Your message dated Fri, 27 Feb 2026 21:17:17 +0000
with message-id <[email protected]>
and subject line Bug#1126914: fixed in python-django 3:4.2.28-0+deb13u1
has caused the Debian Bug report #1126914,
regarding python-django: CVE-2025-13473 CVE-2025-14550 CVE-2026-1207
CVE-2026-1285 CVE-2026-1287 CVE-2026-1312
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126914: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-django
Version: 3:4.2.27-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 3:4.2.27-0+deb13u1
Hi,
The following vulnerabilities were published for python-django.
CVE-2025-13473[0]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. The
| `django.contrib.auth.handlers.modwsgi.check_password()` function for
| authentication via `mod_wsgi` allows remote attackers to enumerate
| users via a timing attack. Earlier, unsupported Django series (such
| as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Stackered for reporting this
| issue.
CVE-2025-14550[1]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a
| potential denial-of-service via a crafted request with multiple
| duplicate headers. Earlier, unsupported Django series (such as
| 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Jiyong Yang for reporting this
| issue.
CVE-2026-1207[2]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only
| implemented on PostGIS) allows remote attackers to inject SQL via
| the band index parameter. Earlier, unsupported Django series (such
| as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Tarek Nakkouch for reporting
| this issue.
CVE-2026-1285[3]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and
| `Truncator.words()` methods (with `html=True`) and the
| `truncatechars_html` and `truncatewords_html` template filters allow
| a remote attacker to cause a potential denial-of-service via crafted
| inputs containing a large number of unmatched HTML end tags.
| Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x)
| were not evaluated and may also be affected. Django would like to
| thank Seokchan Yoon for reporting this issue.
CVE-2026-1287[4]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in
| column aliases via control characters, using a suitably crafted
| dictionary, with dictionary expansion, as the `**kwargs` passed to
| `QuerySet` methods `annotate()`, `aggregate()`, `extra()`,
| `values()`, `values_list()`, and `alias()`. Earlier, unsupported
| Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated
| and may also be affected. Django would like to thank Solomon Kebede
| for reporting this issue.
CVE-2026-1312[5]:
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
| 4.2 before 4.2.28. `QuerySet.order_by()` is subject to SQL
| injection in column aliases containing periods when the same alias
| is, using a suitably crafted dictionary, with dictionary expansion,
| used in `FilteredRelation`. Earlier, unsupported Django series (such
| as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Solomon Kebede for reporting
| this issue.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-13473
https://www.cve.org/CVERecord?id=CVE-2025-13473
[1] https://security-tracker.debian.org/tracker/CVE-2025-14550
https://www.cve.org/CVERecord?id=CVE-2025-14550
[2] https://security-tracker.debian.org/tracker/CVE-2026-1207
https://www.cve.org/CVERecord?id=CVE-2026-1207
[3] https://security-tracker.debian.org/tracker/CVE-2026-1285
https://www.cve.org/CVERecord?id=CVE-2026-1285
[4] https://security-tracker.debian.org/tracker/CVE-2026-1287
https://www.cve.org/CVERecord?id=CVE-2026-1287
[5] https://security-tracker.debian.org/tracker/CVE-2026-1312
https://www.cve.org/CVERecord?id=CVE-2026-1312
[6] https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
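The timing leak named for CVE-2025-13473 above, as an added example that is not part of the bug report and is not Django's code or the change shipped in 4.2.28. The report only states that `django.contrib.auth.handlers.modwsgi.check_password()` let a remote attacker enumerate users by timing; the in-memory user table, the PBKDF2 hasher, the `HASH_CALLS` instrumentation and both `check_password` variants below are this example's own assumptions, written to show why an early return for unknown users leaks and how doing equal work plus a constant-time compare removes the signal (the same equal-work idea Django's `ModelBackend` already applies to nonexistent users).

```python
"""Equal-work password checking: the class of bug behind CVE-2025-13473.

Added example; the user table, hasher and both check_password variants
are assumptions of this example, not code from Django or Debian.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000          # assumption: enough work to make the gap visible
HASH_CALLS = {"n": 0}        # instrumentation: how often the slow hash ran


def hash_password(password: str, salt: bytes) -> bytes:
    HASH_CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _user(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed user table for the example: username -> (salt, digest).
USERS = {"alice": _user("correct horse battery"), "bob": _user("hunter2")}

# Salt for the dummy hash performed when the username does not exist.
DUMMY_SALT = os.urandom(16)


def check_password_vulnerable(environ, username, password):
    """mod_wsgi-style (environ, username, password) -> bool, the leaky way:
    an unknown user returns before any hashing, so the response arrives
    one full PBKDF2 run sooner than for a known user."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    return hash_password(password, salt) == digest


def check_password_hardened(environ, username, password):
    """Same contract, two changes: always run the hasher exactly once,
    and compare digests in constant time. Response time is now the same
    whether or not the username exists."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, DUMMY_SALT)   # burn the same CPU, discard result
        return False
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt), digest)


def hash_calls(check, username, password) -> int:
    """How many PBKDF2 runs one call to `check` performs."""
    before = HASH_CALLS["n"]
    check({}, username, password)
    return HASH_CALLS["n"] - before


def timing_gap(check, known="alice", unknown="nobody", rounds=5) -> float:
    """Median seconds(known user) - seconds(unknown user), wrong password
    both times; a large positive value is what the attacker measures."""
    def median_secs(user):
        samples = []
        for _ in range(rounds):
            t0 = time.perf_counter()
            check({}, user, "wrong password")
            samples.append(time.perf_counter() - t0)
        return sorted(samples)[rounds // 2]
    return median_secs(known) - median_secs(unknown)


if __name__ == "__main__":
    for name, check in (("vulnerable", check_password_vulnerable),
                        ("hardened", check_password_hardened)):
        print(f"{name:10} known-vs-unknown gap: {timing_gap(check) * 1000:8.2f} ms; "
              f"hash runs for unknown user: {hash_calls(check, 'nobody', 'x')}")
```

Run as a script, the vulnerable variant shows a gap of roughly one PBKDF2 run between known and unknown usernames while the hardened one hovers around zero; `hash_calls()` gives the same answer without depending on the clock, which is the property to assert in a regression test.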
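A defensive check for the two alias injections above (CVE-2026-1287 and CVE-2026-1312), as an added example that is not Django's code and not the validation 4.2.28 added. The report says the injections needed control characters, or periods, in alias names delivered through dictionary expansion (`**kwargs`) into `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, `alias()` and, together with `FilteredRelation`, `order_by()`. The rule below is this example's own policy for application code that builds such dictionaries from request data: an alias must be a plain ASCII identifier, which excludes both classes of character named in the report and the usual SQL metacharacters as well. `UnsafeAlias`, `check_alias`, `safe_annotations` and `safe_order_by` are names invented here.

```python
"""Refusing unsafe column aliases before they reach QuerySet methods.

Added example; the identifier-only policy and every function here are
this example's own, not Django's validation.
"""
import re
import unicodedata

# Assumed policy: letters, digits and underscores only, not starting
# with a digit. Anything else is rejected, whatever Django would accept.
_ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class UnsafeAlias(ValueError):
    """Raised for an alias that must not reach the ORM."""


def check_alias(alias) -> str:
    """Return `alias` unchanged or raise UnsafeAlias naming the reason."""
    if not isinstance(alias, str) or not alias:
        raise UnsafeAlias("alias must be a non-empty str")
    # The two cases named in the advisory get explicit messages so a
    # rejected request is logged with what was attempted.
    if any(unicodedata.category(ch) == "Cc" for ch in alias):
        raise UnsafeAlias("control character in alias %r" % alias)
    if "." in alias:
        raise UnsafeAlias("period in alias %r" % alias)
    if not _ALIAS_RE.fullmatch(alias):
        raise UnsafeAlias("alias %r is not a plain identifier" % alias)
    return alias


def safe_annotations(requested: dict) -> dict:
    """Copy of `requested` whose every key passed check_alias().
    Intended use: qs.annotate(**safe_annotations(request_supplied))."""
    return {check_alias(key): value for key, value in requested.items()}


def safe_order_by(fields, allowed) -> list:
    """Validate order_by() arguments built from request data: strip an
    optional leading '-', then require the remainder to be a clean alias
    that is also on the caller's allow-list `allowed`."""
    result = []
    for field in fields:
        name = field[1:] if field.startswith("-") else field
        if check_alias(name) not in allowed:
            raise UnsafeAlias("ordering on %r is not permitted" % field)
        result.append(field)
    return result


def rejects(alias) -> bool:
    """True if check_alias() refuses `alias` (helper for quick checks)."""
    try:
        check_alias(alias)
    except UnsafeAlias:
        return True
    return False


if __name__ == "__main__":
    for candidate in ("total_views", "views\x00", "\x1b[0m", "a.b", "a b", "x;--", "1st"):
        print("%-14r %s" % (candidate, "rejected" if rejects(candidate) else "ok"))
```

The allow-list in `safe_order_by()` matters as much as the character check: a syntactically clean alias that the view never defined should not be orderable either, and rejecting it up front keeps the ORM from ever seeing request-controlled names.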
--- Begin Message ---
Source: python-django
Source-Version: 3:4.2.28-0+deb13u1
Done: Chris Lamb <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 18 Feb 2026 14:44:14 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.28-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1126914
Changes:
python-django (3:4.2.28-0+deb13u1) trixie-security; urgency=high
.
* New upstream security release:
.
- CVE-2025-13473: The check_password function in
django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi
allowed remote attackers to enumerate users via a timing attack.
.
- CVE-2025-14550: When receiving duplicates of a single header, ASGIRequest
allowed a remote attacker to cause a potential denial-of-service via a
specifically created request with multiple duplicate headers. The
vulnerability resulted from repeated string concatenation while combining
repeated headers, which produced super-linear computation resulting in
service degradation or outage.
.
- CVE-2026-1207: Raster lookups on RasterField (only implemented on
PostGIS) allowed remote attackers to inject SQL via the band index
parameter.
.
- CVE-2026-1285: The django.utils.text.Truncator.chars() and
Truncator.words() methods (with html=True) and the truncatechars_html and
truncatewords_html template filters allowed a remote attacker to cause a
potential denial-of-service via crafted inputs containing a large number
of unmatched HTML end tags.
.
- CVE-2026-1287: FilteredRelation was subject to SQL injection in column
aliases via control characters using a suitably crafted dictionary, with
dictionary expansion, as the **kwargs passed to QuerySet methods
annotate(), aggregate(), extra(), values(), values_list() and alias().
.
- CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in column
aliases containing periods when the same alias is, using a suitably
crafted dictionary, with dictionary expansion, used in FilteredRelation.
.
<https://docs.djangoproject.com/en/dev/releases/4.2.28/> (Closes: #1126914)
Checksums-Sha1:
 47dd07f4da32720edf7cdc2fab454f49814a984f 2822 python-django_4.2.28-0+deb13u1.dsc
 e0a589cf92e1887d55cd2b02071aa0383615cc2c 10464933 python-django_4.2.28.orig.tar.gz
 89a4eadabd051781962a6132c2998b8f9d0137df 34912 python-django_4.2.28-0+deb13u1.debian.tar.xz
 81b0457f606b5bb25f0b2422a2bbca17dd750e09 8219 python-django_4.2.28-0+deb13u1_amd64.buildinfo
Checksums-Sha256:
 412809afa692ce92d6dd16dd1c0ce3b1e21a63deccf1f7cac8029b48d8db4c94 2822 python-django_4.2.28-0+deb13u1.dsc
 a4b9cd881991add394cafa8bb3b11ad1742d1e1470ba99c3ef53dc540316ccfe 10464933 python-django_4.2.28.orig.tar.gz
 ab401b922c1dc56718a0901c379e9a2a2015c5fee79302f70f72868ef2b6026f 34912 python-django_4.2.28-0+deb13u1.debian.tar.xz
 d05b20f088c463074ab5fb1ea8c628d1753b37ca0e3841e34e8f438d3535b93a 8219 python-django_4.2.28-0+deb13u1_amd64.buildinfo
Files:
 202e38d78d1227b18cdf1d4661f7e456 2822 python optional python-django_4.2.28-0+deb13u1.dsc
 7c9bf3734061c4b22bdf4d922308fe62 10464933 python optional python-django_4.2.28.orig.tar.gz
 36dec15d615e0cfd41ba89161ba11092 34912 python optional python-django_4.2.28-0+deb13u1.debian.tar.xz
 64c5ad2013cdbc42329b29c37b9956c1 8219 python optional python-django_4.2.28-0+deb13u1_amd64.buildinfo
--- End Message ---
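The root cause the changelog gives for CVE-2025-14550 (repeated string concatenation while merging duplicate headers, hence super-linear work), as an added example that is not Django's `ASGIRequest` and not the 4.2.28 fix. The two header loops below are this example's own reconstruction of that pattern and of the linear alternative, run over a constructed ASGI header list; the `HTTP_<NAME>` key form is the usual WSGI/ASGI `META` convention, and the `copied` counter is instrumentation that exists only here.

```python
"""Combining duplicate request headers: the pattern behind CVE-2025-14550.

Added example; both loops, the header list and the copy counter are
this example's own, not Django's code.
"""


def make_headers(dupes: int) -> list:
    """Constructed ASGI-style header list: two ordinary headers plus
    `dupes` copies of x-dup with distinct 10-byte values."""
    headers = [(b"host", b"example.org"), (b"user-agent", b"example/1.0")]
    headers += [(b"x-dup", b"val-%06d" % i) for i in range(dupes)]
    return headers


def meta_key(raw_name: bytes) -> str:
    """ASGI header name (bytes, lower-case) -> WSGI-style META key."""
    return "HTTP_" + raw_name.decode("latin1").upper().replace("-", "_")


def meta_naive(headers) -> tuple:
    """Merge duplicates as they arrive by rebuilding the joined string
    each time. Returns (meta, characters copied by the merges); for n
    duplicates of length L the copy count grows like n*n*L/2."""
    meta, copied = {}, 0
    for raw_name, raw_value in headers:
        key, value = meta_key(raw_name), raw_value.decode("latin1")
        if key in meta:
            value = meta[key] + "," + value   # new string: whole prefix copied again
            copied += len(value)
        meta[key] = value
    return meta, copied


def meta_joined(headers) -> tuple:
    """Collect values per key and join once at the end: the same META,
    with copy work linear in the total header size."""
    buckets = {}
    for raw_name, raw_value in headers:
        buckets.setdefault(meta_key(raw_name), []).append(raw_value.decode("latin1"))
    meta, copied = {}, 0
    for key, values in buckets.items():
        meta[key] = ",".join(values)
        if len(values) > 1:
            copied += len(meta[key])          # one pass over the merged value
    return meta, copied


def compare(dupes: int) -> tuple:
    """(naive copies, joined copies) for a request with `dupes` repeats;
    both loops must produce identical META."""
    meta_a, work_a = meta_naive(make_headers(dupes))
    meta_b, work_b = meta_joined(make_headers(dupes))
    assert meta_a == meta_b
    return work_a, work_b


if __name__ == "__main__":
    for n in (10, 100, 1_000, 10_000):
        naive, joined = compare(n)
        print(f"{n:>6} duplicates: naive copies {naive:>12,}  "
              f"joined copies {joined:>9,}  ratio {naive / joined:7.1f}")
```

Tenfold more duplicate headers cost the naive loop roughly a hundredfold more copying while the joined loop scales by ten, which is the shape to look for when a request-parsing path merges repeated fields by concatenation.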
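A check that a deployment actually carries the fix, as an added example that is not part of this report and not Debian or Django tooling. The fixed versions (6.0.2, 5.2.11, 4.2.28) and the note that 5.0.x, 4.1.x and 3.2.x were not evaluated come from the CVE texts above; the dpkg version parsing, the pre-release ordering rule and the sample version strings are this example's own assumptions, as is the name `python3-django` for the binary package queried at the end.

```python
"""Classify a Django version against the ranges given in the report.

Added example; FIXED comes from the advisory text, the parsing is an
assumption of this example.
"""
import re
import subprocess

# Minimum fixed release per supported series, from the advisory text.
FIXED = {
    (6, 0): (6, 0, 2),
    (5, 2): (5, 2, 11),
    (4, 2): (4, 2, 28),
}


def upstream_version(debian_version: str) -> str:
    """Strip the epoch and the Debian revision from a dpkg version.

    "3:4.2.27-0+deb13u1" -> "4.2.27": the epoch is everything before the
    ':', the Debian revision everything after the last '-'. Plain
    upstream strings such as "4.2.28" pass through unchanged.
    """
    _, _, rest = debian_version.rpartition(":")
    upstream, sep, _ = rest.rpartition("-")
    return upstream if sep else rest


def parse_version(upstream: str) -> tuple:
    """'4.2.27' -> (4, 2, 27, 1). The last element orders pre-releases:
    '6.0.2rc1' or '4.2.28~rc1' becomes (.., 0) and so sorts before the
    final release (.., 1); a '+' suffix such as '+dfsg' is a repack of
    the final release, not a pre-release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", upstream)
    if not m:
        raise ValueError("not a Django version: %r" % upstream)
    major, minor, patch, suffix = m.groups()
    prerelease = bool(suffix) and not suffix.startswith("+")
    return (int(major), int(minor), int(patch or 0), 0 if prerelease else 1)


def assess(version: str) -> str:
    """'fixed', 'affected: ...' or 'unevaluated: ...' for a dpkg-style
    or plain upstream version string."""
    v = parse_version(upstream_version(version))
    series = v[:2]
    if series not in FIXED:
        return ("unevaluated: series %d.%d is unsupported upstream and was "
                "not assessed; treat as affected" % series)
    fixed = FIXED[series]
    if v >= fixed + (1,):
        return "fixed"
    return "affected: upgrade to %s" % ".".join(map(str, fixed))


def installed_debian_version(package: str = "python3-django") -> str:
    """Ask dpkg for the installed version of the binary package built
    from source python-django; raises if it is not installed."""
    out = subprocess.run(
        ["dpkg-query", "-W", "-f=${Version}", package],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    for v in ("3:4.2.27-0+deb13u1", "3:4.2.28-0+deb13u1", "5.2.10",
              "6.0.2rc1", "3.2.25"):
        print("%-24s %s" % (v, assess(v)))
    try:
        installed = installed_debian_version()
        print("installed python3-django %s: %s" % (installed, assess(installed)))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("dpkg-query unavailable or python3-django not installed")
```

On a trixie host the version reported as fixed in this thread, 3:4.2.28-0+deb13u1, classifies as fixed and the version the report was filed against, 3:4.2.27-0+deb13u1, as affected; a vendored or pip-installed Django alongside the package is not covered by this check and needs its own `django.get_version()` lookup.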