-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Apr 2026 14:04:57 -0400
Source: python-django
Architecture: source
Version: 3:4.2.30-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1132927
Changes:
 python-django (3:4.2.30-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation.
       ASGIRequest normalizes header names following WSGI conventions, mapping
       hyphens to underscores. As a result, even in configurations where
       reverse proxies carefully strip security-sensitive headers named with
       hyphens, such a header could be spoofed by supplying a header named with
       underscores. Under WSGI, it is the responsibility of the server or proxy
       to avoid ambiguous mappings. (Django's runserver was patched via
       CVE-2015-0219.) But under ASGI, there is not the same uniform
       expectation, even if many proxies protect against this under default
       configuration (including nginx via underscores_in_headers off;).
       Headers containing underscores are now ignored by ASGIRequest, matching
       the behavior of Daphne, the reference server for ASGI.
 .
     - CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin. Add
       permissions on inline model instances were not validated on submission
       of forged POST data in GenericInlineModelAdmin.
 .
     - CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable. Admin
       changelist forms using ModelAdmin.list_editable incorrectly allowed new
       instances to be created via forged POST data.
 .
     - CVE-2026-33033: Potential denial-of-service vulnerability in
       MultiPartParser via base64-encoded file upload. When using
       django.http.multipartparser.MultiPartParser, multipart uploads with
       Content-Transfer-Encoding: base64 that include excessive whitespace may
       trigger repeated memory copying, potentially degrading performance.
 .
     - CVE-2026-33034: Potential denial-of-service vulnerability in ASGI
       requests via memory upload limit bypass. ASGI requests with a missing
       or understated Content-Length header could bypass the
       DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading HttpRequest.body,
       potentially loading an unbounded request body into memory and causing
       service degradation.
 .
     <https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>
 .
     (Closes: #1132927)
Checksums-Sha1:
 2500ac06220d01bd469bb2ddde71697c2a655014 2790 python-django_4.2.30-1.dsc
 8cec07a43d7dbb469cd94c9e4776941c75e3bbcf 10468707 python-django_4.2.30.orig.tar.gz
 d3c694c26eb02f21c17cd4acba2983d29234f6a2 38480 python-django_4.2.30-1.debian.tar.xz
 85fa5b14157d97dd89621f02f565293db6dcdc00 6541 python-django_4.2.30-1_source.buildinfo
Checksums-Sha256:
 130f7c58dea817b01c9853c83c7b67ed285db1b6d3fbb34a80a0e63a2c45a8fe 2790 python-django_4.2.30-1.dsc
 4ebc7a434e3819db6cf4b399fb5b3f536310a30e8486f08b66886840be84b37c 10468707 python-django_4.2.30.orig.tar.gz
 470b20939211298c6990956ede5694a5c8266e3adb9dda9f011d4e1211835665 38480 python-django_4.2.30-1.debian.tar.xz
 048feda57efbe3a86217d34b302cb15b95d4ce5bd93b8f6b4978a0fba8009704 6541 python-django_4.2.30-1_source.buildinfo
Files:
 b02d93dabe1c7058d8f81dd37a6abcab 2790 python optional python-django_4.2.30-1.dsc
 b85ae58022eb81ba8bcef7027872019f 10468707 python optional python-django_4.2.30.orig.tar.gz
 80b1af9f1b63204525605b41ec8c39b0 38480 python optional python-django_4.2.30-1.debian.tar.xz
 b433699a3c94d85aab9fe9b654f6210e 6541 python optional python-django_4.2.30-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmnVStwACgkQHpU+J9Qx
HlhZ2Q//UseGMN3M5WYrPPaBkzKWX5bKs8QWjHOwh2vuNVlwzxcBJo2vzloDOK+a
P2qBSodSJMK12YUlPBYD8FJDcd2o0UWl6AcdlhPjiqvC/000NRVYPrKn+eMCh0ra
04w+Z4+6eXgabkrPuch2ULh+4mgz+/Lqhj7hzUahFiap76SCVgBm7hRCiqXZla0D
o4czKgj6vBvkPtN7GeNuLwIq4nzbLUOBedTegBy6ZP7GTuvm+77U7incQmcu1o3n
ulhyLDd43c4OwQFaen1WxaR8MtTvfZy2sFmhwBnqraXD+O1O3Qsk7KVEbozI7NdE
zPIUxsrFwP6Q5y6Yt6z1pFtbUjDIa85/t2xbGa2x/y6QCol3UAft9jOuQmmWk8sC
NZiWMbk73mrG0grmLr3QiVMqKAfCt66GMX1aOxBsPGI6BX6RLW6703fNedp68EaM
M27Tr1O4x8gAlWT+T1odfFU4OPmf7KoH5040rA0WLUElnH3kRtGaisguA+qQqn9B
3wnxF3BjovA5OLV/0MfmxBvFOW9QwBQI/Zmlf9645qaLYfUCW/YcA9pWGxvLqRv4
cMTvHK/FdBE6+a7+KkeaujvZkuS2h46LH95Jbg+EHGErL5lhDUFAj5e6C/w7YvrE
F+b1FdGJthtpFEcrKSEoxxGc6AugFT3uEVgCZ28vcd+09kza6P8=
=gCov
-----END PGP SIGNATURE-----
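The CVE-2026-3902 entry above describes a normalization step, not code. The following is an added example (not Django's own code and not part of the signed changes file) that models the WSGI-style mapping it describes: an ASGI scope's header list is turned into META keys by upper-casing and replacing hyphens with underscores, so `x_forwarded_for` and `x-forwarded-for` collide on `HTTP_X_FORWARDED_FOR`. The proxy model, the set of "sensitive" names it strips, the addresses and the attacker request are all constructed for the demonstration; the second mode implements the fix the entry states (drop any header whose raw name contains an underscore).

```python
"""Simplified model of WSGI-style header normalization for an ASGI scope.

Added example, not Django's code. It shows how a header named with
underscores slips past a proxy that strips only the hyphenated form, and
why refusing underscore names at the application closes the hole.
"""

# WSGI convention: these two become META keys without the HTTP_ prefix.
_NO_HTTP_PREFIX = {"content-length", "content-type"}

# Assumption for the demo: the proxy strips exactly these (lower-case) names.
SENSITIVE_HEADERS = {"x-forwarded-for", "x-real-ip"}


def asgi_headers_to_meta(headers, ignore_underscores):
    """Build a WSGI-style META dict from ASGI scope headers ([(bytes, bytes)]).

    ignore_underscores=False reproduces the conflating mapping (hyphen -> '_'),
    so 'x_forwarded_for' and 'x-forwarded-for' land on the same key.
    ignore_underscores=True models the fix: any raw name containing '_' is
    dropped before it can be normalized.
    """
    meta = {}
    for raw_name, raw_value in headers:
        name = raw_name.decode("latin1").lower()
        value = raw_value.decode("latin1")
        if ignore_underscores and "_" in name:
            continue
        key = name.upper().replace("-", "_")
        if name not in _NO_HTTP_PREFIX:
            key = "HTTP_" + key
        # Repeated names are comma-joined, as WSGI servers do for HTTP_* keys.
        meta[key] = value if key not in meta else meta[key] + "," + value
    return meta


def proxy_filter(headers, sensitive=SENSITIVE_HEADERS):
    """Constructed reverse proxy: drop client-supplied sensitive headers by
    exact (hyphenated) name, then append the proxy's own X-Forwarded-For.
    This is a stand-in for the example, not an nginx configuration."""
    kept = [(n, v) for n, v in headers
            if n.decode("latin1").lower() not in sensitive]
    kept.append((b"x-forwarded-for", b"203.0.113.9"))  # the real client address
    return kept


def client_ip(meta):
    """What a naive application does: trust the first X-Forwarded-For hop."""
    return meta.get("HTTP_X_FORWARDED_FOR", "").split(",")[0].strip()


# Constructed attacker request: the hyphen form is stripped by the proxy, the
# underscore form is not, yet both normalize to HTTP_X_FORWARDED_FOR.
ATTACKER_HEADERS = [
    (b"host", b"example.test"),
    (b"content-length", b"0"),
    (b"x-forwarded-for", b"10.0.0.1"),
    (b"x_forwarded_for", b"10.0.0.1"),
]


def observed_client_ip(ignore_underscores):
    """Address the application ends up trusting after proxy + normalization."""
    meta = asgi_headers_to_meta(proxy_filter(ATTACKER_HEADERS), ignore_underscores)
    return client_ip(meta)


if __name__ == "__main__":
    print("conflating:", observed_client_ip(False))  # attacker-chosen 10.0.0.1
    print("fixed     :", observed_client_ip(True))   # proxy-supplied 203.0.113.9
```

The check a deployment should make is whether every hop in front of the application also refuses such names; the entry notes that nginx does so by default (`underscores_in_headers off;`), which is why the conflation is only reachable through proxies that forward underscore names unchanged.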
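The CVE-2026-33034 entry says a missing or understated Content-Length let an ASGI request bypass DATA_UPLOAD_MAX_MEMORY_SIZE. The following added example (not Django's code and not part of the signed changes file) contrasts the two ways of enforcing such a limit over an ASGI `receive()` stream: checking only the declared length before reading, versus also counting the bytes actually received. The 1024-byte limit, the exception class, the `make_receive` helper and the 64 KiB attack body are constructed for the demonstration.

```python
"""Added example (not Django's code): a simplified ASGI body reader showing
why an in-memory upload limit must count bytes actually received rather
than trust the Content-Length header, as described for CVE-2026-33034."""
import asyncio

DATA_UPLOAD_MAX_MEMORY_SIZE = 1024  # assumption: small limit so the demo is visible


class RequestDataTooBig(Exception):
    """Raised when a body exceeds the in-memory limit (demo stand-in)."""


def make_receive(chunks):
    """Return an ASGI-style receive() that yields the constructed chunks,
    setting more_body=True until the last one, like a real server does."""
    queue = list(chunks)

    async def receive():
        if not queue:
            return {"type": "http.request", "body": b"", "more_body": False}
        chunk = queue.pop(0)
        return {"type": "http.request", "body": chunk, "more_body": bool(queue)}

    return receive


async def read_body_trusting_header(receive, content_length, limit):
    """Vulnerable pattern: validate only the declared size, then read it all.
    A missing or understated header walks straight past the limit."""
    if content_length is not None and content_length > limit:
        raise RequestDataTooBig()
    body = b""
    while True:
        msg = await receive()
        body += msg.get("body", b"")
        if not msg.get("more_body", False):
            return body


async def read_body_counting_bytes(receive, content_length, limit):
    """Hardened pattern: still reject early on an honest oversize header, but
    also stop as soon as the bytes actually received exceed the limit."""
    if content_length is not None and content_length > limit:
        raise RequestDataTooBig()
    parts, total = [], 0
    while True:
        msg = await receive()
        chunk = msg.get("body", b"")
        total += len(chunk)
        if total > limit:
            raise RequestDataTooBig()  # header said less than what arrived
        parts.append(chunk)
        if not msg.get("more_body", False):
            return b"".join(parts)


def demo(reader, content_length, chunks, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
    """Run a reader over constructed chunks; return bytes buffered or 'rejected'."""
    async def run():
        try:
            return len(await reader(make_receive(chunks), content_length, limit))
        except RequestDataTooBig:
            return "rejected"
    return asyncio.run(run())


# Constructed attack: the header claims 100 bytes (or is absent) while 64 KiB streams.
ATTACK_CHUNKS = [b"A" * 4096] * 16


def run_examples():
    """Outcomes for each reader against understated, missing and honest headers."""
    return {
        "trusting_understated": demo(read_body_trusting_header, 100, ATTACK_CHUNKS),
        "trusting_missing": demo(read_body_trusting_header, None, ATTACK_CHUNKS),
        "trusting_honest": demo(read_body_trusting_header, 65536, ATTACK_CHUNKS),
        "counting_understated": demo(read_body_counting_bytes, 100, ATTACK_CHUNKS),
        "counting_missing": demo(read_body_counting_bytes, None, ATTACK_CHUNKS),
        "counting_small_body": demo(read_body_counting_bytes, 10, [b"B" * 10]),
    }


if __name__ == "__main__":
    for name, outcome in run_examples().items():
        print(f"{name:22s} {outcome}")
```

The counting reader rejects the attack on the first 4096-byte chunk, before anything beyond the limit is buffered; the trusting reader only ever rejects a client honest enough to declare the oversize length.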