|
|
Log in / Subscribe / Register

Fedora alert FEDORA-2026-00b5bf3150 (python-django5)



From:
              updates--- via package-announce <package-announce@lists.fedoraproject.org>


To:
              package-announce@lists.fedoraproject.org


Subject:
              [SECURITY] Fedora 42 Update: python-django5-5.2.11-1.fc42


Date:
              Sat, 28 Feb 2026 01:26:21 +0000


Message-ID:
              <20260228012621.C15937F043@bastion01.rdu3.fedoraproject.org>


Archive-link:
              Article


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-00b5bf3150
2026-02-28 01:23:52.457275+00:00
--------------------------------------------------------------------------------

Name        : python-django5
Product     : Fedora 42
Version     : 5.2.11
Release     : 1.fc42
URL         : https://www.djangoproject.com/
Summary     : A high-level Python Web framework
Description :
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2025-13473: Username enumeration through timing difference in mod_wsgi
authentication handler
Fixes CVE-2025-14550: Potential denial-of-service vulnerability via repeated
headers when using ASGI
Fixes CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
Fixes CVE-2026-1285: Potential denial-of-service vulnerability in
django.utils.text.Truncator HTML methods
Fixes CVE-2026-1287: Potential SQL injection in column aliases via control
characters
Fixes CVE-2026-1312: Potential SQL injection via QuerySet.order_by and
FilteredRelation
Fixed a bug in Django 5.2 where data exceeding max_length was silently truncated
by QuerySet.bulk_create() on PostgreSQL
Fixed a bug where management command colorized help (introduced in Python 3.14)
ignored the --no-color option and the DJANGO_COLORS setting
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 19 2026 Michel Lind <salimma@fedoraproject.org> - 5.2.11-1
- Update to version 5.2.11; Resolves: RHBZ#2427483
- `python-django5` is now the alternate `python3-django5` on Fedora 44+,
  `python3-django` is now Django 6.x
- Fixes CVE-2025-13473: Username enumeration through timing difference in
  mod_wsgi authentication handler
- Fixes CVE-2025-14550: Potential denial-of-service vulnerability via
  repeated headers when using ASGI
- Fixes CVE-2026-1207: Potential SQL injection via raster lookups on
  PostGIS
- Fixes CVE-2026-1285: Potential denial-of-service vulnerability in
  django.utils.text.Truncator HTML methods
- Fixes CVE-2026-1287: Potential SQL injection in column aliases via
  control characters
- Fixes CVE-2026-1312: Potential SQL injection via QuerySet.order_by and
  FilteredRelation
- Fixed a bug in Django 5.2 where data exceeding max_length was silently
  truncated by QuerySet.bulk_create() on PostgreSQL
- Fixed a bug where management command colorized help (introduced in Python
  3.14) ignored the --no-color option and the DJANGO_COLORS setting
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2427483 - python-django5-5.2.11 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2427483
  [ 2 ] Bug #2436695 - CVE-2025-14550 python-django5: Django: Denial of Service via crafted request
with duplicate headers [fedora-42]
        https://bugzilla.redhat.com/show_bug.cgi?id=2436695
  [ 3 ] Bug #2436699 - CVE-2026-1312 python-django5: Django: SQL injection via crafted column
aliases in QuerySet.order_by() [fedora-42]
        https://bugzilla.redhat.com/show_bug.cgi?id=2436699
  [ 4 ] Bug #2436709 - CVE-2026-1285 python-django5: Django: Denial of Service via crafted HTML
inputs [fedora-42]
        https://bugzilla.redhat.com/show_bug.cgi?id=2436709
  [ 5 ] Bug #2436714 - CVE-2026-1287 python-django5: Django: SQL Injection via crafted column
aliases [fedora-42]
        https://bugzilla.redhat.com/show_bug.cgi?id=2436714
  [ 6 ] Bug #2436716 - CVE-2026-1207 python-django5: Django: SQL Injection via RasterField band
index parameter [fedora-42]
        https://bugzilla.redhat.com/show_bug.cgi?id=2436716
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-00b5bf3150' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgr...

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

-- 
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-cond...
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/package-ann...
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds