-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Feb 2026 07:50:22 -0800
Source: python-django
Architecture: source
Version: 3:4.2.28-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1126914
Changes:
 python-django (3:4.2.28-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2025-13473: The check_password function in
       django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi
       allowed remote attackers to enumerate users via a timing attack.
 .
     - CVE-2025-14550: ASGIRequest allowed a remote attacker to cause a
       potential denial-of-service via a crafted request with multiple
       duplicate headers.
 .
     - CVE-2026-1207: Raster lookups on RasterField (only implemented on
       PostGIS) allowed remote attackers to inject SQL via the band index
       parameter.
 .
     - CVE-2026-1285: The django.utils.text.Truncator.chars() and
       Truncator.words() methods (with html=True) and the truncatechars_html
       and truncatewords_html template filters allowed a remote attacker to
       cause a potential denial-of-service via crafted inputs containing a
       large number of unmatched HTML end tags.
 .
     - CVE-2026-1287: FilteredRelation was subject to SQL injection in column
       aliases via control characters using a suitably crafted dictionary,
       with dictionary expansion, as the **kwargs passed to QuerySet methods
       annotate(), aggregate(), extra(), values(), values_list() and alias().
 .
     - CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in
       column aliases containing periods when the same alias is, using a
       suitably crafted dictionary, with dictionary expansion, used in
       FilteredRelation.
 .
     <https://www.djangoproject.com/weblog/2026/feb/03/security-releases/>
 .
     (Closes: #1126914)
 .
   * Drop debian/patches/test-strip-tags-incomplete-entities.patch; applied
     upstream.
   * Refresh patches.
   * Bump Standards-Version to 4.7.3.
Checksums-Sha1:
 c8d1c909ecafe9fa50565cbffe974046abf74a21 2790 python-django_4.2.28-1.dsc
 e0a589cf92e1887d55cd2b02071aa0383615cc2c 10464933 python-django_4.2.28.orig.tar.gz
 84c14096fae92f34c4c23be77f8fb80eaa48cc6a 37332 python-django_4.2.28-1.debian.tar.xz
 c27bdf9743f0a97a427ec9000339dd5137cd268c 6625 python-django_4.2.28-1_source.buildinfo
Checksums-Sha256:
 7c98fa9646b92e357ed97326731263ad4e2db237d65dd71e59d606c303cbad15 2790 python-django_4.2.28-1.dsc
 a4b9cd881991add394cafa8bb3b11ad1742d1e1470ba99c3ef53dc540316ccfe 10464933 python-django_4.2.28.orig.tar.gz
 920020f21b1c6d392737ce6dd6923f5fbc9088f7bc6c7a509476f564b8543dd8 37332 python-django_4.2.28-1.debian.tar.xz
 0bb656ef07509e78fb3614d51e84b71ba4e89d1da229fa388353dd7849f3f85c 6625 python-django_4.2.28-1_source.buildinfo
Files:
 16b05b8a8a20458d9476485cf25bafc6 2790 python optional python-django_4.2.28-1.dsc
 7c9bf3734061c4b22bdf4d922308fe62 10464933 python optional python-django_4.2.28.orig.tar.gz
 50825c15caf1b60b46912dc5cfbda4a8 37332 python optional python-django_4.2.28-1.debian.tar.xz
 d8e366544b6c17d3f5f8a5c3c3738756 6625 python optional python-django_4.2.28-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmmE0zIACgkQHpU+J9Qx
Hlhaaw/7Bef/DNrAtAf6zKDRVxR2fQzf7hn2E5kwp/b8oAKNG54NLawqUogh+AI1
nGRQvLSv5GKjQR9AmvkSFxijS2Ex5iD74i4mPhFNUydgRuGtm71TtxgMLUzI0JEg
a1OGs7TnCJhDN3nNzPvZ1/BmTUfU6aDiees26ityccASiCvvsC9t43In/7iU1jvG
kwjyfWV/1OTfX4//KiykkvBRU1DT+qjeCO672A//lLraBXtQoH3Pl4lxlJR0Yguk
jP96iExleADXN026kSf6oz75BUF6OfoMBq5ZJASwRpmkRLEHbQL8w1ayIH5tPV2a
j6Sy0tyTYRDfl9/l3/qXgLdeBdVHct71v3tdW8+obV/DGVwHiW/ygQ9NyTtP5U3f
To3czVFO1GeBbf3DBfb0XHXgeFKUtoZv/AWAOMWEQXhwJJYYb7fnhMIARxrx43a3
fJ8rU3HX1lXgEifxghzJxtsMxZGFpBasjjY4SYuTyT27Tn0NklFOwbEwveExprFg
gUZ4Chm8MVsZGgeLGTZx/QD5apxGkZ7Q5SHZZJI0RCXIFlngs4YrYdZWTPZrzsjo
pm8QrfDSYtzt6fz9j6Su1qemm2Ido35gAxjs1caUx9knpjA1OobtjaLetEyHMR2r
Nxqp0Mj6P9NhtIPD7JNnUQy5smYX/PXaw1vDl06akR+HaMVHH5k=
=B/TQ
-----END PGP SIGNATURE-----