-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Feb 2026 14:44:14 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.28-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Python Team
Changed-By: Chris Lamb
Closes: 1126914
Changes:
 python-django (3:4.2.28-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2025-13473: The check_password function in
       django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi
       allowed remote attackers to enumerate users via a timing attack.
 .
     - CVE-2025-14550: When receiving duplicates of a single header,
       ASGIRequest allowed a remote attacker to cause a potential
       denial-of-service via a specifically created request with multiple
       duplicate headers. The vulnerability resulted from repeated string
       concatenation while combining repeated headers, which produced
       super-linear computation resulting in service degradation or outage.
 .
     - CVE-2026-1207: Raster lookups on RasterField (only implemented on
       PostGIS) allowed remote attackers to inject SQL via the band index
       parameter.
 .
     - CVE-2026-1285: The django.utils.text.Truncator.chars() and
       Truncator.words() methods (with html=True) and the truncatechars_html
       and truncatewords_html template filters allowed a remote attacker to
       cause a potential denial-of-service via crafted inputs containing a
       large number of unmatched HTML end tags.
 .
     - CVE-2026-1287: FilteredRelation was subject to SQL injection in column
       aliases via control characters using a suitably crafted dictionary,
       with dictionary expansion, as the **kwargs passed to QuerySet methods
       annotate(), aggregate(), extra(), values(), values_list() and alias().
 .
     - CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in
       column aliases containing periods when the same alias is, using a
       suitably crafted dictionary, with dictionary expansion, used in
       FilteredRelation.
 .
     (Closes: #1126914)
Checksums-Sha1:
 47dd07f4da32720edf7cdc2fab454f49814a984f 2822 python-django_4.2.28-0+deb13u1.dsc
 e0a589cf92e1887d55cd2b02071aa0383615cc2c 10464933 python-django_4.2.28.orig.tar.gz
 89a4eadabd051781962a6132c2998b8f9d0137df 34912 python-django_4.2.28-0+deb13u1.debian.tar.xz
 81b0457f606b5bb25f0b2422a2bbca17dd750e09 8219 python-django_4.2.28-0+deb13u1_amd64.buildinfo
Checksums-Sha256:
 412809afa692ce92d6dd16dd1c0ce3b1e21a63deccf1f7cac8029b48d8db4c94 2822 python-django_4.2.28-0+deb13u1.dsc
 a4b9cd881991add394cafa8bb3b11ad1742d1e1470ba99c3ef53dc540316ccfe 10464933 python-django_4.2.28.orig.tar.gz
 ab401b922c1dc56718a0901c379e9a2a2015c5fee79302f70f72868ef2b6026f 34912 python-django_4.2.28-0+deb13u1.debian.tar.xz
 d05b20f088c463074ab5fb1ea8c628d1753b37ca0e3841e34e8f438d3535b93a 8219 python-django_4.2.28-0+deb13u1_amd64.buildinfo
Files:
 202e38d78d1227b18cdf1d4661f7e456 2822 python optional python-django_4.2.28-0+deb13u1.dsc
 7c9bf3734061c4b22bdf4d922308fe62 10464933 python optional python-django_4.2.28.orig.tar.gz
 36dec15d615e0cfd41ba89161ba11092 34912 python optional python-django_4.2.28-0+deb13u1.debian.tar.xz
 64c5ad2013cdbc42329b29c37b9956c1 8219 python optional python-django_4.2.28-0+deb13u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmmYp5cACgkQHpU+J9Qx
HlgQ0w//f0uDpVuCkiSp7EHlwxZ53iQGLuqlv6+ei8sZgXIW28TwR2+myTpvpFI0
T7LEQOpI9WCdmWFO5NsNMg1avPSDF4TP3ET1W1uZ/0PyISXn9kv6DOfyfANm8vRz
N/ufuHpfvoWK6Ewp9gDpJDiMJ8Q90Zy1XnR8lpNe3OaW993w8SU0nJIK0OwvYHX2
uvzhwIf7FJup0b7FIqFlGgZx0CSqqqiKObMk0yAUGWGB+UAPYYsDHdr9uBmL/R8/
WAzFCNC7fkCr+1pW6LEWNkpkD/UAKYVe37g3Lq52tDlG6LRi/Qg7SoraYb00c87K
leF2MNPk7E9BEZjUhkRELb52WYbzuLmPuK17fZ6om3kENQAo32T9h3eVdOh2aoW/
+UfYIhpYimz82eYA3E4cqLlApXLMRo1ViuJnHco/r+/78lyr+AZ9PtYP8H+26Lr3
XZ9acdx66s3ia3fHIvftAmSnNj/ha2l5apbHslOUh1DC0xA253pHAlKBm58uE2/o
1AViNrLl6bug8IPNBGsn3RCeG36sOHELheyInBQbnWEcXEW8V9cYb57S4LAte9L5
V5mo+VEbwShAKZCotGqHS7BIvcpn0JjTgLZUfs7BJMpuRbl9lZ2a4aApU8cdndQM
2Idpre4DDIS1/mw8wiQMTzTKtkOmqzPrQbzxldEtxLkll9SeM60=
=5BUz
-----END PGP SIGNATURE-----
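The first item in the changelog, CVE-2025-13473, describes a timing attack that enumerates users through a password-check handler. The following is an added example, not Django's code and not the actual modwsgi handler: it shows the generic shape of such a leak (an unknown user is rejected before any hashing) beside a variant that spends the same hashing cost on both paths. The hasher (hashlib.pbkdf2_hmac), the in-memory user store and the iteration count are assumptions for illustration.

```python
"""Added example, not Django's code: a user-enumeration timing leak in a
password-check handler, and a variant that equalises the cost of the
known-user and unknown-user paths.

Assumptions: hashlib.pbkdf2_hmac stands in for a real password hasher, the
user store is an in-memory dict, and the iteration count is arbitrary."""
import hashlib
import hmac
import os
from typing import Callable, Tuple

ITERATIONS = 50_000  # assumed work factor; only has to be measurably slow


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Salt and hash a password; returns (salt, hash)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, hash).
USERS = {"alice": make_record("correct horse battery staple")}

# Throwaway record hashed against for unknown users so that path costs the same.
DUMMY_RECORD = make_record(os.urandom(16).hex())

hash_calls = 0  # instrumentation: counts hasher invocations


def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Run the hasher once and compare in constant time."""
    global hash_calls
    hash_calls += 1
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def check_password_leaky(username: str, password: str) -> bool:
    """An unknown user is rejected before any hashing runs, so a fast
    'False' tells the caller the account does not exist."""
    record = USERS.get(username)
    if record is None:
        return False
    return verify(password, record)


def check_password_fixed(username: str, password: str) -> bool:
    """Known or unknown, exactly one hash runs; unknown users are always refused."""
    record = USERS.get(username)
    if record is None:
        verify(password, DUMMY_RECORD)  # spend the same cost, discard the result
        return False
    return verify(password, record)


def hash_calls_for(check: Callable[[str, str], bool], username: str, password: str) -> int:
    """Hasher invocations made by one call; the leak is visible as 0 versus 1."""
    global hash_calls
    before = hash_calls
    check(username, password)
    return hash_calls - before
```

The counter is a stand-in for a stopwatch: with a real hasher the unknown-user path of the leaky version returns in microseconds and the known-user path in tens of milliseconds, which is trivially distinguishable over the network. The fixed variant only equalises the hashing cost; the user lookup itself (a database round trip, cache hit or miss) can still differ between the two paths and needs the same treatment if it is measurable.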
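CVE-2025-14550 attributes the denial of service to repeated string concatenation while combining duplicate headers. The following added example, not Django's code, shows that pattern beside a linear-time merge that buckets values per name and joins once, with a byte counter that makes the super-linear copying visible. It assumes the ASGI header layout (a list of (name, value) byte pairs) and an arbitrary per-header size cap; the cap is an extra defence, not something the changelog describes.

```python
"""Added example, not Django's code: merging duplicate HTTP headers from an
ASGI scope in linear time, beside the repeated-concatenation pattern, with a
counter of bytes copied so the super-linear cost can be seen without timing.

Assumptions: ASGI header layout (list of (name, value) byte pairs) and an
arbitrary per-header size cap."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

Header = Tuple[bytes, bytes]
MAX_HEADER_BYTES = 8192  # assumed cap on one combined header value


def merge_quadratic(headers: Iterable[Header]) -> Tuple[Dict[str, str], int]:
    """Append to the stored value each time a name repeats. Every repeat
    copies everything accumulated so far, so n duplicates of length L cost
    about n*n*L/2 bytes of copying."""
    out: Dict[str, str] = {}
    copied = 0
    for name, value in headers:
        key = name.decode("latin1")
        v = value.decode("latin1")
        out[key] = (out[key] + "," + v) if key in out else v
        copied += len(out[key])
    return out, copied


def merge_linear(
    headers: Iterable[Header], max_bytes: Optional[int] = MAX_HEADER_BYTES
) -> Tuple[Dict[str, str], int]:
    """Bucket values per name and join once. When a cap is given, a name
    whose combined size would exceed it is refused before any joining."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    size: Dict[str, int] = defaultdict(int)
    for name, value in headers:
        key = name.decode("latin1")
        v = value.decode("latin1")
        size[key] += len(v) + 1  # value plus separator
        if max_bytes is not None and size[key] > max_bytes:
            raise ValueError(f"combined {key!r} header exceeds {max_bytes} bytes")
        buckets[key].append(v)
    out = {key: ",".join(vals) for key, vals in buckets.items()}
    copied = sum(len(v) for v in out.values())
    return out, copied


def rejects_oversized(headers: Iterable[Header]) -> bool:
    """True when the capped merge refuses the request."""
    try:
        merge_linear(headers)
    except ValueError:
        return True
    return False


# Constructed flood: one header name repeated 500 times with 100-byte values.
FLOOD = [(b"x-dup", b"v" * 100)] * 500
```

On the constructed flood the naive merge copies roughly 12.6 million bytes to produce a 50 KB value, while the join-once version copies about 50 KB; doubling the number of duplicates quadruples the first figure and merely doubles the second. Values are decoded as latin1 here because ASGI hands header bytes over untranslated; a real server would apply its own header-size limits before the application sees the scope, and the cap in merge_linear is a second line for deployments where that limit is generous.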
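CVE-2026-1287 and CVE-2026-1312 both concern column aliases that arrive as **kwargs keys (control characters in one case, periods in the other) and reach SQL unchecked. Python lets any string be a keyword name under dictionary expansion, so the parameter syntax gives no protection. The following added example, not Django's code and not Django's own validation rule, shows an allowlist check applied to such keys: only identifier characters are accepted, so periods, whitespace, control characters, quotes and comment markers are all refused by construction rather than listed one by one. The pattern and the treatment of "__" are assumptions for illustration.

```python
"""Added example, not Django's code: an allowlist check for column aliases
supplied as **kwargs keys. Rule set is an assumption for illustration:
ASCII identifier characters only, and no '__' (Django's lookup separator)."""
import re
from typing import Any, Dict, Iterable, List

# Allowlist, not denylist. Written with explicit ASCII ranges rather than \w,
# because \w also admits Unicode letters and digits. Checked with fullmatch
# so that a trailing newline cannot slip past a '$' anchor.
ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
LOOKUP_SEP = "__"


def is_safe_alias(alias: str) -> bool:
    """True only for names that can be emitted as a bare SQL identifier."""
    return ALIAS_RE.fullmatch(alias) is not None and LOOKUP_SEP not in alias


def checked_aliases(**kwargs: Any) -> Dict[str, Any]:
    """Refuse the whole call if any alias fails the allowlist. Mirrors the
    **kwargs entry point named in the advisory; callers can expand a
    user-influenced dict into it and still not reach SQL with a bad name."""
    for alias in kwargs:
        if not is_safe_alias(alias):
            raise ValueError(f"unsafe column alias: {alias!r}")
    return dict(kwargs)


def rejected_aliases(aliases: Iterable[str]) -> List[str]:
    """The names in a candidate payload that would be refused."""
    return [a for a in aliases if not is_safe_alias(a)]


# Constructed payloads of the two shapes the advisory names: a period in the
# alias, and control characters (NUL, unit separator, newline) in the alias.
CONSTRUCTED_PAYLOAD = {
    "total": 1,
    "t.col": 2,
    "t\x00col": 3,
    "x\x1fy": 4,
    "alias\n": 5,
}
```

Quoting the identifier on output (for example as "alias" with embedded quotes doubled) is a reasonable belt-and-braces step, but it is not a substitute for the allowlist: the advisory's cases show that an alias may be used in more than one place in the generated SQL, and each consumer would have to quote it identically.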