[SECURITY] [DLA 4425-1] python-django security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4425-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
December 29, 2025                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-django
Version        : 2:2.2.28-1~deb11u10
CVE IDs        : CVE-2025-64459 CVE-2025-64460
Debian Bug     : 1121788

It was discovered that there were two issues in Django, the
Python-based web development framework:

* CVE-2025-64459: A potential SQL injection via the _connector
  keyword argument of QuerySet/Q objects. The QuerySet methods
  filter(), exclude() and get(), as well as the Q() class, were
  subject to SQL injection when a suitably crafted dictionary was
  passed as the _connector argument.

* CVE-2025-64460: A potential denial of service in XML serializer
  text extraction. An algorithmic complexity issue in
  django.core.serializers.xml_serializer.getInnerText() allowed a
  remote attacker to cause CPU and memory exhaustion via a specially
  crafted XML input submitted to a service that invokes the XML
  deserializer. The vulnerability resulted from repeated string
  concatenation while recursively collecting text nodes, which
  produced superlinear computation.
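As an added illustration of the complexity issue described for CVE-2025-64460 (example code written for this advisory, not Django's own getInnerText() or its fix): slow_inner_text() models the pattern of rebuilding a string at every recursion level so that text at depth d is copied d times, fast_inner_text() is a linear alternative, and nested_xml() builds a constructed deeply nested document; all of these names are hypothetical.

```python
from xml.dom import minidom

def nested_xml(depth):
    """Constructed input: <a>x<a>x ... </a></a>, `depth` levels, one char each."""
    return "<a>x" * depth + "</a>" * depth

def slow_inner_text(node):
    """Model of the pattern the advisory describes: every level joins its own
    string and hands it up, so text at nesting depth d is copied d times.
    Returns (text, characters copied)."""
    parts, copied = [], 0
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            sub_text, sub_copied = slow_inner_text(child)
            parts.append(sub_text)
            copied += sub_copied
    text = "".join(parts)
    return text, copied + len(text)

def fast_inner_text(node):
    """Linear alternative: iterative walk, one append per text node, one join.
    The explicit stack also avoids RecursionError on deeply nested input."""
    parts, stack = [], [node]
    while stack:
        current = stack.pop()
        if current.nodeType in (current.TEXT_NODE, current.CDATA_SECTION_NODE):
            parts.append(current.data)
        elif current.nodeType in (current.ELEMENT_NODE, current.DOCUMENT_NODE):
            stack.extend(reversed(current.childNodes))  # keep document order
    text = "".join(parts)
    return text, sum(len(p) for p in parts) + len(text)

def compare(depth):
    """Parse a constructed document of the given depth and return the
    (slow, fast) character-copy counts; both extractors must agree on the text."""
    root = minidom.parseString(nested_xml(depth)).documentElement
    slow_text, slow_cost = slow_inner_text(root)
    fast_text, fast_cost = fast_inner_text(root)
    assert slow_text == fast_text == "x" * depth
    return slow_cost, fast_cost

if __name__ == "__main__":
    for depth in (200, 400):
        # Doubling the depth quadruples the slow count but only doubles the fast one.
        print(depth, compare(depth))
```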
For Debian 11 bullseye, these problems have been fixed in version
2:2.2.28-1~deb11u10.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS