-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Mar 2026 09:48:56 -0800
Source: python-django
Architecture: source
Version: 3:4.2.29-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1129595
Changes:
 python-django (3:4.2.29-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2026-25674: Potential incorrect permissions on newly created file
       system objects.
 .
       Django's file-system storage and file-based cache backends used the
       process umask to control permissions when creating directories. In
       multi-threaded environments, one thread's temporary umask change can
       affect other threads' file and directory creation, resulting in file
       system objects being created with unintended permissions. Django now
       applies the requested permissions via os.chmod() after os.mkdir(),
       removing the dependency on the process-wide umask.
 .
     - CVE-2026-25673: Potential denial-of-service vulnerability in URLField
       via Unicode normalization on Windows.
 .
       The django.forms.URLField form field's to_python() method used
       urllib.parse.urlsplit() to determine whether to prepend a URL scheme to
       the submitted value. On Windows, urlsplit() performs NFKC normalization
       (unicodedata.normalize), which can be disproportionately slow for large
       inputs containing certain characters.
 .
       URLField.to_python() now uses a simplified scheme detection, avoiding
       Unicode normalization entirely and deferring URL validation to the
       appropriate layers. As a result, while leading and trailing whitespace
       is still stripped by default, characters such as newlines, tabs, and
       other control characters within the value are no longer handled by
       URLField.to_python(). When using the default URLValidator, these values
       will continue to raise ValidationError during validation, but if you
       rely on custom validators, ensure they do not depend on the previous
       behavior of URLField.to_python().
 .
       <https://www.djangoproject.com/weblog/2026/mar/03/security-releases/>
 .
     (Closes: #1129595)
Checksums-Sha1:
 5ccf463a8f505df79cfcb208ebb32aac9cee43e0 2790 python-django_4.2.29-1.dsc
 fa2d7682f482f2d86b10f4ce2b7c0a8b0d382cc0 10438980 python-django_4.2.29.orig.tar.gz
 15d915240f6e16c78cc8d704ddd8134859991881 37852 python-django_4.2.29-1.debian.tar.xz
 ad604ba01199f534ab5b30f118e7516558ae817d 6477 python-django_4.2.29-1_source.buildinfo
Checksums-Sha256:
 8edc06eae6f9c4b330d58af3481c237423104d7c2d65e581236006e7d5686c4f 2790 python-django_4.2.29-1.dsc
 86d91bc8086569c8d08f9c55888b583a921ac1f95ed3bdc7d5659d4709542014 10438980 python-django_4.2.29.orig.tar.gz
 9d4588b2c11a7c219f2178c040dd5e9f20483d647203c37f21f273c03990a868 37852 python-django_4.2.29-1.debian.tar.xz
 39faa56709746c87d9835ab0096f8658f1f1d3bfb236808e0b97115974c9b46f 6477 python-django_4.2.29-1_source.buildinfo
Files:
 bd5913ac1054070cfbd507b8b748aa31 2790 python optional python-django_4.2.29-1.dsc
 8fa52c7ec011ebaa7fcf6fba78561346 10438980 python optional python-django_4.2.29.orig.tar.gz
 b46f7473cf08d84e1e0a353b26bfb88a 37852 python optional python-django_4.2.29-1.debian.tar.xz
 bfd04a88d1408a623130ef9aab53274c 6477 python optional python-django_4.2.29-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmmnI6AACgkQHpU+J9Qx
Hli5OQ/+J+JMVUSOVIVrK3v5YXRs3H0QL5lE/2js61JY69gNAXgU3CCQijNpesaH
ZTdNSsUhmhVuknJDUbw0Gj6LZ1qsPTw0Of5WLzPGQTlsAnmgFGG9wzLgbHFpJg3+
mqcC8YF7DI31cxK+gKPX6hsFMO8I1CQdTFDEprEaKlKV9SzeTW2DAf5DVUm23PA4
sV22dTro8XZ67L0LxhE686Uo6D0B8G1h5kXiL4VgDRKTvxeaVcVMiBN29KnuabOP
HcyRn2oVOGj9/XNvNSclbd6Q10Gm2rO6CwwW92aEv2Uw+nQXtoRle4h2VSOi1LjX
frUj9sOym4ZDtHAdg7ATS3+RqIMuSDC0KvHm7+LwI3TT2R48eqnTXIlJAsmJR4Tu
lHO07X97nVpfsmVf7+kh+xM8VGgBLZhAtSRhPYhORPwPjEmjEFH5uzq/iTj+sVjT
YDeZLH6KAMdym9/j70QWGIDuOr/5tiH2sS6Cx/0pw32K5N2+No5ZtJu1QzQ577PL
tW5Qd+pLuFLcHEqrDxV7Ctkf63csV/+V9RtGO1R61fJ4b2WAVMU/qjdz5+ORw0op
PE9fMrxqjv+hrDOy47WYUjwR5ySQJcoiBYBIL+6pwM7etMQmKtXCbX0I5Uv9oVwe
8dZl/kOt7r9pHLjEDxMk/dI2PgYiqDbOMcGBULCSJmDoSTdyzAg=
=zpT5
-----END PGP SIGNATURE-----
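The CVE-2026-25674 entry above explains the fix as applying the requested mode with os.chmod() after os.mkdir() instead of trusting the process-wide umask. The following is an added example, not Django's code and not from the Debian package, that makes the difference observable: it creates one directory each way while a restrictive umask is in effect and reports the permission bits that actually land on disk. It assumes a POSIX filesystem; the helper names (mkdir_umask_dependent, mkdir_umask_independent, compare_under_umask) are this example's own.

```python
import os
import stat
import tempfile

# Added example, not Django's code: two ways of creating a directory with a
# requested mode, to show why relying on the process umask is fragile.


def mkdir_umask_dependent(path, mode):
    """Create a directory and let the process umask mask the requested mode.

    The kernel applies `mode & ~umask`, so the outcome depends on whatever the
    process-wide umask happens to be at this instant (in a multi-threaded
    process, possibly a value another thread set temporarily).
    """
    os.mkdir(path, mode)


def mkdir_umask_independent(path, mode):
    """Create a directory, then explicitly apply the requested mode.

    os.chmod() is not subject to the umask, so the final permission bits do
    not depend on the umask in effect during os.mkdir().
    """
    os.mkdir(path, mode)
    os.chmod(path, mode)


def observed_mode(path):
    """Return the permission bits of `path` as an int (e.g. 0o755)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def compare_under_umask(umask, requested=0o755):
    """Create one directory each way while `umask` is in effect.

    Returns (umask_dependent_mode, umask_independent_mode). The umask is a
    process-wide setting, so this helper restores the previous value before
    returning; assumes a POSIX filesystem that honours chmod().
    """
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as base:
            dependent = os.path.join(base, "dependent")
            independent = os.path.join(base, "independent")
            mkdir_umask_dependent(dependent, requested)
            mkdir_umask_independent(independent, requested)
            return observed_mode(dependent), observed_mode(independent)
    finally:
        os.umask(previous)


if __name__ == "__main__":
    dep, indep = compare_under_umask(0o077)
    print(f"requested 0o755 under umask 0o077: "
          f"mkdir only -> {dep:#o}, mkdir+chmod -> {indep:#o}")
```

With umask 0o077 the mkdir-only directory comes out as 0o700 while the mkdir-plus-chmod directory is the requested 0o755; under the usual 0o022 both are 0o755, which is why the defect only shows up when some other code path (here, a thread) has changed the umask. Note that the example itself changes the umask from a single thread and restores it; in a multi-threaded process that pattern is exactly what the advisory warns about.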
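The CVE-2026-25673 entry above describes the fix as replacing urlsplit()-based scheme detection with a simplified check and deferring validation, with the caveat that control characters inside the value must then be caught by the validator. The following is an added example, not Django's code: a to_python()-shaped function that detects a scheme with a plain RFC 3986 scheme regex (an assumption about how "simplified scheme detection" can be done, not necessarily Django's exact rule) and never calls urlsplit(), followed by the separate validation step a custom validator must still perform. The names to_python, has_scheme, contains_control_chars, clean and is_valid are this example's own.

```python
import re

# Added example, not Django's code. Scheme detection that never calls
# urllib.parse.urlsplit(), so no Unicode normalization is performed on input.
# The pattern follows the RFC 3986 scheme grammar:
#   ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def has_scheme(value):
    """True if `value` starts with something shaped like a URL scheme."""
    return _SCHEME_RE.match(value) is not None


def to_python(value, assume_scheme="http"):
    """Shape of a form field's to_python(): strip surrounding whitespace,
    prepend a scheme when none is present, and return the value UNVALIDATED.

    Only leading/trailing whitespace is removed; newlines, tabs and other
    control characters inside the value pass through untouched.
    """
    if value is None:
        return ""
    value = value.strip()
    if value and not has_scheme(value):
        value = f"{assume_scheme}://{value}"
    return value


def contains_control_chars(value):
    """The check the validation layer has to make, because to_python() above
    no longer rejects control characters embedded in the value."""
    return any(ord(ch) < 0x20 or ch == "\x7f" for ch in value)


def clean(value):
    """to_python() followed by validation; raises ValueError on a bad value."""
    cleaned = to_python(value)
    if contains_control_chars(cleaned):
        raise ValueError("control characters are not allowed in a URL")
    return cleaned


def is_valid(value):
    """Convenience wrapper: True if clean() accepts `value`."""
    try:
        clean(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in ["example.com/path", "  https://example.com ",
                   "http://example.com/\npath"]:
        print(repr(sample), "->", repr(to_python(sample)),
              "valid:", is_valid(sample))
```

The point of the split is that to_python() does only cheap, bounded work on the raw input, while rejecting embedded control characters is the validator's job; a custom validator that assumed to_python() had already dealt with them would now let such values through.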