python-django (3:6.0~rc1-1)
OLD: VCS is behind the version in the archive: 3:4.2.26-1 < 3:6.0~rc1-1.
- Git: https://salsa.debian.org/python-team/packages/python-django.git
- Branch: debian/sid
- Path: debian/changelog
- Repo size: 7606272
- Browser: https://salsa.debian.org/python-team/packages/python-django
- Last scan: 2025-11-21 03:01:04+00
- Next scan: 2025-11-28 03:26:00+00
- CI pipeline status: success
- Debian changelog in Git:
  python-django (3:4.2.26-1) unstable; urgency=high

    * New upstream security release.
      <https://www.djangoproject.com/weblog/2025/nov/05/security-releases/>
      - CVE-2025-64458: Fix a potential denial-of-service vulnerability in
        HttpResponseRedirect and HttpResponsePermanentRedirect. NFKC
        normalization in Python is slow on Windows; as a consequence,
        HttpResponseRedirect, HttpResponsePermanentRedirect and redirect were
        subject to a potential denial-of-service attack via certain inputs with
        a very large number of Unicode characters.
      - CVE-2025-64459: Prevent a potential SQL injection via _connector keyword
        argument in QuerySet/Q objects. The methods QuerySet.filter(),
        QuerySet.exclude(), and QuerySet.get() and the class Q() were subject to
        SQL injection when using a suitably crafted dictionary (with dictionary
        expansion) as the _connector argument.
    * Refresh patches.

   -- Chris Lamb <lamby@debian.org>  Wed, 05 Nov 2025 08:36:26 -0800
- This branch is even with tag debian/3%4.2.26-1