[ubuntu/noble-updates] python-django 3:4.2.11-1ubuntu1.14 (Accepted)

Ubuntu Archive Robot ubuntu-archive-robot at lists.canonical.com
Tue Feb 3 16:28:50 UTC 2026 

python-django (3:4.2.11-1ubuntu1.14) noble-security; urgency=medium

  * SECURITY UPDATE: Username enumeration through timing difference in
    mod_wsgi authentication handler
    - debian/patches/CVE-2025-13473.patch: standardize timing of
      check_password() in mod_wsgi auth handler in
      django/contrib/auth/handlers/modwsgi.py,
      tests/auth_tests/test_handlers.py.
    - CVE-2025-13473
  * SECURITY UPDATE: Potential denial-of-service vulnerability via repeated
    headers when using ASGI
    - debian/patches/CVE-2025-14550.patch: optimize repeated header parsing
      in ASGI requests in django/core/handlers/asgi.py,
      tests/asgi/tests.py.
    - CVE-2025-14550
  * SECURITY UPDATE: Potential SQL injection via raster lookups on PostGIS
    - debian/patches/CVE-2026-1207.patch: prevent SQL injections in
      RasterField lookups via band index in
      django/contrib/gis/db/backends/postgis/operations.py,
      tests/gis_tests/rasterapp/test_rasterfield.py.
    - CVE-2026-1207
  * SECURITY UPDATE: Potential denial-of-service vulnerability in
    django.utils.text.Truncator HTML methods
    - debian/patches/CVE-2026-1285.patch: mitigate potential DoS in
      django.utils.text.Truncator for HTML input in django/utils/text.py,
      tests/utils_tests/test_text.py.
    - CVE-2026-1285
  * SECURITY UPDATE: Potential SQL injection in column aliases via control
    characters
    - debian/patches/CVE-2026-1287.patch: protect against SQL injection in
      column aliases via control characters in
      django/db/models/sql/query.py, tests/aggregation/tests.py,
      tests/annotations/tests.py, tests/queries/tests.py,
      tests/expressions/test_queryset_values.py.
    - CVE-2026-1287
  * SECURITY UPDATE: Potential SQL injection via QuerySet.order_by and
    FilteredRelation
    - debian/patches/CVE-2026-1312-1.patch: protect order_by() from SQL
      injection via aliases with periods in
      django/db/models/sql/compiler.py, tests/ordering/tests.py.
    - debian/patches/CVE-2026-1312-2.patch: raise ValueError when
      FilteredRelation aliases contain periods in
      django/db/models/sql/query.py, tests/filtered_relation/tests.py,
      tests/ordering/tests.py.
    - CVE-2026-1312

Date: 2026-01-28 15:33:10.700437+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/python-django/3:4.2.11-1ubuntu1.14
-------------- next part --------------
Sorry, changesfile not available.

More information about the noble-changes mailing list