Package: python-django
Version: 2:2.2.28-1~deb11u12
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django via
https://www.djangoproject.com/weblog/2026/mar/03/security-releases/

CVE-2026-25673[0]:
| An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and
| 4.2 before 4.2.29. `URLField.to_python()` in Django calls
| `urllib.parse.urlsplit()`, which performs NFKC normalization on
| Windows that is disproportionately slow for certain Unicode
| characters, allowing a remote attacker to cause denial of service
| via large URL inputs containing these characters. Earlier,
| unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not
| evaluated and may also be affected. Django would like to thank
| Seokchan Yoon for reporting this issue.

CVE-2026-25674[1]:
| An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and
| 4.2 before 4.2.29. Race condition in file-system storage and
| file-based cache backends in Django allows an attacker to cause file
| system objects to be created with incorrect permissions via
| concurrent requests, where one thread's temporary `umask` change
| affects other threads in multi-threaded environments. Earlier,
| unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not
| evaluated and may also be affected. Django would like to thank Tarek
| Nakkouch for reporting this issue.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-25673
    https://www.cve.org/CVERecord?id=CVE-2026-25673
[1] https://security-tracker.debian.org/tracker/CVE-2026-25674
    https://www.cve.org/CVERecord?id=CVE-2026-25674

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-
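The CVE-2026-25674 description above hinges on a property of `umask` that is easy to overlook: it is a per-process setting, so a thread that temporarily changes it alters the permissions of every file any other thread creates in that window. The following is an added illustration written for this report; it is not Django's code and does not reproduce Django's fix. It shows, on POSIX, that a second thread observes the temporary mask, that a plain `open()` under a relaxed mask produces a world-writable file, and one mitigation pattern that needs no umask change at all: create the file with an explicit mode via `os.open()` and then re-apply that mode with `os.fchmod()`, which the umask does not filter. The function names (`umask_seen_by_other_thread`, `mode_of_plain_open`, `create_with_exact_mode`, `demonstrate`) are this example's own.

```python
# Added illustration for CVE-2026-25674 (not Django code): umask is process-wide,
# so a temporary change in one thread leaks into files created by other threads.
# POSIX only: relies on os.fchmod() and on the filesystem honouring mode bits.
import os
import stat
import tempfile
import threading


def umask_seen_by_other_thread(temporary_mask=0o000):
    """Apply `temporary_mask` in the calling thread and return the mask that a
    second thread observes meanwhile. Because umask is per-process, the second
    thread sees the temporary value. The caller's original mask is restored."""
    original = os.umask(temporary_mask)
    observed = {}

    def worker():
        # os.umask() returns the previous mask; read it, then put it straight back.
        current = os.umask(0o022)
        os.umask(current)
        observed["mask"] = current

    try:
        t = threading.Thread(target=worker)
        t.start()
        t.join()
    finally:
        os.umask(original)
    return observed["mask"]


def mode_of_plain_open(path, active_umask):
    """Create `path` with open() while `active_umask` is in force and return the
    resulting permission bits. open() requests 0o666 and relies entirely on the
    umask to drop group/other write bits, so a relaxed mask of 0o000 yields a
    world-writable file (0o666); the usual 0o022 yields 0o644."""
    original = os.umask(active_umask)
    try:
        with open(path, "w"):
            pass
    finally:
        os.umask(original)
    return stat.S_IMODE(os.stat(path).st_mode)


def create_with_exact_mode(path, mode=0o600):
    """Create `path` with exactly `mode`, regardless of the current umask and of
    what any other thread is doing to it. The mode passed to os.open() is still
    filtered by the umask (it can only become more restrictive, never looser), so
    the requested mode is re-applied with fchmod() on the open descriptor, which
    the umask does not touch. O_EXCL refuses to reuse a pre-existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def demonstrate(directory=None):
    """Run the three scenarios in `directory` (a fresh temp dir if None) and
    return the observed values as a dict."""
    if directory is None:
        directory = tempfile.mkdtemp()
    results = {
        "seen_by_other_thread": umask_seen_by_other_thread(0o000),
        "plain_open_umask_000": mode_of_plain_open(os.path.join(directory, "plain0"), 0o000),
        "plain_open_umask_022": mode_of_plain_open(os.path.join(directory, "plain022"), 0o022),
    }
    # Even with the mask fully relaxed, the explicit-mode path stays at 0o600.
    original = os.umask(0o000)
    try:
        results["exact_mode_umask_000"] = create_with_exact_mode(
            os.path.join(directory, "exact"), 0o600)
    finally:
        os.umask(original)
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, value in demonstrate(d).items():
            print("%-24s %o" % (name, value))
```

The defensive point is the last scenario: a file whose permissions are set explicitly on its own descriptor cannot be widened by a concurrent umask change elsewhere in the process, whereas anything that relies on the umask is only as tight as the loosest value any thread sets while it runs.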

