
     startproject --template, allowed partial directory-traversal via an
     archive with file paths sharing a common prefix with the target
     directory.
Checksums-Sha1:
 d8f5a3f7a8035f12075367a095f97a8599d750e1 2811 python-django_2.2.28-1~deb11u9.dsc
 0661bddaeca016d84abc4c808c1c677cd7d4aa7b 9187543 python-django_2.2.28.orig.tar.gz
 9660e5ca6b07d6fab6d9117c5354c758f2c83c7e 55248 python-django_2.2.28-1~deb11u9.debian.tar.xz
 da1c52c28449b0c5a320551701a304333e22cb46 6392 python-django_2.2.28-1~deb11u9_source.buildinfo
Checksums-Sha256:
 393e7227d68395cb1489403ba8a2e2383959865a62a0fddf804415ff4b6b002b 2811 python-django_2.2.28-1~deb11u9.dsc
 0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413 9187543 python-django_2.2.28.orig.tar.gz
 4033e1aa2e4d16351c1c6dfc09cd540bd96b34dff7ecb52ebdb9ebf77ddb4b45 55248 python-django_2.2.28-1~deb11u9.debian.tar.xz
 af792a491beecbe7cb61e4fd094d2af7b6816ed2874efd3bc852ef1c55c4f735 6392 python-django_2.2.28-1~deb11u9_source.buildinfo
Files:
 9df1a47ef1bc55d148f14072768f1390 2811 python optional python-django_2.2.28-1~deb11u9.dsc
 62550f105ef66ac7d08e0126f457578a 9187543 python optional python-django_2.2.28.orig.tar.gz
 015f08fcbfd1d8d18f27e2de5ccf3f1e 55248 python optional python-django_2.2.28-1~deb11u9.debian.tar.xz
 6a2ea46340ff12aaaab726c3f19823fe 6392 python optional python-django_2.2.28-1~deb11u9_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmjmkowACgkQHpU+J9Qx
HlhbqQ/+MC14E4ETxfGcyzLFV7gv2jydZek0PTtJKPjM2ozZvW9mJcCDirtlA193
HrhUfIcxxo/V3yBE5TQuiaN501fV9t2mICjod5o86BFkWAPMVaBGD+YmhaoMfqe5
4G52r65Hc6zT/ST9IrX+KCL47fr3x2cExX7zqgtE+7Dw9yo6DIw6PC63JRPBvXMZ
YYIs9nUqTi6MDxFeRZPKUR6kjvCHhBreIT0YFO+Wy8OgELdqLfNMibR+ZsR0XnON
p7zaOCREodnDwkOc4+6goAxukGdEwaRP3kBpsjDQ/7SgXvZQO93esRKBi40l16FN
FWX9EX2KJ7ad8o8Q60gwHnZrTwVfl8NT7m5IDxIoOkKsVwovVr2xabavOJaDa/Gl
XzLJZQspKgTA7UWBpih1d3iAXaDD9j4ACxubfxEbtdBJyTtC9qrsEGDhKLXrSaFR
bIsqa8f24crdLb9E6hAli7C3NuzZhglmM/1j/f0+BwrubPO0C697mgir4S5kIqBV
FGjdndZXP7rkdsdzpozNLECE/Zhjk6JULAJQD8BtcS5TMw2D08L7wRVSELbJJbYG
hNiGmBgBGIAbJEZPdnAN+/vwwv/5WFTlEftRENaa8jTNqYlhuYrL9PLOSeBju3NS
ZlvStcprN4nWZBkJysgqglCk6+hEvIx/lO/ksn2aWSsbE19wvjs=
=vgvC
-----END PGP SIGNATURE-----
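The CVE-2025-59682 entry above describes a "common prefix" directory-traversal: a containment check that compares path strings lets an archive member resolve into a sibling directory whose name merely extends the target directory's name. The following is an added illustration of that bug class and of the hardened check a defender would want; it is not Django's archive.extract() code and does not claim to reproduce the upstream fix. The target directory, the member names and the function names are constructed for the example.

```python
import os

# Constructed sample: a target directory and three archive member names.
# None of these exist on disk; the checks work on resolved path strings only.
TARGET_DIR = "/srv/myapp"
SAMPLE_MEMBERS = [
    "myapp/models.py",              # legitimate member inside the target
    "../myapp_evil/settings.py",    # resolves to a sibling sharing the prefix "/srv/myapp"
    "../../etc/passwd",             # classic traversal, caught by both checks
]


def resolve_member(target_dir: str, member: str) -> tuple[str, str]:
    """Return (absolute target, absolute resolved member path)."""
    target = os.path.abspath(target_dir)
    resolved = os.path.abspath(os.path.join(target, member))
    return target, resolved


def prefix_check(target_dir: str, member: str) -> bool:
    """Weak containment check: plain string prefix comparison.

    '/srv/myapp_evil/settings.py'.startswith('/srv/myapp') is True, so a
    member that lands in a sibling directory sharing the prefix is accepted.
    """
    target, resolved = resolve_member(target_dir, member)
    return resolved.startswith(target)


def commonpath_check(target_dir: str, member: str) -> bool:
    """Hardened containment check on path components.

    The resolved member must be the target directory itself or one of its
    descendants; os.path.commonpath compares whole components, so a sibling
    directory with a longer name is rejected.
    """
    target, resolved = resolve_member(target_dir, member)
    try:
        return os.path.commonpath([target, resolved]) == target
    except ValueError:
        # Raised when the paths share no root (e.g. different drives); not contained.
        return False


def classify_members(target_dir: str, members: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each member name to (accepted_by_prefix_check, accepted_by_commonpath_check)."""
    return {m: (prefix_check(target_dir, m), commonpath_check(target_dir, m)) for m in members}


if __name__ == "__main__":
    for member, (weak, hardened) in classify_members(TARGET_DIR, SAMPLE_MEMBERS).items():
        print(f"{member!r:32} prefix_check={weak!s:5} commonpath_check={hardened}")
```

The member `../myapp_evil/settings.py` is the interesting row: the prefix check accepts it because the resolved path begins with the target string, while the component-wise check rejects it. When reviewing or writing an extractor, reject any member that fails the component-wise check before writing anything to disk, and apply the same check to symlink targets if the archive format carries them.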