-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 02 Dec 2025 11:34:10 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.27-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1121788
Changes:
python-django (3:4.2.27-1) unstable; urgency=medium
.
* New upstream security release.
<https://www.djangoproject.com/weblog/2025/dec/02/security-releases/>
.
- CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
column aliases when using PostgreSQL. FilteredRelation was subject to SQL
injection in column aliases via a suitably crafted dictionary as the
**kwargs passed to QuerySet.annotate() or QuerySet.alias().
.
- CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
XML serializer text extraction. An algorithmic complexity issue in
django.core.serializers.xml_serializer.getInnerText() allowed a remote
attacker to cause a potential denial-of-service triggering CPU and memory
exhaustion via a specially crafted XML input submitted to a service that
invokes XML Deserializer. The vulnerability resulted from repeated string
concatenation while recursively collecting text nodes, which produced
superlinear computation.
.
(Closes: #1121788)
.
* Mark that Python 3.14 is not supported yet.
Checksums-Sha1:
fd97107ab1b4038a43938f24e5908d61550c694b 2792 python-django_4.2.27-1.dsc
5c2da0b170d051f5e29bffd29e02a36e13068e22 10432781 python-django_4.2.27.orig.tar.gz
0cc6ee93d6d17b457894885e96e0fcd0df6ff245 35148 python-django_4.2.27-1.debian.tar.xz
fe971963fdbb828d69d6424f21f7f32165acf198 8046 python-django_4.2.27-1_amd64.buildinfo
Checksums-Sha256:
c9de75dc7874faee5197cc48fae4d8b5c84307b9d721e6ce1ea744502ee288eb 2792 python-django_4.2.27-1.dsc
b865fbe0f4a3d1ee36594c5efa42b20db3c8bbb10dff0736face1c6e4bda5b92 10432781 python-django_4.2.27.orig.tar.gz
91592f782abaa1a6d40b19bea9c5af83dbdfa1bfdc99ea2abdd7a50d14e62b2e 35148 python-django_4.2.27-1.debian.tar.xz
4b606fabb0932f3894956be0833a75b4380ebaedff3e02a0dd68a26096f75fcd 8046 python-django_4.2.27-1_amd64.buildinfo
Files:
5605464303c4aa714a38822b23fe931a 2792 python optional python-django_4.2.27-1.dsc
45431b7954d12014c88cd9f66cfefb2c 10432781 python optional python-django_4.2.27.orig.tar.gz
df64921ec9ac50e8fbe6d63a25589b27 35148 python optional python-django_4.2.27-1.debian.tar.xz
954e52d81bf5db6d9e04cd9cb0fb1b64 8046 python optional python-django_4.2.27-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----