python-django (3:6.0-1)
[PTS] [DDPO]
OLD: VCS is behind the version in the archive: 3:4.2.27-1 < 3:6.0-1.
- Git: https://salsa.debian.org/python-team/packages/python-django.git
- Branch: debian/sid
- Path: debian/changelog
- Repo size: 9736192
- Browser: https://salsa.debian.org/python-team/packages/python-django
- Last scan: 2025-12-08 22:50:02+00
- Next scan: 2025-12-16 22:32:00+00
- CI pipeline status: failed
- Debian changelog in Git:
python-django (3:4.2.27-1) unstable; urgency=medium

  * New upstream security release.
    <https://www.djangoproject.com/weblog/2025/dec/02/security-releases/>

    - CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
      column aliases when using PostgreSQL. FilteredRelation was subject to SQL
      injection in column aliases via a suitably crafted dictionary as the
      **kwargs passed to QuerySet.annotate() or QuerySet.alias().
    - CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
      XML serializer text extraction. An algorithmic complexity issue in
      django.core.serializers.xml_serializer.getInnerText() allowed a remote
      attacker to cause a potential denial-of-service triggering CPU and memory
      exhaustion via a specially crafted XML input submitted to a service that
      invokes XML Deserializer. The vulnerability resulted from repeated string
      concatenation while recursively collecting text nodes, which produced
      superlinear computation.

    (Closes: #1121788)

  * Mark that Python 3.14 is not supported yet.

 -- Chris Lamb <lamby@debian.org>  Tue, 02 Dec 2025 11:34:10 -0800
- This branch is even with tag debian/3%4.2.27-1
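The changelog entry for CVE-2025-64460 attributes the denial of service to repeated string concatenation while recursively collecting text nodes. The following is an added illustration of that general pattern, not Django's getInnerText() and not the upstream fix: a recursive collector that rebuilds a string at every nesting level is run next to one that appends to a single shared list, over a constructed, deeply nested XML document. The "copied" counter is an assumed instrumentation metric (characters moved into an intermediate string) chosen to make the growth visible without timing; the element name, depth and leaf text are arbitrary.

```python
# Added illustration (not Django's code) of the complexity pattern described
# for CVE-2025-64460: text collected by string concatenation at every level
# of a nested element tree versus one shared accumulator joined once.
from xml.dom import minidom


def build_nested_xml(depth: int, leaf_text: str) -> str:
    """Constructed input: `depth` nested <a> elements around one text node."""
    return "<a>" * depth + leaf_text + "</a>" * depth


def inner_text_concat(node, stats):
    """Pattern that scales badly: every level concatenates its children's text
    into a fresh string, so the leaf text is re-copied once per ancestor.
    Total work grows with depth * text length, i.e. superlinearly in input size."""
    text = ""
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            text += child.data
            stats["copied"] += len(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            chunk = inner_text_concat(child, stats)
            text += chunk
            stats["copied"] += len(chunk)
    return text


def _collect_linear(node, parts, stats):
    """Walk the tree once, appending each text node to the shared list."""
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
            stats["copied"] += len(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            _collect_linear(child, parts, stats)


def inner_text_linear(node, stats):
    """Hardened pattern: one list shared across the recursion, joined once at
    the top, so each text node is copied a constant number of times whatever
    the nesting depth."""
    parts = []
    _collect_linear(node, parts, stats)
    return "".join(parts)


def compare(depth: int, leaf_text: str):
    """Run both collectors over the same document and report the work done.

    Returns a dict with whether both produced identical text and how many
    characters each variant moved into intermediate strings.
    """
    doc = minidom.parseString(build_nested_xml(depth, leaf_text))
    root = doc.documentElement
    concat_stats = {"copied": 0}
    linear_stats = {"copied": 0}
    text_a = inner_text_concat(root, concat_stats)
    text_b = inner_text_linear(root, linear_stats)
    return {
        "same_text": text_a == text_b,
        "concat_copied": concat_stats["copied"],
        "linear_copied": linear_stats["copied"],
    }


if __name__ == "__main__":
    # Depth is kept below Python's default recursion limit; the ratio between
    # the two counters grows linearly with depth for a fixed leaf text.
    for depth in (10, 100, 500):
        print(depth, compare(depth, "x" * 1000))
```

Both collectors return the same text, which is why the quadratic variant survives functional testing; only a cost metric (here the counter, in production CPU time and peak memory) exposes the difference an attacker can drive with a deeply nested document. When reviewing a backport or a third-party serializer for this class of bug, look for recursion that returns a string and concatenates it into the caller's string at each level.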