-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 03 Jun 2026 08:17:20 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:5.2.15-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1138775
Changes:
 python-django (3:5.2.15-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2026-6873: Signed cookie salt namespace collision in
       django.http.HttpRequest.get_signed_cookie
 .
       get_signed_cookie derived the signing salt by concatenating the
       cookie name (key) and salt arguments. When distinct name and salt
       pairs produced the same concatenation, cookies could be accepted in
       a context different from the one where they were signed.
 .
       Cookies are now signed with an unambiguous salt derivation. For
       backwards compatibility, cookies signed by older Django versions are
       accepted until Django 7.0.
 .
     - CVE-2026-7666: Potential unencrypted email transmission via STARTTLS
       in the SMTP backend
 .
       When using EMAIL_USE_TLS, a failed STARTTLS handshake could leave a
       partially-initialized connection that would subsequently be reused
       for sending email without encryption. This can occur with
       fail_silently=True, as used by send_mail and
       BrokenLinkEmailsMiddleware among others. Connections configured with
       EMAIL_USE_SSL are not affected.
 .
     - CVE-2026-8404: Potential exposure of private data via case-sensitive
       Cache-Control directives in UpdateCacheMiddleware
 .
       django.middleware.cache.UpdateCacheMiddleware and the
       django.views.decorators.cache.cache_page decorator incorrectly
       cached responses marked with private Cache-Control directives when
       using mixed or uppercase values (e.g. Private).
 .
       The django.views.decorators.cache.cache_control decorator and the
       django.utils.cache.patch_cache_control function were not affected
       since they normalize directives to lowercase. This issue only
       affects responses where Cache-Control is set manually.
 .
     - CVE-2026-35193: Potential exposure of private data via missing
       Vary: Authorization in UpdateCacheMiddleware
 .
       django.middleware.cache.UpdateCacheMiddleware and the
       django.views.decorators.cache.cache_page decorator allowed responses
       to requests bearing an Authorization header (and without
       Cache-Control: public) to be cached. To conform with the existing
       mechanism for constructing cache keys, responses to these requests
       will now vary on Authorization.
 .
     - CVE-2026-48587: Potential exposure of private data via whitespace
       padding in Vary header
 .
       django.middleware.cache.UpdateCacheMiddleware incorrectly cached
       responses whose Vary header values contained leading or trailing
       whitespace. Because has_vary_header failed to strip that whitespace,
       a response with a "Vary: * " header (note the trailing space) was
       not recognized as containing the wildcard, causing it to be stored
       and potentially served from the cache when it should not have been.
 .
       <https://www.djangoproject.com/weblog/2026/jun/03/security-releases/>
 .
       (Closes: #1138775)
Checksums-Sha1:
 677c0c5cae569fbd7ec7ec6cd573af51e143794f 2790 python-django_5.2.15-1.dsc
 ae2dc3fb0aaf8e60f5339f43f9c2b9441f62a162 10873669 python-django_5.2.15.orig.tar.gz
 b3258f8c44f0735631d2eba02fc80190cb7a7ebe 37536 python-django_5.2.15-1.debian.tar.xz
 b168f0445ad94d209c451956dc2babc29a768908 8158 python-django_5.2.15-1_amd64.buildinfo
Checksums-Sha256:
 6c4cea5397ffc5a7db5be92b8578c54864960d6d0f880ae2011f445899bfad0a 2790 python-django_5.2.15-1.dsc
 5154a9bf84ac01dde011e367f355c07dbb329532e06810dcf3ef2af269e236e7 10873669 python-django_5.2.15.orig.tar.gz
 1193eb58fb8521e4af178b30bf4f0f9266e389113c081fa6dbbf583905dc3510 37536 python-django_5.2.15-1.debian.tar.xz
 b7126848b5b76a203337bd48701bda05870e685d80a4f9b40d59e1d137f47296 8158 python-django_5.2.15-1_amd64.buildinfo
Files:
 21bccefa97dce1f79f873d3a90fe5b8e 2790 python optional python-django_5.2.15-1.dsc
 9db6f4aaaf130e3f53a4c5255c1b1bcd 10873669 python optional python-django_5.2.15.orig.tar.gz
 249b75c8a516a708835fe0aa7ab63325 37536 python optional python-django_5.2.15-1.debian.tar.xz
 528814bafd80f4a5e5e3c750d25bc024 8158 python optional python-django_5.2.15-1_amd64.buildinfo
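As an added illustration (not Django's code and not part of this changelog), the following is a minimal "may this response be stored, and keyed on what" decision for a caching middleware, written so that it does not fall into the three UpdateCacheMiddleware cases above: mixed-case Cache-Control directives, whitespace-padded Vary values, and requests carrying Authorization without an explicit Cache-Control: public. The function and helper names and the sample headers are assumptions of this example, not Django's API.

```python
from __future__ import annotations

# Added example: a cache-storage decision that normalizes header values the
# way a defender would want. It is not Django's implementation; names are
# hypothetical and the inputs are constructed for illustration.


def parse_directives(value: str) -> dict[str, str | None]:
    """Parse a Cache-Control value into {directive: argument}.

    Directive names are lowercased and stripped, so 'Private', ' PRIVATE '
    and 'private' all yield the key 'private' (CVE-2026-8404).
    """
    out: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"') or None
    return out


def vary_fields(value: str) -> set[str]:
    """Field names listed in Vary, lowercased and whitespace-stripped.

    'Vary: * ' (trailing space) must still be seen as the wildcard
    (CVE-2026-48587).
    """
    return {f.strip().lower() for f in value.split(",") if f.strip()}


def cache_key_varies_on(response_headers: dict, request_headers: dict) -> set[str] | None:
    """Return the request header names the cache key must include, or None
    when the response must not be stored at all."""
    cc = parse_directives(response_headers.get("Cache-Control", ""))
    if "private" in cc or "no-store" in cc:
        return None  # user-specific or explicitly uncacheable
    vary = vary_fields(response_headers.get("Vary", ""))
    if "*" in vary:
        return None  # wildcard: never reusable from cache
    # Responses to authenticated requests are only shareable when the
    # origin says so; otherwise key them on Authorization (CVE-2026-35193).
    request_names = {h.lower() for h in request_headers}
    if "authorization" in request_names and "public" not in cc:
        vary.add("authorization")
    return vary


if __name__ == "__main__":
    # Constructed sample: a padded wildcard must block storage.
    print(cache_key_varies_on({"Vary": "* "}, {}))  # None
```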