-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 03 Jun 2026 08:06:41 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:6.0.6-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1138775
Changes:
 python-django (3:6.0.6-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2026-6873: Signed cookie salt namespace collision in
       django.http.HttpRequest.get_signed_cookie
 .
       get_signed_cookie derived the signing salt by concatenating the cookie
       name (key) and salt arguments. When distinct name and salt pairs
       produced the same concatenation, cookies could be accepted in a context
       different from the one where they were signed.
 .
       Cookies are now signed with an unambiguous salt derivation. For
       backwards compatibility, cookies signed by older Django versions are
       accepted until Django 7.0.
 .
     - CVE-2026-7666: Potential unencrypted email transmission via STARTTLS
       in the SMTP backend
 .
       When using EMAIL_USE_TLS, a failed STARTTLS handshake could leave a
       partially-initialized connection that would subsequently be reused for
       sending email without encryption. This can occur with
       fail_silently=True, as used by send_mail and BrokenLinkEmailsMiddleware
       among others. Connections configured with EMAIL_USE_SSL are not
       affected.
 .
     - CVE-2026-8404: Potential exposure of private data via case-sensitive
       Cache-Control directives in UpdateCacheMiddleware
 .
       django.middleware.cache.UpdateCacheMiddleware and
       django.views.decorators.cache.cache_page decorator incorrectly cached
       responses marked with private Cache-Control directives when using
       mixed or uppercase values (e.g. Private).
 .
       The django.views.decorators.cache.cache_control decorator and
       django.utils.cache.patch_cache_control function were not affected
       since they normalize directives to lowercase.
 .
       This issue only affects responses where Cache-Control is set manually.
 .
     - CVE-2026-35193: Potential exposure of private data via missing
       Vary: Authorization in UpdateCacheMiddleware
 .
       django.middleware.cache.UpdateCacheMiddleware and
       django.views.decorators.cache.cache_page decorator allowed responses
       to requests bearing an Authorization header (and without
       Cache-Control: public) to be cached. To conform with the existing
       mechanism for constructing cache keys, responses to these requests
       will now vary on Authorization.
 .
     - CVE-2026-48587: Potential exposure of private data via whitespace
       padding in Vary header
 .
       django.middleware.cache.UpdateCacheMiddleware incorrectly cached
       responses whose Vary header values contained leading or trailing
       whitespace. Because has_vary_header failed to strip that whitespace,
       a response with a "Vary: * " header (note the trailing space) was not
       recognized as containing the wildcard, causing it to be stored and
       potentially served from the cache when it should not have been.
 .
       <https://www.djangoproject.com/weblog/2026/jun/03/security-releases/>
 .
     (Closes: #1138775)
   * New upstream version 6.0.6
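An added illustration of the CVE-2026-6873 entry above (constructed example code, not Django's own implementation or its actual fix): a signing salt built by plain concatenation lets two different (cookie name, salt) pairs land in the same signing namespace, while a length-prefixed derivation keeps them apart. The secret, the cookie value and the helper names are assumptions for the demonstration.

```python
import hashlib
import hmac

# Constructed secret for the demonstration; a real deployment would use SECRET_KEY.
SECRET = b"constructed-demo-secret"


def derive_salt_ambiguous(key: str, salt: str) -> str:
    """Concatenation, the scheme the advisory describes: 'ab'+'c' == 'a'+'bc'."""
    return key + salt


def derive_salt_unambiguous(key: str, salt: str) -> str:
    """Length-prefixed derivation (illustration only, not Django's code).

    Each component carries its own length, so two pairs with different
    components can never produce the same string.
    """
    return f"{len(key)}:{key}|{len(salt)}:{salt}"


def sign(value: str, salt: str) -> str:
    """HMAC-SHA256 over value, keyed by a per-namespace key derived from the salt."""
    ns_key = hashlib.sha256(salt.encode() + SECRET).digest()
    return hmac.new(ns_key, value.encode(), hashlib.sha256).hexdigest()


def verify(value: str, sig: str, salt: str) -> bool:
    return hmac.compare_digest(sign(value, salt), sig)


def cross_context_accepted(derive, sign_key, sign_salt, read_key, read_salt) -> bool:
    """Sign a cookie under one (key, salt) pair and try to verify it under another.

    Returns True when a signature produced in the first context is accepted
    in the second, i.e. when the two contexts share a signing namespace.
    """
    sig = sign("user=42", derive(sign_key, sign_salt))
    return verify("user=42", sig, derive(read_key, read_salt))


if __name__ == "__main__":
    # ("sessionid", "v2") and ("session", "idv2") concatenate to "sessionidv2".
    pairs = ("sessionid", "v2", "session", "idv2")
    print("concatenated salt:", cross_context_accepted(derive_salt_ambiguous, *pairs))
    print("length-prefixed salt:", cross_context_accepted(derive_salt_unambiguous, *pairs))
```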
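An added illustration of the three cache-middleware entries above (CVE-2026-8404, CVE-2026-35193 and CVE-2026-48587), written as constructed example code and not Django's own middleware: the decision of whether a response may be stored, and which request headers its cache key must vary on, applied to header values with mixed case and stray whitespace. The function and parameter names are assumptions.

```python
from typing import Dict, List, Optional


def parse_list(value: Optional[str]) -> List[str]:
    """Split a comma-separated header value, stripping whitespace and lowercasing,
    so 'Vary: * ' (trailing space) is recognised as the wildcard."""
    if not value:
        return []
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def parse_directives(cache_control: str) -> Dict[str, Optional[str]]:
    """Parse Cache-Control into {directive: value}; names are lowercased so that
    'Private' and 'PRIVATE' count the same as 'private'."""
    directives: Dict[str, Optional[str]] = {}
    for item in parse_list(cache_control):
        name, _, val = item.partition("=")
        directives[name.strip()] = val.strip() or None
    return directives


def cache_decision(response_headers: Dict[str, str],
                   request_headers: Dict[str, str]) -> Optional[List[str]]:
    """Return None when the response must not be stored, otherwise the sorted
    list of request headers the cache key must vary on."""
    directives = parse_directives(response_headers.get("Cache-Control", ""))
    if "private" in directives:
        return None                      # case-insensitive private check
    vary = set(parse_list(response_headers.get("Vary")))
    if "*" in vary:
        return None                      # wildcard survives padding
    request_has_auth = any(h.lower() == "authorization" for h in request_headers)
    if request_has_auth and "public" not in directives:
        vary.add("authorization")        # authenticated responses vary on Authorization
    return sorted(vary)


if __name__ == "__main__":
    # Constructed sample headers.
    print(cache_decision({"Cache-Control": "Private, max-age=60"}, {}))            # None
    print(cache_decision({"Vary": "Cookie, * "}, {}))                               # None
    print(cache_decision({"Vary": " Cookie "}, {"Authorization": "Bearer x"}))    # ['authorization', 'cookie']
    print(cache_decision({"Cache-Control": "PUBLIC", "Vary": "Cookie"},
                         {"authorization": "Bearer x"}))                           # ['cookie']
```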