Your message dated Wed, 03 Sep 2025 15:40:13 +0000
with message-id <[email protected]>
and subject line Bug#1113865: fixed in python-django 3:5.2.6-1
has caused the Debian Bug report #1113865,
regarding python-django: CVE-2025-57833
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1113865: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113865
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 2:2.2.28-1~deb11u7
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-django.
CVE-2025-57833[0]: Potential SQL injection in FilteredRelation column aliases

FilteredRelation was subject to SQL injection in column aliases, using a
suitably crafted dictionary, with dictionary expansion, as the **kwargs
passed to QuerySet.annotate() or QuerySet.alias().
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-57833
https://www.cve.org/CVERecord?id=CVE-2025-57833
https://www.djangoproject.com/weblog/2025/sep/03/security-releases/
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
--- End Message ---
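The report above locates the problem in untrusted dictionary keys reaching QuerySet.annotate() or QuerySet.alias() through **kwargs expansion, where they become SQL column aliases. The real fix is the upstream release named in the advisory (5.2.6 and its siblings). As an added example that is not part of either message and is not Django's own code, the following Python shows one application-side, defence-in-depth check that works regardless of Django version: validate alias names before a client-controlled mapping is expanded. The helper names (alias_problem, sanitize_annotations), the allowlist ALLOWED_ALIASES and the SAMPLE_REQUEST mapping are all constructed for this example; the values stand in for FilteredRelation()/Count() expressions and play no part in the check.

```python
import re
from typing import Any, Dict, Iterable, Mapping, Optional, Tuple

# Annotation / alias names end up as SQL column aliases. Accept only plain
# identifiers: letters, digits and underscore, not starting with a digit.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Django's lookup separator; annotate() already rejects alias names containing
# it, so reject them here as well before they reach the ORM.
LOOKUP_SEP = "__"

# Hypothetical per-view allowlist (constructed for this example). Clients may
# only request annotations the application has explicitly defined.
ALLOWED_ALIASES = frozenset({"recent_orders", "book_count", "total_spent"})


def alias_problem(name: object, allowed: Iterable[str] = ALLOWED_ALIASES) -> Optional[str]:
    """Return the reason an alias must be rejected, or None if it is acceptable."""
    if not isinstance(name, str):
        return "alias is not a string"
    if not IDENTIFIER_RE.fullmatch(name):
        return "alias is not a plain identifier"
    if LOOKUP_SEP in name:
        return "alias contains the lookup separator"
    if name not in set(allowed):
        return "alias is not in the allowlist"
    return None


def sanitize_annotations(
    requested: Mapping[object, Any], allowed: Iterable[str] = ALLOWED_ALIASES
) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Split an untrusted mapping into (accepted, rejected_with_reason).

    Only `accepted` may ever be **kwargs-expanded into annotate()/alias();
    `rejected` is suitable for logging or for a 400 response to the caller.
    """
    accepted: Dict[str, Any] = {}
    rejected: Dict[str, str] = {}
    for name, expr in requested.items():
        problem = alias_problem(name, allowed)
        if problem is None:
            accepted[name] = expr
        else:
            rejected[repr(name)] = problem
    return accepted, rejected


# Constructed sample of a decoded, client-controlled "annotations" mapping.
SAMPLE_REQUEST = {
    "recent_orders": "FilteredRelation('orders', condition=...)",  # allowed
    "book count": "Count('book')",             # whitespace: not an identifier
    "total_spent;": "Sum('orders__total')",    # punctuation: not an identifier
    "author__name": "F('author__name')",       # contains the lookup separator
    "secret_flag": "Value(True)",              # valid identifier, not allowlisted
    42: "Count('id')",                         # not even a string
}

if __name__ == "__main__":
    ok, bad = sanitize_annotations(SAMPLE_REQUEST)
    print("accepted:", ok)
    print("rejected:", bad)
    # With Django present, the only safe call is with the filtered mapping:
    #   Book.objects.annotate(**ok)
```

The allowlist is the decisive control: the identifier checks stop malformed aliases from reaching the SQL compiler at all, but only the allowlist limits clients to annotations the application intended to expose. Log the `rejected` mapping; a burst of rejected aliases from one client is a useful detection signal.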
--- Begin Message ---
Source: python-django
Source-Version: 3:5.2.6-1
Done: Chris Lamb <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 03 Sep 2025 07:46:59 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:5.2.6-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1113865
Changes:
python-django (3:5.2.6-1) experimental; urgency=medium
.
* New upstream security release:
.
- CVE-2025-57833: Potential SQL injection in FilteredRelation column
aliases. The FilteredRelation feature in Django was subject to a
potential SQL injection vulnerability in column aliases that was
exploitable via a suitably crafted dictionary with dictionary expansion as
the **kwargs passed to QuerySet.annotate() or QuerySet.alias().
(Closes: #1113865)
.
<https://www.djangoproject.com/weblog/2025/sep/03/security-releases/>
Checksums-Sha1:
d3e69f576579e8e3d927bd6d35303ce433668264 2785 python-django_5.2.6-1.dsc
ada4c057790d255039ac5fe3a31378e5fde0417a 10858861 python-django_5.2.6.orig.tar.gz
a24e50f772a1cf529a9e563edec6d5e7195c693b 30544 python-django_5.2.6-1.debian.tar.xz
bc4d3da10c1e6e55b637bb2dc017d735502b286e 8046 python-django_5.2.6-1_amd64.buildinfo
Checksums-Sha256:
c860ac6b7796d4ec3fc086f44b205b11de3b70b8fad71ffc955b24105f9725b5 2785 python-django_5.2.6-1.dsc
da5e00372763193d73cecbf71084a3848458cecf4cee36b9a1e8d318d114a87b 10858861 python-django_5.2.6.orig.tar.gz
1139a6358de44feaba29fb18f9f02f48e42db634dc3840422f3193327f6b50e3 30544 python-django_5.2.6-1.debian.tar.xz
e35f182c4fc7ce7d4be01379a96f628eba49a5daaa6180e4aa624355e554223c 8046 python-django_5.2.6-1_amd64.buildinfo
Files:
735b6c9801e32715353f3c5c40326ae6 2785 python optional python-django_5.2.6-1.dsc
1f0327293cc3768903ce8cd390ec3f47 10858861 python optional python-django_5.2.6.orig.tar.gz
9f88aea9e419eb0b68155ad578d0d433 30544 python optional python-django_5.2.6-1.debian.tar.xz
37212c748d598a01cd8592480a653e83 8046 python optional python-django_5.2.6-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---