-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 04 Jun 2025 08:09:36 -0700
Source: python-django
Architecture: source
Version: 3:5.2.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1107282
Changes:
python-django (3:5.2.2-1) experimental; urgency=medium
.
* New upstream security release:
.
- CVE-2025-48432: Potential log injection via unescaped request path.
.
Django's internal HTTP response logging used request.path directly,
allowing control characters (e.g. newlines or ANSI escape sequences) to
be written unescaped into logs. This could enable log injection or
forgery, letting attackers manipulate log appearance or structure,
especially in logs processed by external systems or viewed in terminals.
.
Although this does not directly impact Django's security model, it poses
risks when logs are consumed or interpreted by other tools. To fix this,
the internal django.utils.log.log_response() function now escapes all
positional formatting arguments using a safe encoding.
.
(Closes: #1107282)
.
<https://www.djangoproject.com/weblog/2025/jun/04/security-releases/>
Checksums-Sha1:
815bf140cea5fa9cd64cc8248deacff479f3f731 2783 python-django_5.2.2-1.dsc
87dff3ef8d00b15491d5bb64b2404caf66d8ae59 10827542 python-django_5.2.2.orig.tar.gz
64540d58bbea28783ffd4d67fef89c9335974c56 30388 python-django_5.2.2-1.debian.tar.xz
7928b4c602277e30ec7e19c5852211057b226efd 9397 python-django_5.2.2-1_source.buildinfo
Checksums-Sha256:
09df05276f720000e04b7b48b90a4480af3626a866a7401cbe874ad627ca3fe4 2783 python-django_5.2.2-1.dsc
85852e517f84435e9b13421379cd6c43ef5b48a9c8b391d29a26f7900967e952 10827542 python-django_5.2.2.orig.tar.gz
8582aa7fb7a1b222c7a2c08761b8aa7ea1e67cc4065a428ae240c4b76e8f97ef 30388 python-django_5.2.2-1.debian.tar.xz
0abc1a8c8f8504e91adec763343fc23f6e2f3c2168691fec9fa431b059982934 9397 python-django_5.2.2-1_source.buildinfo
Files:
1113b266a44f3c1f29ac17ee58ad3785 2783 python optional python-django_5.2.2-1.dsc
782577f532efab32f8119a7071f55d04 10827542 python optional python-django_5.2.2.orig.tar.gz
31d4346e1799fe6f92083ef22897b2bd 30388 python optional python-django_5.2.2-1.debian.tar.xz
98954cff19eda941bed8eecc2df2d82c 9397 python optional python-django_5.2.2-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmhAZeIACgkQHpU+J9Qx
Hlioew/9GDMF7wTM+mXz+nhjrCnNGLzHxhWfrhxr2Hj3i24GxwgwMxAT006d9WYR
uvkyE+PZe6sY2yX9+f0M+sjM6S34P1ox4WhORGi69oBH7la6s0I+HuWt4ZO59O95
I/2WochAWuiQzwS+feZxHCgbKhOIj/TRns+s/IoMrb3ffxpKghiuob8C6sFWjJWV
lRkeafGZPvBzseEqFB2/HCxVf/VwVlCPebMTWQvYsjykM6wkdMjFNcv/xouX7ocr
Tk1vVLQkSKOkFk2xu49hwB3T3MG3wU23qheyx9o2Ngp/+Jp1kVtzE9z0uEPcYYk+
dCQCVIHSVFSra4xFEfNE7uFaV2kI83+JS61Ler9YVrwJ6qd/y0yBFX5x/fytzYbf
srE+8C9itk24PmT34rBEWXORsSxE94lNwR5FDaR0GcmNJscrrvJf30sWJJQBs1P1
mFpOYws5gxf8F9YDDQ4Krlj0FdJ+C8psV3HNrwo7cekk7KKCKXSYdRzuUB0z8/VJ
dcOUF6XScNxWUvcTrHLy03arCRLqDGnSshCqzV8L5NrOmyovjb44miFfjs+2rN+O
W+I8bIHQXGZii4jdPx5WoaU/IfC/0M6iLxn/cH3ecdxzWX0jx4s8U1XMDRyO2b30
XequL+2q/sB+SYC4MjeK5PqcEGz1tSLKwgzrlpONauq5zfhb33I=
=pKPO
-----END PGP SIGNATURE-----
Attachment:
pgp8rqrslgPts.pgp
Description: PGP signature