Package "python3-django"

  python-django (3:5.2.4-1ubuntu2.3) questing-security; urgency=medium

  * SECURITY UPDATE: Username enumeration through timing difference in
    mod_wsgi authentication handler
    - debian/patches/CVE-2025-13473.patch: standardize timing of
      check_password() in mod_wsgi auth handler in
      django/contrib/auth/handlers/modwsgi.py,
      tests/auth_tests/test_handlers.py.
    - CVE-2025-13473
  * SECURITY UPDATE: Potential denial-of-service vulnerability via repeated
    headers when using ASGI
    - debian/patches/CVE-2025-14550.patch: optimize repeated header parsing
      in ASGI requests in django/core/handlers/asgi.py,
      tests/asgi/tests.py.
    - CVE-2025-14550
  * SECURITY UPDATE: Potential SQL injection via raster lookups on PostGIS
    - debian/patches/CVE-2026-1207.patch: prevent SQL injections in
      RasterField lookups via band index in
      django/contrib/gis/db/backends/postgis/operations.py,
      tests/gis_tests/rasterapp/test_rasterfield.py.
    - CVE-2026-1207
  * SECURITY UPDATE: Potential denial-of-service vulnerability in
    django.utils.text.Truncator HTML methods
    - debian/patches/CVE-2026-1285.patch: mitigate potential DoS in
      django.utils.text.Truncator for HTML input in django/utils/text.py,
      tests/utils_tests/test_text.py.
    - CVE-2026-1285
  * SECURITY UPDATE: Potential SQL injection in column aliases via control
    characters
    - debian/patches/CVE-2026-1287.patch: protect against SQL injection in
      column aliases via control characters in
      django/db/models/sql/query.py, tests/aggregation/tests.py,
      tests/annotations/tests.py, tests/queries/tests.py,
      tests/expressions/test_queryset_values.py.
    - CVE-2026-1287
  * SECURITY UPDATE: Potential SQL injection via QuerySet.order_by and
    FilteredRelation
    - debian/patches/CVE-2026-1312-1.patch: protect order_by() from SQL
      injection via aliases with periods in
      django/db/models/sql/compiler.py, tests/ordering/tests.py.
    - debian/patches/CVE-2026-1312-2.patch: raise ValueError when
      FilteredRelation aliases contain periods in
      django/db/models/sql/query.py, tests/filtered_relation/tests.py,
      tests/ordering/tests.py.
    - CVE-2026-1312

 -- Marc Deslauriers <email address hidden> Wed, 28 Jan 2026 07:48:21 -0500

  python-django (3:5.2.4-1ubuntu2.2) questing-security; urgency=medium

  * SECURITY UPDATE: SQL injection in FilteredRelation column aliases on
    PostgreSQL
    - debian/patches/CVE-2025-13372.patch: protect FilteredRelation against
      SQL injection in column aliases in
      django/db/backends/postgresql/compiler.py,
      tests/annotations/tests.py.
    - CVE-2025-13372
  * SECURITY UPDATE: DoS vulnerability in XML serializer text extraction
    - debian/patches/CVE-2025-64460.patch: corrected quadratic inner text
      accumulation in XML serializer in
      django/core/serializers/xml_serializer.py,
      docs/topics/serialization.txt,
      tests/serializers/test_deserialization.py.
    - CVE-2025-64460

 -- Marc Deslauriers <email address hidden> Wed, 26 Nov 2025 11:25:51 -0500

  python-django (3:5.2.4-1ubuntu2.1) questing-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection in QuerySet and Q objects
    - debian/patches/CVE-2025-62769-1.patch: Add connects and checks for them
      in django/db/models/query_utils.py.
    - debian/patches/CVE-2025-62769-2.patch: Add PROHIBITED_FILTER_KWARGS and
      check for them in django/db/models/query.py.
    - CVE-2025-62769

 -- Hlib Korzhynskyy <email address hidden> Thu, 30 Oct 2025 10:37:09 -0230