python-django (3:6.0~alpha1-1) [PTS] [DDPO]

OLD: VCS is behind the version in the archive: 3:4.2.25-1 < 3:6.0~alpha1-1.

Git: https://salsa.debian.org/python-team/packages/python-django.git
JSON
Enter a full Vcs-* header, supported schemes are: Vcs-Bzr, Vcs-Cvs, Vcs-Darcs, Vcs-Git, Vcs-Hg, Vcs-Mtn, Vcs-Svn.
For Vcs-Git append -b branch to select the branch name; append [subdir] if the debian/ directory is not in the repository root.
The next upload will reset the information from the source package headers.
Branch: debian/sid
Path: debian/changelog
Repo size: 14225408
Browser: https://salsa.debian.org/python-team/packages/python-django
Last scan: 2025-10-08 19:57:14+00
Next scan: 2025-10-17 00:56:00+00
CI pipeline status: success

Debian changelog in Git:

python-django (3:4.2.25-1) unstable; urgency=high

  * New upstream security release (Closes: #1116979):

    - CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(),
      aggregate() and extra() on MySQL and MariaDB.

      QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate() and
      QuerySet.extra() methods were subject to SQL injection in column aliases,
      using a suitably crafted dictionary with dictionary expansion as the
      **kwargs passed to these methods on MySQL and MariaDB.

    - CVE-2025-59682: Potential partial directory-traversal via
      archive.extract()

      The django.utils.archive.extract() function, used by startapp --template
      and startproject --template allowed partial directory-traversal via an
      archive with file paths sharing a common prefix with the target
      directory.

    <https://www.djangoproject.com/weblog/2025/oct/01/security-releases/>

 -- Chris Lamb <lamby@debian.org>  Wed, 01 Oct 2025 11:17:18 -0700

This branch is even with tag debian/3%4.2.25-1