-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 22 Jan 2026 14:39:14 -0800
Source: python-django
Architecture: source
Version: 2:2.2.28-1~deb11u11
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Changes:
 python-django (2:2.2.28-1~deb11u11) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS security team.
   * CVE-2024-39614: Fix a potential denial-of-service in
     django.utils.translation.get_supported_language_variant. This method
     was subject to a potential DoS attack when used with very long strings
     containing specific characters. To mitigate this vulnerability, the
     language code provided to get_supported_language_variant is now parsed
     up to a maximum length of 500 characters.
   * CVE-2024-45231: Potential user email enumeration via response status on
     password reset. Due to unhandled email sending failures, the
     django.contrib.auth.forms.PasswordResetForm class allowed remote
     attackers to enumerate user emails by issuing password reset requests
     and observing the outcomes. To mitigate this risk, exceptions occurring
     during password reset email sending are now handled and logged using
     the django.contrib.auth logger.
   * CVE-2024-42005: Potential SQL injection in QuerySet.values() and
     values_list(). QuerySet.values() and values_list() methods on models
     with a JSONField are subject to SQL injection in column aliases via a
     crafted JSON object key as a passed *arg.
   * CVE-2024-41991: Potential denial-of-service vulnerability in
     django.utils.html.urlize() and AdminURLFieldWidget. The urlize and
     urlizetrunc template filters, and the AdminURLFieldWidget widget, are
     subject to a potential denial-of-service attack via certain inputs with
     a very large number of Unicode characters.
   * CVE-2024-39329: Avoid a username enumeration vulnerability through a
     timing difference for users with unusable passwords. The authenticate
     method of django.contrib.auth.backends.ModelBackend allowed remote
     attackers to enumerate users via a timing attack involving login
     requests for users with unusable passwords.
   * CVE-2024-41989: Memory exhaustion in django.utils.numberformat. The
     floatformat template filter is subject to significant memory
     consumption when given a string representation of a number in
     scientific notation with a large exponent.
   * CVE-2024-39330: Address a potential directory-traversal in
     django.core.files.storage.Storage.save. Derived classes of this
     method's base class which override generate_filename without
     replicating the file path validations existing in the parent class
     allowed for potential directory-traversal via certain inputs when
     calling save(). Built-in Storage sub-classes were not affected by this
     vulnerability.
   * The fix for CVE-2025-6069 in the python3.9 source package (released as
     part of a suite of updates in DLA 4445-1) modified the
     html.parser.HTMLParser class in such a way that it changed the behaviour
     of Django's strip_tags() method in some edge cases that were tested by
     Django's testsuite. As a result of this regression, update the
     testsuite for the new expected results.
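As an added illustration of the CVE-2024-45231 item above (this is not Django's code): the view, the failing mail backend and the in-memory log handler are constructed stand-ins for PasswordResetForm, the mail backend and the django.contrib.auth logger. The vulnerable path turns a mail-sending failure into a different response for known addresses; the hardened path logs the failure and answers identically either way.

```python
import logging

logger = logging.getLogger("auth.password_reset")   # stands in for django.contrib.auth
logger.setLevel(logging.WARNING)


class ListHandler(logging.Handler):
    """Captures log records so the outcome of a request can be inspected."""
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


handler = ListHandler()
logger.addHandler(handler)

KNOWN_EMAILS = {"alice@example.org"}                 # constructed user table


def send_reset_mail(email: str) -> None:
    raise ConnectionError("SMTP relay unavailable")  # constructed mail backend failure


def reset_view_vulnerable(email: str, send=send_reset_mail) -> int:
    if email in KNOWN_EMAILS:
        send(email)                 # error propagates: only known emails trigger it
    return 200


def reset_view_hardened(email: str, send=send_reset_mail) -> int:
    if email in KNOWN_EMAILS:
        try:
            send(email)
        except Exception:
            logger.exception("Failed to send password reset email to %s", email)
    return 200                      # same response whether or not the email is known


def observed_status(view, email: str) -> int:
    """What a remote client sees: the view's status, or 500 if it raised."""
    try:
        return view(email)
    except Exception:
        return 500


def logged_failures() -> int:
    """Number of send failures recorded with a traceback (operators still see them)."""
    return sum(1 for r in handler.records if r.levelno >= logging.ERROR and r.exc_info)
```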
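An added model of the CVE-2024-39329 item above, not Django's ModelBackend code: the user table, the "!" unusable-password marker, the PBKDF2 parameters and the call counter are all constructed. The counter records how many times the slow hasher runs per login attempt, which is the signal an observer measures as response time; the hardened variant makes every failing path cost the same one hash.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000        # constructed: low enough for the example to run fast
UNUSABLE_PREFIX = "!"      # constructed marker for "this account has no usable password"
hash_calls = 0             # how often the slow hasher ran; a proxy for response time

def slow_hash(password: str, salt: bytes) -> str:
    """The expensive step whose presence or absence an observer can time."""
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def encode(password: str) -> str:
    salt = os.urandom(16)
    return salt.hex() + "$" + slow_hash(password, salt)

# Constructed user table: one normal account, one with an unusable password.
USERS = {"alice": encode("correct horse"), "svc-import": UNUSABLE_PREFIX + "x" * 16}

def verify(password: str, encoded: str) -> bool:
    salt_hex, digest_hex = encoded.split("$")
    return hmac.compare_digest(slow_hash(password, bytes.fromhex(salt_hex)), digest_hex)

def authenticate_vulnerable(username: str, password: str) -> bool:
    encoded = USERS.get(username)
    if encoded is None:
        slow_hash(password, b"dummy-salt")   # unknown user: still burn one hash
        return False
    if encoded.startswith(UNUSABLE_PREFIX):
        return False                          # unusable password: returns instantly
    return verify(password, encoded)

def authenticate_hardened(username: str, password: str) -> bool:
    encoded = USERS.get(username)
    if encoded is None or encoded.startswith(UNUSABLE_PREFIX):
        slow_hash(password, b"dummy-salt")   # every failing path costs one hash
        return False
    return verify(password, encoded)

def hash_calls_for(authenticate, username: str, password: str = "guess") -> int:
    """Count hasher runs for one login attempt; equal counts mean no timing oracle."""
    global hash_calls
    hash_calls = 0
    authenticate(username, password)
    return hash_calls
```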
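An added example for the CVE-2024-39330 item above; this is a constructed miniature, not django.core.files.storage, and the validate_file_name, SuspiciousFileOperation and PrefixedStorage names are stand-ins for the corresponding Django concepts. It shows why save() must validate whatever generate_filename() returns rather than trusting the subclass to have done so.

```python
import os
import tempfile

class SuspiciousFileOperation(Exception):
    """Raised when a file name would escape the storage root."""

def validate_file_name(name: str) -> str:
    """Allow only a relative path whose segments are plain names."""
    if not name or name.startswith(("/", "\\")) or os.path.isabs(name):
        raise SuspiciousFileOperation(f"absolute or empty path: {name!r}")
    if any(part in ("", ".", "..") for part in name.replace("\\", "/").split("/")):
        raise SuspiciousFileOperation(f"path traversal detected: {name!r}")
    return name

class Storage:
    def __init__(self, root: str):
        self.root = os.path.realpath(root)

    def generate_filename(self, name: str) -> str:
        return validate_file_name(name)          # the base class validates here

    def save(self, name: str, content: bytes) -> str:
        name = self.generate_filename(name)
        # Validate the returned name too: a subclass override may skip the check.
        validate_file_name(name)
        full = os.path.realpath(os.path.join(self.root, name))
        if os.path.commonpath([self.root, full]) != self.root:  # second line of defence
            raise SuspiciousFileOperation(f"resolved outside root: {full!r}")
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        return name

class PrefixedStorage(Storage):
    """Constructed subclass that drops the parent's validation, as the CVE describes."""
    def generate_filename(self, name: str) -> str:
        return "uploads/" + name                 # no validate_file_name() call

def demo() -> dict:
    """Save a few constructed names into a temp root; report saved/rejected per name."""
    storage = PrefixedStorage(tempfile.mkdtemp())
    outcomes = {}
    for name in ("report.txt", "2026/01/report.txt", "../escape.txt", "a/../../escape.txt"):
        try:
            storage.save(name, b"constructed content")
            outcomes[name] = "saved"
        except SuspiciousFileOperation:
            outcomes[name] = "rejected"
    return outcomes
```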
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----