-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Apr 2026 10:28:52 -0400
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:6.0.4-1
Distribution: experimental
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1132927
Changes:
 python-django (3:6.0.4-1) experimental; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation.
       ASGIRequest normalizes header names following WSGI conventions, mapping
       hyphens to underscores. As a result, even in configurations where reverse
       proxies carefully strip security-sensitive headers named with hyphens,
       such a header could be spoofed by supplying a header named with
       underscores. Under WSGI, it is the responsibility of the server or proxy
       to avoid ambiguous mappings. (Django's runserver was patched via
       CVE-2015-0219.) But under ASGI, there is not the same uniform
       expectation, even if many proxies protect against this under default
       configuration (including nginx via underscores_in_headers off;). Headers
       containing underscores are now ignored by ASGIRequest, matching the
       behavior of Daphne, the reference server for ASGI.
 .
     - CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin. Add
       permissions on inline model instances were not validated on submission of
       forged POST data in GenericInlineModelAdmin.
 .
     - CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable. Admin
       changelist forms using ModelAdmin.list_editable incorrectly allowed new
       instances to be created via forged POST data.
 .
     - CVE-2026-33033: Potential denial-of-service vulnerability in
       MultiPartParser via base64-encoded file upload. When using
       django.http.multipartparser.MultiPartParser, multipart uploads with
       Content-Transfer-Encoding: base64 that include excessive whitespace may
       trigger repeated memory copying, potentially degrading performance.
 .
     - CVE-2026-33034: Potential denial-of-service vulnerability in ASGI
       requests via memory upload limit bypass. ASGI requests with a missing or
       understated Content-Length header could bypass the
       DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading HttpRequest.body,
       potentially loading an unbounded request body into memory and causing
       service degradation.
 .
     <https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>
 .
     (Closes: #1132927)
Checksums-Sha1:
 5fe0c80f330fc525ef53c1bd21eacfc78c9922db 2783 python-django_6.0.4-1.dsc
 89cd1b49c06b176b414138a5af1cfa3d340673a4 10907407 python-django_6.0.4.orig.tar.gz
 3c5a6780ad0480f9b916cadda1c64999074111e2 32232 python-django_6.0.4-1.debian.tar.xz
 3fd8921d7341e4d442e448b36c28fc0f03691bc8 8174 python-django_6.0.4-1_amd64.buildinfo
Checksums-Sha256:
 9973cfee12f242d30eebcb42fb7027d01cfb5ae98a06f5bfd515a1e91753feee 2783 python-django_6.0.4-1.dsc
 8cfa2572b3f2768b2e84983cf3c4811877a01edb64e817986ec5d60751c113ac 10907407 python-django_6.0.4.orig.tar.gz
 e44c8d9fd6db272dd8f1f1298237e17c9505dcb1020e3a7dcfcc6708d1a34951 32232 python-django_6.0.4-1.debian.tar.xz
 8626d479a2d7414ecf789375bfc07d8b820ebe40427ad5c61a8c865ac018ad11 8174 python-django_6.0.4-1_amd64.buildinfo
Files:
 e87af5f3441fceba68149c486a2277f7 2783 python optional python-django_6.0.4-1.dsc
 9d429cbef8c8357a480d0b920dd9a956 10907407 python optional python-django_6.0.4.orig.tar.gz
 2e9858a2a3bd636c8bca6dcf684d40ca 32232 python optional python-django_6.0.4-1.debian.tar.xz
 497c58d26b70fce4554cc1d23f6138d4 8174 python optional python-django_6.0.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
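Added example, not code from Django or from the Debian package: a minimal ASGI-style header and body handler that shows the two ASGI-side problems named in the changelog above, the underscore/hyphen conflation (CVE-2026-3902) and the memory-limit bypass via a missing or understated Content-Length (CVE-2026-33034), each as a pre-fix function beside a hardened one. The proxy model, all function names, the constructed request and the ASGI events are assumptions; only the ASGI http.request event shape and the WSGI HTTP_* META naming are real, and the hardened functions illustrate the behaviour the changelog describes rather than reproduce Django's actual patch.

```python
"""Constructed example (not Django's code) for the two ASGI fixes above."""
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

Header = Tuple[bytes, bytes]  # ASGI scope["headers"]: lowercased raw name, value

# Stand-in for Django's DATA_UPLOAD_MAX_MEMORY_SIZE (2.5 MiB by default).
DATA_UPLOAD_MAX_MEMORY_SIZE = 2_621_440


class RequestDataTooBig(Exception):
    """Body would exceed the in-memory limit (same name as Django's exception)."""


def proxy_strip(headers: Iterable[Header], sensitive: Tuple[str, ...]) -> List[Header]:
    """Hypothetical reverse proxy that strips trusted-only headers by exact,
    hyphenated name.  It leaves 'x_forwarded_for' alone, which is the gap the
    conflation lets a client exploit."""
    return [(n, v) for n, v in headers if n.decode("latin1") not in sensitive]


def _meta_key(raw_name: str) -> str:
    return "HTTP_" + raw_name.upper().replace("-", "_")


def _add(meta: Dict[str, str], key: str, val: str) -> None:
    # Repeated keys are joined with a comma, as ASGIRequest does.
    meta[key] = meta[key] + "," + val if key in meta else val


def meta_conflating(headers: Iterable[Header]) -> Dict[str, str]:
    """Pre-fix behaviour: '-' becomes '_', so 'x-forwarded-for' and
    'x_forwarded_for' collide on HTTP_X_FORWARDED_FOR."""
    meta: Dict[str, str] = {}
    for name, value in headers:
        _add(meta, _meta_key(name.decode("latin1")), value.decode("latin1"))
    return meta


def meta_hardened(headers: Iterable[Header]) -> Dict[str, str]:
    """Post-fix behaviour: a header whose raw name contains '_' is ignored
    before normalisation (the Daphne rule).  Everything else is unchanged."""
    meta: Dict[str, str] = {}
    for name, value in headers:
        raw = name.decode("latin1")
        if "_" in raw:
            continue
        _add(meta, _meta_key(raw), value.decode("latin1"))
    return meta


def body_chunks(events: Iterable[dict]) -> Iterator[bytes]:
    """Yield body chunks from ASGI http.request events until more_body is False."""
    for event in events:
        if event.get("type") != "http.request":
            continue
        yield event.get("body", b"")
        if not event.get("more_body", False):
            return


def read_body_trusting_length(events: Iterable[dict], content_length: Optional[int],
                              limit: int = DATA_UPLOAD_MAX_MEMORY_SIZE) -> bytes:
    """Pre-fix pattern: the limit is checked only against the declared
    Content-Length, so a missing or understated header bypasses it."""
    if content_length is not None and content_length > limit:
        raise RequestDataTooBig("declared Content-Length exceeds limit")
    return b"".join(body_chunks(events))


def read_body_bounded(events: Iterable[dict],
                      limit: int = DATA_UPLOAD_MAX_MEMORY_SIZE) -> bytes:
    """Post-fix pattern: count bytes as they arrive and stop the moment the
    limit is exceeded, whatever Content-Length claimed (or omitted)."""
    buf = bytearray()
    for chunk in body_chunks(events):
        buf += chunk
        if len(buf) > limit:
            raise RequestDataTooBig("body exceeds DATA_UPLOAD_MAX_MEMORY_SIZE")
    return bytes(buf)


# Constructed request: the client sends both spellings of the spoofed header;
# the proxy strips only the hyphenated one.
CLIENT_HEADERS: List[Header] = [
    (b"host", b"app.example"),
    (b"x-forwarded-for", b"203.0.113.9"),  # stripped by the proxy
    (b"x_forwarded_for", b"203.0.113.9"),  # passes the proxy's exact-name filter
]
UPSTREAM_HEADERS = proxy_strip(CLIENT_HEADERS, sensitive=("x-forwarded-for",))

# Constructed ASGI events: three 8-byte chunks (24 bytes) behind a declared
# Content-Length of 4, checked against a deliberately small limit of 16.
EVENTS = [
    {"type": "http.request", "body": b"A" * 8, "more_body": True},
    {"type": "http.request", "body": b"B" * 8, "more_body": True},
    {"type": "http.request", "body": b"C" * 8, "more_body": False},
]

if __name__ == "__main__":
    print("conflating:", meta_conflating(UPSTREAM_HEADERS).get("HTTP_X_FORWARDED_FOR"))
    print("hardened:  ", meta_hardened(UPSTREAM_HEADERS).get("HTTP_X_FORWARDED_FOR"))
    print("trusting Content-Length read", len(read_body_trusting_length(EVENTS, 4, limit=16)), "bytes")
    try:
        read_body_bounded(EVENTS, limit=16)
    except RequestDataTooBig as exc:
        print("bounded:", exc)
```

The same proxy gap applies to any header a deployment treats as trusted-only (X-Real-IP, X-Forwarded-Proto, internal auth headers); the practical check is to send the underscored spelling through your real proxy and confirm the application never sees it, whether because the proxy drops it (nginx with `underscores_in_headers off;`, its default) or because the ASGI layer now ignores it.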
