Format: 1.8
Date: Tue, 27 Jan 2026 11:16:59 -0800
Source: python-django
Binary: python-django-doc python3-django
Architecture: all
Version: 3:3.2.25-0+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-02)
Changed-By: Chris Lamb
Description:
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework
Closes: 1051226 1099682 1113865
Changes:
 python-django (3:3.2.25-0+deb12u1) bookworm-security; urgency=high
 .
   * Update to upstream's last 3.2 series release:
 .
     - CVE-2023-41164: Potential denial of service vulnerability in
       django.utils.encoding.uri_to_iri().
 .
       This method was subject to a potential denial of service attack via
       certain inputs with a very large number of Unicode characters. This
       fix was released in Django 3.2.21. (Closes: #1051226)
 .
     - CVE-2023-43665: Address a denial-of-service possibility in
       django.utils.text.Truncator.
 .
       Following the fix for CVE-2019-14232, the regular expressions used in
       the implementation of django.utils.text.Truncator's chars() and
       words() methods (with html=True) were revised and improved. However,
       these regular expressions still exhibited linear backtracking
       complexity, so when given a very long, potentially malformed HTML
       input, the evaluation would still be slow, leading to a potential
       denial of service vulnerability.
 .
       The chars() and words() methods are used to implement the
       truncatechars_html and truncatewords_html template filters, which
       were thus also vulnerable.
 .
       The input processed by Truncator, when operating in HTML mode, has
       been limited to the first five million characters in order to avoid
       potential performance and memory issues. This fix was included in
       Django 3.2.22.
 .
     - CVE-2024-24680: Potential denial-of-service in intcomma template
       filter.
 .
       The intcomma template filter was subject to a potential
       denial-of-service attack when used with very long strings. This fix
       was included in Django 3.2.24.
 .
     - CVE-2024-27351: Fix a potential regular expression denial-of-service
       (ReDoS) attack in django.utils.text.Truncator.words.
 .
       This method (with html=True) and the truncatewords_html template
       filter were subject to a potential regular expression
       denial-of-service attack via a suitably crafted string. This is, in
       part, a follow-up to CVE-2019-14232 and CVE-2023-43665, and was
       included in Django 3.2.25.
 .
   * Drop debian/patches/CVE-2023-36053.patch now that we include the fix
     directly via 3.2.20.
 .
   * CVE-2024-39329: Avoid a username enumeration vulnerability through
     timing difference for users with unusable password. The authenticate
     method of django.contrib.auth.backends.ModelBackend allowed remote
     attackers to enumerate users via a timing attack involving login
     requests for users with unusable passwords.
 .
   * CVE-2024-39330: Address a potential directory-traversal in
     django.core.files.storage.Storage.save. Derived classes of this
     method's base class which override generate_filename without
     replicating the file path validations existing in the parent class
     allowed for potential directory-traversal via certain inputs when
     calling save(). Built-in Storage sub-classes were not affected by this
     vulnerability.
 .
   * CVE-2024-39614: Fix a potential denial-of-service in
     django.utils.translation.get_supported_language_variant. This method
     was subject to a potential DoS attack when used with very long strings
     containing specific characters. To mitigate this vulnerability, the
     language code provided to get_supported_language_variant is now parsed
     up to a maximum length of 500 characters.
 .
   * CVE-2024-41989: Memory exhaustion in django.utils.numberformat. The
     floatformat template filter is subject to significant memory
     consumption when given a string representation of a number in
     scientific notation with a large exponent.
 .
   * CVE-2024-41991: Potential denial-of-service vulnerability in
     django.utils.html.urlize() and AdminURLFieldWidget. The urlize and
     urlizetrunc template filters, and the AdminURLFieldWidget widget, are
     subject to a potential denial-of-service attack via certain inputs with
     a very large number of Unicode characters.
 .
   * CVE-2024-42005: Potential SQL injection in QuerySet.values() and
     values_list(). QuerySet.values() and values_list() methods on models
     with a JSONField are subject to SQL injection in column aliases via a
     crafted JSON object key as a passed *arg.
 .
   * CVE-2024-45231: Potential user email enumeration via response status
     on password reset. Due to unhandled email sending failures, the
     django.contrib.auth.forms.PasswordResetForm class allowed remote
     attackers to enumerate user emails by issuing password reset requests
     and observing the outcomes. To mitigate this risk, exceptions occurring
     during password reset email sending are now handled and logged using
     the django.contrib.auth logger.
 .
   * CVE-2024-53907: Potential DoS in django.utils.html.strip_tags. The
     strip_tags() method and striptags template filter were subject to a
     potential denial-of-service attack via certain inputs containing large
     sequences of nested incomplete HTML entities.
 .
   * CVE-2024-56374: Potential denial-of-service vulnerability in IPv6
     validation. A lack of upper bound limit enforcement in strings passed
     when performing IPv6 validation could have led to a potential
     denial-of-service (DoS) attack. The undocumented and private functions
     clean_ipv6_address and is_valid_ipv6_address were vulnerable, as was
     the GenericIPAddressField form field, which has now been updated to
     define a max_length of 39 characters. The GenericIPAddressField model
     field was not affected.
