Format: 1.8
Date: Tue, 05 May 2026 09:42:54 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:5.2.14-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1135755
Changes:
 python-django (3:5.2.14-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2026-5766: Prevent a potential denial-of-service vulnerability in
       ASGI requests via a file upload limit bypass. ASGI requests with a
       missing or understated Content-Length header could bypass the
       FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files
       into memory and causing service degradation. As a reminder, Django
       expects a limit to be configured at the web server level rather than
       solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.
 .
     - CVE-2026-35192: Address a session fixation issue via public cached
       pages and SESSION_SAVE_EVERY_REQUEST. Response headers did not vary
       on cookies if a session was not modified but
       SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could
       therefore steal a user's session after that user visits a cached
       public page.
 .
     - CVE-2026-6907: Prevent a potential exposure of private data due to
       incorrect handling of "Vary: *" in UpdateCacheMiddleware. Previously,
       django.middleware.cache.UpdateCacheMiddleware would erroneously cache
       requests where the Vary header contained an asterisk ('*'). This
       could lead to private data being stored and served.
 .
     (Closes: #1135755)
 .
   * Bump Standards-Version to 4.7.4.
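The two cache-related entries above (the "Vary: *" handling behind CVE-2026-6907 and the response that did not vary on cookies behind CVE-2026-35192) both come down to how a shared cache decides what to store and how it keys it. The following is an added illustration for this changelog, not code from Django's middleware; the function names and the header dictionaries are constructed for the example.

```python
# Constructed model of a shared-cache storage decision and cache key; it is
# an added illustration for this changelog entry, not Django's middleware.
from __future__ import annotations


def parse_vary(value: str | None) -> set[str]:
    """Split a Vary header into lower-cased field names ('*' is kept as-is)."""
    if not value:
        return set()
    return {part.strip().lower() for part in value.split(",") if part.strip()}


def vulnerable_should_store(headers: dict[str, str]) -> bool:
    """Pre-fix behaviour: store unless Cache-Control says no-store, even when
    Vary is '*'. An asterisk means the response varies on something the cache
    cannot observe, so a stored copy may be served to the wrong client."""
    return "no-store" not in headers.get("Cache-Control", "").lower()


def fixed_should_store(headers: dict[str, str]) -> bool:
    """Post-fix behaviour: additionally refuse to store when Vary contains '*'."""
    if "no-store" in headers.get("Cache-Control", "").lower():
        return False
    return "*" not in parse_vary(headers.get("Vary"))


def cache_key(path: str, vary: set[str], request_headers: dict[str, str]) -> str:
    """Key a stored response by path plus the request header values named in
    Vary. Without 'Vary: Cookie' every visitor shares one key, so one
    visitor's cached response is served to the next, which is the missing
    variation described for SESSION_SAVE_EVERY_REQUEST above."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    parts = [path] + [f"{name}={lowered.get(name, '')}" for name in sorted(vary)]
    return "|".join(parts)


if __name__ == "__main__":
    private = {"Vary": "*", "Cache-Control": "max-age=600"}
    print("vulnerable stores Vary:* response:", vulnerable_should_store(private))  # True
    print("fixed stores Vary:* response:", fixed_should_store(private))            # False
    a = {"Cookie": "sessionid=AAA"}  # constructed request headers
    b = {"Cookie": "sessionid=BBB"}
    print("no Vary, keys equal:", cache_key("/p", set(), a) == cache_key("/p", set(), b))  # True
    print("Vary: Cookie, keys equal:",
          cache_key("/p", parse_vary("Cookie"), a) == cache_key("/p", parse_vary("Cookie"), b))  # False
```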