-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 23 Feb 2026 15:32:59 -0800
Source: python-django
Binary: python-django-doc python3-django
Architecture: all
Version: 3:3.2.25-0+deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Chris Lamb
Description:
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework
Changes:
 python-django (3:3.2.25-0+deb12u2) bookworm-security; urgency=high
 .
   * CVE-2025-13473: The check_password function in
     django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi
     allowed remote attackers to enumerate users via a timing attack.
   * CVE-2025-14550: ASGIRequest allowed a remote attacker to cause a
     potential denial-of-service via a crafted request with multiple
     duplicate headers.
   * CVE-2026-1207: Raster lookups on RasterField (only implemented on
     PostGIS) allowed remote attackers to inject SQL via the band index
     parameter.
   * CVE-2026-1285: The django.utils.text.Truncator.chars() and
     Truncator.words() methods (with html=True) and the truncatechars_html
     and truncatewords_html template filters allowed a remote attacker to
     cause a potential denial-of-service via crafted inputs containing a
     large number of unmatched HTML end tags.
   * CVE-2026-1287: FilteredRelation was subject to SQL injection in column
     aliases via control characters using a suitably crafted dictionary,
     with dictionary expansion, as the **kwargs passed to QuerySet methods
     annotate(), aggregate(), extra(), values(), values_list() and alias().
   * CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in
     column aliases containing periods when the same alias is, using a
     suitably crafted dictionary, with dictionary expansion, used in
     FilteredRelation.