python-django (3:6.0.3-1)
OLD: VCS is behind the version in the archive: 3:4.2.29-1 < 3:6.0.3-1.
- Git: https://salsa.debian.org/python-team/packages/python-django.git
- Branch: debian/sid
- Path: debian/changelog
- Repo size: 7299072
- Browser: https://salsa.debian.org/python-team/packages/python-django
- Last scan: 2026-03-17 08:43:05+00
- Next scan: 2026-03-22 11:53:00+00
- CI pipeline status: success
- Debian changelog in Git:
python-django (3:4.2.29-1) unstable; urgency=high

  * New upstream security release:
    - CVE-2026-25674: Potential incorrect permissions on newly created file
      system objects.
      Django's file-system storage and file-based cache backends used the
      process umask to control permissions when creating directories. In
      multi-threaded environments, one thread's temporary umask change can
      affect other threads' file and directory creation, resulting in file
      system objects being created with unintended permissions. Django now
      applies the requested permissions via os.chmod() after os.mkdir(),
      removing the dependency on the process-wide umask.
    - CVE-2026-25673: Potential denial-of-service vulnerability in URLField via
      Unicode normalization on Windows.
      The django.forms.URLField form field's to_python() method used
      urllib.parse.urlsplit() to determine whether to prepend a URL scheme to
      the submitted value. On Windows, urlsplit() performs NFKC normalization
      (unicodedata.normalize), which can be disproportionately slow for large
      inputs containing certain characters.
      URLField.to_python() now uses a simplified scheme detection, avoiding
      Unicode normalization entirely and deferring URL validation to the
      appropriate layers. As a result, while leading and trailing whitespace is
      still stripped by default, characters such as newlines, tabs, and other
      control characters within the value are no longer handled by
      URLField.to_python(). When using the default URLValidator, these values
      will continue to raise ValidationError during validation, but if you rely
      on custom validators, ensure they do not depend on the previous behavior
      of URLField.to_python().
      <https://www.djangoproject.com/weblog/2026/mar/03/security-releases/>
      (Closes: #1129595)

 -- Chris Lamb <lamby@debian.org>  Tue, 03 Mar 2026 09:48:56 -0800
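The umask problem behind CVE-2026-25674, as an added stand-alone example (not Django's or the Debian package's code): one thread temporarily narrows the process-wide umask while another thread creates a directory. The helper names (`naive_mkdir`, `fixed_mkdir`, `mkdir_during_foreign_umask`) are assumptions for this illustration; barriers make the interleaving deterministic, and it assumes a POSIX filesystem that honours mode bits.

```python
import os
import stat
import tempfile
import threading


def naive_mkdir(path, mode):
    # Effective mode is (mode & ~umask): depends on the process-wide umask.
    os.mkdir(path, mode)


def fixed_mkdir(path, mode):
    # Create, then apply the requested mode explicitly so that a concurrent
    # umask change in another thread cannot narrow (or widen) the result.
    os.mkdir(path, mode)
    os.chmod(path, mode)


def dir_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def mkdir_during_foreign_umask(mkdir_func, path, mode=0o755, foreign_umask=0o077):
    """Run mkdir_func in one thread while a second thread holds a
    temporarily restrictive umask. Returns the directory's mode bits."""
    umask_set = threading.Barrier(2)
    mkdir_done = threading.Barrier(2)

    def umask_changer():
        old = os.umask(foreign_umask)  # umask is per process, not per thread
        umask_set.wait()               # let the creator run under our umask
        mkdir_done.wait()
        os.umask(old)                  # restore only after the mkdir is done

    def creator():
        umask_set.wait()
        mkdir_func(path, mode)
        mkdir_done.wait()

    threads = [threading.Thread(target=umask_changer), threading.Thread(target=creator)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return dir_mode(path)


def demo():
    # Constructed scenario: the naive variant yields 0o700, the fixed one 0o755.
    with tempfile.TemporaryDirectory() as tmp:
        naive = mkdir_during_foreign_umask(naive_mkdir, os.path.join(tmp, "naive"))
        fixed = mkdir_during_foreign_umask(fixed_mkdir, os.path.join(tmp, "fixed"))
    return naive, fixed
```

Note that the fixed variant still has a brief window between `os.mkdir()` and `os.chmod()`; it guarantees the final mode, not the mode at every instant.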
- This branch is even with tag debian/3%4.2.29-1