Package: release.debian.org
Severity: normal
Tags: stable-proposed-updates
User: [email protected]
Usertags: pu

Dear stable release managers,

Please consider python-django (3:4.2.28-0+deb13u2) for stable-proposed-updates:

python-django (3:4.2.28-0+deb13u2) stable-proposed-updates; urgency=medium
.
* The fix for CVE-2025-6069 in the python3.13 source package (released
as part of a suite of updates in 3.13.5-2+deb13u2) modified Python's
html.parser.HTMLParser class in such a way that changed the behaviour of
Django's strip_tags() method. As a result of this change, we update the
testsuite here for the newly expected results in order to prevent a build
failure. (Closes: #1137039)

The full diff is attached.

Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
diff --git debian/changelog debian/changelog
index 5247a7def..96941a9dd 100644
--- debian/changelog
+++ debian/changelog
@@ -1,3 +1,14 @@
+python-django (3:4.2.28-0+deb13u2) stable-proposed-updates; urgency=medium
+
+ * The fix for CVE-2025-6069 in the python3.13 source package (released
+ as part of a suite of updates in 3.13.5-2+deb13u2) modified Python's
+ html.parser.HTMLParser class in such a way that changed the behaviour of
+ Django's strip_tags() method. As a result of this change, we update the
+ testsuite here for the newly expected results in order to prevent a build
+ failure. (Closes: #1137039)
+
+ -- Chris Lamb <[email protected]> Tue, 26 May 2026 14:35:49 -0700
+
python-django (3:4.2.28-0+deb13u1) trixie-security; urgency=high
* New upstream security release:
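Review bot: The new entry says "we update the testsuite here for the newly expected results", but the only patch this upload adds replaces a version check in tests/utils_tests/test_html.py with a constant; no expected values are edited. Suggest wording the entry to match, naming 0006-Workaround-changes-in-CVE-2025-6069.patch and stating that the change is test-only, so the release team can see that the packaged strip_tags() code is not touched by this upload.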
diff --git debian/patches/0006-Workaround-changes-in-CVE-2025-6069.patch
debian/patches/0006-Workaround-changes-in-CVE-2025-6069.patch
new file mode 100644
index 000000000..a3fe4577b
--- /dev/null
+++ debian/patches/0006-Workaround-changes-in-CVE-2025-6069.patch
@@ -0,0 +1,23 @@
+From: Chris Lamb <[email protected]>
+Date: Fri, 22 May 2026 11:20:52 -0700
+Subject: Workaround changes in CVE-2025-6069
+
+---
+ tests/utils_tests/test_html.py | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index a5acc582f7b4..9c5f5e7ecc6f 100644
+--- a/tests/utils_tests/test_html.py
++++ b/tests/utils_tests/test_html.py
+@@ -116,9 +116,7 @@ class TestUtilsHtml(SimpleTestCase):
+ (3, 8): (3, 8, math.inf),
+ }
+ major_version = sys.version_info[:2]
+- htmlparser_fixed_security = sys.version_info >=
min_fixed_security.get(
+- major_version, major_version
+- )
++ htmlparser_fixed_security = True
+ htmlparser_fixed_incomplete_entities = (
+ sys.version_info
+ >= min_fixed_incomplete_entities.get(major_version, major_version)
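Review bot: At "htmlparser_fixed_security = True" the interpreter version check is replaced by a constant, so the tests now assume the post-CVE-2025-6069 HTMLParser behaviour on every interpreter, and nothing in the visible change ties the build to a python3.13 that carries the fix. Consider a versioned build dependency on python3.13 (>= 3.13.5-2+deb13u2), the version the changelog names, so that a build against an older interpreter fails on dependencies and not in the test. The patch header has no description below the Subject line; a sentence on why the version comparison cannot detect the fix here (presumably because the fix was backported without changing sys.version_info) and a reference to #1137039 would help the next maintainer decide when the patch can be dropped. The removed assignment is wrapped across two lines in this mail ("sys.version_info >=" then "min_fixed_security.get("), so check that the attached file has it on one line.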
diff --git debian/patches/series debian/patches/series
index 0e8a07b38..936ff0a3f 100644
--- debian/patches/series
+++ debian/patches/series
@@ -3,3 +3,4 @@
0004-Use-locally-installed-documentation-sources.patch
0004-Set-the-default-shebang-to-new-projects-to-use-Pytho.patch
py313-test-help-default-options-with-custom-arguments.patch
+0006-Workaround-changes-in-CVE-2025-6069.patch
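Review bot: The new entry is prefixed 0006, while the visible context has two entries prefixed 0004- and one unnumbered entry, so the numeric prefixes no longer reflect position in the series. Application order comes from the position in this file, so this is cosmetic; a consistent prefix scheme in a later upload would make the ordering easier to read.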