- Package: python-django
- Source: python-django
- Submitter: Chris Lamb
- Date: 2025-09-03 15:53:03 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for python-django.

CVE-2025-57833[0]:
Potential SQL injection in FilteredRelation column aliases

FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias().

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-57833
https://www.cve.org/CVERecord?id=CVE-2025-57833
https://www.djangoproject.com/weblog/2025/sep/03/security-releases/

Regards,
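An added example, not part of this report or of Django's own code: a defensive allowlist that validates the keys of a dictionary before it is expanded as **kwargs into QuerySet.annotate() or QuerySet.alias(), on the assumption that a legitimate alias is always a plain identifier. `check_aliases`, `safe_annotate` and `FakeQuerySet` are constructed names; the stand-in queryset lets the example run without Django installed.

```python
import keyword
import re

# Allowlist for a column alias: a plain identifier (letter or underscore,
# then letters, digits, underscores). This is an assumption of this example,
# deliberately stricter than Django's own alias checks, not Django's rule.
_ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def check_aliases(aliases):
    """Return the aliases that fail the allowlist (empty list: all accepted).
    `aliases` are the dictionary keys that would be expanded as **kwargs
    into QuerySet.annotate() or QuerySet.alias(); anything with quotes,
    whitespace, punctuation or SQL comment characters is rejected.
    """
    rejected = []
    for alias in aliases:
        if (
            not isinstance(alias, str)
            or _ALIAS_RE.fullmatch(alias) is None
            or keyword.iskeyword(alias)
            or "__" in alias  # "__" is Django's lookup separator, never an alias
        ):
            rejected.append(alias)
    return rejected


def safe_annotate(queryset, **kwargs):
    """Validate every alias before expanding user-influenced kwargs into annotate()."""
    rejected = check_aliases(kwargs)
    if rejected:
        raise ValueError(f"refusing unsafe annotation alias(es): {rejected!r}")
    return queryset.annotate(**kwargs)


class FakeQuerySet:
    """Constructed stand-in so the example runs without Django installed."""
    def __init__(self):
        self.calls = []  # records every kwargs dict that reached annotate()

    def annotate(self, **kwargs):
        self.calls.append(kwargs)
        return self


if __name__ == "__main__":
    qs = FakeQuerySet()
    safe_annotate(qs, total_orders="Count('orders')")  # accepted
    try:
        safe_annotate(qs, **{'bad" alias': "F('x')"})  # rejected: quote and space
    except ValueError as exc:
        print(exc)
```

Upgrading to the fixed packages listed below is the actual fix; this allowlist is defence in depth for code that builds annotate()/alias() kwargs from request data.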
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1113865@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 03 Sep 2025 07:46:59 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:5.2.6-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1113865
Changes:
python-django (3:5.2.6-1) experimental; urgency=medium
.
* New upstream security release:
.
- CVE-2025-57833: Potential SQL injection in FilteredRelation column
aliases. The FilteredRelation feature in Django was subject to a
potential SQL injection vulnerability in column aliases that was
exploitable via suitably crafted dictionary with dictionary expansion as
the **kwargs passed QuerySet.annotate() or QuerySet.alias().
(Closes: #1113865)
.
<https://www.djangoproject.com/weblog/2025/sep/03/security-releases/>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1113865@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 03 Sep 2025 08:28:19 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.24-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1113865
Changes:
python-django (3:4.2.24-1) unstable; urgency=high
.
* New upstream security release:
.
- CVE-2025-57833: Potential SQL injection in FilteredRelation column
aliases. The FilteredRelation feature in Django was subject to a
potential SQL injection vulnerability in column aliases that was
exploitable via suitably crafted dictionary with dictionary expansion as
the **kwargs passed QuerySet.annotate() or QuerySet.alias().
(Closes: #1113865)
.
<https://www.djangoproject.com/weblog/2025/sep/03/security-releases/>