
Debian alert DLA-4484-1 (python-django)

From:  Chris Lamb <lamby@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4484-1] python-django security update
Date:  Thu, 19 Feb 2026 11:46:56 -0800
Message-ID:  <177152599425.3409050.2579193480867183963@bigcat>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4484-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Chris Lamb
February 19, 2026                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-django
Version        : 2:2.2.28-1~deb11u12
CVE IDs        : CVE-2025-13473 CVE-2026-1207 CVE-2026-1285 CVE-2026-1287
                 CVE-2026-1312 CVE-2025-6069 CVE-2025-57833

It was discovered that there were multiple vulnerabilities in Django, the
Python-based web-development framework:

- CVE-2025-13473: The check_password function in
  django.contrib.auth.handlers.modwsgi, used for authentication via
  mod_wsgi, allowed remote attackers to enumerate users via a timing
  attack.

- CVE-2026-1207: Raster lookups on RasterField (only implemented on
  PostGIS) allowed remote attackers to inject SQL via the band index
  parameter.

- CVE-2026-1285: The django.utils.text.Truncator.chars() and
  Truncator.words() methods (with html=True) and the truncatechars_html
  and truncatewords_html template filters allowed a remote attacker to
  cause a potential denial of service via crafted inputs containing a
  large number of unmatched HTML end tags.

- CVE-2026-1287: FilteredRelation was subject to SQL injection in column
  aliases via control characters, using a suitably crafted dictionary
  passed with dictionary expansion as the **kwargs to the QuerySet
  methods annotate(), aggregate(), extra(), values(), values_list() and
  alias().

- CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in
  column aliases containing periods when the same alias is also used in
  FilteredRelation via a suitably crafted dictionary passed with
  dictionary expansion.

In addition, the fix for CVE-2025-6069 in the python3.9 source package
(released as part of a suite of updates in DLA 4445-1) modified Python's
html.parser.HTMLParser class in a way that changed the behaviour of
Django's strip_tags() method in some edge cases covered by Django's test
suite. As a result of this regression, we have updated the test suite for
the new expected results.

For Debian 11 bullseye, this problem has been fixed in version
2:2.2.28-1~deb11u12.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
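The user-enumeration class behind CVE-2025-13473 comes down to a password check that skips the expensive hash when the username is unknown, so the response time reveals which usernames exist. The following is an added illustration written for this page, not Django's or mod_wsgi's code: a constructed in-memory user store with a PBKDF2 hasher, the early-return pattern beside a variant that always performs one hash computation, and a counter that lets a test confirm the hardened variant costs the same for known and unknown users. The True/False/None return convention follows the mod_wsgi check_password hook; the store, salts and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # assumption: enough work to make a skipped hash measurable

# Constructed user store for this example: username -> (salt, PBKDF2 hash).
USERS = {}
HASH_CALLS = {"n": 0}  # counts hash computations so a test can compare cost


def make_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; every call is counted."""
    HASH_CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def add_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, make_hash(password, salt))


add_user("alice", "correct horse battery staple")
DUMMY_SALT = os.urandom(16)  # used only to equalise work for unknown users


def check_password_vulnerable(username: str, password: str):
    """Early return for unknown users: no hash is computed, so the reply is
    faster than for a real user and usernames can be told apart by timing."""
    entry = USERS.get(username)
    if entry is None:
        return None
    salt, stored = entry
    return hmac.compare_digest(make_hash(password, salt), stored)


def check_password_hardened(username: str, password: str):
    """Unknown users still pay for one hash against a throwaway salt, so the
    work done (and the time taken) no longer depends on whether they exist."""
    entry = USERS.get(username)
    if entry is None:
        make_hash(password, DUMMY_SALT)
        return None
    salt, stored = entry
    return hmac.compare_digest(make_hash(password, salt), stored)


def hash_calls(check, username: str, password: str) -> int:
    """Number of hash computations a check performs for the given input."""
    before = HASH_CALLS["n"]
    check(username, password)
    return HASH_CALLS["n"] - before
```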




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds