Package: python-django Version: 2:2.2.28-1~deb11u12 X-Debbugs-CC: [email protected] Severity: grave Tags: security
Hi, The following vulnerabilities were published for python-django. https://www.djangoproject.com/weblog/2026/jul/07/security-releases/ CVE-2026-48588[0]: | An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before | 5.2.16. `UpdateCacheMiddleware` and the `cache_page()` decorator | cache responses that vary on cookies when the incoming request | carries unrelated cookies, which allows remote attackers to read | private data from the shared cache. Earlier, unsupported Django | series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may | also be affected. Django would like to thank Chris Whyland for | reporting this issue. CVE-2026-53877[1]: | An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before | 5.2.16. `django.contrib.gis.gdal.GDALRaster` over-reads its in- | memory buffer when constructed from a bytes object, which can | disclose adjacent memory or cause service degradation via a | potential segmentation fault when the `vsi_buffer` property is | accessed. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, | and 3.2.x) were not evaluated and may also be affected. Django would | like to thank Bence Nagy for reporting this issue. CVE-2026-53878[2]: | An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before | 5.2.16. `DomainNameValidator` does not prohibit newlines in domain | names (unless used via a form field, since `CharField` strips | newlines). If an application uses values with newlines in an HTTP | response, header injection can occur. Django itself is unaffected | because `HttpResponse` prohibits newlines in HTTP headers. Earlier, | unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not | evaluated and may also be affected. Django would like to thank Bence | Nagy for reporting this issue. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-48588 https://www.cve.org/CVERecord?id=CVE-2026-48588 [1] https://security-tracker.debian.org/tracker/CVE-2026-53877 https://www.cve.org/CVERecord?id=CVE-2026-53877 [2] https://security-tracker.debian.org/tracker/CVE-2026-53878 https://www.cve.org/CVERecord?id=CVE-2026-53878 Regards, -- ,''`. : :' : Chris Lamb `. `'` [email protected] / chris-lamb.co.uk `-

