[ubuntu/resolute-proposed] python-django 3:5.2.9-0ubuntu3 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Wed Feb 4 19:03:15 UTC 2026


python-django (3:5.2.9-0ubuntu3) resolute; urgency=medium

  * SECURITY UPDATE: Username enumeration through timing difference in
    mod_wsgi authentication handler
    - debian/patches/CVE-2025-13473.patch: standardize timing of
      check_password() in mod_wsgi auth handler in
      django/contrib/auth/handlers/modwsgi.py,
      tests/auth_tests/test_handlers.py.
    - CVE-2025-13473
  * SECURITY UPDATE: Potential denial-of-service vulnerability via repeated
    headers when using ASGI
    - debian/patches/CVE-2025-14550.patch: optimize repeated header parsing
      in ASGI requests in django/core/handlers/asgi.py,
      tests/asgi/tests.py.
    - CVE-2025-14550
  * SECURITY UPDATE: Potential SQL injection via raster lookups on PostGIS
    - debian/patches/CVE-2026-1207.patch: prevent SQL injections in
      RasterField lookups via band index in
      django/contrib/gis/db/backends/postgis/operations.py,
      tests/gis_tests/rasterapp/test_rasterfield.py.
    - CVE-2026-1207
  * SECURITY UPDATE: Potential denial-of-service vulnerability in
    django.utils.text.Truncator HTML methods
    - debian/patches/CVE-2026-1285.patch: mitigate potential DoS in
      django.utils.text.Truncator for HTML input in django/utils/text.py,
      tests/utils_tests/test_text.py.
    - CVE-2026-1285
  * SECURITY UPDATE: Potential SQL injection in column aliases via control
    characters
    - debian/patches/CVE-2026-1287.patch: protect against SQL injection in
      column aliases via control characters in
      django/db/models/sql/query.py, tests/aggregation/tests.py,
      tests/annotations/tests.py, tests/queries/tests.py,
      tests/expressions/test_queryset_values.py.
    - CVE-2026-1287
  * SECURITY UPDATE: Potential SQL injection via QuerySet.order_by and
    FilteredRelation
    - debian/patches/CVE-2026-1312-1.patch: protect order_by() from SQL
      injection via aliases with periods in
      django/db/models/sql/compiler.py, tests/ordering/tests.py.
    - debian/patches/CVE-2026-1312-2.patch: raise ValueError when
      FilteredRelation aliases contain periods in
      django/db/models/sql/query.py, tests/filtered_relation/tests.py,
      tests/ordering/tests.py.
    - CVE-2026-1312
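The first entry above fixes a username-enumeration timing side channel. The following is an added illustration, not Django's code and not the contents of the CVE-2025-13473 patch: a stdlib-only stand-in for check_password() in which the "before" path skips the hasher for unknown usernames while the "after" path always runs it, so the response time no longer reveals whether an account exists. The user store, PBKDF2 parameters and dummy-hash approach are assumptions modelled on the changelog wording.

```python
import hashlib
import hmac
import os
import time

# Assumption: PBKDF2 cost chosen so that one verification takes measurable time.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 (stand-in for Django's hashers)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user store: username -> (salt, digest). Only "alice" exists.
USERS = {"alice": hash_password("correct horse battery staple")}

# Throwaway record so the unknown-user path can burn one hash's worth of work
# (the same idea Django's ModelBackend uses; that the modwsgi patch does the
# same is an assumption based on the changelog wording).
_DUMMY_SALT, _ = hash_password(os.urandom(16).hex())


def check_password_leaky(username: str, password: str) -> bool:
    """'Before': an unknown username returns at once, skipping the hash entirely."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(digest, hash_password(password, salt)[1])


def check_password_fixed(username: str, password: str) -> bool:
    """'After': an unknown username still pays for one hash, then is rejected."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)
        return False
    salt, digest = record
    return hmac.compare_digest(digest, hash_password(password, salt)[1])


def elapsed(fn, username: str, password: str) -> float:
    """Wall-clock seconds for one call; used to compare the two code paths."""
    start = time.perf_counter()
    fn(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for fn in (check_password_leaky, check_password_fixed):
        known, unknown = elapsed(fn, "alice", "wrong"), elapsed(fn, "nobody", "wrong")
        print(f"{fn.__name__}: known={known:.4f}s unknown={unknown:.4f}s")
```

Running the block prints the two timings side by side; the leaky variant answers for an unknown user orders of magnitude faster than for a known one, the fixed variant takes roughly the same time on both paths.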

Date: Wed, 04 Feb 2026 13:38:58 -0500
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/python-django/3:5.2.9-0ubuntu3
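Three of the entries in this upload (CVE-2026-1287 and the two CVE-2026-1312 patches) concern SQL injection through column or relation aliases that contain control characters or periods. The block below is an added illustration of that class of check and is not Django's code or its actual validation pattern: a hypothetical check_alias() that rejects such aliases before they are quoted into generated SQL, with the blocked character set reconstructed from the changelog wording.

```python
import re

# Blocked inside an identifier: quote and bracket characters and SQL comment
# markers (classic injection vectors), whitespace, ASCII control characters
# (the CVE-2026-1287 entry) and periods, which a "table.column" parser would
# treat as a separator (the CVE-2026-1312 entry). Assumption: Django's real
# pattern differs in detail; this set is reconstructed from the changelog.
FORBIDDEN_ALIAS = re.compile(r"""['"`\[\];\s.\x00-\x1f\x7f]|--|/\*|\*/""")


def check_alias(alias: str) -> str:
    """Raise ValueError for an alias that must not reach generated SQL."""
    if not alias or FORBIDDEN_ALIAS.search(alias):
        raise ValueError(
            f"Column alias {alias!r} contains whitespace, quotation marks, "
            "semicolons, periods, control characters or SQL comment markers."
        )
    return alias


def is_safe_alias(alias: str) -> bool:
    """Boolean form of check_alias() for callers that do not want the exception."""
    try:
        check_alias(alias)
    except ValueError:
        return False
    return True


def quote_name(name: str) -> str:
    """Double-quote an identifier, doubling embedded quotes (ANSI SQL style)."""
    return '"%s"' % name.replace('"', '""')


def build_select(table: str, column: str, alias: str) -> str:
    """Compose SELECT <column> AS <alias> FROM <table>, validating the alias first.

    Quoting alone is not the defence here: the alias is rejected before it is
    quoted, so a period or control character never reaches the SQL text at all.
    """
    return "SELECT %s AS %s FROM %s" % (
        quote_name(column),
        quote_name(check_alias(alias)),
        quote_name(table),
    )
```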
Format: 1.8
Date: Wed, 04 Feb 2026 13:38:58 -0500
Source: python-django
Built-For-Profiles: noudeb
Architecture: source
Version: 3:5.2.9-0ubuntu3
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Original-Maintainer: Debian Python Team <team+python at tracker.debian.org>