[ubuntu/questing-updates] python-django 3:5.2.4-1ubuntu2.4 (Accepted)

Ubuntu Archive Robot ubuntu-archive-robot at lists.canonical.com
Tue Apr 7 21:59:18 UTC 2026


python-django (3:5.2.4-1ubuntu2.4) questing-security; urgency=medium

  * SECURITY UPDATE: Potential denial-of-service vulnerability in
    MultiPartParser via base64-encoded file upload
    - debian/patches/CVE-2026-33033.patch: mitigate potential DoS in
      MultiPartParser in django/http/multipartparser.py,
      tests/requests_tests/tests.py.
    - CVE-2026-33033
  * SECURITY UPDATE: Potential denial-of-service vulnerability in ASGI
    requests via memory upload limit bypass
    - debian/patches/CVE-2026-33034.patch: enforce
      DATA_UPLOAD_MAX_MEMORY_SIZE on body size in ASGI requests in
      django/http/request.py, tests/asgi/tests.py.
    - CVE-2026-33034
  * SECURITY UPDATE: ASGI header spoofing via underscore/hyphen conflation
    - debian/patches/CVE-2026-3902.patch: ignore headers with underscores
      in ASGIRequest in django/core/handlers/asgi.py,
      django/test/client.py, tests/asgi/tests.py.
    - CVE-2026-3902
  * SECURITY UPDATE: Privilege abuse in GenericInlineModelAdmin
    - debian/patches/CVE-2026-4277.patch: Check add permissions in
      GenericInlineModelAdmin in django/contrib/contenttypes/admin.py,
      tests/generic_inline_admin/tests.py.
    - CVE-2026-4277
  * SECURITY UPDATE: Privilege abuse in ModelAdmin.list_editable
    - debian/patches/CVE-2026-4292.patch: Disallow instance creation via
      ModelAdmin.list_editable in django/contrib/admin/options.py,
      tests/admin_views/admin.py, tests/admin_views/tests.py.
    - CVE-2026-4292

Date: 2026-04-01 14:51:11.296747+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/python-django/3:5.2.4-1ubuntu2.4


More information about the Questing-changes mailing list