Format: 1.8
Date: Mon, 29 Dec 2025 12:30:21 -0800
Source: python-django
Architecture: source
Version: 2:2.2.28-1~deb11u10
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1121788
Changes:
 python-django (2:2.2.28-1~deb11u10) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS security team.
   * CVE-2025-64459: Prevent a potential SQL injection via _connector
     keyword argument in QuerySet/Q objects. The methods QuerySet
     filter(), exclude() and get() as well as the Q() class were subject
     to SQL injection when using a suitably crafted dictionary as the
     _connector argument.
   * CVE-2025-64460: Prevent a potential denial-of-service vulnerability
     in XML serializer text extraction. An algorithmic complexity issue
     in django.core.serializers.xml_serializer.getInnerText() allowed a
     remote attacker to cause a potential denial-of-service triggering
     CPU and memory exhaustion via a specially crafted XML input
     submitted to a service that invokes XML Deserializer. The
     vulnerability resulted from repeated string concatenation while
     recursively collecting text nodes, which produced superlinear
     computation. (Closes: #1121788)
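An added example, not Django's or this upload's own code, of the text-extraction pattern the CVE-2025-64460 entry describes: `inner_text_concat` rebuilds the whole subtree string at every recursion level, `inner_text_join` collects fragments once, and both report how many characters they copied so the cost difference is measurable on a constructed nested document (function names and the sample input are assumptions of this example).

```python
"""Added example (not Django's code): quadratic vs. linear inner-text
extraction over a minidom tree, with a copy counter to expose the cost."""
from xml.dom import minidom

_TEXT_TYPES = (minidom.Node.TEXT_NODE, minidom.Node.CDATA_SECTION_NODE)


def inner_text_concat(node):
    """Returns (text, chars_copied). Each level concatenates its child's
    entire subtree text onto its own result, so a leaf buried d levels
    deep is written about d times: cost grows with size times depth."""
    text, copied = "", 0
    for child in node.childNodes:
        if child.nodeType in _TEXT_TYPES:
            piece, sub = child.data, 0
        elif child.nodeType == minidom.Node.ELEMENT_NODE:
            piece, sub = inner_text_concat(child)
        else:
            continue
        text = text + piece          # allocates a new string of the full length
        copied += len(text) + sub    # characters written here plus in the subtree
    return text, copied


def inner_text_join(node):
    """Same result; every fragment is appended once and the characters are
    written once by the single final join."""
    fragments = []

    def collect(n):
        for child in n.childNodes:
            if child.nodeType in _TEXT_TYPES:
                fragments.append(child.data)
            elif child.nodeType == minidom.Node.ELEMENT_NODE:
                collect(child)

    collect(node)
    text = "".join(fragments)
    return text, len(text)


def nested_doc(depth, leaf="x" * 100):
    """Constructed sample input: <a><a>...<a>leaf</a>...</a></a>, `depth` deep."""
    xml = "<a>" * depth + leaf + "</a>" * depth
    return minidom.parseString(xml).documentElement


if __name__ == "__main__":
    for depth in (1, 10, 100):
        root = nested_doc(depth)
        print(depth, inner_text_concat(root)[1], inner_text_join(root)[1])
```

Both functions return identical text; only the copy count differs, which is the property the fix in this upload restores for getInnerText().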