Format: 1.8
Date: Tue, 28 Apr 2026 09:58:21 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:5.2.13-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1102743 1132927
Changes:
 python-django (3:5.2.13-1) unstable; urgency=medium
 .
   * Upload of 5.2 branch to unstable. (Closes: #1102743)
   * New upstream security release:
 .
     - CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation.
       ASGIRequest normalizes header names following WSGI conventions,
       mapping hyphens to underscores. As a result, even in configurations
       where reverse proxies carefully strip security-sensitive headers
       named with hyphens, such a header could be spoofed by supplying a
       header named with underscores. Under WSGI, it is the responsibility
       of the server or proxy to avoid ambiguous mappings. (Django's
       runserver was patched via CVE-2015-0219.) But under ASGI, there is
       not the same uniform expectation, even if many proxies protect
       against this under default configuration (including nginx via
       underscores_in_headers off;). Headers containing underscores are
       now ignored by ASGIRequest, matching the behavior of Daphne, the
       reference server for ASGI.
 .
     - CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin.
       Add permissions on inline model instances were not validated on
       submission of forged POST data in GenericInlineModelAdmin.
 .
     - CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable.
       Admin changelist forms using ModelAdmin.list_editable incorrectly
       allowed new instances to be created via forged POST data.
 .
     - CVE-2026-33033: Potential denial-of-service vulnerability in
       MultiPartParser via base64-encoded file upload.
       When using django.http.multipartparser.MultiPartParser, multipart
       uploads with Content-Transfer-Encoding: base64 that include
       excessive whitespace may trigger repeated memory copying,
       potentially degrading performance.
 .
     - CVE-2026-33034: Potential denial-of-service vulnerability in ASGI
       requests via memory upload limit bypass.
       ASGI requests with a missing or understated Content-Length header
       could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading
       HttpRequest.body, potentially loading an unbounded request body
       into memory and causing service degradation.
 .
     <https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>
 .
     (Closes: #1132927)
 .
   * Don't test Sphinx/GitHub interlinks during autopkgtests. These tests
     are essentially hardcoded to rely on the "django" Python package to
     reside adjacent to the tests in the directory tree. In the context of
     an autopkgtest, however, the "django" package must exist as an
     installed package (i.e. via the .deb) under /usr/lib/python3, etc.
   * Refresh patches.
 .
 python-django (3:5.2.12-1) unstable; urgency=medium
 .
   * New upstream 5.2.x release.
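The underscore/hyphen conflation behind CVE-2026-3902, modelled as an added example (not Django's, Daphne's or Debian's own code): a simplified WSGI-style META mapping, the corrected variant that ignores names containing underscores, and a mock reverse proxy that strips only the hyphenated spelling. The header names, the documentation address and the function names are constructed for the illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple

RawHeaders = List[Tuple[bytes, bytes]]  # ASGI-style (name, value) pairs


def meta_key(name: str) -> str:
    """WSGI-style mapping: X-Real-IP -> HTTP_X_REAL_IP (hyphen becomes underscore)."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_meta_vulnerable(headers: RawHeaders) -> Dict[str, str]:
    """Pre-fix behaviour (simplified): every header is mapped, so the raw names
    'x-real-ip' and 'x_real_ip' collide on the same META key."""
    meta: Dict[str, str] = {}
    for raw_name, raw_value in headers:
        meta[meta_key(raw_name.decode("latin1"))] = raw_value.decode("latin1")
    return meta


def build_meta_fixed(headers: RawHeaders) -> Dict[str, str]:
    """Fixed behaviour (simplified): a header whose name contains an underscore is
    ignored, so only the hyphenated spelling can populate the META key."""
    meta: Dict[str, str] = {}
    for raw_name, raw_value in headers:
        name = raw_name.decode("latin1")
        if "_" in name:
            continue  # ambiguous with the hyphenated form; drop it
        meta[meta_key(name)] = raw_value.decode("latin1")
    return meta


def proxy_strip(headers: RawHeaders, blocked: str) -> RawHeaders:
    """Mock reverse proxy that removes one security-sensitive hyphenated header
    (case-insensitive) and knows nothing about the underscore spelling."""
    return [(n, v) for n, v in headers if n.decode("latin1").lower() != blocked.lower()]


# Constructed sample request: both spellings of the trusted header are present.
CLIENT_HEADERS: RawHeaders = [
    (b"host", b"app.example"),
    (b"x-real-ip", b"203.0.113.9"),
    (b"x_real_ip", b"203.0.113.9"),
]


def header_seen_by_app(build: Callable[[RawHeaders], Dict[str, str]]) -> Optional[str]:
    """Check whether a header the proxy strips can still reach the application."""
    forwarded = proxy_strip(CLIENT_HEADERS, "x-real-ip")
    return build(forwarded).get("HTTP_X_REAL_IP")
```

Run `header_seen_by_app` with each builder to confirm that the proxy's stripping is only effective once the application also discards underscore names.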