Format: 1.8
Date: Mon, 23 Feb 2026 15:32:59 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:3.2.25-0+deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Changes:
 python-django (3:3.2.25-0+deb12u2) bookworm-security; urgency=high
 .
   * CVE-2025-13473: The check_password function in
     django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi
     allowed remote attackers to enumerate users via a timing attack.
   * CVE-2025-14550: ASGIRequest allowed a remote attacker to cause a
     potential denial-of-service via a crafted request with multiple
     duplicate headers.
   * CVE-2026-1207: Raster lookups on RasterField (only implemented on
     PostGIS) allowed remote attackers to inject SQL via the band index
     parameter.
   * CVE-2026-1285: The django.utils.text.Truncator.chars() and
     Truncator.words() methods (with html=True) and the truncatechars_html
     and truncatewords_html template filters allowed a remote attacker to
     cause a potential denial-of-service via crafted inputs containing a
     large number of unmatched HTML end tags.
   * CVE-2026-1287: FilteredRelation was subject to SQL injection in column
     aliases via control characters using a suitably crafted dictionary,
     with dictionary expansion, as the **kwargs passed to QuerySet methods
     annotate(), aggregate(), extra(), values(), values_list() and alias().
   * CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in
     column aliases containing periods when the same alias is, using a
     suitably crafted dictionary, with dictionary expansion, used in
     FilteredRelation.
Checksums-Sha1:
 d49279002dd94e22642b47d66a4db0baf8d6542c 2839 python-django_3.2.25-0+deb12u2.dsc
 a706db3607e3cc567ea4a172589f1360a614a6c6 9836336 python-django_3.2.25.orig.tar.gz
 ef3f36ada446a3d24e9b6bcf202f7619dd98a282 65924 python-django_3.2.25-0+deb12u2.debian.tar.xz
 461e61242bff26bb726166cc00d53e767935dcde 8575 python-django_3.2.25-0+deb12u2_amd64.buildinfo
Checksums-Sha256:
 cb8022a078887f32af5c62fc4f4253e8b2baf6e36b37dbe0f0271bb5ebea0acd 2839 python-django_3.2.25-0+deb12u2.dsc
 7ca38a78654aee72378594d63e51636c04b8e28574f5505dff630895b5472777 9836336 python-django_3.2.25.orig.tar.gz
 fc069926698ebea0f057c3d40803d9a7f9f7ccc5a5c51b6c34fcfb49deab5eec 65924 python-django_3.2.25-0+deb12u2.debian.tar.xz
 6bc274ae9dac8ed0cdd03a75efe47c212557a56eeb3859de59433bcf530ecbd4 8575 python-django_3.2.25-0+deb12u2_amd64.buildinfo
Files:
 45dc81ab8700ab0da92027c6da2effee 2839 python optional python-django_3.2.25-0+deb12u2.dsc
 a16a8c39121acf9a84433bf0c616d575 9836336 python optional python-django_3.2.25.orig.tar.gz
 058cfed9f26d0888ba2a38c03a187aa5 65924 python optional python-django_3.2.25-0+deb12u2.debian.tar.xz
 e6fae24c6c1aeb2f391eb44a9cfeec82 8575 python optional python-django_3.2.25-0+deb12u2_amd64.buildinfo