-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Feb 2026 14:44:14 -0800
Source: python-django
Binary: python-django-doc python3-django
Architecture: all
Version: 3:4.2.28-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Chris Lamb
Description:
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework
Closes: 1126914
Changes:
 python-django (3:4.2.28-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2025-13473: The check_password function in
       django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi
       allowed remote attackers to enumerate users via a timing attack.
 .
     - CVE-2025-14550: When receiving duplicates of a single header,
       ASGIRequest allowed a remote attacker to cause a potential
       denial-of-service via a specifically created request with multiple
       duplicate headers. The vulnerability resulted from repeated string
       concatenation while combining repeated headers, which produced
       super-linear computation resulting in service degradation or outage.
 .
     - CVE-2026-1207: Raster lookups on RasterField (only implemented on
       PostGIS) allowed remote attackers to inject SQL via the band index
       parameter.
 .
     - CVE-2026-1285: The django.utils.text.Truncator.chars() and
       Truncator.words() methods (with html=True) and the truncatechars_html
       and truncatewords_html template filters allowed a remote attacker to
       cause a potential denial-of-service via crafted inputs containing a
       large number of unmatched HTML end tags.
 .
     - CVE-2026-1287: FilteredRelation was subject to SQL injection in column
       aliases via control characters using a suitably crafted dictionary,
       with dictionary expansion, as the **kwargs passed to QuerySet methods
       annotate(), aggregate(), extra(), values(), values_list() and alias().
 .
     - CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in
       column aliases containing periods when the same alias is, using a
       suitably crafted dictionary, with dictionary expansion, used in
       FilteredRelation.
 .
   (Closes: #1126914)
Checksums-Sha1:
 9aec6d7528dc9ef318276a8b9b78353a1f0be79e 3614504 python-django-doc_4.2.28-0+deb13u1_all.deb
 a65e8de39bf33849efec735729a8f89757d0e3b2 16569 python-django_4.2.28-0+deb13u1_all-buildd.buildinfo
 fbc8d35709a77059a401e140cc86fb718ba664fa 2738736 python3-django_4.2.28-0+deb13u1_all.deb
Checksums-Sha256:
 8f993213a81d14b99577b6a3dc338be36b0d6fa81a91c9a7b3c2cb87dcc3eb34 3614504 python-django-doc_4.2.28-0+deb13u1_all.deb
 a474aa5b438e70bc3ed713f404faf440813dc4d2067bdf4bca495f98b01b5862 16569 python-django_4.2.28-0+deb13u1_all-buildd.buildinfo
 4836e8f799885a51862c09b04abcdeefd32bbcda71dba3eed47feda75a0306b9 2738736 python3-django_4.2.28-0+deb13u1_all.deb
Files:
 5682aff780022ffe80e86aca50a3b804 3614504 doc optional python-django-doc_4.2.28-0+deb13u1_all.deb
 5f23215325af66da179c736e9e8db8d3 16569 python optional python-django_4.2.28-0+deb13u1_all-buildd.buildinfo
 296d09e488518d5cdefc67a34048d2a9 2738736 python optional python3-django_4.2.28-0+deb13u1_all.deb
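As an added illustration of the CVE-2025-14550 pattern described in the changelog above (this is not Django's code and not part of the upload record): merging duplicate headers by repeated string concatenation beside the linear collect-and-join form. The header names and values are constructed samples, and `copied_bytes` is a counter added here as a proxy for the bytes each concatenation copies.

```python
from collections import defaultdict

# Constructed sample: ASGI-style (name, value) byte pairs, one name repeated.
SAMPLE_HEADERS = [
    (b"host", b"example.test"),
    (b"x-forwarded-for", b"203.0.113.1"),
    (b"x-forwarded-for", b"198.51.100.7"),
    (b"x-forwarded-for", b"192.0.2.9"),
]


def combine_concat(raw_headers):
    """Pattern the advisory describes: extend the stored value for every
    duplicate. Each concatenation copies the whole accumulated string, so n
    duplicates of one name cost O(n^2) bytes copied. Returns the merged
    headers and the number of bytes copied (a proxy for the work done)."""
    merged = {}
    copied_bytes = 0
    for name, value in raw_headers:
        key = name.decode("latin1")
        val = value.decode("latin1")
        if key in merged:
            merged[key] = merged[key] + "," + val  # full copy each time
            copied_bytes += len(merged[key])
        else:
            merged[key] = val
    return merged, copied_bytes


def combine_join(raw_headers):
    """Hardened pattern: bucket values per name and join once, so the total
    work is linear in the size of the header block."""
    buckets = defaultdict(list)
    for name, value in raw_headers:
        buckets[name.decode("latin1")].append(value.decode("latin1"))
    return {key: ",".join(vals) for key, vals in buckets.items()}


def concat_cost(n_duplicates, value=b"a"):
    """Bytes copied by combine_concat for n duplicates of one header name."""
    headers = [(b"x-dup", value)] * n_duplicates
    return combine_concat(headers)[1]


if __name__ == "__main__":
    print(combine_join(SAMPLE_HEADERS))
    for n in (100, 1000, 10000):
        print(n, concat_cost(n))  # grows roughly with n**2, not with n
```

Both functions yield the same merged mapping; only the cost curve differs, which is what the quadratic counter makes visible.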