#1099682 python-django: CVE-2025-26699

Package:
python-django
Source:
python-django
Submitter:
Chris Lamb
Date:
2026-02-21 19:51:02 UTC
Severity:
normal
Tags:
#1099682#5
Date:
2025-03-06 17:53:13 UTC
From:
To:
Hi,

The following vulnerability was published for python-django.

    CVE-2025-26699 [0]: Potential denial-of-service in
    django.utils.text.wrap()

    The django.utils.text.wrap() and wordwrap template filter were
    subject to a potential denial-of-service attack when used with
    very long strings.

    Thanks to sw0rd1ight for the report.

    This issue has severity "moderate" according to the Django
    security policy.

      — <https://www.djangoproject.com/weblog/2025/mar/06/security-releases/>


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-26699
https://www.cve.org/CVERecord?id=CVE-2025-26699


Regards,
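
As an added example (not code from the bug report, the Debian package or Django's own fix), a bounded word-wrap helper showing the two generic mitigations a defender can apply to this class of bug: a size cap checked before the expensive operation, and a wrapping step whose cost grows linearly with input length; MAX_WRAP_INPUT, is_within_cap and bounded_wrap are assumed names.

```python
"""Bounded word-wrap helper: an added illustration, not Django's code or fix.

CVE-2025-26699 concerns django.utils.text.wrap() (and the wordwrap template
filter) being slow on very long input. The two generic mitigations shown here
are: refuse input above a size cap before doing any work, and delegate the
wrapping to the standard library's textwrap, whose cost grows linearly with
input length. MAX_WRAP_INPUT, is_within_cap and bounded_wrap are assumed names.
"""
import textwrap

# Assumed cap; pick a value that covers legitimate inputs for your application.
MAX_WRAP_INPUT = 100_000


def is_within_cap(text: str, max_chars: int = MAX_WRAP_INPUT) -> bool:
    """Cheap O(1) pre-check: reject oversized input before any wrapping work."""
    return len(text) <= max_chars


def bounded_wrap(text: str, width: int, max_chars: int = MAX_WRAP_INPUT) -> str:
    """Word-wrap `text` to `width` columns, approximating wrap()'s documented
    behaviour: existing POSIX newlines are preserved, long words are never
    split (so a line may exceed `width`), and an added break consumes the
    space it breaks on. Raises ValueError instead of processing oversized input."""
    if width < 1:
        raise ValueError("width must be a positive integer")
    if not is_within_cap(text, max_chars):
        raise ValueError(f"refusing to wrap input longer than {max_chars} characters")
    wrapper = textwrap.TextWrapper(
        width=width,
        break_long_words=False,   # keep long tokens intact, as wrap() does
        break_on_hyphens=False,
        expand_tabs=False,
        replace_whitespace=False,
        drop_whitespace=True,     # the space a line breaks on is consumed
    )
    wrapped_lines = []
    for line in text.split("\n"):  # preserve the caller's own line breaks
        # TextWrapper.wrap("") returns [], so restore blank lines explicitly.
        wrapped_lines.extend(wrapper.wrap(line) or [""])
    return "\n".join(wrapped_lines)


if __name__ == "__main__":
    # Constructed sample input: two paragraphs, one containing a long token.
    sample = "The quick brown fox jumps over the lazy dog.\n\nhttps://example.invalid/a-long-path"
    print(bounded_wrap(sample, 20))
```

Registering bounded_wrap as a custom template filter lets templates keep a wordwrap-style filter while oversized input is rejected up front; the cap is a tuning decision for the deployment, not a value taken from the advisory.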

#1099682#16
Date:
2025-03-06 21:20:56 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1099682@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Thu, 06 Mar 2025 17:55:06 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.20-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1099682
Changes:
 python-django (3:4.2.20-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2025-26699: Address a potential denial-of-service in
       django.utils.text.wrap. The wrap() method and wordwrap template filter
       were subject to a potential denial-of-service attack when used with very
       long strings. (Closes: #1099682)
 .
     <https://www.djangoproject.com/weblog/2025/mar/06/security-releases/>

#1099682#21
Date:
2026-02-21 19:49:33 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1099682@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Tue, 27 Jan 2026 11:16:59 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:3.2.25-0+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1051226 1099682 1113865
Changes:
 python-django (3:3.2.25-0+deb12u1) bookworm-security; urgency=high
 .
   * Update to upstream's last 3.2 series release:
 .
     - CVE-2023-41164: Potential denial of service vulnerability in
       django.utils.encoding.uri_to_iri().
 .
       This method was subject to a potential denial of service attack via certain
       inputs with a very large number of Unicode characters. This fix was
       released in Django 3.2.21. (Closes: #1051226)
 .
     - CVE-2023-43665: Address a denial-of-service possibility in
       django.utils.text.Truncator.
 .
       Following the fix for CVE-2019-14232, the regular expressions used in the
       implementation of django.utils.text.Truncator’s chars() and words()
       methods (with html=True) were revised and improved. However, these
       regular expressions still exhibited linear backtracking complexity, so
       when given a very long, potentially malformed HTML input, the evaluation
       would still be slow, leading to a potential denial of service
       vulnerability.
 .
       The chars() and words() methods are used to implement the
       truncatechars_html and truncatewords_html template filters, which were
       thus also vulnerable.
 .
       The input processed by Truncator, when operating in HTML mode, has been
       limited to the first five million characters in order to avoid potential
       performance and memory issues. This fix was included in Django 3.2.22.
 .
     - CVE-2024-24680: Potential denial-of-service in intcomma template filter.
       The intcomma template filter was subject to a potential denial-of-service
       attack when used with very long strings. This fix was included in Django
       3.2.24.
 .
     - CVE-2024-27351: Fix a potential regular expression denial-of-service
       (ReDoS) attack in django.utils.text.Truncator.words. This method
       (with html=True) and the truncatewords_html template filter were subject
       to a potential regular expression denial-of-service attack via a suitably
       crafted string. This is, in part, a follow up to CVE-2019-14232 and
       CVE-2023-43665, and was included in Django 3.2.25.
 .
   * Drop debian/patches/CVE-2023-36053.patch now that we include the fix
     directly via 3.2.20.
 .
   * CVE-2024-39329: Avoid a username enumeration vulnerability through timing
     difference for users with unusable password. The authenticate method of
     django.contrib.auth.backends.ModelBackend method allowed remote attackers
     to enumerate users via a timing attack involving login requests for users
     with unusable passwords.
 .
   * CVE-2024-39330: Address a potential directory-traversal in
     django.core.files.storage.Storage.save. Derived classes of this method's
     base class which override generate_filename without replicating the file
     path validations existing in the parent class allowed for potential
     directory-traversal via certain inputs when calling save(). Built-in
     Storage sub-classes were not affected by this vulnerability.
 .
   * CVE-2024-39614: Fix a potential denial-of-service in
     django.utils.translation.get_supported_language_variant. This method was
     subject to a potential DoS attack when used with very long strings
     containing specific characters. To mitigate this vulnerability, the
     language code provided to get_supported_language_variant is now parsed up
     to a maximum length of 500 characters.
 .
   * CVE-2024-41989: Memory exhaustion in django.utils.numberformat. The
     floatformat template filter is subject to significant memory consumption
     when given a string representation of a number in scientific notation with
     a large exponent.
 .
   * CVE-2024-41991: Potential denial-of-service vulnerability in
     django.utils.html.urlize() and AdminURLFieldWidget. The urlize and
     urlizetrunc template filters, and the AdminURLFieldWidget widget, are
     subject to a potential denial-of-service attack via certain inputs with a
     very large number of Unicode characters.
 .
   * CVE-2024-42005: Potential SQL injection in QuerySet.values() and
     values_list(). QuerySet.values() and values_list() methods on models with a
     JSONField are subject to SQL injection in column aliases via a crafted JSON
     object key as a passed *arg.
 .
   * CVE-2024-45231: Potential user email enumeration via response status on
     password reset. Due to unhandled email sending failures, the
     django.contrib.auth.forms.PasswordResetForm class allowed remote attackers
     to enumerate user emails by issuing password reset requests and observing
     the outcomes. To mitigate this risk, exceptions occurring during password
     reset email sending are now handled and logged using the
     django.contrib.auth logger.
 .
   * CVE-2024-53907: Potential DoS in django.utils.html.strip_tags.
     The strip_tags() method and striptags template filter were subject to a
     potential denial-of-service attack via certain inputs containing large
     sequences of nested incomplete HTML entities.
 .
   * CVE-2024-56374: Potential denial-of-service vulnerability in IPv6
     validation. A lack of upper bound limit enforcement in strings passed when
     performing IPv6 validation could have led to a potential denial-of-service
     (DoS) attack. The undocumented and private functions clean_ipv6_address and
     is_valid_ipv6_address were vulnerable, as was the GenericIPAddressField
     form field, which has now been updated to define a max_length of 39
     characters. The GenericIPAddressField model field was not affected.
 .
   * CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
     column aliases when using PostgreSQL. FilteredRelation was subject to SQL
     injection in column aliases via a suitably crafted dictionary as the
     **kwargs passed to QuerySet.annotate() or QuerySet.alias().
 .
   * CVE-2025-26699: Address a potential denial-of-service in
     django.utils.text.wrap. The wrap() method and wordwrap template filter were
     subject to a potential denial-of-service attack when used with very long
     strings. (Closes: #1099682)
 .
   * CVE-2025-32873: Denial-of-service possibility in strip_tags().
     django.utils.html.strip_tags() would be slow to evaluate certain inputs
     containing large sequences of incomplete HTML tags. This function is used
     to implement the striptags template filter, which was therefore also
     vulnerable. strip_tags() now raises a SuspiciousOperation exception if it
     encounters an unusually large number of unclosed opening tags.
 .
   * CVE-2025-48432: Potential log injection via unescaped request path.
     Django's internal HTTP response logging used request.path directly,
     allowing control characters (e.g. newlines or ANSI escape sequences) to be
     written unescaped into logs. This could enable log injection or forgery,
     letting attackers manipulate log appearance or structure, especially in
     logs processed by external systems or viewed in terminals.  Although this
     does not directly impact Django's security model, it poses risks when logs
     are consumed or interpreted by other tools. To fix this, the internal
     django.utils.log.log_response() function now escapes all positional
     formatting arguments using a safe encoding.
 .
   * CVE-2025-57833: Potential SQL injection in FilteredRelation column
     aliases. The FilteredRelation feature in Django was subject to a potential
      SQL injection vulnerability in column aliases that was exploitable via a
      suitably crafted dictionary with dictionary expansion as the **kwargs
      passed to QuerySet.annotate() or QuerySet.alias(). (Closes: #1113865)
 .
   * CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(),
     aggregate() and extra() on MySQL and MariaDB. QuerySet.annotate(),
     QuerySet.alias(), QuerySet.aggregate() and QuerySet.extra() methods were
     subject to SQL injection in column aliases, using a suitably crafted
     dictionary with dictionary expansion as the **kwargs passed to these
     methods on MySQL and MariaDB.
 .
   * CVE-2025-59682: Potential partial directory-traversal via
     archive.extract(). The django.utils.archive.extract() function, used by
     startapp --template and startproject --template allowed partial
     directory-traversal via an archive with file paths sharing a common prefix
     with the target directory.
 .
   * CVE-2025-64459: Prevent a potential SQL injection via _connector keyword
     argument in QuerySet/Q objects. The methods QuerySet.filter(),
     QuerySet.exclude(), and QuerySet.get() and the class Q() were subject to
     SQL injection when using a suitably crafted dictionary (with dictionary
     expansion) as the _connector argument.
 .
   * CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
     XML serializer text extraction. An algorithmic complexity issue in
     django.core.serializers.xml_serializer.getInnerText() allowed a remote
     attacker to cause a potential denial-of-service triggering CPU and memory
     exhaustion via a specially crafted XML input submitted to a service that
     invokes XML Deserializer. The vulnerability resulted from repeated string
     concatenation while recursively collecting text nodes, which produced
     superlinear computation.