-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 07 Jul 2026 09:28:48 -0700 Source: python-django Built-For-Profiles: nocheck Architecture: source Version: 3:5.2.16-1 Distribution: unstable Urgency: high Maintainer: Debian Python Team <team+python@tracker.debian.org> Changed-By: Chris Lamb <lamby@debian.org> Closes: 1141629 Changes: python-django (3:5.2.16-1) unstable; urgency=high . * New upstream security release: . - CVE-2026-48588: UpdateCacheMiddleware and the @cache_page decorator cached responses that vary on cookies when the incoming request carried unrelated cookies, which allowed remote attackers to read private data from the shared cache. . - CVE-2026-53877: django.contrib.gis.gdal.GDALRaster over-read its in-memory buffer when constructed from a bytes object, which could disclose adjacent memory or cause service degradation via a potential segmentation fault when the vsi_buffer property is accessed. . - CVE-2026-53878: DomainNameValidator did not prohibit newlines in domain names (unless used via a form field, since CharField strips newlines). If an application used values with newlines in an HTTP response, header injection could occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers. . <https://www.djangoproject.com/weblog/2026/jul/07/security-releases/> . (Closes: #1141629) . * Bump debhelper compatibility level to 14. Checksums-Sha1: 9ed6650d9acf36f06192f34bea63000d51395720 2790 python-django_5.2.16-1.dsc eaffb4974373d59955293e9e87a4052b7e14f55d 10890894 python-django_5.2.16.orig.tar.gz 30fc77580dd492c2e0b48a5ebcde6e642c2cb0c1 38772 python-django_5.2.16-1.debian.tar.xz 7e21db20b0463a7fd49f796e32c01180b81d806f 8199 python-django_5.2.16-1_amd64.buildinfo Checksums-Sha256: ded9b174fad36f42a7075238849467304b3a3fe56e0d1cfd9949cc67558aa13f 2790 python-django_5.2.16-1.dsc 59ea02020c3136fce14bef0bbece21a10a4febef5eed1c51c22ae468efa22200 10890894 python-django_5.2.16.orig.tar.gz 534b99d5c8f7f7938dc8bbf820fd06b7582d130854e23a46800a4a6f155e560d 38772 python-django_5.2.16-1.debian.tar.xz bab292db20602a87d0b264ebefdced56fbd65d5a0621f41c876dd910c0df6e36 8199 python-django_5.2.16-1_amd64.buildinfo Files: 44db6d509bb10bf1bddbb2784575f010 2790 python optional python-django_5.2.16-1.dsc 0fa6df374d72417d9f44f324c35ad4df 10890894 python optional python-django_5.2.16.orig.tar.gz 2c3e548b61019789e7671fdb0edbd3a9 38772 python optional python-django_5.2.16-1.debian.tar.xz dd6182edbd93edcc62da1bde0dee4be5 8199 python optional python-django_5.2.16-1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmpNLC0ACgkQHpU+J9Qx HlhjaBAAt/CU31T/pGLMatl4VvzRqJJSJ6LZHx4C1cUG+0lFF4iUykWwSIGWxUu7 xQyBXcyV7il0dmgQ+oh554G2+Uhwvcn4ZzWHgWSuOF+J+/9PJlLtT1xniPbIm7Db TCPKPlch73Ci27EJRiP9E7/BRRhJ64cds8t0hE/mtF4oK6dgkZ71vsy7alvxXKV0 6fcjEf94MZ13JSmumNXTD1lbxhw821eOLMQhQKO28ySeICtZyZ5XdaAWaGrcj+E0 xCPsYhimZH0ZDDcsWWU6MDrN3hovaRQoayIgchrVnVPBU0xCmnKgQ//C3eztVbmz n6vuokfr0f1CCzgG4hN6ugQIwk9Fs7QU0DFHDpqQSGAweqBRepmmWNu3iby6F1W6 FbIZDbMuQhEJle3uDDILS6Dhu5WvFYJJZUmBDG/N+OqBYKO0PEwo1BnUi/G1Xr4f GwdifhyZ7IJpi3aViommSXewHLcyeAM7aG5EPgpQQKVRu7YyXfF0cTm9s1D5OImL zN/rxpfqAg+wtZKzFNCEIAlMTbYN2VR+OjMqW6MvKESMW6Aw3bo6MPYvojbb3jT2 06cdcTEzaoeWwOEmwskzpzeQ10PRbW76y548uSZlFs5PgFC4mBI7jUlS1BpVlF0y GToGVPbBJ3EQzdFbGEOi4rWWKnIDi1g6rgZ4lgd64HVS8AVikT8= =0Tg7 -----END PGP SIGNATURE-----