-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 10 Jul 2026 13:48:57 -0700 Source: python-django Binary: python-django-doc python3-django Built-For-Profiles: nocheck Architecture: source all Version: 3:5.2.16-1~bpo13+1 Distribution: trixie-backports Urgency: high Maintainer: Debian Python Team <team+python@tracker.debian.org> Changed-By: Chris Lamb <lamby@debian.org> Description: python-django-doc - High-level Python web development framework (documentation) python3-django - High-level Python web development framework Closes: 1141629 Changes: python-django (3:5.2.16-1~bpo13+1) trixie-backports; urgency=medium . * Rebuild for trixie-backports. * Drop debhelper-compat level to 13 for trixie-backports. . python-django (3:5.2.16-1) unstable; urgency=high . * New upstream security release: . - CVE-2026-48588: UpdateCacheMiddleware and the @cache_page decorator cached responses that vary on cookies when the incoming request carried unrelated cookies, which allowed remote attackers to read private data from the shared cache. . - CVE-2026-53877: django.contrib.gis.gdal.GDALRaster over-read its in-memory buffer when constructed from a bytes object, which could disclose adjacent memory or cause service degradation via a potential segmentation fault when the vsi_buffer property is accessed. . - CVE-2026-53878: DomainNameValidator did not prohibit newlines in domain names (unless used via a form field, since CharField strips newlines). If an application used values with newlines in an HTTP response, header injection could occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers. . <https://www.djangoproject.com/weblog/2026/jul/07/security-releases/> . (Closes: #1141629) . * Bump debhelper compatibility level to 14. Checksums-Sha1: 4ba7364d4b74a64bbaa191627680d6badfad1e96 2824 python-django_5.2.16-1~bpo13+1.dsc eaffb4974373d59955293e9e87a4052b7e14f55d 10890894 python-django_5.2.16.orig.tar.gz 86588e8763a131a9d162d8887bf45a5ac9f3e688 39216 python-django_5.2.16-1~bpo13+1.debian.tar.xz 78d10bae21bda56d4b6b4c71b79042fcd9f5b41f 3022216 python-django-doc_5.2.16-1~bpo13+1_all.deb c2f1a406771a9ba98e3ce9300f9af551a2597c59 8301 python-django_5.2.16-1~bpo13+1_amd64.buildinfo 413d36475ca3af7992bd2b43f5c70e57673de9d0 2897360 python3-django_5.2.16-1~bpo13+1_all.deb Checksums-Sha256: 90c0e2cb8d7c396f3b820a4a39a4139e11fa5a5404a57c88ced81938e5b81b13 2824 python-django_5.2.16-1~bpo13+1.dsc 59ea02020c3136fce14bef0bbece21a10a4febef5eed1c51c22ae468efa22200 10890894 python-django_5.2.16.orig.tar.gz c20a61b5308a95333bbfb4fe9194a0f2eea62dc1327ba02dbeb25973cd82e8b7 39216 python-django_5.2.16-1~bpo13+1.debian.tar.xz 3674cd0d4c3a1e2e56e0a412ca966d7491c5a33a9a359244753341369c912abf 3022216 python-django-doc_5.2.16-1~bpo13+1_all.deb 228b1040a88d890e1ea7e8040cc986d90456db2cbbdc303e1ea9ed800467add4 8301 python-django_5.2.16-1~bpo13+1_amd64.buildinfo 1c11db3c5688bdbcd3d021b1a946a5babe140ce448a3ad2720377925e81af2c0 2897360 python3-django_5.2.16-1~bpo13+1_all.deb Files: 0941d4ce79b08c09d64e93086f5e42cd 2824 python optional python-django_5.2.16-1~bpo13+1.dsc 0fa6df374d72417d9f44f324c35ad4df 10890894 python optional python-django_5.2.16.orig.tar.gz d79616243e7b5a7d703d65bf1b215a24 39216 python optional python-django_5.2.16-1~bpo13+1.debian.tar.xz a6d779b3d5256b474f082cd943e3056c 3022216 doc optional python-django-doc_5.2.16-1~bpo13+1_all.deb 6d0e801b8ab4b93993b45a345b0c2fb3 8301 python optional python-django_5.2.16-1~bpo13+1_amd64.buildinfo f559e0256a53c90107dfa46dfcbbce08 2897360 python optional python3-django_5.2.16-1~bpo13+1_all.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmpRXiAACgkQHpU+J9Qx HlgIIRAAr1nyYjxpHRDRZXNnDbvWIZI3Lp8WLgtPxRFpPtPwqk5YlVh7fkKqxROs EdvbkC1k8pslyAptxzZMnpVYylJtSsWVIoSOxl+9Zhbu2c2vIqLZxT6mO8z8yfx2 3MG+B4FZJcDJEu4g8I7htd0+5bt90gacBnFGsOK7yacKDwPNRsspHgobJfDYxsZ5 mroTSyW9fx5B6KKkzRMEiDa1T6FYmVoDhR51Vs0gnQEBH2cjRNHMgE4sqkZ5vpJ2 XTUrXd5Z8WSc8RpDHKp1NyHBkkPXMZjAOzLUbZTg8W6zRhuqBfwUrmn0OLomqd64 oa2Rp9wt+HN9CChw9Hn923hukXSY6UeEY8cTAkww7EfMEXqPUlpVyA3+sfND5X0W WkM7EBaP8cDGupps1/P3YoyeOqcTzLHtWx/AjcA3ZmdqdYP8fyxjgZtGABNNWDFE AsZYtC4ELpdbcSoUHLzj09EShUCvuCK1J4OvGzM2Q4hJ/W1oBKy23ofm+4YDY27R 3H860+OZeDIhNLTJmp4US8HhZXRv0vWe/dmQqCxl7fXvqDdq4euk5FI5Inhx58zg 1As+/I8heurwp2lmpyW5kmri1BW2hun+Aa/6wBCwcr3rx6gCoWbC7nmrf2qhyIpR j618N2stRG6kJlec/rhfU2d8UPtZtlQz7fOJh7nCUk8HiVYsyXE= =0CKv -----END PGP SIGNATURE-----