-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 08:03:16 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:6.0.5-1
Distribution: experimental
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1135755
Changes:
 python-django (3:6.0.5-1) experimental; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2026-5766: Prevent a potential denial-of-service vulnerability in
       ASGI requests via a file upload limit bypass. ASGI requests with a
       missing or understated Content-Length header could bypass the
       FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files
       into memory and causing service degradation. As a reminder, Django
       expects a limit to be configured at the web server level rather than
       solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.
 .
     - CVE-2026-35192: Address a session fixation issue via public cached
       pages and SESSION_SAVE_EVERY_REQUEST. Response headers did not vary
       on cookies if a session was not modified but
       SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could
       therefore steal a user's session after that user visits a cached
       public page.
 .
     - CVE-2026-6907: Prevent a potential exposure of private data due to
       incorrect handling of "Vary: *" in UpdateCacheMiddleware.
       Previously, django.middleware.cache.UpdateCacheMiddleware would
       erroneously cache requests where the Vary header contained an
       asterisk ('*'). This could lead to private data being stored and
       served.
 .
     (Closes: #1135755)
 .
   * Bump Standards-Version to 4.7.4.
Checksums-Sha1:
 043c11cfc0fce20bb61de3468d6093955b958ce7 2783 python-django_6.0.5-1.dsc
 b9f5649872874dd17cf1c9d7cc25617cb23c5b7c 10924131 python-django_6.0.5.orig.tar.gz
 a485087ffbc602c8d9622dc4ae71a32e830a77d8 32564 python-django_6.0.5-1.debian.tar.xz
 de6e7b5695af6bc843a776929c6332054c59bee1 8227 python-django_6.0.5-1_amd64.buildinfo
Checksums-Sha256:
 86550e52d69e3a46f04c1c4b4b96b6b68f295061ee486432ec9479ac8a52ad1d 2783 python-django_6.0.5-1.dsc
 bc6d6872e98a2864c836e42edd644b362db311147dd5aa8d5b82ba7a032f5269 10924131 python-django_6.0.5.orig.tar.gz
 e22b9310019e71a79dbbd99bb2f4a246bafa64376461d752e9df07539c1623ce 32564 python-django_6.0.5-1.debian.tar.xz
 9222ac9c24c375c0b87ffa528705a5fc1e80cc87896fd22ac032721fd963fa25 8227 python-django_6.0.5-1_amd64.buildinfo
Files:
 f4b5d6158f823c8fb374578ed01d4a60 2783 python optional python-django_6.0.5-1.dsc
 44c18a8f264c1326e6fe4f1053fea5fc 10924131 python optional python-django_6.0.5.orig.tar.gz
 c40740e19763dfc64b246607bf9c7fc5 32564 python optional python-django_6.0.5-1.debian.tar.xz
 167bdb4e05103c9d3e363f147087d33b 8227 python optional python-django_6.0.5-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmn6HfwACgkQHpU+J9Qx
HlgJhA/+IRljCV6x1Z1YcD8hp1ehHXZNzpAKrBiVCLTta2bRxVtIKQwbvvUtdyGm
Vyyz8MzzyRh0SatFH5ykiPHhUZsjYNd0+5cpKdl4qBYNRf6lGgWk9M9+fdZ7rCaZ
Boyak6Gpmf8sIwS6hrkHiLpW6XBSkvlsEQmZN9bDOpzqI0XHcw6Ima7B/fiiKMOW
SzLpHxSLGHh3hpkr0KwmgjkuV2dZKs4GCrYlTQcCHWm4W0W1SmPpld4lZ1uQACb0
T/dxU4SHRptoHxBue5c3ATBjIV/Q+2h3l6phWCAOgGeNhVqWsAZR/DX2brxeWVD3
fGrIG63cPwmFay25KFuliM5Jfu5lRrroWXwhtrcb09nMDQlgnB5qg7cZ4B5n2mhu
vUy9m3M30QCptkmUVHHD7C3d5orY+XsdQBP4Iq5E0UPfxMqC/XIdEh1X903n9Nwm
EaJDxjnBZri+vQIcxS+l6EQMlpUCMI7pxmfYKmUuv8u3LXiWMpPeVm7LrmGC/b6N
wn13sss7pIZDVI/bIAFLCqBiIyEk2priyuKcXYF4wDTig3Ywi3y+DkNNWQnaKk8c
/sAer++3Lx7BwPQ9hbtSVHHl27y9rbucDU+081EBLwJUG1d4AoGbI766dG2aJT31
VnXiNWKUXPxCme+D0CcFaCg29+rJqzKRGvUKmtNzssrzGfK8qhA=
=PsYa
-----END PGP SIGNATURE-----
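Added example for the CVE-2026-5766 entry above. This is not part of the .changes file and not Django's request-handling code: it is a constructed stand-in for an ASGI receive loop that buffers an upload under an in-memory limit, showing why a limit compared only against the Content-Length header is bypassed by a client that omits or understates the header, and how counting bytes as they arrive closes the hole. `read_body`, `hostile_body`, `attempt` and `BodyTooLarge` are names invented for the illustration; the 2.5 MiB limit is Django's documented default for FILE_UPLOAD_MAX_MEMORY_SIZE, and the 8 MiB client body is constructed.

```python
"""Constructed model of reading an upload body under a memory limit.

Not Django's code: a minimal stand-in for an ASGI receive loop, used to
show why a limit checked only against the Content-Length header can be
bypassed by a client that omits or understates that header.
"""
from __future__ import annotations

from typing import Iterable, Iterator

# Django's documented default for FILE_UPLOAD_MAX_MEMORY_SIZE (2.5 MiB),
# reused here as the in-memory limit of the model.
MAX_IN_MEMORY = 2_621_440


class BodyTooLarge(Exception):
    """Raised when the body would exceed the limit; `received` is how many
    bytes had actually been read at that point."""

    def __init__(self, received: int) -> None:
        super().__init__(f"body exceeded {MAX_IN_MEMORY} bytes ({received} received)")
        self.received = received


def read_body(chunks: Iterable[bytes], declared_length: int | None,
              trust_declared: bool, limit: int = MAX_IN_MEMORY) -> bytes:
    """Buffer a request body in memory, enforcing `limit`.

    trust_declared=True models the weak check: only the Content-Length
    value is compared against the limit, so a missing or understated
    header lets the whole stream into memory.

    trust_declared=False counts bytes as they arrive and aborts the read
    as soon as the running total crosses the limit, whatever the header
    claimed.
    """
    if declared_length is not None and declared_length > limit:
        raise BodyTooLarge(0)  # cheap fail-fast when the header is honest
    if trust_declared:
        return b"".join(chunks)  # header looked fine; nothing else is checked
    received = 0
    parts: list[bytes] = []
    for chunk in chunks:
        received += len(chunk)
        if received > limit:
            raise BodyTooLarge(received)
        parts.append(chunk)
    return b"".join(parts)


def hostile_body(total: int, chunk_size: int = 65_536) -> Iterator[bytes]:
    """Constructed client stream: `total` bytes of filler, sent in chunks."""
    sent = 0
    while sent < total:
        n = min(chunk_size, total - sent)
        yield b"A" * n
        sent += n


def attempt(trust_declared: bool, declared_length: int | None,
            total: int = 8 * 1024 * 1024) -> tuple[str, int]:
    """Send an 8 MiB body with the given Content-Length claim (None = header
    absent) and report what the server buffered: ("accepted", bytes held in
    memory) or ("rejected", bytes read before the read was aborted)."""
    try:
        body = read_body(hostile_body(total), declared_length, trust_declared)
    except BodyTooLarge as exc:
        return "rejected", exc.received
    return "accepted", len(body)


if __name__ == "__main__":
    for trust in (True, False):
        for declared in (None, 100, 8 * 1024 * 1024):
            print(f"trust_declared={trust} Content-Length={declared}: "
                  f"{attempt(trust, declared)}")
```

With `trust_declared=True` the 8 MiB body is fully buffered whenever the header is absent or says 100, and only an honest header is rejected; with `trust_declared=False` the read stops one chunk past the limit regardless of the header. The byte counting is the application-side fix; the changelog's reminder still applies, since a body limit in the web server or reverse proxy (for example nginx's `client_max_body_size`) stops the bytes before the application reads any of them.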
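Added example for the CVE-2026-35192 and CVE-2026-6907 entries above. This is not part of the .changes file and not the code of django.middleware.cache: it is a constructed model of a shared response cache that keys entries on the request headers named in the response's Vary header, which is the mechanism both fixes turn on. It shows that a response carrying `Vary: *` (uncacheable by a shared cache under RFC 9111) must be refused rather than stored as if it varied on nothing, and that a per-user response whose headers do not vary on Cookie is handed to the next user of the same path. `parse_vary`, `cache_key`, `SharedCache` and `replay` are names invented for the illustration; the users, session cookies and page body are constructed.

```python
"""Constructed model of a shared (public) response cache keyed by Vary.

Not Django's middleware: a minimal cache that stores one response per
path and derives the cache key from the request headers the response
says it varies on, so that the effect of 'Vary: *' and of a missing
'Vary: Cookie' can be seen directly.
"""
from __future__ import annotations

import hashlib


def parse_vary(response_headers: dict[str, str]) -> list[str] | None:
    """Return the lower-cased request header names the response varies on.

    'Vary: *' means no set of request headers can identify an equivalent
    request (RFC 9111, section 4.1), so such a response must not be
    reused from a shared cache; None signals "do not store".
    """
    raw = response_headers.get("Vary", "")
    names = {n.strip().lower() for n in raw.split(",") if n.strip()}
    if "*" in names:
        return None
    return sorted(names)


def cache_key(path: str, request_headers: dict[str, str], vary: list[str]) -> str:
    """Key on the path plus the request headers named in Vary, nothing else.
    Request header names are assumed already lower-cased."""
    h = hashlib.sha256(path.encode())
    for name in vary:
        value = request_headers.get(name, "")
        h.update(b"\0" + name.encode() + b"=" + value.encode())
    return h.hexdigest()


class SharedCache:
    """honour_vary_star=False reproduces the weak behaviour: a 'Vary: *'
    response is stored as if it varied on nothing and is then served to
    every later requester of the same path."""

    def __init__(self, honour_vary_star: bool) -> None:
        self.honour_vary_star = honour_vary_star
        self.vary_by_path: dict[str, list[str]] = {}
        self.store: dict[str, str] = {}

    def put(self, path: str, request_headers: dict[str, str],
            response_headers: dict[str, str], body: str) -> bool:
        """Store the response; return False if it was refused."""
        vary = parse_vary(response_headers)
        if vary is None:
            if self.honour_vary_star:
                return False
            vary = []  # weak path: treat '*' like an empty Vary
        self.vary_by_path[path] = vary
        self.store[cache_key(path, request_headers, vary)] = body
        return True

    def get(self, path: str, request_headers: dict[str, str]) -> str | None:
        vary = self.vary_by_path.get(path)
        if vary is None:
            return None
        return self.store.get(cache_key(path, request_headers, vary))


def replay(honour_vary_star: bool, vary_value: str) -> tuple[str | None, str | None]:
    """Alice's authenticated response is cached; then Alice and Bob each
    request the same path with their own session cookie. Return what each
    gets from the cache (None = miss, i.e. served fresh instead)."""
    cache = SharedCache(honour_vary_star)
    alice = {"cookie": "sessionid=alice-secret"}   # constructed
    bob = {"cookie": "sessionid=bob-secret"}       # constructed
    response_headers = {"Vary": vary_value} if vary_value else {}
    cache.put("/account/", alice, response_headers, "Hello Alice, balance 1234")
    return cache.get("/account/", alice), cache.get("/account/", bob)


if __name__ == "__main__":
    for honour, vary in ((False, "*"), (True, "*"), (True, ""), (True, "Cookie")):
        print(f"honour_vary_star={honour} Vary={vary!r}: {replay(honour, vary)}")
```

The first case is the CVE-2026-6907 shape: with the weak handling, a `Vary: *` response containing Alice's data is stored and Bob receives it; once `*` is honoured the response is never stored. The third case is the mechanism behind CVE-2026-35192: a response that does not vary on Cookie is shared across sessions, so anything session-specific in it (including Set-Cookie) reaches whoever hits the cached copy next, while `Vary: Cookie` gives each session its own key and Bob misses.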