-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4425-1                        [email protected]
https://www.debian.org/lts/security/                           Chris Lamb
December 29, 2025                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package        : python-django
Version        : 2:2.2.28-1~deb11u10
CVE IDs        : CVE-2025-64459 CVE-2025-64460
Debian Bug     : 1121788

It was discovered that there were two issues in Django, the Python-based
web development framework:

* CVE-2025-64459: A potential SQL injection via the _connector keyword
  argument in QuerySet/Q objects. The QuerySet methods filter(), exclude()
  and get(), as well as the Q() class, were subject to SQL injection when a
  suitably crafted dictionary was passed as the _connector argument.

* CVE-2025-64460: A potential denial-of-service vulnerability in XML
  serializer text extraction. An algorithmic complexity issue in
  django.core.serializers.xml_serializer.getInnerText() allowed a remote
  attacker to cause a potential denial of service, exhausting CPU and
  memory, via a specially crafted XML input submitted to a service that
  invokes the XML deserializer. The vulnerability resulted from repeated
  string concatenation while recursively collecting text nodes, which
  produced superlinear computation.

For Debian 11 bullseye, these problems have been fixed in version
2:2.2.28-1~deb11u10.

We recommend that you upgrade your python-django packages.
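The following is an added illustration of the two defensive patterns behind these fixes; it is constructed for this advisory and is not Django's own code. The Condition class, validated_connector() and the inner_text_*() helpers are hypothetical stand-ins: Condition mimics the shape of a Q-like node that only accepts a plain "AND"/"OR" string as its connector (anything else, including a dictionary, is rejected before it can reach SQL generation), and the two inner_text functions contrast the per-level string concatenation that makes nested text extraction superlinear with a list-and-join collection that stays linear in the size of the document.

```python
"""Constructed example: connector validation and linear inner-text extraction.

Not Django's implementation; names and classes below are hypothetical stand-ins.
"""
import re
import xml.dom.minidom

# Only the two SQL boolean connectors are ever legitimate.
ALLOWED_CONNECTORS = frozenset({"AND", "OR"})
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validated_connector(connector):
    """Return a safe connector string; None means the default ("AND").

    Raising on any non-string or unexpected value is the mitigation: a
    crafted dict must never be interpolated into the generated SQL.
    """
    if connector is None:
        return "AND"
    if not isinstance(connector, str) or connector not in ALLOWED_CONNECTORS:
        raise ValueError("invalid connector: %r" % (connector,))
    return connector


def rejects_connector(value):
    """True if validated_connector() refuses `value` (helper for checks)."""
    try:
        validated_connector(value)
    except ValueError:
        return True
    return False


class Condition:
    """Hypothetical Q-like node: (column, value) children joined by a connector."""

    def __init__(self, *children, _connector=None):
        for column, _ in children:
            if not IDENTIFIER.match(column):
                raise ValueError("invalid column name: %r" % (column,))
        self.children = list(children)
        self.connector = validated_connector(_connector)

    def as_sql(self):
        # Values stay as bound parameters; only validated tokens reach the SQL text.
        clauses = ["%s = %%s" % column for column, _ in self.children]
        params = [value for _, value in self.children]
        return (" %s " % self.connector).join(clauses), params


def _is_text(node):
    return node.nodeType in (node.TEXT_NODE, node.CDATA_SECTION_NODE)


def inner_text_quadratic(node):
    """Shape of the vulnerable pattern: each nesting level re-copies the text
    already gathered below it, so cost grows with depth * total text size."""
    text = ""
    for child in node.childNodes:
        if _is_text(child):
            text += child.data
        elif child.nodeType == child.ELEMENT_NODE:
            text += inner_text_quadratic(child)
    return text


def inner_text_linear(node):
    """Hardened form: append fragments to one list and join once at the end."""
    parts = []

    def collect(current):
        for child in current.childNodes:
            if _is_text(child):
                parts.append(child.data)
            elif child.nodeType == child.ELEMENT_NODE:
                collect(child)

    collect(node)
    return "".join(parts)


def build_nested_document(depth, text):
    """Constructed sample input: `depth` nested <e> elements, each carrying `text`."""
    xml = ("<e>" + text) * depth + "</e>" * depth
    return xml.dom.minidom.parseString(xml) if False else xml_parse(xml)


def xml_parse(source):
    return xml.dom.minidom.parseString(source)


if __name__ == "__main__":
    doc = build_nested_document(200, "t")
    root = doc.documentElement
    assert inner_text_linear(root) == inner_text_quadratic(root)
    print(Condition(("name", "alice"), ("age", 30), _connector="OR").as_sql())
    print("dict connector rejected:", rejects_connector({"AND": 1}))
```

Both extraction functions return the same text; the difference is only in how much copying they do as nesting deepens, which is the property the advisory's fix restores. The connector check is deliberately an allow-list of two strings rather than a type check alone.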
For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmlS+EAACgkQHpU+J9Qx
HlhE/A/+NLVJFLu/a3I1nyzbT9AdV1wtCS9ET0m3q9dkS+HOpogUxt9ukeJvV4G5
vFH35O+QMvkLQgLnUwW5SratLrg3J2KQcxKOldM/Iz9sJZ0p6bUjpGs/Rq3j6yJW
GwXX8P2f91hwckr0j00ndL67dxbNZ3ZoIxL+rGN55erdDcSMkTUBKL1Lu5SQglfr
dvJWd+NrVOdjqKVOpmsHb2PBUo7Y/k9qMT9zD3NXWRg/mxNjBGXx7zusJ9ws60FW
r80A6Q1ARjCZ80P3uQQI/fs95Df22yZhTqHsEYkNMhnWwu0L7ER0KgzGVoJM37Ao
0qrtqzjszq4rSc9dm6jAiKtjshRqU268zIuAAiG5E5sQSw88AcWTOyOiBJCMbA3m
uNDu2JvgaidtCSp16QpYvcTyTlfSsgUEoeh7SdhogFjdot4ki30E3xePhDh1JYd+
dOyk9YzoAWtYIXonrCTpdHP1AV50yLW71LB5hx5doM67l2pLvS0LESUEiqfUD0fM
FzZdW99/t/sV13C76XPljX87VtEaFsTthty4ZZ5DmHQxMgsVmwtayFKTsTe9Ju1n
9MpbSm2kwI7++SkNLH49UIz55OwY12GySsVuqjoKCjFhaI5wBsW3oNNaJZyw0SzL
AMf7RsxMC+wB5blvR1cV5mRh4vBJVdsmKNA6IsbTo4N7px/aXuo=
=jrsD
-----END PGP SIGNATURE-----
