Format: 1.8
Date: Wed, 18 Feb 2026 12:34:40 -0800
Source: python-django
Architecture: source
Version: 2:2.2.28-1~deb11u12
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Changes:
 python-django (2:2.2.28-1~deb11u12) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS security team.
   * CVE-2025-13473: The check_password function in
     django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi
     allowed remote attackers to enumerate users via a timing attack.
   * CVE-2026-1207: Raster lookups on RasterField (only implemented on
     PostGIS) allowed remote attackers to inject SQL via the band index
     parameter.
   * CVE-2026-1285: The django.utils.text.Truncator.chars() and
     Truncator.words() methods (with html=True) and the truncatechars_html
     and truncatewords_html template filters allowed a remote attacker to
     cause a potential denial-of-service via crafted inputs containing a
     large number of unmatched HTML end tags.
   * CVE-2026-1287: FilteredRelation was subject to SQL injection in column
     aliases via control characters using a suitably crafted dictionary,
     with dictionary expansion, as the **kwargs passed to QuerySet methods
     annotate(), aggregate(), extra(), values(), values_list() and alias().
   * CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in
     column aliases containing periods when the same alias is, using a
     suitably crafted dictionary, with dictionary expansion, used in
     FilteredRelation.
   * The fix for CVE-2025-6069 in the python3.9 source package (released as
     part of a suite of updates in DLA 4445-1) modified the
     html.parser.HTMLParser class in a way that changed the behaviour of
     Django's strip_tags() method in some edge cases tested by Django's
     testsuite. As a result of this regression, update the testsuite for
     the new expected results.
   * Fix a merge issue in a previously-released test for CVE-2025-57833,
     where one test was harmlessly masking another.