Format: 1.8
Date: Tue, 03 Mar 2026 09:45:28 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:6.0.3-1
Distribution: experimental
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1129595
Changes:
 python-django (3:6.0.3-1) experimental; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2026-25674: Potential incorrect permissions on newly created file
       system objects.
 .
       Django's file-system storage and file-based cache backends used the
       process umask to control permissions when creating directories. In
       multi-threaded environments, one thread's temporary umask change can
       affect other threads' file and directory creation, resulting in file
       system objects being created with unintended permissions. Django now
       applies the requested permissions via os.chmod() after os.mkdir(),
       removing the dependency on the process-wide umask.
 .
     - CVE-2026-25673: Potential denial-of-service vulnerability in URLField
       via Unicode normalization on Windows.
 .
       The django.forms.URLField form field's to_python() method used
       urllib.parse.urlsplit() to determine whether to prepend a URL scheme to
       the submitted value. On Windows, urlsplit() performs NFKC normalization
       (unicodedata.normalize), which can be disproportionately slow for large
       inputs containing certain characters.
 .
       URLField.to_python() now uses a simplified scheme detection, avoiding
       Unicode normalization entirely and deferring URL validation to the
       appropriate layers. As a result, while leading and trailing whitespace
       is still stripped by default, characters such as newlines, tabs, and
       other control characters within the value are no longer handled by
       URLField.to_python().
       When using the default URLValidator, these values will continue to
       raise ValidationError during validation, but if you rely on custom
       validators, ensure they do not depend on the previous behavior of
       URLField.to_python().
 .
       <https://www.djangoproject.com/weblog/2026/mar/03/security-releases/>
 .
     (Closes: #1129595)
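The CVE-2026-25674 mechanism, as an added illustration that is not Django's or Debian's own code: a second thread temporarily lowers the process-wide umask, and a directory created in that window inherits the narrower bits unless the creating code applies its requested mode with os.chmod() after os.mkdir(). It assumes a POSIX system (umask is per-process, not per-thread); all function names are invented for the demonstration.

```python
import os
import stat
import tempfile
import threading


def mkdir_umask_dependent(path, mode=0o755):
    """Pre-fix pattern: the effective mode is `mode` masked by the process umask."""
    os.mkdir(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def mkdir_explicit_mode(path, mode=0o755):
    """Fixed pattern: chmod after mkdir so the umask no longer decides the result."""
    os.mkdir(path, mode)
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def create_while_other_thread_holds_umask(create, mode=0o755, other_umask=0o077):
    """Run `create` on a fresh directory while a second thread has temporarily
    changed the process-wide umask (e.g. to write a private temp file).
    Returns the permission bits the directory actually ended up with."""
    target = os.path.join(tempfile.mkdtemp(), "storage")   # constructed scratch path
    umask_changed = threading.Event()
    mkdir_done = threading.Event()

    def other_thread():
        saved = os.umask(other_umask)   # umask is per-process, so this leaks to all threads
        umask_changed.set()
        mkdir_done.wait()
        os.umask(saved)

    worker = threading.Thread(target=other_thread)
    worker.start()
    umask_changed.wait()          # deterministic ordering: create only once the umask is narrowed
    try:
        return create(target, mode)
    finally:
        mkdir_done.set()
        worker.join()


if __name__ == "__main__":
    print(oct(create_while_other_thread_holds_umask(mkdir_umask_dependent)))  # 0o700
    print(oct(create_while_other_thread_holds_umask(mkdir_explicit_mode)))    # 0o755
```

The same check applies to any code that creates storage or cache directories in a multi-threaded server: the requested mode should be asserted on the created object, not inferred from the umask.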