python-django (3:6.0.2-1)
OLD: VCS is behind the version in the archive: 3:4.2.28-1 < 3:6.0.2-1.
- Git: https://salsa.debian.org/python-team/packages/python-django.git
- Branch: debian/sid
- Path: debian/changelog
- Repo size: 13905920
- Browser: https://salsa.debian.org/python-team/packages/python-django
- Last scan: 2026-02-06 21:13:18+00
- Next scan: 2026-02-14 09:34:00+00
- CI pipeline status: success
- Debian changelog in Git:
python-django (3:4.2.28-1) unstable; urgency=high

  * New upstream security release:
    - CVE-2025-13473: The check_password function in
      django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi
      allowed remote attackers to enumerate users via a timing attack.
    - CVE-2025-14550: ASGIRequest allowed a remote attacker to cause a
      potential denial-of-service via a crafted request with multiple duplicate
      headers.
    - CVE-2026-1207: Raster lookups on RasterField (only implemented on
      PostGIS) allowed remote attackers to inject SQL via the band index
      parameter.
    - CVE-2026-1285: The django.utils.text.Truncator.chars() and
      Truncator.words() methods (with html=True) and the truncatechars_html and
      truncatewords_html template filters allowed a remote attacker to cause a
      potential denial-of-service via crafted inputs containing a large number
      of unmatched HTML end tags.
    - CVE-2026-1287: FilteredRelation was subject to SQL injection in column
      aliases via control characters using a suitably crafted dictionary, with
      dictionary expansion, as the **kwargs passed to QuerySet methods
      annotate(), aggregate(), extra(), values(), values_list() and alias().
    - CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in column
      aliases containing periods when the same alias is, using a suitably
      crafted dictionary, with dictionary expansion, used in FilteredRelation.
    <https://www.djangoproject.com/weblog/2026/feb/03/security-releases/>
    (Closes: #1126914)
  * Drop debian/patches/test-strip-tags-incomplete-entities.patch; applied upstream.
  * Refresh patches.
  * Bump Standards-Version to 4.7.3.

 -- Chris Lamb <lamby@debian.org>  Wed, 04 Feb 2026 07:50:22 -0800
- This branch is even with tag debian/3%4.2.28-1