-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 02 Dec 2025 11:34:10 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.27-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1121788
Changes:
 python-django (3:4.2.27-1) unstable; urgency=medium
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2025/dec/02/security-releases/>
 .
     - CVE-2025-13372: Fix a potential SQL injection attack in
       FilteredRelation column aliases when using PostgreSQL.
       FilteredRelation was subject to SQL injection in column aliases via a
       suitably crafted dictionary as the **kwargs passed to
       QuerySet.annotate() or QuerySet.alias().
 .
     - CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
       XML serializer text extraction. An algorithmic complexity issue in
       django.core.serializers.xml_serializer.getInnerText() allowed a remote
       attacker to cause a potential denial-of-service triggering CPU and
       memory exhaustion via a specially crafted XML input submitted to a
       service that invokes XML Deserializer. The vulnerability resulted from
       repeated string concatenation while recursively collecting text nodes,
       which produced superlinear computation.
 .
     (Closes: #1121788))
 .
   * Mark that Python 3.14 is not supported yet.