[ubuntu/questing-security] python-django 3:5.2.4-1ubuntu2.5 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Tue May 5 15:19:41 UTC 2026
python-django (3:5.2.4-1ubuntu2.5) questing-security; urgency=medium
* SECURITY UPDATE: Potential denial-of-service vulnerability in ASGI
requests via file upload limit bypass
- debian/patches/CVE-2026-5766.patch: enforce
DATA_UPLOAD_MAX_MEMORY_SIZE in MemoryFileUploadHandler on ASGI in
django/core/files/uploadhandler.py, tests/asgi/tests.py,
tests/requests_tests/tests.py.
- CVE-2026-5766
* SECURITY UPDATE: Session fixation via public cached pages and
SESSION_SAVE_EVERY_REQUEST
- debian/patches/CVE-2026-35192.patch: ensure Vary header is sent when
setting session cookie with SESSION_SAVE_EVERY_REQUEST=True in
django/contrib/sessions/middleware.py, tests/sessions_tests/tests.py.
- CVE-2026-35192
* SECURITY UPDATE: Potential exposure of private data due to incorrect
handling of Vary: * in UpdateCacheMiddleware
- debian/patches/CVE-2026-6907.patch: prevent caching of requests when
Vary header contains an asterisk in django/middleware/cache.py,
tests/cache/tests.py.
- CVE-2026-6907
Date: 2026-04-28 18:09:53.099667+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/python-django/3:5.2.4-1ubuntu2.5
-------------- next part --------------
Sorry, changesfile not available.
More information about the Questing-changes
mailing list