[ubuntu/jammy-security] python-django 2:3.2.12-2ubuntu1.25 (Accepted)

Hlib Korzhynskyy hlib.korzhynskyy at canonical.com
Tue Feb 3 15:13:44 UTC 2026 

python-django (2:3.2.12-2ubuntu1.25) jammy-security; urgency=medium

  * SECURITY UPDATE: Username enumeration through timing difference in
    mod_wsgi authentication handler
    - debian/patches/CVE-2025-13473.patch: standardize timing of
      check_password() in mod_wsgi auth handler in
      django/contrib/auth/handlers/modwsgi.py,
      tests/auth_tests/test_handlers.py.
    - CVE-2025-13473
  * SECURITY UPDATE: Potential denial-of-service vulnerability via repeated
    headers when using ASGI
    - debian/patches/CVE-2025-14550.patch: optimize repeated header parsing
      in ASGI requests in django/core/handlers/asgi.py,
      tests/asgi/tests.py.
    - CVE-2025-14550
  * SECURITY UPDATE: Potential SQL injection via raster lookups on PostGIS
    - debian/patches/CVE-2026-1207.patch: prevent SQL injections in
      RasterField lookups via band index in
      django/contrib/gis/db/backends/postgis/operations.py,
      tests/gis_tests/rasterapp/test_rasterfield.py.
    - CVE-2026-1207
  * SECURITY UPDATE: Potential denial-of-service vulnerability in
    django.utils.text.Truncator HTML methods
    - debian/patches/CVE-2026-1285.patch: mitigate potential DoS in
      django.utils.text.Truncator for HTML input in django/utils/text.py,
      tests/utils_tests/test_text.py.
    - CVE-2026-1285
  * SECURITY UPDATE: Potential SQL injection in column aliases via control
    characters
    - debian/patches/CVE-2026-1287.patch: protect against SQL injection in
      column aliases via control characters in
      django/db/models/sql/query.py, tests/aggregation/tests.py,
      tests/annotations/tests.py, tests/queries/tests.py,
      tests/expressions/test_queryset_values.py.
    - CVE-2026-1287

Date: 2026-01-28 15:37:16.120664+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Hlib Korzhynskyy <hlib.korzhynskyy at canonical.com>
https://launchpad.net/ubuntu/+source/python-django/2:3.2.12-2ubuntu1.25
-------------- next part --------------
Sorry, changesfile not available.

More information about the jammy-changes mailing list