|
|
Log in / Subscribe / Register

Fedora alert FEDORA-2026-ca3d81129a (python-django4.2)



From:
              updates--- via package-announce <package-announce@lists.fedoraproject.org>


To:
              package-announce@lists.fedoraproject.org


Subject:
              [SECURITY] Fedora 42 Update: python-django4.2-4.2.28-1.fc42


Date:
              Sun, 01 Mar 2026 16:58:43 +0000


Message-ID:
              <20260301165843.9CCB07663F@bastion01.rdu3.fedoraproject.org>


Archive-link:
              Article


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ca3d81129a
2026-03-01 16:57:37.779658+00:00
--------------------------------------------------------------------------------

Name        : python-django4.2
Product     : Fedora 42
Version     : 4.2.28
Release     : 1.fc42
URL         : https://www.djangoproject.com/
Summary     : A high-level Python Web framework
Description :
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2025-13473: Username enumeration through timing difference in mod_wsgi
authentication handler
Fixes CVE-2025-14550: Potential denial-of-service vulnerability via repeated
headers when using ASGI
Fixes CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
Fixes CVE-2026-1285: Potential denial-of-service vulnerability in
django.utils.text.Truncator HTML methods
Fixes CVE-2026-1287: Potential SQL injection in column aliases via control
characters
Fixes CVE-2026-1312: Potential SQL injection via QuerySet.order_by and
FilteredRelation
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 19 2026 Michel Lind <salimma@fedoraproject.org> - 4.2.28-1
- Update to version 4.2.28
- Fixes CVE-2025-13473: Username enumeration through timing difference in
  mod_wsgi authentication handler
- Fixes CVE-2025-14550: Potential denial-of-service vulnerability via
  repeated headers when using ASGI
- Fixes CVE-2026-1207: Potential SQL injection via raster lookups on
  PostGIS
- Fixes CVE-2026-1285: Potential denial-of-service vulnerability in
  django.utils.text.Truncator HTML methods
- Fixes CVE-2026-1287: Potential SQL injection in column aliases via
  control characters
- Fixes CVE-2026-1312: Potential SQL injection via QuerySet.order_by and
  FilteredRelation
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2436703 - CVE-2026-1287 python-django4.2: Django: SQL Injection via crafted column
aliases [fedora-42]
        https://bugzilla.redhat.com/show_bug.cgi?id=2436703
  [ 2 ] Bug #2436705 - CVE-2026-1312 python-django4.2: Django: SQL injection via crafted column
aliases in QuerySet.order_by() [fedora-42]
        https://bugzilla.redhat.com/show_bug.cgi?id=2436705
  [ 3 ] Bug #2436711 - CVE-2026-1285 python-django4.2: Django: Denial of Service via crafted HTML
inputs [fedora-42]
        https://bugzilla.redhat.com/show_bug.cgi?id=2436711
  [ 4 ] Bug #2436720 - CVE-2025-14550 python-django4.2: Django: Denial of Service via crafted
request with duplicate headers [fedora-42]
        https://bugzilla.redhat.com/show_bug.cgi?id=2436720
  [ 5 ] Bug #2436722 - CVE-2026-1207 python-django4.2: Django: SQL Injection via RasterField band
index parameter [fedora-42]
        https://bugzilla.redhat.com/show_bug.cgi?id=2436722
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ca3d81129a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgr...

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

-- 
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-cond...
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/package-ann...
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds