Format: 1.8
Date: Tue, 07 Apr 2026 10:28:52 -0400
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:6.0.4-1
Distribution: experimental
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1132927
Changes:
 python-django (3:6.0.4-1) experimental; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation.
       ASGIRequest normalizes header names following WSGI conventions, mapping
       hyphens to underscores. As a result, even in configurations where reverse
       proxies carefully strip security-sensitive headers named with hyphens,
       such a header could be spoofed by supplying a header named with
       underscores. Under WSGI, it is the responsibility of the server or proxy
       to avoid ambiguous mappings. (Django's runserver was patched via
       CVE-2015-0219.) But under ASGI, there is not the same uniform
       expectation, even if many proxies protect against this under default
       configuration (including nginx via underscores_in_headers off;). Headers
       containing underscores are now ignored by ASGIRequest, matching the
       behavior of Daphne, the reference server for ASGI.
 .
     - CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin.
       Add permissions on inline model instances were not validated on
       submission of forged POST data in GenericInlineModelAdmin.
 .
     - CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable.
       Admin changelist forms using ModelAdmin.list_editable incorrectly
       allowed new instances to be created via forged POST data.
 .
     - CVE-2026-33033: Potential denial-of-service vulnerability in
       MultiPartParser via base64-encoded file upload.
       When using django.http.multipartparser.MultiPartParser, multipart
       uploads with Content-Transfer-Encoding: base64 that include excessive
       whitespace may trigger repeated memory copying, potentially degrading
       performance.
 .
     - CVE-2026-33034: Potential denial-of-service vulnerability in ASGI
       requests via memory upload limit bypass.
       ASGI requests with a missing or understated Content-Length header could
       bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading
       HttpRequest.body, potentially loading an unbounded request body into
       memory and causing service degradation.
 .
   <https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>
 .
   (Closes: #1132927)
Checksums-Sha1:
 5fe0c80f330fc525ef53c1bd21eacfc78c9922db 2783 python-django_6.0.4-1.dsc
 89cd1b49c06b176b414138a5af1cfa3d340673a4 10907407 python-django_6.0.4.orig.tar.gz
 3c5a6780ad0480f9b916cadda1c64999074111e2 32232 python-django_6.0.4-1.debian.tar.xz
 3fd8921d7341e4d442e448b36c28fc0f03691bc8 8174 python-django_6.0.4-1_amd64.buildinfo
Checksums-Sha256:
 9973cfee12f242d30eebcb42fb7027d01cfb5ae98a06f5bfd515a1e91753feee 2783 python-django_6.0.4-1.dsc
 8cfa2572b3f2768b2e84983cf3c4811877a01edb64e817986ec5d60751c113ac 10907407 python-django_6.0.4.orig.tar.gz
 e44c8d9fd6db272dd8f1f1298237e17c9505dcb1020e3a7dcfcc6708d1a34951 32232 python-django_6.0.4-1.debian.tar.xz
 8626d479a2d7414ecf789375bfc07d8b820ebe40427ad5c61a8c865ac018ad11 8174 python-django_6.0.4-1_amd64.buildinfo
Files:
 e87af5f3441fceba68149c486a2277f7 2783 python optional python-django_6.0.4-1.dsc
 9d429cbef8c8357a480d0b920dd9a956 10907407 python optional python-django_6.0.4.orig.tar.gz
 2e9858a2a3bd636c8bca6dcf684d40ca 32232 python optional python-django_6.0.4-1.debian.tar.xz
 497c58d26b70fce4554cc1d23f6138d4 8174 python optional python-django_6.0.4-1_amd64.buildinfo
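The CVE-2026-3902 entry above describes how WSGI-style normalization lets an underscore-named header alias a hyphenated one. The following is an added illustration, not Django's own ASGIRequest code: two simplified META builders over a constructed ASGI header list, one with the old conflating behaviour and one that ignores underscore names the way the fixed release (and Daphne) does.

```python
"""Added example, not Django's implementation: a minimal stand-in for how an
ASGI server's header list is turned into CGI-style META keys, before and after
the CVE-2026-3902 fix. `scope_headers` follows the ASGI shape of
[(name: bytes, value: bytes), ...]; the sample list below is constructed."""


def meta_key(name: str) -> str:
    """CGI/WSGI key for a header name: 'x-forwarded-for' -> 'HTTP_X_FORWARDED_FOR'.
    Because '-' becomes '_', 'x_forwarded_for' yields the *same* key."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_meta_conflating(scope_headers):
    """Pre-fix behaviour: every header is mapped, so an underscore-named header
    that a proxy did not strip can overwrite the hyphenated one it did control."""
    meta = {}
    for raw_name, raw_value in scope_headers:
        meta[meta_key(raw_name.decode("latin1"))] = raw_value.decode("latin1")
    return meta


def build_meta_hardened(scope_headers):
    """Post-fix behaviour: header names containing an underscore are ignored,
    so they can never alias a hyphenated header in META."""
    meta = {}
    for raw_name, raw_value in scope_headers:
        name = raw_name.decode("latin1")
        if "_" in name:
            continue  # ambiguous name: drop it rather than let it alias
        meta[meta_key(name)] = raw_value.decode("latin1")
    return meta


# Constructed scenario: the proxy replaced 'x-forwarded-for' with the address it
# saw, but passed 'x_forwarded_for' through untouched (later entry wins on insert).
AFTER_PROXY = [
    (b"host", b"app.example"),
    (b"x-forwarded-for", b"203.0.113.10"),  # value set by the trusted proxy
    (b"x_forwarded_for", b"10.0.0.1"),      # client-supplied, not stripped
]

if __name__ == "__main__":
    print(build_meta_conflating(AFTER_PROXY)["HTTP_X_FORWARDED_FOR"])  # 10.0.0.1
    print(build_meta_hardened(AFTER_PROXY)["HTTP_X_FORWARDED_FOR"])    # 203.0.113.10
```

A quick way to confirm your own stack after upgrading is to send both spellings of a header through the proxy and check which value lands in request.META.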