Package: python-django
Version: 2:2.2.28-1~deb11u12
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django:

https://www.djangoproject.com/weblog/2026/may/05/security-releases/

CVE-2026-5766[0]:
| An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
| ASGI requests with a missing or understated `Content-Length` header
| can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially
| loading large files into memory and causing service degradation.
| As a reminder, Django expects a limit to be configured at the web
| server level rather than solely relying on
| `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series
| (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Kyle Agronick for reporting
| this issue.

CVE-2026-35192[1]:
| An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
| Response headers do not vary on cookies if a session is not
| modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote
| attacker can steal a user's session after that user visits a cached
| public page. Earlier, unsupported Django series (such as 5.0.x,
| 4.1.x, and 3.2.x) were not evaluated and may also be affected.
| Django would like to thank Cantina for reporting this issue.

CVE-2026-6907[2]:
| An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
| `django.middleware.cache.UpdateCacheMiddleware` erroneously caches
| requests where the `Vary` header contained an asterisk (`'*'`). This
| can lead to private data being stored and served. Earlier,
| unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not
| evaluated and may also be affected. Django would like to thank Ahmad
| Sadeddin for reporting this issue.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5766
    https://www.cve.org/CVERecord?id=CVE-2026-5766
[1] https://security-tracker.debian.org/tracker/CVE-2026-35192
    https://www.cve.org/CVERecord?id=CVE-2026-35192
[2] https://security-tracker.debian.org/tracker/CVE-2026-6907
    https://www.cve.org/CVERecord?id=CVE-2026-6907

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-
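As an added illustration of the two caching conditions described in the report above (a `Vary: *` response, and a response that sets a session cookie without being keyed on cookies), here is a conservative "may a shared page cache store this response?" gate. This is example code written for this report, not Django's `UpdateCacheMiddleware`; the header dicts and cookie values are constructed samples, and the rules follow RFC 9111 semantics rather than any framework's implementation.

```python
# Example (not Django's code): a conservative gate for a shared page cache.
# Headers are modelled as plain dicts; sample values below are constructed.

def parse_vary(headers):
    """Return the lower-cased field names listed in Vary ('*' is kept as-is)."""
    names = set()
    for key, value in headers.items():
        if key.lower() == "vary":
            for part in value.split(","):
                part = part.strip().lower()
                if part:
                    names.add(part)
    return names


def shared_cache_may_store(request_cookies, response_headers):
    """Decide whether a shared (public) cache may store this response.

    Rules:
    1. Cache-Control: private or no-store always forbids storage.
    2. 'Vary: *' means the response depends on something the cache
       cannot observe, so it must never be stored (the CVE-2026-6907 case).
    3. A response carrying Set-Cookie must be keyed on 'Cookie', and must
       not be stored for a cookie-less request; otherwise one visitor's
       Set-Cookie header would be replayed from the cache to everyone
       (the exposure described for CVE-2026-35192).
    """
    lower = {k.lower(): v for k, v in response_headers.items()}
    directives = {d.strip().lower() for d in lower.get("cache-control", "").split(",")}
    if directives & {"private", "no-store"}:
        return False
    vary = parse_vary(response_headers)
    if "*" in vary:
        return False
    if "set-cookie" in lower:
        if "cookie" not in vary or not request_cookies:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: an anonymous request, response advertising Vary: *
    print(shared_cache_may_store({}, {"Vary": "Accept-Encoding, *"}))  # False
    # Constructed sample: session cookie issued to a cookie-less visitor
    print(shared_cache_may_store({}, {"Set-Cookie": "sessionid=abc", "Vary": "Cookie"}))  # False
```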

