-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 25 Jun 2026 06:21:22 -0700
Source: python-django
Binary: python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 3:5.2.15-2~bpo13+1
Distribution: trixie-backports
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework
Closes: 1102743 1126914 1126978 1129595 1132927 1135755 1138775
Changes:
 python-django (3:5.2.15-2~bpo13+1) trixie-backports; urgency=medium
 .
   * Rebuild for trixie-backports.
   * The fix for CVE-2025-6069 in the python3.9 source package modified the
     html.parser.HTMLParser class in such a way that it changed the behaviour
     of Django's strip_tags method in some edge cases that were tested by
     Django's testsuite. As a result of this regression, we update the
     testsuite for the new expected results.
 .
 python-django (3:5.2.15-2) unstable; urgency=medium
 .
   * Apply a patch from upstream to fix a FTBFS with gettext 0.26.
     (Closes: #1126978)
 .
 python-django (3:5.2.15-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2026-6873: Signed cookie salt namespace collision in
       django.http.HttpRequest.get_signed_cookie
 .
       get_signed_cookie derived the signing salt by concatenating the cookie
       name (key) and salt arguments. When distinct name and salt pairs
       produced the same concatenation, cookies could be accepted in a
       context different from the one where they were signed.
 .
       Cookies are now signed with an unambiguous salt derivation. For
       backwards compatibility, cookies signed by older Django versions are
       accepted until Django 7.0.
 .
     - CVE-2026-7666: Potential unencrypted email transmission via STARTTLS
       in the SMTP backend
 .
       When using EMAIL_USE_TLS, a failed STARTTLS handshake could leave a
       partially-initialized connection that would subsequently be reused
       for sending email without encryption. This can occur with
       fail_silently=True, as used by send_mail and BrokenLinkEmailsMiddleware
       among others. Connections configured with EMAIL_USE_SSL are not
       affected.
 .
     - CVE-2026-8404: Potential exposure of private data via case-sensitive
       Cache-Control directives in UpdateCacheMiddleware
 .
       django.middleware.cache.UpdateCacheMiddleware and
       django.views.decorators.cache.cache_page decorator incorrectly cached
       responses marked with private Cache-Control directives when using
       mixed or uppercase values (e.g. Private).
 .
       The django.views.decorators.cache.cache_control decorator and
       django.utils.cache.patch_cache_control function were not affected
       since they normalize directives to lowercase. This issue only affects
       responses where Cache-Control is set manually.
 .
     - CVE-2026-35193: Potential exposure of private data via missing
       Vary: Authorization in UpdateCacheMiddleware
 .
       django.middleware.cache.UpdateCacheMiddleware and
       django.views.decorators.cache.cache_page decorator allowed responses
       to requests bearing an Authorization header (and without
       Cache-Control: public) to be cached. To conform with the existing
       mechanism for constructing cache keys, responses to these requests
       will now vary on Authorization.
 .
     - CVE-2026-48587: Potential exposure of private data via whitespace
       padding in Vary header
 .
       django.middleware.cache.UpdateCacheMiddleware incorrectly cached
       responses whose Vary header values contained leading or trailing
       whitespace. Because has_vary_header failed to strip that whitespace,
       a response with a "Vary: * " header (note the trailing space) was not
       recognized as containing the wildcard, causing it to be stored and
       potentially served from the cache when it should not have been.
 .
       <https://www.djangoproject.com/weblog/2026/jun/03/security-releases/>
 .
     (Closes: #1138775)
 .
 python-django (3:5.2.14-2) unstable; urgency=medium
 .
   [ Athos Ribeiro ]
   * Cherry-pick patch to skip NOT NULL constraints on PostgreSQL 18. This
     addresses an issue that surfaces in python-django-postgres-extra.
     (LP: #2136172)
 .
 python-django (3:5.2.14-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2026-5766: Prevent a potential denial-of-service vulnerability in
       ASGI requests via a file upload limit bypass. ASGI requests with a
       missing or understated Content-Length header could bypass the
       FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files
       into memory and causing service degradation. As a reminder, Django
       expects a limit to be configured at the web server level rather than
       solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.
 .
     - CVE-2026-35192: Address a session fixation issue via public cached
       pages and SESSION_SAVE_EVERY_REQUEST. Response headers did not vary
       on cookies if a session was not modified but
       SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could
       therefore steal a user's session after that user visits a cached
       public page.
 .
     - CVE-2026-6907: Prevent a potential exposure of private data due to
       incorrect handling of "Vary: *" in UpdateCacheMiddleware. Previously,
       django.middleware.cache.UpdateCacheMiddleware would erroneously cache
       requests where the Vary header contained an asterisk ('*'). This
       could lead to private data being stored and served.
 .
     (Closes: #1135755)
 .
   * Bump Standards-Version to 4.7.4.
 .
 python-django (3:5.2.13-1) unstable; urgency=medium
 .
   * Upload of 5.2 branch to unstable. (Closes: #1102743)
   * New upstream security release:
 .
     - CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation.
       ASGIRequest normalizes header names following WSGI conventions,
       mapping hyphens to underscores. As a result, even in configurations
       where reverse proxies carefully strip security-sensitive headers
       named with hyphens, such a header could be spoofed by supplying a
       header named with underscores.
       Under WSGI, it is the responsibility of the server or proxy to avoid
       ambiguous mappings. (Django's runserver was patched via
       CVE-2015-0219.) But under ASGI, there is not the same uniform
       expectation, even if many proxies protect against this under default
       configuration (including nginx via underscores_in_headers off;).
       Headers containing underscores are now ignored by ASGIRequest,
       matching the behavior of Daphne, the reference server for ASGI.
 .
     - CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin. Add
       permissions on inline model instances were not validated on
       submission of forged POST data in GenericInlineModelAdmin.
 .
     - CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable. Admin
       changelist forms using ModelAdmin.list_editable incorrectly allowed
       new instances to be created via forged POST data.
 .
     - CVE-2026-33033: Potential denial-of-service vulnerability in
       MultiPartParser via base64-encoded file upload. When using
       django.http.multipartparser.MultiPartParser, multipart uploads with
       Content-Transfer-Encoding: base64 that include excessive whitespace
       may trigger repeated memory copying, potentially degrading
       performance.
 .
     - CVE-2026-33034: Potential denial-of-service vulnerability in ASGI
       requests via memory upload limit bypass. ASGI requests with a missing
       or understated Content-Length header could bypass the
       DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading HttpRequest.body,
       potentially loading an unbounded request body into memory and causing
       service degradation.
 .
       <https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>
 .
     (Closes: #1132927)
 .
   * Don't test Sphinx/GitHub interlinks during autopkgtests. These tests
     are essentially hardcoded to rely on the "django" Python package to
     reside adjacent to the tests in the directory tree. In the context of
     an autopkgtest, however, the "django" package must exist as an
     installed package (i.e. via the .deb) under /usr/lib/python3, etc.
   * Refresh patches.
 .
 python-django (3:5.2.12-1) unstable; urgency=medium
 .
   * New upstream 5.2.x release.
 .
 python-django (3:4.2.30-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation.
       ASGIRequest normalizes header names following WSGI conventions,
       mapping hyphens to underscores. As a result, even in configurations
       where reverse proxies carefully strip security-sensitive headers
       named with hyphens, such a header could be spoofed by supplying a
       header named with underscores. Under WSGI, it is the responsibility
       of the server or proxy to avoid ambiguous mappings. (Django's
       runserver was patched via CVE-2015-0219.) But under ASGI, there is
       not the same uniform expectation, even if many proxies protect
       against this under default configuration (including nginx via
       underscores_in_headers off;). Headers containing underscores are now
       ignored by ASGIRequest, matching the behavior of Daphne, the
       reference server for ASGI.
 .
     - CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin. Add
       permissions on inline model instances were not validated on
       submission of forged POST data in GenericInlineModelAdmin.
 .
     - CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable. Admin
       changelist forms using ModelAdmin.list_editable incorrectly allowed
       new instances to be created via forged POST data.
 .
     - CVE-2026-33033: Potential denial-of-service vulnerability in
       MultiPartParser via base64-encoded file upload. When using
       django.http.multipartparser.MultiPartParser, multipart uploads with
       Content-Transfer-Encoding: base64 that include excessive whitespace
       may trigger repeated memory copying, potentially degrading
       performance.
 .
     - CVE-2026-33034: Potential denial-of-service vulnerability in ASGI
       requests via memory upload limit bypass.
       ASGI requests with a missing or understated Content-Length header
       could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading
       HttpRequest.body, potentially loading an unbounded request body into
       memory and causing service degradation.
 .
       <https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>
 .
     (Closes: #1132927)
 .
 python-django (3:4.2.29-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2026-25674: Potential incorrect permissions on newly created file
       system objects.
 .
       Django's file-system storage and file-based cache backends used the
       process umask to control permissions when creating directories. In
       multi-threaded environments, one thread's temporary umask change can
       affect other threads' file and directory creation, resulting in file
       system objects being created with unintended permissions. Django now
       applies the requested permissions via os.chmod() after os.mkdir(),
       removing the dependency on the process-wide umask.
 .
     - CVE-2026-25673: Potential denial-of-service vulnerability in URLField
       via Unicode normalization on Windows.
 .
       The django.forms.URLField form field's to_python() method used
       urllib.parse.urlsplit() to determine whether to prepend a URL scheme
       to the submitted value. On Windows, urlsplit() performs NFKC
       normalization (unicodedata.normalize), which can be disproportionately
       slow for large inputs containing certain characters.
 .
       URLField.to_python() now uses a simplified scheme detection, avoiding
       Unicode normalization entirely and deferring URL validation to the
       appropriate layers. As a result, while leading and trailing
       whitespace is still stripped by default, characters such as newlines,
       tabs, and other control characters within the value are no longer
       handled by URLField.to_python(). When using the default URLValidator,
       these values will continue to raise ValidationError during
       validation, but if you rely on custom validators, ensure they do not
       depend on the previous behavior of URLField.to_python().
 .
       <https://www.djangoproject.com/weblog/2026/mar/03/security-releases/>
 .
     (Closes: #1129595)
 .
 python-django (3:4.2.28-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2025-13473: The check_password function in
       django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi
       allowed remote attackers to enumerate users via a timing attack.
 .
     - CVE-2025-14550: ASGIRequest allowed a remote attacker to cause a
       potential denial-of-service via a crafted request with multiple
       duplicate headers.
 .
     - CVE-2026-1207: Raster lookups on RasterField (only implemented on
       PostGIS) allowed remote attackers to inject SQL via the band index
       parameter.
 .
     - CVE-2026-1285: The django.utils.text.Truncator.chars() and
       Truncator.words() methods (with html=True) and the truncatechars_html
       and truncatewords_html template filters allowed a remote attacker to
       cause a potential denial-of-service via crafted inputs containing a
       large number of unmatched HTML end tags.
 .
     - CVE-2026-1287: FilteredRelation was subject to SQL injection in
       column aliases via control characters using a suitably crafted
       dictionary, with dictionary expansion, as the **kwargs passed to
       QuerySet methods annotate(), aggregate(), extra(), values(),
       values_list() and alias().
 .
     - CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in
       column aliases containing periods when the same alias is, using a
       suitably crafted dictionary, with dictionary expansion, used in
       FilteredRelation.
 .
       <https://www.djangoproject.com/weblog/2026/feb/03/security-releases/>
 .
     (Closes: #1126914)
 .
   * Drop debian/patches/test-strip-tags-incomplete-entities.patch; applied
     upstream.
   * Refresh patches.
   * Bump Standards-Version to 4.7.3.
Checksums-Sha1:
 a3f0dc5b1374907cad2b764603d5828c2d6b8d86 2824 python-django_5.2.15-2~bpo13+1.dsc
 ae2dc3fb0aaf8e60f5339f43f9c2b9441f62a162 10873669 python-django_5.2.15.orig.tar.gz
 7ab83073a11041ad360f655fb72ddeb7b675e819 38884 python-django_5.2.15-2~bpo13+1.debian.tar.xz
 9637d1f1d8ae910986f744e14244d709e08aec1d 3019264 python-django-doc_5.2.15-2~bpo13+1_all.deb
 3fdfa544b8db91dbb7e1c701c6aa1e2a120220b0 8301 python-django_5.2.15-2~bpo13+1_amd64.buildinfo
 273f6e09fcbf49dad524a6fbcacd1b0b490567ab 2896720 python3-django_5.2.15-2~bpo13+1_all.deb
Checksums-Sha256:
 e51a029b87b0d51524f03479d63b755cf0156520e82e6ad8335e1527cdabbfaa 2824 python-django_5.2.15-2~bpo13+1.dsc
 5154a9bf84ac01dde011e367f355c07dbb329532e06810dcf3ef2af269e236e7 10873669 python-django_5.2.15.orig.tar.gz
 22a17395891c6d4ac6f7d4300d4d156ac4a05cb4c562ce74f725315052ef9c75 38884 python-django_5.2.15-2~bpo13+1.debian.tar.xz
 3de3f5280d6f3c624119e3a95ebbe3ea27e367867868492c1f50469e2846ddb5 3019264 python-django-doc_5.2.15-2~bpo13+1_all.deb
 0e834c17350fe90af1b3840131fc32a994ef5133f3f4c1b5cc796236a3369643 8301 python-django_5.2.15-2~bpo13+1_amd64.buildinfo
 cc5fb91bc1db51c50661a00e35df615175b2fd6c46ed44b66b2e656c8107c2d1 2896720 python3-django_5.2.15-2~bpo13+1_all.deb
Files:
 458cda5146b6c519f0a633a9ce324c68 2824 python optional python-django_5.2.15-2~bpo13+1.dsc
 9db6f4aaaf130e3f53a4c5255c1b1bcd 10873669 python optional python-django_5.2.15.orig.tar.gz
 8e03e52d1d88e5b7ef0db1028f65386f 38884 python optional python-django_5.2.15-2~bpo13+1.debian.tar.xz
 9c3b3a6151158ae656c177229d9e2861 3019264 doc optional python-django-doc_5.2.15-2~bpo13+1_all.deb
 15d57e0ff95f16f00e9a04dfe20973d7 8301 python optional python-django_5.2.15-2~bpo13+1_amd64.buildinfo
 3808a1b79dbb385cc962358775c2d64b 2896720 python optional python3-django_5.2.15-2~bpo13+1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmo+8UUACgkQHpU+J9Qx
HljH5w//UfChkY0wgYGw88j2ynTrlx1k6MCX1e7q8XVERRyQcU8muGG8R/4NGW+O
aWQ0H7h9VgyyuveqOwJcV6qdVqCjouIKKKBOHPZDiKKAeyhkkc0xBG/JPVzFIwoA
gSvj27k+cBmy6S74tc2iAXRwDRlPD+plancOhr4ogsgdcIeoahpcattYYfIYkAT6
3gk1DZXR3GdU6bwYGaCol9PzZ+DsnSm5IhsMUkbFR/kpDKxiT+0LideUMnvQnKWb
bmfRyPqIkrsXDm7SXm1tlAWGsOo4g6/1H2cDLl5lqtbJsJ8B5t/7noPG1oeSCHG+
uMYnM60knbTXxy0nRbIJduAWW+H4/wdkKFDPF5ttJ69SGkx/EIApM+4JueNeMguf
gSuwRdLCVnm9B3tKNje7Qg38QrK1WOAxU/qga/I1c1WgMzHm51c7O8aKeTFp2DsY
Qf7S4K+Zf92Kz/3IGd3YrUeNqcsUFGpclV30IQy6+TLaw7eGGrg58KQXPRPSyIMB
M7rUvx1gnzxwipuRKDKsJzgIOQ0Mk0wLArxt3+6SFKQig/nz1Tu+ndRfgftxWlxB
27RwczTOg7pw3qhRe7jFohFOZHM7aB4KBsbWU4RfuU0jQRcRYpr0zjOjwYTaChBl
ttcQi2mkEEXPqKa4Q+lpMtQZwDdyL1L5IBNQHMgCRYFWUOZWTqQ=
=i7Km
-----END PGP SIGNATURE-----
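The salt collision described for CVE-2026-6873 above (5.2.15-1), shown with a small stand-alone HMAC signer. This is an added example and not Django's signing code: it models a per-context salt that is the plain concatenation of the cookie name and the salt argument beside a length-prefixed encoding, which is one injective alternative chosen for illustration (Django's exact new derivation is not reproduced). The SECRET value, the cookie names and the signed value are constructed for the example.

```python
"""Signed-value salt namespacing: ambiguous vs unambiguous derivation.

Added example, not Django's signing code. When the per-context salt is the
plain concatenation of cookie name and salt argument, two different
(name, salt) pairs can yield the same bytes, so a value signed for one
cookie verifies as another. Length-prefixing each component is one
injective encoding (an illustration only).
"""
import hashlib
import hmac

SECRET = b"example-secret-key"  # constructed; a real deployment uses SECRET_KEY


def ambiguous_salt(name: str, salt: str) -> bytes:
    # Vulnerable: ("csrf", "token") and ("csrft", "oken") both give b"csrftoken".
    return (name + salt).encode()


def unambiguous_salt(name: str, salt: str) -> bytes:
    # Hardened (assumed scheme): each part is length-prefixed, so the
    # encoding of the pair is unique and cannot be re-split another way.
    def enc(part: str) -> bytes:
        data = part.encode()
        return len(data).to_bytes(4, "big") + data
    return enc(name) + enc(salt)


def sign(value: str, context_salt: bytes) -> str:
    # Derive a per-context key from the salt, then MAC the value with it.
    key = hmac.new(SECRET, context_salt, hashlib.sha256).digest()
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{mac}"


def unsign(signed: str, context_salt: bytes):
    """Return the value if the MAC verifies for this context, else None."""
    value, _, mac = signed.rpartition(":")
    expected = sign(value, context_salt).rpartition(":")[2]
    return value if hmac.compare_digest(mac, expected) else None


def cross_context_accepted(derive) -> bool:
    """Sign a value as cookie "csrf" with salt "token", then try to read it
    back as cookie "csrft" with salt "oken". True means the namespaces
    collide under the given derivation function."""
    signed = sign("attacker-chosen", derive("csrf", "token"))
    return unsign(signed, derive("csrft", "oken")) is not None


if __name__ == "__main__":
    print("concatenated salt, accepted across contexts:",
          cross_context_accepted(ambiguous_salt))
    print("length-prefixed salt, accepted across contexts:",
          cross_context_accepted(unambiguous_salt))
```

The practical check for an application is the same as in the example: any place that builds a signing salt from more than one caller-supplied string needs an encoding where no two inputs produce the same bytes, otherwise a token minted for a low-value cookie can be replayed as a high-value one with the same concatenated name.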
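The three cache-middleware issues from 5.2.15-1 (CVE-2026-8404, CVE-2026-35193 and CVE-2026-48587) share one root: a shared-cache storage decision made on header tokens that were compared without normalisation. The following added example is not Django's UpdateCacheMiddleware; it is a minimal storage decision with a lenient variant that keeps the three described weaknesses beside a normalised variant. The function names, the (cacheable, vary_on) return shape and the sample request and response headers are constructed for this example.

```python
"""Shared-cache storage decision: lenient vs normalised header parsing.

Added example, not Django's code. naive_decision() compares Cache-Control
directives case-sensitively (so "Private" is not "private"), does not strip
Vary tokens (so "Vary: * " is not the wildcard) and ignores Authorization on
the request. hardened_decision() lower-cases and strips every token and adds
Authorization to the vary set unless the response is Cache-Control: public.
"""


def _tokens(header_value: str, normalise: bool) -> list:
    parts = header_value.split(",")
    if normalise:
        parts = [p.strip().lower() for p in parts]
    return [p for p in parts if p]


def _directive_names(cache_control: str, normalise: bool) -> set:
    # "max-age=600, Private" -> {"max-age", "Private"} (lower-cased if normalised)
    return {t.split("=", 1)[0] for t in _tokens(cache_control, normalise)}


def _decision(request_headers: dict, response_headers: dict, normalise: bool):
    """Return (cacheable, vary_on): whether the response may be stored in a
    shared cache and which request headers its cache key must include."""
    directives = _directive_names(response_headers.get("Cache-Control", ""), normalise)
    vary_on = set(_tokens(response_headers.get("Vary", ""), normalise))

    # Private or uncacheable responses must never enter a shared cache.
    if directives & {"private", "no-store"}:
        return False, set()
    # "Vary: *" means no cache key can represent the response.
    if "*" in vary_on:
        return False, set()
    # A credentialled request gets a response specific to that credential
    # unless the origin explicitly marks it public.
    if normalise:
        has_auth = any(name.lower() == "authorization" for name in request_headers)
        if has_auth and "public" not in directives:
            vary_on.add("authorization")
    return True, vary_on


def naive_decision(request_headers: dict, response_headers: dict):
    return _decision(request_headers, response_headers, normalise=False)


def hardened_decision(request_headers: dict, response_headers: dict):
    return _decision(request_headers, response_headers, normalise=True)


# Constructed sample exchanges, not captured traffic.
SAMPLES = {
    "mixed-case private": ({}, {"Cache-Control": "max-age=600, Private"}),
    "vary star padded": ({}, {"Cache-Control": "max-age=600", "Vary": "* "}),
    "authorization, not public": (
        {"Authorization": "Bearer t0ken"},
        {"Cache-Control": "max-age=600", "Vary": "Accept"},
    ),
}


def compare_all() -> dict:
    """Return {label: (naive_result, hardened_result)} for every sample."""
    return {
        label: (naive_decision(req, resp), hardened_decision(req, resp))
        for label, (req, resp) in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, (naive, hardened) in compare_all().items():
        print(f"{label:28} naive={naive} hardened={hardened}")
```

The first two samples are stored by the lenient variant and refused by the normalised one; the third is stored by both, but only the normalised variant keys it on Authorization, which is the behaviour the 5.2.15 entry describes for UpdateCacheMiddleware.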
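The underscore/hyphen conflation from CVE-2026-3902 (5.2.13-1 and 4.2.30-1 above), as an added example that is not Django's ASGIRequest. It builds WSGI-style META keys from an ASGI header list the way the entry describes, models a reverse proxy that strips only the hyphenated spelling of X-Forwarded-For, and shows the hardened rule of dropping any header name containing an underscore. The header lists, the proxy model and the comma-joining of duplicate header values are assumptions made for this example.

```python
"""ASGI header-name normalisation and underscore/hyphen conflation.

Added example, not Django's code. Mapping "-" to "_" when building META keys
makes "x_forwarded_for" and "x-forwarded-for" land on the same key, so a
proxy that strips only the hyphenated spelling can be bypassed. The hardened
variant ignores header names containing an underscore.
"""


def build_meta(headers, drop_underscore_names: bool) -> dict:
    """headers: list of (name, value) byte pairs as found in an ASGI scope.
    Duplicate names are joined with a comma (an assumption for this model)."""
    meta = {}
    for raw_name, raw_value in headers:
        name = raw_name.decode("latin1")
        value = raw_value.decode("latin1")
        if drop_underscore_names and "_" in name:
            continue  # hardened: an underscore name can never alias a hyphen name
        key = "HTTP_" + name.upper().replace("-", "_")
        if key in meta:
            value = meta[key] + "," + value
        meta[key] = value
    return meta


def proxy_forward(client_headers, client_ip: str):
    """Model a reverse proxy that removes the client's X-Forwarded-For
    (hyphenated spelling only) and appends its own; every other header name
    is passed through unchanged, as a proxy with underscores allowed would."""
    forwarded = [(n, v) for n, v in client_headers if n.lower() != b"x-forwarded-for"]
    forwarded.append((b"x-forwarded-for", client_ip.encode()))
    return forwarded


def client_ip_seen(drop_underscore_names: bool) -> str:
    """Return the address an application would take as the client IP when it
    reads the first entry of HTTP_X_FORWARDED_FOR. Constructed headers."""
    client_headers = [
        (b"host", b"example.test"),
        (b"x-forwarded-for", b"10.0.0.1"),  # proxy strips this spelling
        (b"x_forwarded_for", b"10.0.0.1"),  # spoofed spelling passes through
    ]
    scope_headers = proxy_forward(client_headers, "203.0.113.7")
    meta = build_meta(scope_headers, drop_underscore_names)
    return meta["HTTP_X_FORWARDED_FOR"].split(",")[0].strip()


if __name__ == "__main__":
    print("conflating mapping sees client as:", client_ip_seen(False))
    print("underscore names ignored, client is:", client_ip_seen(True))
```

With the conflating mapping the application sees the attacker-chosen 10.0.0.1 first; with underscore names ignored it sees the proxy-supplied address. The same protection can sit in front of the application (the entry mentions nginx's underscores_in_headers off;), but an ASGI application cannot assume every deployment has it.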
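The umask dependency from CVE-2026-25674 (4.2.29-1 above), as an added example that is not Django's storage code. os.mkdir(path, mode) yields mode & ~umask, so a restrictive umask left behind by another thread changes what every thread creates; applying the requested mode with os.chmod() afterwards, as the entry says Django now does, removes that dependency. A real race is timing-dependent, so the example sets the hostile umask directly; the helper names and the umask value are constructed for this example.

```python
"""Directory creation that does not depend on the process-wide umask.

Added example, not Django's code. Compares relying on mkdir's mode argument
(masked by the current umask) with an explicit chmod after creation.
"""
import os
import stat
import tempfile


def mkdir_umask_dependent(path: str, mode: int) -> int:
    """Create `path` relying on mkdir's mode alone; the effective bits are
    mode & ~umask. Returns the permission bits actually observed."""
    os.mkdir(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def mkdir_explicit_mode(path: str, mode: int) -> int:
    """Create `path`, then apply `mode` with chmod so the umask in force at
    creation time cannot change the result."""
    os.mkdir(path, mode)
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(requested: int = 0o755, hostile_umask: int = 0o077) -> tuple:
    """Simulate another thread having left a restrictive umask in place and
    compare both strategies. Returns (umask_dependent_bits, explicit_bits).
    The previous umask is restored afterwards."""
    old_umask = os.umask(hostile_umask)
    try:
        with tempfile.TemporaryDirectory() as base:
            dependent = mkdir_umask_dependent(os.path.join(base, "a"), requested)
            explicit = mkdir_explicit_mode(os.path.join(base, "b"), requested)
    finally:
        os.umask(old_umask)
    return dependent, explicit


if __name__ == "__main__":
    dep, exp = demo()
    print(f"umask-dependent: {dep:o}  explicit chmod: {exp:o}")
```

The mkdir-then-chmod order only ever widens permissions from the masked value up to the requested one, so the directory is never more permissive than requested during the window between the two calls.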