Package "python-django"

Name: python-django

Description:
This package is just an umbrella for a group of other packages,
it has no description. Description samples from packages in group:
- High-level Python web development framework (documentation)
- High-level Python web development framework

Latest version: 3:4.2.11-1ubuntu1.15
Release: noble (24.04)
Level: security
Repository: main
Changelog
python-django (3:4.2.11-1ubuntu1.15) noble-security; urgency=medium

  * SECURITY UPDATE: Potential denial-of-service vulnerability in
    MultiPartParser via base64-encoded file upload
    - debian/patches/CVE-2026-33033.patch: mitigate potential DoS in
      MultiPartParser in django/http/multipartparser.py,
      tests/requests_tests/tests.py.
    - CVE-2026-33033
  * SECURITY UPDATE: Potential denial-of-service vulnerability in ASGI
    requests via memory upload limit bypass
    - debian/patches/CVE-2026-33034.patch: enforce
      DATA_UPLOAD_MAX_MEMORY_SIZE on body size in ASGI requests in
      django/http/request.py, tests/asgi/tests.py.
    - CVE-2026-33034
  * SECURITY UPDATE: ASGI header spoofing via underscore/hyphen conflation
    - debian/patches/CVE-2026-3902.patch: ignore headers with underscores
      in ASGIRequest in django/core/handlers/asgi.py,
      django/test/client.py, tests/asgi/tests.py.
    - CVE-2026-3902
  * SECURITY UPDATE: Privilege abuse in GenericInlineModelAdmin
    - debian/patches/CVE-2026-4277.patch: Check add permissions in
      GenericInlineModelAdmin in django/contrib/contenttypes/admin.py,
      tests/generic_inline_admin/tests.py.
    - CVE-2026-4277
  * SECURITY UPDATE: Privilege abuse in ModelAdmin.list_editable
    - debian/patches/CVE-2026-4292.patch: Disallow instance creation via
      ModelAdmin.list_editable in django/contrib/admin/options.py,
      tests/admin_views/admin.py, tests/admin_views/tests.py.
    - CVE-2026-4292

 -- Marc Deslauriers <email address hidden>  Wed, 01 Apr 2026 10:22:16 -0400
CVE-2026-33033: An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4. ...
CVE-2026-33034: An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4. ...
CVE-2026-3902: An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4. ...
CVE-2026-4277: An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4. ...
CVE-2026-4292: An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4. ...
python-django (3:4.2.11-1ubuntu1.14) noble-security; urgency=medium

  * SECURITY UPDATE: Username enumeration through timing difference in
    mod_wsgi authentication handler
    - debian/patches/CVE-2025-13473.patch: standardize timing of
      check_password() in mod_wsgi auth handler in
      django/contrib/auth/handlers/modwsgi.py,
      tests/auth_tests/test_handlers.py.
    - CVE-2025-13473
  * SECURITY UPDATE: Potential denial-of-service vulnerability via repeated
    headers when using ASGI
    - debian/patches/CVE-2025-14550.patch: optimize repeated header parsing
      in ASGI requests in django/core/handlers/asgi.py,
      tests/asgi/tests.py.
    - CVE-2025-14550
  * SECURITY UPDATE: Potential SQL injection via raster lookups on PostGIS
    - debian/patches/CVE-2026-1207.patch: prevent SQL injections in
      RasterField lookups via band index in
      django/contrib/gis/db/backends/postgis/operations.py,
      tests/gis_tests/rasterapp/test_rasterfield.py.
    - CVE-2026-1207
  * SECURITY UPDATE: Potential denial-of-service vulnerability in
    django.utils.text.Truncator HTML methods
    - debian/patches/CVE-2026-1285.patch: mitigate potential DoS in
      django.utils.text.Truncator for HTML input in django/utils/text.py,
      tests/utils_tests/test_text.py.
    - CVE-2026-1285
  * SECURITY UPDATE: Potential SQL injection in column aliases via control
    characters
    - debian/patches/CVE-2026-1287.patch: protect against SQL injection in
      column aliases via control characters in
      django/db/models/sql/query.py, tests/aggregation/tests.py,
      tests/annotations/tests.py, tests/queries/tests.py,
      tests/expressions/test_queryset_values.py.
    - CVE-2026-1287
  * SECURITY UPDATE: Potential SQL injection via QuerySet.order_by and
    FilteredRelation
    - debian/patches/CVE-2026-1312-1.patch: protect order_by() from SQL
      injection via aliases with periods in
      django/db/models/sql/compiler.py, tests/ordering/tests.py.
    - debian/patches/CVE-2026-1312-2.patch: raise ValueError when
      FilteredRelation aliases contain periods in
      django/db/models/sql/query.py, tests/filtered_relation/tests.py,
      tests/ordering/tests.py.
    - CVE-2026-1312

 -- Marc Deslauriers <email address hidden>  Wed, 28 Jan 2026 08:02:13 -0500
CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler
CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI
CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
CVE-2026-1285: Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods
CVE-2026-1287: Potential SQL injection in column aliases via control characters
CVE-2026-1312: Potential SQL injection via QuerySet.order_by and FilteredRelation
python-django (3:4.2.11-1ubuntu1.13) noble-security; urgency=medium

  * SECURITY UPDATE: SQL injection in FilteredRelation column aliases on
    PostgreSQL
    - debian/patches/CVE-2025-13372.patch: protect FilteredRelation against
      SQL injection in column aliases in
      django/db/backends/postgresql/compiler.py,
      django/db/backends/postgresql/operations.py,
      tests/annotations/tests.py.
    - CVE-2025-13372
  * SECURITY UPDATE: DoS vulnerability in XML serializer text extraction
    - debian/patches/CVE-2025-64460.patch: corrected quadratic inner text
      accumulation in XML serializer in
      django/core/serializers/xml_serializer.py,
      docs/topics/serialization.txt,
      tests/serializers/test_xml.py.
    - CVE-2025-64460

 -- Marc Deslauriers <email address hidden>  Wed, 26 Nov 2025 11:32:26 -0500
python-django (3:4.2.11-1ubuntu1.12) noble-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection in QuerySet and Q objects
    - debian/patches/CVE-2025-62769-1.patch: Add connects and checks for them
      in django/db/models/query_utils.py.
    - debian/patches/CVE-2025-62769-2.patch: Add PROHIBITED_FILTER_KWARGS and
      check for them in django/db/models/query.py.
    - CVE-2025-62769

 -- Hlib Korzhynskyy <email address hidden>  Thu, 30 Oct 2025 11:35:52 -0230
python-django (3:4.2.11-1ubuntu1.11) noble-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection
    - debian/patches/CVE-2025-59681.patch: protect against SQL injection in
      django/db/models/sql/query.py, tests/aggregation/tests.py,
      tests/annotations/tests.py,
      tests/expressions/test_queryset_values.py, tests/queries/tests.py.
    - CVE-2025-59681
  * SECURITY UPDATE: Potential partial directory-traversal
    - debian/patches/CVE-2025-59682.patch: validate path in
      django/utils/archive.py, tests/utils_tests/test_archive.py.
    - CVE-2025-59682

 -- Marc Deslauriers <email address hidden>  Wed, 24 Sep 2025 12:27:58 -0400
CVE-2025-59681: An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggrega
CVE-2025-59682: An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by th