#1102743 python3-django: Is it possible to deliver Django 5.2 instead of Django 4.2 in Trixie?
- Package: python3-django
- Source: python3-django
- Submitter: Salman Mohammadi
- Date: 2026-06-03 21:53:02 UTC
- Severity: normal
Dear Maintainers, The default Python 3 version on Debian Trixie is set to be 3.13, while Django 4.2 is currently planned for inclusion. The issue is that, according to the official Django documentation, Django 4.2 is only supported on Python versions 3.8, 3.9, 3.10, 3.11, and 3.12 (with 3.12 being added in version 4.2.8) [1]. Additionally, the end-of-life (EOL) for Django 4.2 does not align with the EOL for Debian Trixie, which could result in a short support lifespan for Django 4.2 within this release. Therefore, would it be possible to package Django 5.2 in Debian Trixie instead of Django 4.2? [1] https://docs.djangoproject.com/en/dev/faq/install/#faq-python-version-support
Fine with this if we get release-team signoff
Hi Salman, (Grr, I'm somehow not getting emails about new python-django bugs again…) Like Luke, I think I would be fine with this as well. However, I stopped thinking through the possible negative consequences because the trixie soft freeze is tomorrow [0] and it would be unlikely to get approval now. If it helps, once trixie is released, 5.2 can enter unstable and thus be shortly available in trixie-backports. [0] https://release.debian.org/testing/freeze_policy.html Regards,
Hi, I have working packaging for Django 5.2, but I cannot upload it to unstable yet as there are, at the time of writing, 14 autopkgtest regressions:
* debusine/0.14.6
* django-axes/5.39.0-6
* djangorestframework-filters/1.0.0.dev2-3
* hyperkitty/1.3.12-4
* postorius/1.3.13-1
* python-crispy-bootstrap3/2024.1-1
* python-django-contrib-comments/2.2.0-2
* python-django-crispy-forms/2.6-1
* python-django-crum/0.7.9-6
* python-django-dynamic-fixture/4.0.1-1
* python-django-extra-views/0.14.0-4
* python-django-postgres-extra/2.0.9-1
* python-django-waffle/4.2.0-1
* python-djangorestframework-yaml/3.0.1-3
There are also 5 packages that fail in both the candidate and control. It would be nice to fix these for the 5.2 upload but not essential.
* django-ldapdb/2.0.0-1
* lava/2026.02-2
* pyinstaller/6.18.0+ds-3
* python-django-tasks-rq/0.12.0-2
* python-django-timescaledb/0.2.13-4
171 other packages pass fine.
Regards,
Chris Lamb wrote:
I've just uploaded python-django-waffle/4.2.0-2, leaving 13:
* debusine/0.14.6
* django-axes/5.39.0-6
* djangorestframework-filters/1.0.0.dev2-3
* hyperkitty/1.3.12-4
* postorius/1.3.13-1
* python-crispy-bootstrap3/2024.1-1
* python-django-contrib-comments/2.2.0-2
* python-django-crispy-forms/2.6-1
* python-django-crum/0.7.9-6
* python-django-dynamic-fixture/4.0.1-1
* python-django-extra-views/0.14.0-4
* python-django-postgres-extra/2.0.9-1
* python-djangorestframework-yaml/3.0.1-3
Running this through dd-list:
Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>
hyperkitty
postorius
Debian Python Team <team+python@tracker.debian.org>
djangorestframework-filters
python-crispy-bootstrap3
python-django-contrib-comments
python-django-crispy-forms
python-django-crum
python-django-dynamic-fixture
python-django-extra-views
python-django-postgres-extra
python-djangorestframework-yaml
FreedomBox packaging team <freedombox-pkg-team@lists.alioth.debian.org>
django-axes
Raphaël Hertzog <raphael@freexian.com>
debusine
Regards,
Chris Lamb wrote:
python-django-extra-views/0.14.0-5 and python-django-crum/0.7.9-7
uploaded, leaving 12:
* debusine/0.14.6
* django-axes/5.39.0-6
* djangorestframework-filters/1.0.0.dev2-3
* hyperkitty/1.3.12-4
* postorius/1.3.13-1
* python-crispy-bootstrap3/2024.1-1
* python-django-contrib-comments/2.2.0-2
* python-django-crispy-forms/2.6-1
* python-django-dynamic-fixture/4.0.1-1
* python-django-postgres-extra/2.0.9-1
* python-djangorestframework-yaml/3.0.1-3
Running this through dd-list:
Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>
hyperkitty
postorius
Debian Python Team <team+python@tracker.debian.org>
djangorestframework-filters
python-crispy-bootstrap3
python-django-contrib-comments
python-django-crispy-forms
python-django-dynamic-fixture
python-django-postgres-extra
python-djangorestframework-yaml
FreedomBox packaging team <freedombox-pkg-team@lists.alioth.debian.org>
django-axes
Raphaël Hertzog <raphael@freexian.com>
debusine
Chris Lamb wrote:
python-django-dynamic-fixture (4.0.1-3) just uploaded, leaving 11:
* debusine/0.14.6
* django-axes/5.39.0-6
* djangorestframework-filters/1.0.0.dev2-3
* hyperkitty/1.3.12-4
* postorius/1.3.13-1
* python-crispy-bootstrap3/2024.1-1
* python-django-contrib-comments/2.2.0-2
* python-django-crispy-forms/2.6-1
* python-django-postgres-extra/2.0.9-1
* python-djangorestframework-yaml/3.0.1-3
Running this through dd-list:
Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>
hyperkitty
postorius
Debian Python Team <team+python@tracker.debian.org>
djangorestframework-filters
python-crispy-bootstrap3
python-django-contrib-comments
python-django-crispy-forms
python-django-postgres-extra
python-djangorestframework-yaml
FreedomBox packaging team <freedombox-pkg-team@lists.alioth.debian.org>
django-axes
Raphaël Hertzog <raphael@freexian.com>
debusine
Chris Lamb wrote:
python-django-crispy-forms/2.6-1 and python-django-contrib-comments/2.2.0-3
just uploaded, leaving 8:
* debusine/0.14.6
* django-axes/5.39.0-6
* djangorestframework-filters/1.0.0.dev2-3
* hyperkitty/1.3.12-4
* postorius/1.3.13-1
* python-crispy-bootstrap3/2024.1-1
* python-django-postgres-extra/2.0.9-1
* python-djangorestframework-yaml/3.0.1-3
Running this through dd-list:
Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>
hyperkitty
postorius
Debian Python Team <team+python@tracker.debian.org>
djangorestframework-filters
python-crispy-bootstrap3
python-django-postgres-extra
python-djangorestframework-yaml
FreedomBox packaging team <freedombox-pkg-team@lists.alioth.debian.org>
django-axes
Raphaël Hertzog <raphael@freexian.com>
debusine
Chris Lamb wrote:
djangorestframework-filters (1.0.0.dev2-4) and python-crispy-bootstrap3
(2024.1-2) uploaded, now leaving 6:
* debusine/0.14.6
* django-axes/5.39.0-6
* hyperkitty/1.3.12-4
* postorius/1.3.13-1
* python-django-postgres-extra/2.0.9-1
* python-djangorestframework-yaml/3.0.1-3
Running this through dd-list:
Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>
hyperkitty
postorius
Debian Python Team <team+python@tracker.debian.org>
python-django-postgres-extra
python-djangorestframework-yaml
FreedomBox packaging team <freedombox-pkg-team@lists.alioth.debian.org>
django-axes
Raphaël Hertzog <raphael@freexian.com>
debusine
block 1102743 1134826
thanks
Chris Lamb wrote:
python-djangorestframework-yaml (3.0.1-4) uploaded just now, and I've
filed a bug with a patch for django-axes (#1134826).
This leaves 4 packages, although I can't reproduce the failure of
python-django-postgres-extra locally right now:
* debusine/0.14.6
* hyperkitty/1.3.12-4
* postorius/1.3.13-1
* python-django-postgres-extra/2.0.9-1
Running this through dd-list:
Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>
hyperkitty
postorius
Debian Python Team <team+python@tracker.debian.org>
python-django-postgres-extra
Raphaël Hertzog <raphael@freexian.com>
debusine
block 1102743 by 1134838
thanks
Chris Lamb wrote:
I've also just filed a bug with a patch for hyperkitty (#1134838).
This leaves the following to investigate:
* debusine/0.14.6
* postorius/1.3.13-1 [Restrictive binary Depends field implicitly rejects 5.2]
* python-django-postgres-extra/2.0.9-1 [Can't reproduce locally]
Chris Lamb wrote:
I managed to reproduce the issues in python-django-postgres-extra/2.0.9-1, and I think I've addressed all of the issues. It is difficult to be 100% sure, however, as the testbed for the autopkgtests is slightly different locally.
This leaves just two packages of interest:
* postorius/1.3.13-1 — Restrictive binary Depends field implicitly rejects 5.2
* debusine/0.14.6 — I think the error is this [0]
[0] https://debusine.debian.net/debian/developers/artifact/3674847/file/integration-tests-workflow-debian-pipeline-stdout
For this specific failure, I have opened this MR: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/2989 And https://salsa.debian.org/freexian-team/debusine/-/work_items/1453 is the generic issue for Django 5.2 support. Cheers,
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1102743@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 28 Apr 2026 09:58:21 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:5.2.13-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1102743 1132927
Changes:
python-django (3:5.2.13-1) unstable; urgency=medium
.
* Upload of 5.2 branch to unstable. (Closes: #1102743)
* New upstream security release:
.
- CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation.
ASGIRequest normalizes header names following WSGI conventions, mapping
hyphens to underscores. As a result, even in configurations where reverse
proxies carefully strip security-sensitive headers named with hyphens,
such a header could be spoofed by supplying a header named with
underscores. Under WSGI, it is the responsibility of the server or proxy
to avoid ambiguous mappings. (Django's runserver was patched via
CVE-2015-0219.) But under ASGI, there is not the same uniform
expectation, even if many proxies protect against this under default
configuration (including nginx via underscores_in_headers off;). Headers
containing underscores are now ignored by ASGIRequest, matching the
behavior of Daphne, the reference server for ASGI.
.
- CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin. Add
permissions on inline model instances were not validated on submission of
forged POST data in GenericInlineModelAdmin.
.
- CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable. Admin
changelist forms using ModelAdmin.list_editable incorrectly allowed new
instances to be created via forged POST data.
.
- CVE-2026-33033: Potential denial-of-service vulnerability in
MultiPartParser via base64-encoded file upload. When using
django.http.multipartparser.MultiPartParser, multipart uploads with
Content-Transfer-Encoding: base64 that include excessive whitespace may
trigger repeated memory copying, potentially degrading performance.
.
- CVE-2026-33034: Potential denial-of-service vulnerability in ASGI
requests via memory upload limit bypass. ASGI requests with a missing or
understated Content-Length header could bypass the
DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading HttpRequest.body,
potentially loading an unbounded request body into memory and causing
service degradation.
.
<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>
.
(Closes: #1132927)
.
* Don't test Sphinx/GitHub interlinks during autopkgtests. These tests are
essentially hardcoded to rely on the "django" Python package to
reside adjacent to the tests in the directory tree. In the context of an
autopkgtest, however, the "django" package must exist as an installed
package (i.e. via the .deb) under /usr/lib/python3, etc.
* Refresh patches.
.
python-django (3:5.2.12-1) unstable; urgency=medium
.
* New upstream 5.2.x release.
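The header conflation described under CVE-2026-3902 in the changelog above, as an added example that is not part of the original message and is not Django's code: a simplified model of WSGI-style header-name normalisation behind a proxy that strips only the hyphenated name, run on a constructed request. The header name `X-Forwarded-User` and all function names are assumptions made for illustration.

```python
# Added illustration: simplified model, not Django's ASGIRequest implementation.
# ASGI delivers headers as a list of (name, value) byte pairs with lowercase names.

SENSITIVE = b"x-forwarded-user"  # hypothetical header the proxy sets after authentication


def proxy_forward(client_headers, authenticated_as=None):
    """Model of a reverse proxy: drop the client's copy of the sensitive header
    (exact hyphenated name only), then append its own trusted value, if any."""
    forwarded = [(n, v) for n, v in client_headers if n.lower() != SENSITIVE]
    if authenticated_as is not None:
        forwarded.append((SENSITIVE, authenticated_as.encode("latin1")))
    return forwarded


def headers_to_meta(headers, ignore_underscores):
    """WSGI-style mapping: 'x-foo' becomes 'HTTP_X_FOO'.
    With ignore_underscores=True, names containing '_' are skipped,
    which is the behaviour the changelog describes for the fixed release."""
    meta = {}
    for raw_name, raw_value in headers:
        name = raw_name.decode("latin1")
        if ignore_underscores and "_" in name:
            continue
        key = "HTTP_" + name.upper().replace("-", "_")
        value = raw_value.decode("latin1")
        # Repeated headers are joined with a comma.
        meta[key] = f"{meta[key]},{value}" if key in meta else value
    return meta


def seen_user(client_headers, authenticated_as, ignore_underscores):
    """What the application reads from META for the sensitive header."""
    meta = headers_to_meta(
        proxy_forward(client_headers, authenticated_as), ignore_underscores
    )
    return meta.get("HTTP_X_FORWARDED_USER")


# Constructed request: the hyphenated copy is stripped by the proxy,
# the underscore variant passes through untouched.
CONSTRUCTED_REQUEST = [
    (b"host", b"app.example"),
    (b"x-forwarded-user", b"admin"),
    (b"x_forwarded_user", b"admin"),
]

if __name__ == "__main__":
    for fixed in (False, True):
        print(fixed, seen_user(CONSTRUCTED_REQUEST, None, ignore_underscores=fixed))
```

For deployments that cannot upgrade immediately, the same check belongs at the proxy: reject or drop header names containing underscores, as the changelog notes nginx does with `underscores_in_headers off;`.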
Chris Lamb wrote:
Parsing the important things from the package tracker [0], I think the following things are preventing migration to testing:
1. python3-django-postorius is uninstallable due to a binary Depends of "python3-django (<< 3:4.3)". As it happens, this package is set to be autoremoved from testing in 16 days for a different issue. Nevertheless, I have filed this as: #1135698
2. django-axes has been fixed (via #1134826) by the maintainer (thanks!) but the package tracker doesn't see that yet.
3. debusine fails an integration test. This is being tracked here: https://salsa.debian.org/freexian-team/debusine/-/work_items/1453
4. hyperkitty has a failing test. This was filed as #1134838 and is still outstanding. It is the same maintainer (Mailman Team) as python3-django-postorius.
5. lava has a regression. I previously thought it was failing in both the baseline and candidate version (debusine claimed so anyway), but clearly not: https://ci.debian.net/packages/l/lava/testing/amd64/70769443/ This needs investigation.
6. Similarly, pydevd needs investigation: https://ci.debian.net/packages/p/pydevd/testing/amd64/70769444/
7. Despite some fixes, python-django-postgres-extra has a (single) failing test: https://ci.debian.net/packages/p/python-django-postgres-extra/testing/amd64/70769445/
The rest of the issues are things like "awaiting s390x test" AFAICT.
[0] https://tracker.debian.org/pkg/python-django
Chris Lamb wrote: I've filed a patch in #1135703. I've just uploaded pydevd 3.5.0+ds-2 with a fix. Regards,
Chris Lamb wrote:
* Still having issues with python-django-postgres-extra. Am working
on this, trying to add further debugging. It's a strange issue.
* There is now an src:slm regression.
* A number of issues are filed with their maintainers, eg. #1134838,
#1135698, #1135703.
* I am assuming the debusine maintainers will take care of debusine.
Regards,
Chris Lamb wrote: Now just blocking on the Mailman team (to fix postorius and hyperkitty) as well as for a new upload of Debusine. Regards,
Hey PEB, I'm trying to update Django in testing from 4.2 to 5.2. However, the package is blocked from migrating due to two issues in Mailman packages, #1134838 & #1135698. Do you happen to have an ETA for when you or one of the Mailman team will get to these? :) Best wishes,
Hi Chris, "Chris Lamb" <lamby@debian.org> wrote on 29/05/2026 at 20:28:17+0200: I'm sorry to have missed your initial mails on the matter. Thanks for the patch and NMU, you can upload without delay. If you need me to look into something specific, I can, now. Bests,
Hey PEB, No problem at all, and thank you very much for the offer. As it happens, I needed to do another upload of Django to unstable earlier today to fix 5 or so CVEs, so more than happy to wait until the DELAYED timer expires; as a result of this upload, reuploading to DELAYED/0 right now might not actually save much time at all. Please do feel free to look over the patches of course, just in case there is some issue. Thanks again. :) Best wishes,