Accepted python-django 3:3.2.25-0+deb12u1 (source) into oldstable-proposed-updates

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 27 Jan 2026 11:16:59 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:3.2.25-0+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1051226 1099682 1113865
Changes:
 python-django (3:3.2.25-0+deb12u1) bookworm-security; urgency=high
 .
   * Update to upstream's last 3.2 series release:
 .
     - CVE-2023-41164: Potential denial of service vulnerability in
       django.utils.encoding.uri_to_iri().
 .
       This method was subject to potential denial of service attack via certain
       inputs with a very large number of Unicode characters. This fix was
       released in Django 3.2.21. (Closes: #1051226)
 .
     - CVE-2023-43665: Address a denial-of-service possibility in
       django.utils.text.Truncator.
 .
       Following the fix for CVE-2019-14232, the regular expressions used in the
       implementation of django.utils.text.Truncator’s chars() and words()
       methods (with html=True) were revised and improved. However, these
       regular expressions still exhibited linear backtracking complexity, so
       when given a very long, potentially malformed HTML input, the evaluation
       would still be slow, leading to a potential denial of service
       vulnerability.
 .
       The chars() and words() methods are used to implement the
       truncatechars_html and truncatewords_html template filters, which were
       thus also vulnerable.
 .
       The input processed by Truncator, when operating in HTML mode, has been
       limited to the first five million characters in order to avoid potential
       performance and memory issues. This fix was included in Django 3.2.22.
 .
     - CVE-2024-24680: Potential denial-of-service in intcomma template filter.
       The intcomma template filter was subject to a potential denial-of-service
       attack when used with very long strings. This fix was included in Django
       3.2.24.
 .
     - CVE-2024-27351: Fix a potential regular expression denial-of-service
       (ReDoS) attack in django.utils.text.Truncator.words. This method
       (with html=True) and the truncatewords_html template filter were subject
       to a potential regular expression denial-of-service attack via a suitably
       crafted string. This is, in part, a follow up to CVE-2019-14232 and
       CVE-2023-43665, and was included in Django 3.2.25.
 .
   * Drop debian/patches/CVE-2023-36053.patch now that we include the fix
     directly via 3.2.20.
 .
   * CVE-2024-39329: Avoid a username enumeration vulnerability through timing
     difference for users with unusable password. The authenticate method of
     django.contrib.auth.backends.ModelBackend method allowed remote attackers
     to enumerate users via a timing attack involving login requests for users
     with unusable passwords.
 .
   * CVE-2024-39330: Address a potential directory-traversal in
     django.core.files.storage.Storage.save. Derived classes of this method's
     base class which override generate_filename without replicating the file
     path validations existing in the parent class allowed for potential
     directory-traversal via certain inputs when calling save(). Built-in
     Storage sub-classes were not affected by this vulnerability.
 .
   * CVE-2024-39614: Fix a potential denial-of-service in
     django.utils.translation.get_supported_language_variant. This method was
     subject to a potential DoS attack when used with very long strings
     containing specific characters. To mitigate this vulnerability, the
     language code provided to get_supported_language_variant is now parsed up
     to a maximum length of 500 characters.
 .
   * CVE-2024-41989: Memory exhaustion in django.utils.numberformat. The
     floatformat template filter is subject to significant memory consumption
     when given a string representation of a number in scientific notation with
     a large exponent.
 .
   * CVE-2024-41991: Potential denial-of-service vulnerability in
     django.utils.html.urlize() and AdminURLFieldWidget. The urlize and
     urlizetrunc template filters, and the AdminURLFieldWidget widget, are
     subject to a potential denial-of-service attack via certain inputs with a
     very large number of Unicode characters.
 .
   * CVE-2024-42005: Potential SQL injection in QuerySet.values() and
     values_list(). QuerySet.values() and values_list() methods on models with a
     JSONField are subject to SQL injection in column aliases via a crafted JSON
     object key as a passed *arg.
 .
