[SECURITY] [DLA 4484-1] python-django security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4484-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
February 19, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python-django
Version : 2:2.2.28-1~deb11u12
CVE IDs : CVE-2025-13473 CVE-2026-1207 CVE-2026-1285 CVE-2026-1287 CVE-2026-1312 CVE-2025-6069 CVE-2025-57833
It was discovered that there were multiple vulnerabilities in Django,
the Python-based web-development framework:
- CVE-2025-13473: The check_password function in
django.contrib.auth.handlers.modwsgi for authentication via
mod_wsgi allowed remote attackers to enumerate users via a timing
attack.
- CVE-2026-1207: Raster lookups on RasterField (only implemented on
PostGIS) allowed remote attackers to inject SQL via the band index
parameter.
- CVE-2026-1285: The django.utils.text.Truncator.chars() and
Truncator.words() methods (with html=True) and the
truncatechars_html and truncatewords_html template filters allowed
a remote attacker to cause a potential denial-of-service via
crafted inputs containing a large number of unmatched HTML end
tags.
- CVE-2026-1287: FilteredRelation was subject to SQL injection in
column aliases via control characters using a suitably crafted
dictionary, with dictionary expansion, as the **kwargs passed to
QuerySet methods annotate(), aggregate(), extra(), values(),
values_list() and alias().
- CVE-2026-1312: QuerySet.order_by() was subject to SQL injection
in column aliases containing periods when the same alias was also
used in FilteredRelation, via a suitably crafted dictionary passed
with dictionary expansion.
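The user-enumeration issue in CVE-2025-13473 is the classic timing side channel of a password check that returns early when the user does not exist, so the expensive hash is only computed for real accounts. The example below is added here to show the mitigation pattern in plain Python; it is not Django's or mod_wsgi's code, and the in-memory user table, the PBKDF2 parameters and the dummy record are constructed for the example. The hardened variant pays the hashing cost on both paths and compares digests with hmac.compare_digest, while keeping a None return for an unknown user as the handler convention assumed here.

```python
import hashlib
import hmac
import os

# Constructed sample parameters; a real deployment would use a stronger
# hasher configuration than this.
ITERATIONS = 50_000


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> tuple:
    """Create a (salt, digest) record for the constructed user table."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed in-memory "user table": username -> (salt, digest).
USERS = {"alice": make_record("correct horse battery staple")}

# A dummy record used on the "no such user" path so the hashing cost is
# paid regardless of whether the username exists.
_DUMMY_SALT, _DUMMY_DIGEST = make_record("dummy-password-that-never-matches")


def check_password_naive(username: str, password: str):
    """The vulnerable shape: an unknown user returns before any hashing,
    so the response time reveals whether the account exists."""
    rec = USERS.get(username)
    if rec is None:
        return None  # fast path, no hash computed
    salt, digest = rec
    return _derive(password, salt) == digest  # also a non-constant-time compare


def check_password_hardened(username: str, password: str):
    """Mitigation: always derive a hash, then compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        # Burn the same amount of work as the real-user path, then
        # discard the result.
        _derive(password, _DUMMY_SALT)
        return None
    salt, digest = rec
    return hmac.compare_digest(_derive(password, salt), digest)


if __name__ == "__main__":
    print(check_password_hardened("alice", "correct horse battery staple"))  # True
    print(check_password_hardened("alice", "wrong"))                         # False
    print(check_password_hardened("nobody", "anything"))                     # None
```

The remaining difference between the two hardened paths is a dictionary lookup, which is far below the resolution of a network timing measurement; what matters is that the dominant cost, the key derivation, is identical on both branches.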
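CVE-2026-1287 and CVE-2026-1312 share a root cause: dictionary keys that reach QuerySet methods through **kwargs become SQL column aliases, and control characters or periods in those keys survive into the generated SQL. The following example is added here as a defence-in-depth allowlist check an application can apply to untrusted keys before expanding them into annotate(), values(), order_by() or similar calls; it is not Django's own validation, and the function names and sample inputs are constructed for the example. It also shows why the anchor choice in the regex matters: Python's `$` matches before a trailing newline, so a `^...$` pattern silently accepts an alias ending in a control character.

```python
import re

# Allowlist for aliases built from untrusted input: an ASCII identifier.
# \A and \Z anchor at the true start and end of the string; \Z does not
# have the "before a trailing newline" behaviour that $ has.
ALIAS_RE = re.compile(r"\A[A-Za-z_][A-Za-z0-9_]*\Z")

# The same character class with ^...$ anchors, kept only to show the pitfall.
NAIVE_ALIAS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafeAlias(ValueError):
    """Raised when an untrusted key is not acceptable as a column alias."""


def validate_alias(alias) -> str:
    """Return the alias unchanged if it is a plain identifier, else raise."""
    if not isinstance(alias, str) or ALIAS_RE.match(alias) is None:
        raise UnsafeAlias(f"rejected column alias {alias!r}")
    return alias


def is_safe_alias(alias) -> bool:
    """Boolean form of validate_alias for callers that prefer a check."""
    try:
        validate_alias(alias)
        return True
    except UnsafeAlias:
        return False


def naive_is_safe(alias: str) -> bool:
    """The $-anchored check: accepts 'name\\n' because $ matches before a final newline."""
    return NAIVE_ALIAS_RE.match(alias) is not None


def safe_kwargs(untrusted: dict) -> dict:
    """Validate every key of a caller-supplied mapping before it is
    dictionary-expanded into a QuerySet method as **kwargs."""
    return {validate_alias(key): value for key, value in untrusted.items()}


if __name__ == "__main__":
    # Constructed sample keys of the kinds the advisory describes.
    samples = ["total_sales", "total.sales", "total\x00sales", "sales\n", "a b", "x--"]
    for s in samples:
        print(f"{s!r:18} strict={is_safe_alias(s)!s:5} naive={naive_is_safe(s)}")
```

A call such as `Model.objects.annotate(**safe_kwargs(request_data))` then fails closed on a key containing a period, whitespace, a NUL byte or a trailing newline instead of passing it through to the SQL compiler; the allowlist is deliberately narrower than what a database would accept as a quoted identifier.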
In addition, the fix for CVE-2025-6069 in the python3.9 source
package (released as part of a suite of updates in DLA 4445-1)
modified Python's html.parser.HTMLParser class in such a way that
changed the behaviour of Django's strip_tags() method in some edge
cases that were tested by Django's test suite. As a result of this
regression, we have updated the test suite for the new expected
results.
For Debian 11 bullseye, these problems have been fixed in version
2:2.2.28-1~deb11u12.
We recommend that you upgrade your python-django packages.
For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS