Format: 1.8
Date: Tue, 03 Feb 2026 14:17:55 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:6.0.2-1
Distribution: experimental
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1126914
Changes:
 python-django (3:6.0.2-1) experimental; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2025-13473: The check_password function in
       django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi
       allowed remote attackers to enumerate users via a timing attack.
 .
     - CVE-2025-14550: ASGIRequest allowed a remote attacker to cause a
       potential denial-of-service via a crafted request with multiple
       duplicate headers.
 .
     - CVE-2026-1207: Raster lookups on RasterField (only implemented on
       PostGIS) allowed remote attackers to inject SQL via the band index
       parameter.
 .
     - CVE-2026-1285: The django.utils.text.Truncator.chars() and
       Truncator.words() methods (with html=True) and the truncatechars_html
       and truncatewords_html template filters allowed a remote attacker to
       cause a potential denial-of-service via crafted inputs containing a
       large number of unmatched HTML end tags.
 .
     - CVE-2026-1287: FilteredRelation was subject to SQL injection in column
       aliases via control characters using a suitably crafted dictionary,
       with dictionary expansion, as the **kwargs passed to QuerySet methods
       annotate(), aggregate(), extra(), values(), values_list() and alias().
 .
     - CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in
       column aliases containing periods when the same alias is, using a
       suitably crafted dictionary, with dictionary expansion, used in
       FilteredRelation.
 .
     <https://www.djangoproject.com/weblog/2026/feb/03/security-releases/>
 .
     (Closes: #1126914)
 .
   * Bump Standards-Version to 4.7.3.
Checksums-Sha1:
 4b3a96e9f5b29c198e66a2db9fce7d84f740c172 2783 python-django_6.0.2-1.dsc
 350bfde2ee630b03dde6daf87ad06fac7a8a5642 10886874 python-django_6.0.2.orig.tar.gz
 8037da154347c23540116319f0221b118991cec2 31064 python-django_6.0.2-1.debian.tar.xz
 81a340c640bd65f1041e6ea79ea0658a8c24be0c 8268 python-django_6.0.2-1_amd64.buildinfo
Checksums-Sha256:
 209b13bd88342561728fbf94026179e7c7791f3f6171196538cdf5ae300db366 2783 python-django_6.0.2-1.dsc
 3046a53b0e40d4b676c3b774c73411d7184ae2745fe8ce5e45c0f33d3ddb71a7 10886874 python-django_6.0.2.orig.tar.gz
 1fa5e3177973bb6888baaa6a70dc10e4df911d586d4468ab73d781d30e85bcce 31064 python-django_6.0.2-1.debian.tar.xz
 42554ee304060d9593f386ebbbdaf42a172f2d3e45b52389439000809e03ba37 8268 python-django_6.0.2-1_amd64.buildinfo
Files:
 1b4ec43e51578d82f3e0d8002346b641 2783 python optional python-django_6.0.2-1.dsc
 0836ceb8f1f4694f87f0a698c64bd00e 10886874 python optional python-django_6.0.2.orig.tar.gz
 afb9b555347485ab1b4bea4bf3e48c25 31064 python optional python-django_6.0.2-1.debian.tar.xz
 609d07970fdd6200b5bb98b3f7583cfb 8268 python optional python-django_6.0.2-1_amd64.buildinfo