   * CVE-2024-45231: Potential user email enumeration via response status on
     password reset. Due to unhandled email sending failures, the
     django.contrib.auth.forms.PasswordResetForm class allowed remote attackers
     to enumerate user emails by issuing password reset requests and observing
     the outcomes. To mitigate this risk, exceptions occurring during password
     reset email sending are now handled and logged using the
     django.contrib.auth logger.
 .
   * CVE-2024-53907: Potential DoS in django.utils.html.strip_tags.
     The strip_tags() method and striptags template filter were subject to a
     potential denial-of-service attack via certain inputs containing large
     sequences of nested incomplete HTML entities.
 .
   * CVE-2024-56374: Potential denial-of-service vulnerability in IPv6
     validation. A lack of upper bound limit enforcement in strings passed when
     performing IPv6 validation could have led to a potential denial-of-service
     (DoS) attack. The undocumented and private functions clean_ipv6_address and
     is_valid_ipv6_address were vulnerable, as was the GenericIPAddressField
     form field, which has now been updated to define a max_length of 39
     characters. The GenericIPAddressField model field was not affected.
 .
   * CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
     column aliases when using PostgreSQL. FilteredRelation was subject to SQL
     injection in column aliases via a suitably crafted dictionary as the
     **kwargs passed to QuerySet.annotate() or QuerySet.alias().
 .
   * CVE-2025-26699: Address a potential denial-of-service in
     django.utils.text.wrap. The wrap() method and wordwrap template filter were
     subject to a potential denial-of-service attack when used with very long
     strings. (Closes: #1099682)
 .
   * CVE-2025-32873: Denial-of-service possibility in strip_tags()
     django.utils.html.strip_tags() would be slow to evaluate certain inputs
     containing large sequences of incomplete HTML tags. This function is used
     to implement the striptags template filter, which was therefore also
     vulnerable. strip_tags() now raises a SuspiciousOperation exception if it
     encounters an unusually large number of unclosed opening tags.
 .
   * CVE-2025-48432: Potential log injection via unescaped request path.
     Django's internal HTTP response logging used request.path directly,
     allowing control characters (e.g. newlines or ANSI escape sequences) to be
     written unescaped into logs. This could enable log injection or forgery,
     letting attackers manipulate log appearance or structure, especially in
     logs processed by external systems or viewed in terminals.  Although this
     does not directly impact Django's security model, it poses risks when logs
     are consumed or interpreted by other tools. To fix this, the internal
     django.utils.log.log_response() function now escapes all positional
     formatting arguments using a safe encoding.
 .
   * CVE-2025-57833: Potential SQL injection in FilteredRelation column
     aliases. The FilteredRelation feature in Django was subject to a potential
     SQL injection vulnerability in column aliases that was exploitable via
     suitably crafted dictionary with dictionary expansion as the **kwargs
     passed QuerySet.annotate() or QuerySet.alias(). (Closes: #1113865)
 .
   * CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(),
     aggregate() and extra() on MySQL and MariaDB. QuerySet.annotate(),
     QuerySet.alias(), QuerySet.aggregate() and QuerySet.extra() methods were
     subject to SQL injection in column aliases, using a suitably crafted
     dictionary with dictionary expansion as the **kwargs passed to these
     methods on MySQL and MariaDB.
 .
   * CVE-2025-59682: Potential partial directory-traversal via
     archive.extract(). The django.utils.archive.extract() function, used by
     startapp --template and startproject --template allowed partial
     directory-traversal via an archive with file paths sharing a common prefix
     with the target directory.
 .
   * CVE-2025-64459: Prevent a potential SQL injection via _connector keyword
     argument in QuerySet/Q objects. The methods QuerySet.filter(),
     QuerySet.exclude(), and QuerySet.get() and the class Q() were subject to
     SQL injection when using a suitably crafted dictionary (with dictionary
     expansion) as the _connector argument.
 .
   * CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
     XML serializer text extraction. An algorithmic complexity issue in
     django.core.serializers.xml_serializer.getInnerText() allowed a remote
     attacker to cause a potential denial-of-service triggering CPU and memory
     exhaustion via a specially crafted XML input submitted to a service that
     invokes XML Deserializer. The vulnerability resulted from repeated string
     concatenation while recursively collecting text nodes, which produced
     superlinear computation.
Checksums-Sha1:
 d72a19cf720cc19ae1d6f3c91baee611235525f8 2839 python-django_3.2.25-0+deb12u1.dsc
 a706db3607e3cc567ea4a172589f1360a614a6c6 9836336 python-django_3.2.25.orig.tar.gz
 862d8e6cff78ff225cdf2a18845a3344ba9091f6 59692 python-django_3.2.25-0+deb12u1.debian.tar.xz
 571ba182b124914be62097c3964347d25858def1 8575 python-django_3.2.25-0+deb12u1_amd64.buildinfo
Checksums-Sha256:
 17be5d5817085e73622e0f0561ecfd5d2f86a5f66cfa07c40892a7f9a978c067 2839 python-django_3.2.25-0+deb12u1.dsc
 7ca38a78654aee72378594d63e51636c04b8e28574f5505dff630895b5472777 9836336 python-django_3.2.25.orig.tar.gz
 389a8b7335db0c1633083ecb1973309e057d043665b215ca2283ad6056eb76b4 59692 python-django_3.2.25-0+deb12u1.debian.tar.xz
 1e56efd9ab7ca8844978f707c0292274f4eb2db5b5d8900986bb59e98a3d9140 8575 python-django_3.2.25-0+deb12u1_amd64.buildinfo
Files:
 38e4967b7933a9db365dd895d2adf59d 2839 python optional python-django_3.2.25-0+deb12u1.dsc
 a16a8c39121acf9a84433bf0c616d575 9836336 python optional python-django_3.2.25.orig.tar.gz
 7fae93c1a04d1a0bf0af05e58e61662d 59692 python optional python-django_3.2.25-0+deb12u1.debian.tar.xz
 b9b3dc1aa5bf65bf233ebfba7b996e0e 8575 python optional python-django_3.2.25-0+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmmOKV0ACgkQHpU+J9Qx
HlhHFBAAi18+4evUCoO964oTRV1jPLv4a2poQTLr7NtMFJXPSvH5BYJz1RY4KNyx
uTF8bUy2MMpJO2o5uj2S1/GN2e76O8lEmKeTveM8GNmwUOc8gh6LoiZe+tPOARj7
+3uE8yGYchrEHXBeynn+zu94zbx0ykGC3/mhVGpE0HLfqmebR2411Ejuf572URiC
ESY4qKKqG1bIli7rKJLfNrS10KYrX+E7nlkkRWZtBPfMVBtE74QZJVQFH/VqUtXk
0UBy8fdju9KVUGc6D0mtk7MX+OuhDX6WyY8EIUz6s/G7WBEJEA+pKLuc5g9bJeGF
EuqLLqfDF1d3UbVMOHkDtyCwipcC7dOla/ieL0NfcpOjdynhMzdsR3eBx0CSjRoX
1o2EnrLXKwalL+4GX5vfKU5GFeI3KyV1T3IrBJR7bKVpfUdoaXe8uFcT1RnI6c5R
uxaaFOTXUqolO6wjuRElFniLGB8teGBGkPXuyarhfMkq0j8aRkW28ZkskBQC+gaW
ArfYJmNatMYeRofsKSwo0GHJPcMfWHh1GLKjz5QLJ+EJWRbwEhqFS/vhRn6hYNgE
YfbB/W+HO0OnyaYyfSEzVy16d6RBH9KTsUkwv+Vbp3+YFiBC5yByrj8BAXkZZaB8
wZeUEYiNaFcTW0Z8z2NJpFJApVtCuWsqJrXa0OawV+YcAyimyoc=
=e+u2
-----END PGP SIGNATURE-----