 .
   * CVE-2025-13372: Fix a potential SQL injection attack in
     FilteredRelation column aliases when using PostgreSQL. FilteredRelation
     was subject to SQL injection in column aliases via a suitably crafted
     dictionary as the **kwargs passed to QuerySet.annotate() or
     QuerySet.alias().
 .
   * CVE-2025-26699: Address a potential denial-of-service in
     django.utils.text.wrap. The wrap() method and wordwrap template filter
     were subject to a potential denial-of-service attack when used with
     very long strings. (Closes: #1099682)
 .
   * CVE-2025-32873: Denial-of-service possibility in strip_tags().
     django.utils.html.strip_tags() would be slow to evaluate certain inputs
     containing large sequences of incomplete HTML tags. This function is
     used to implement the striptags template filter, which was therefore
     also vulnerable. strip_tags() now raises a SuspiciousOperation
     exception if it encounters an unusually large number of unclosed
     opening tags.
 .
   * CVE-2025-48432: Potential log injection via unescaped request path.
     Django's internal HTTP response logging used request.path directly,
     allowing control characters (e.g. newlines or ANSI escape sequences) to
     be written unescaped into logs. This could enable log injection or
     forgery, letting attackers manipulate log appearance or structure,
     especially in logs processed by external systems or viewed in
     terminals. Although this does not directly impact Django's security
     model, it poses risks when logs are consumed or interpreted by other
     tools. To fix this, the internal django.utils.log.log_response()
     function now escapes all positional formatting arguments using a safe
     encoding.
 .
   * CVE-2025-57833: Potential SQL injection in FilteredRelation column
     aliases. The FilteredRelation feature in Django was subject to a
     potential SQL injection vulnerability in column aliases that was
     exploitable via a suitably crafted dictionary with dictionary expansion
     as the **kwargs passed to QuerySet.annotate() or QuerySet.alias().
     (Closes: #1113865)
 .
   * CVE-2025-59681: Potential SQL injection in QuerySet.annotate(),
     alias(), aggregate() and extra() on MySQL and MariaDB.
     QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate() and
     QuerySet.extra() methods were subject to SQL injection in column
     aliases, using a suitably crafted dictionary with dictionary expansion
     as the **kwargs passed to these methods on MySQL and MariaDB.
 .
   * CVE-2025-59682: Potential partial directory-traversal via
     archive.extract(). The django.utils.archive.extract() function, used by
     startapp --template and startproject --template, allowed partial
     directory-traversal via an archive with file paths sharing a common
     prefix with the target directory.
 .
   * CVE-2025-64459: Prevent a potential SQL injection via _connector
     keyword argument in QuerySet/Q objects. The methods QuerySet.filter(),
     QuerySet.exclude(), and QuerySet.get() and the class Q() were subject
     to SQL injection when using a suitably crafted dictionary (with
     dictionary expansion) as the _connector argument.
 .
   * CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
     XML serializer text extraction. An algorithmic complexity issue in
     django.core.serializers.xml_serializer.getInnerText() allowed a remote
     attacker to cause a potential denial-of-service, triggering CPU and
     memory exhaustion via a specially crafted XML input submitted to a
     service that invokes the XML deserializer. The vulnerability resulted
     from repeated string concatenation while recursively collecting text
     nodes, which produced superlinear computation.
Checksums-Sha1:
 c18f9ed7caa649dcfb8ca6195041ee4a49b7ce8f 3491500 python-django-doc_3.2.25-0+deb12u1_all.deb
 d0cd98813d74630cc15da07f87845a88b0d2bb46 14581 python-django_3.2.25-0+deb12u1_all-buildd.buildinfo
 ad198546f49d426c7d930c60b05a82f5cd450f9a 2831648 python3-django_3.2.25-0+deb12u1_all.deb
Checksums-Sha256:
 5dab12c6b3bd9b8e0c2a6f105187c1e865a5bc16910943b028e2ab8fbf224c3c 3491500 python-django-doc_3.2.25-0+deb12u1_all.deb
 e491bae63955029544ae0cbf9d36081c1f2abbb7881c28e6c0b64ad4a7181445 14581 python-django_3.2.25-0+deb12u1_all-buildd.buildinfo
 d311d9749c06768b715215e38dfda3e2eb929d379db8037607b5770b60aac452 2831648 python3-django_3.2.25-0+deb12u1_all.deb
Files:
 3beba8aba92133450ef1b2d3960a8eef 3491500 doc optional python-django-doc_3.2.25-0+deb12u1_all.deb
 7da70b21acc454365a44fde55c2f2b61 14581 python optional python-django_3.2.25-0+deb12u1_all-buildd.buildinfo
 33a034f688b950a8cb5f48f61db561d3 2831648 python optional python3-django_3.2.25-0+deb12u1_all.deb