-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Oct 2025 11:17:18 -0700
Source: python-django
Architecture: source
Version: 3:4.2.25-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1116979
Changes:
 python-django (3:4.2.25-1) unstable; urgency=high
 .
   * New upstream security release (Closes: #1116979):
 .
     - CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(),
       aggregate() and extra() on MySQL and MariaDB.
 .
       QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate() and
       QuerySet.extra() methods were subject to SQL injection in column
       aliases, using a suitably crafted dictionary with dictionary expansion
       as the **kwargs passed to these methods on MySQL and MariaDB.
 .
     - CVE-2025-59682: Potential partial directory-traversal via archive.extract()
 .
       The django.utils.archive.extract() function, used by startapp --template
       and startproject --template, allowed partial directory-traversal via an
       archive with file paths sharing a common prefix with the target directory.
 .
       <https://www.djangoproject.com/weblog/2025/oct/01/security-releases/>
Checksums-Sha1:
 ef44cc7498958a6d7ab9711d66d6fba44c231b29 2792 python-django_4.2.25-1.dsc
 48139ef1b0b54d03568d5ef0e465bb8b45a2e52f 10456257 python-django_4.2.25.orig.tar.gz
 0af5a4bdc2124209e6c96f019ecf8ffb823d147f 34236 python-django_4.2.25-1.debian.tar.xz
 6cd9960560b189bf02088da00118e0bd1402d04a 6358 python-django_4.2.25-1_source.buildinfo
Checksums-Sha256:
 1a4a67d69a885f29d692c0883be10cff1681f1b85b2a49284c7d766357c1ce25 2792 python-django_4.2.25-1.dsc
 2391ab3d78191caaae2c963c19fd70b99e9751008da22a0adcc667c5a4f8d311 10456257 python-django_4.2.25.orig.tar.gz
 46a7f278d459b00d25359d0549da8d0af34257508c2bf549651b2bdc53f6686c 34236 python-django_4.2.25-1.debian.tar.xz
 bf6790aebcb0739bcb7877c5c7084e57c67bfb7b2844f4d3bc2e404a295dbdda 6358 python-django_4.2.25-1_source.buildinfo
Files:
 abc2dbc87ade688ce5f3e70de83fbc28 2792 python optional python-django_4.2.25-1.dsc
 ce41aa87dfd60ccc571c29b45af92239 10456257 python optional python-django_4.2.25.orig.tar.gz
 99a6a211b6cf4045bbba698d202c0ea2 34236 python optional python-django_4.2.25-1.debian.tar.xz
 6d9c9d3ed40700cbf53edef39b1c7aa4 6358 python optional python-django_4.2.25-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmjdhRgACgkQHpU+J9Qx
HlijZA/+L7P9aVxvj8RXzFPjKKffOlzFrmlV0bsIMkFZWBPf40MIvmabf66L2Dff
3uRXz3K5leTMjGfpFv8mKj8ca+OG5kVXb6wCETLVB9Kr7hNgCUlRgFVx7RNiuZK7
4nrqe08XoJKvAkABoO3xtOpnwNQXO7Dj42rwVHHJrhBs6elHcO0K1fINa8W4V0l7
BhAjC/HIMzF2MJI8PQkkxJjtV6UsTc0kqyqbl4mdgU2zSX2K1GW1lRBLUhxdo79q
fOu8JHLyY5xI7psVQsxudD+ReIL4ogeNxfGGVq6aBtZkmPphKrbGvAev9VBNNLJn
RNDPQ4ZRUAojP7YXHiCip5hiSMpZ3uer63G3nlVqx+waaIRL6iRaPj36keQLMkDw
Ih3ijWUHLYs6f5rEQxQzGsAmMh7T06l85XCtwtJMDGP3yeXY7/c8NpI80yVEjw7+
CAeYgnah2mdvDYYyjHhyw7GB9XxaYmxxTq+SI5dTnYbTDNdF5hkY9mTYQ0cO7Qld
Ws9kQ42eCNcFBxUGx+ZS3IcD2amN9hteTV0SVR7V3tcsZ7a0m6ZytvJKBxWco4sn
RrDJbJTKVLnnp90ixzCNrBSRaK4CU3Rf3BBblXvoDtCLTE3DQeqlrXQu0KNnlnMv
MJwa76IqtnO2U1CO3ooVmgGovz0C8K6Y2s+OGi821YBK/zrEdbQ=
=/mgS
-----END PGP SIGNATURE-----
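The two advisories above describe distinct bug classes: user-influenced dictionary keys reaching SQL as column aliases (CVE-2025-59681), and a path containment check that accepts any path merely sharing a string prefix with the target directory (CVE-2025-59682). The following is an added example, not Django's code and not the fix shipped in 4.2.25, showing the defensive checks an application can apply on its own side: an allow-list on alias keys before they are expanded into `annotate()`-style calls, and a directory-containment test based on `os.path.commonpath` placed beside the flawed prefix comparison it replaces. The identifier regex, the function names, the sample directory `/tmp/django_proj` and the sample archive member names are all constructed for this illustration.

```python
import os
import re

# Assumption for this example: a column alias is accepted only if it is a plain
# SQL identifier (letters, digits, underscore; not starting with a digit).
# Anything else, e.g. quotes, spaces or semicolons, is rejected up front rather
# than being trusted to the database backend's quoting.
ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def unsafe_alias_keys(kwargs):
    """Return the keys of `kwargs` that must not be used as column aliases."""
    return [k for k in kwargs
            if not isinstance(k, str) or ALIAS_RE.fullmatch(k) is None]


def validate_alias_keys(kwargs):
    """Gate for `QuerySet.annotate(**kwargs)` and friends: raise on unsafe keys.

    Intended to sit between any externally-influenced mapping and the ORM call,
    so that `qs.annotate(**validate_alias_keys(mapping))` never forwards a key
    that is not an identifier.
    """
    bad = unsafe_alias_keys(kwargs)
    if bad:
        raise ValueError(f"refusing non-identifier column alias(es): {bad!r}")
    return kwargs


def naive_prefix_check(target_dir, member_path):
    """The flawed pattern: a string-prefix test on the resolved path.

    `/tmp/django_proj_evil/...` starts with `/tmp/django_proj`, so a sibling
    directory that merely shares a prefix passes as if it were inside.
    """
    target = os.path.realpath(target_dir)
    candidate = os.path.realpath(os.path.join(target, member_path))
    return candidate.startswith(target)


def is_within_directory(target_dir, member_path):
    """Containment test that compares path components, not characters.

    `os.path.commonpath` returns the longest common *component* prefix, so
    `/tmp/django_proj` and `/tmp/django_proj_evil/x` share only `/tmp` and the
    check fails as it should. Both sides are passed through realpath first so
    that `..` segments and symlinks are resolved before the comparison.
    """
    target = os.path.realpath(target_dir)
    candidate = os.path.realpath(os.path.join(target, member_path))
    return os.path.commonpath([target, candidate]) == target


if __name__ == "__main__":
    # Constructed sample inputs; nothing is created on disk.
    members = ["app/models.py", "../django_proj_evil/settings.py", "../../etc/x"]
    for m in members:
        print(f"{m!r:40} naive={naive_prefix_check('/tmp/django_proj', m)!s:5} "
              f"safe={is_within_directory('/tmp/django_proj', m)}")
    print("unsafe keys:", unsafe_alias_keys({"total": 1, "x; --": 2, "1abc": 3}))
```

The lesson carried by `is_within_directory` generalises beyond archive extraction: any time a path derived from untrusted input is compared against a base directory, compare resolved path components rather than raw strings, and resolve before comparing so that `..` and symlinks cannot move the candidate after the check.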