python-django (3:6.0.6-1)
OLD: VCS is behind the version in the archive: 3:5.2.15-1 < 3:6.0.6-1.
- Git: https://salsa.debian.org/python-team/packages/python-django.git
- Branch: debian/sid
- Path: debian/changelog
- Repo size: 8343552
- Browser: https://salsa.debian.org/python-team/packages/python-django
- Last scan: 2026-06-03 20:31:34+00
- Next scan: 2026-06-11 14:28:00+00
- CI pipeline status: failed
- Debian changelog in Git:
python-django (3:5.2.15-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2026-6873: Signed cookie salt namespace collision in
      django.http.HttpRequest.get_signed_cookie

      get_signed_cookie derived the signing salt by concatenating the cookie
      name (key) and salt arguments. When distinct name and salt pairs produced
      the same concatenation, cookies could be accepted in a context different
      from the one where they were signed.

      Cookies are now signed with an unambiguous salt derivation. For backwards
      compatibility, cookies signed by older Django versions are accepted until
      Django 7.0.

    - CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in
      the SMTP backend

      When using EMAIL_USE_TLS, a failed STARTTLS handshake could leave a
      partially-initialized connection that would subsequently be reused for
      sending email without encryption. This can occur with fail_silently=True,
      as used by send_mail and BrokenLinkEmailsMiddleware among others.
      Connections configured with EMAIL_USE_SSL are not affected.

    - CVE-2026-8404: Potential exposure of private data via case-sensitive
      Cache-Control directives in UpdateCacheMiddleware

      django.middleware.cache.UpdateCacheMiddleware and
      django.views.decorators.cache.cache_page decorator incorrectly cached
      responses marked with private Cache-Control directives when using mixed
      or uppercase values (e.g. Private).

      The django.views.decorators.cache.cache_control decorator and
      django.utils.cache.patch_cache_control function were not affected
      since they normalize directives to lowercase. This issue only affects
      responses where Cache-Control is set manually.

    - CVE-2026-35193: Potential exposure of private data via missing Vary:
      Authorization in UpdateCacheMiddleware

      django.middleware.cache.UpdateCacheMiddleware and
      django.views.decorators.cache.cache_page decorator allowed responses to
      requests bearing an Authorization header (and without Cache-Control:
      public) to be cached. To conform with the existing mechanism for
      constructing cache keys, responses to these requests will now vary on
      Authorization.

    - CVE-2026-48587: Potential exposure of private data via whitespace padding
      in Vary header

      django.middleware.cache.UpdateCacheMiddleware incorrectly cached
      responses whose Vary header values contained leading or trailing
      whitespace. Because has_vary_header failed to strip that whitespace, a
      response with a "Vary: * " header (note the trailing space) was not
      recognized as containing the wildcard, causing it to be stored and
      potentially served from the cache when it should not have been.

    <https://www.djangoproject.com/weblog/2026/jun/03/security-releases/>
    (Closes: #1138775)

 -- Chris Lamb <lamby@debian.org>  Wed, 03 Jun 2026 08:17:20 -0700
- This branch is even with tag debian/3%5.2.15-1
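The three cache-related advisories in the changelog above (CVE-2026-8404, CVE-2026-35193 and CVE-2026-48587) share one root cause: a shared-cache decision that compares header values literally instead of normalizing them first. The following is an added, stand-alone illustration and is not Django's code or the package's own; it reimplements the decision logic in simplified form, with a `hardened=False` mode that reproduces the three failure modes the advisories describe and a `hardened=True` mode that applies the corrected rules (case-insensitive directive names, whitespace-stripped Vary members, and varying on Authorization when `public` is absent). The `_DELIM_RE` regex, the `cache_decision` function and the `SAMPLES` responses are constructed for this example.

```python
import re

# Constructed helper: split a comma-delimited header value.
# Example code, not Django's implementation.
_DELIM_RE = re.compile(r"\s*,\s*")

# Directives that mark a response as unsafe to store in a shared cache.
PRIVATE_DIRECTIVES = frozenset({"private", "no-store"})


def _directive_names(cache_control, hardened):
    """Return the set of directive names found in a Cache-Control value.

    hardened=False takes names verbatim, so 'Private' is not recognised as
    'private' (the CVE-2026-8404 pattern). hardened=True strips and
    lower-cases them, since directive names are case-insensitive.
    """
    names = set()
    for token in _DELIM_RE.split(cache_control or ""):
        name = token.split("=", 1)[0]
        if hardened:
            name = name.strip().lower()
        if name:
            names.add(name)
    return names


def has_vary_header(vary, header_query, hardened):
    """Report whether a Vary value lists header_query.

    hardened=False only lower-cases each member, so 'Vary: * ' (trailing
    space) is not seen as the wildcard (the CVE-2026-48587 pattern).
    hardened=True strips surrounding whitespace before comparing.
    """
    if vary is None:
        return False
    existing = set()
    for token in _DELIM_RE.split(vary):
        token = token.lower()
        if hardened:
            token = token.strip()
        if token:
            existing.add(token)
    return header_query.lower() in existing


def cache_decision(response_headers, request_has_authorization, hardened=True):
    """Decide what a middleware-style shared cache should do with a response.

    Returns one of:
      "skip"                      never store (private/no-store, or Vary: *)
      "store"                     safe to store under the normal cache key
      "store-vary-authorization"  store, but the key must include the
                                  request's Authorization header (the rule
                                  CVE-2026-35193 introduced for authenticated
                                  requests lacking Cache-Control: public;
                                  hardened=False omits it, as before the fix)
    """
    # Header names are case-insensitive; normalise the lookup keys.
    headers = {k.lower(): v for k, v in response_headers.items()}
    cc_names = _directive_names(headers.get("cache-control"), hardened)
    if cc_names & PRIVATE_DIRECTIVES:
        return "skip"
    if has_vary_header(headers.get("vary"), "*", hardened):
        return "skip"
    if hardened and request_has_authorization and "public" not in cc_names:
        return "store-vary-authorization"
    return "store"


# Constructed sample responses, one per edge case: (headers, request had Authorization)
SAMPLES = {
    "mixed_case_private": ({"Cache-Control": "Private, max-age=60"}, False),
    "vary_star_trailing_space": ({"Vary": "* "}, False),
    "authorized_no_public": ({"Cache-Control": "max-age=300"}, True),
    "authorized_public": ({"Cache-Control": "public, max-age=300"}, True),
    "plain_public_page": ({"Cache-Control": "max-age=300", "Vary": "Accept-Encoding"}, False),
}


def compare_decisions():
    """Return {sample_name: (naive_decision, hardened_decision)} for every sample."""
    return {
        name: (cache_decision(h, auth, hardened=False), cache_decision(h, auth, hardened=True))
        for name, (h, auth) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (naive, fixed) in compare_decisions().items():
        print(f"{name:26s} naive={naive:26s} hardened={fixed}")
```

Running the block prints a row per sample; the first two rows show the naive check storing a response it should have skipped, and the third shows the hardened check demanding that the cache key vary on Authorization. The same normalization belongs anywhere a cache, proxy or middleware reads Cache-Control or Vary that an application set by hand.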