- Package: python-django
- Source: python-django
- Submitter: Chris Lamb
- Date: 2026-03-03 18:43:01 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerabilities were published for python-django via
https://www.djangoproject.com/weblog/2026/mar/03/security-releases/

CVE-2026-25673[0]:
| An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and
| 4.2 before 4.2.29. `URLField.to_python()` in Django calls
| `urllib.parse.urlsplit()`, which performs NFKC normalization on
| Windows that is disproportionately slow for certain Unicode
| characters, allowing a remote attacker to cause denial of service
| via large URL inputs containing these characters. Earlier,
| unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not
| evaluated and may also be affected. Django would like to thank
| Seokchan Yoon for reporting this issue.

CVE-2026-25674[1]:
| An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and
| 4.2 before 4.2.29. Race condition in file-system storage and
| file-based cache backends in Django allows an attacker to cause file
| system objects to be created with incorrect permissions via
| concurrent requests, where one thread's temporary `umask` change
| affects other threads in multi-threaded environments. Earlier,
| unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not
| evaluated and may also be affected. Django would like to thank Tarek
| Nakkouch for reporting this issue.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-25673
    https://www.cve.org/CVERecord?id=CVE-2026-25673
[1] https://security-tracker.debian.org/tracker/CVE-2026-25674
    https://www.cve.org/CVERecord?id=CVE-2026-25674

Regards,
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1129595@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 03 Mar 2026 09:45:28 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:6.0.3-1
Distribution: experimental
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1129595
Changes:
python-django (3:6.0.3-1) experimental; urgency=high
.
* New upstream security release:
.
- CVE-2026-25674: Potential incorrect permissions on newly created file
system objects.
.
Django's file-system storage and file-based cache backends used the
process umask to control permissions when creating directories. In
multi-threaded environments, one thread's temporary umask change can
affect other threads' file and directory creation, resulting in file
system objects being created with unintended permissions. Django now
applies the requested permissions via os.chmod() after os.mkdir(),
removing the dependency on the process-wide umask.
.
- CVE-2026-25673: Potential denial-of-service vulnerability in URLField via
Unicode normalization on Windows.
.
The django.forms.URLField form field's to_python() method used
urllib.parse.urlsplit() to determine whether to prepend a URL scheme to
the submitted value. On Windows, urlsplit() performs NFKC normalization
(unicodedata.normalize), which can be disproportionately slow for large
inputs containing certain characters.
.
URLField.to_python() now uses a simplified scheme detection, avoiding
Unicode normalization entirely and deferring URL validation to the
appropriate layers. As a result, while leading and trailing whitespace is
still stripped by default, characters such as newlines, tabs, and other
control characters within the value are no longer handled by
URLField.to_python(). When using the default URLValidator, these values
will continue to raise ValidationError during validation, but if you rely
on custom validators, ensure they do not depend on the previous behavior
of URLField.to_python().
.
<https://www.djangoproject.com/weblog/2026/mar/03/security-releases/>
.
(Closes: #1129595)
Checksums-Sha1:
932a0228c0e23895064a980d1fa7d87e4138b99c 2783 python-django_6.0.3-1.dsc
d8d4b3495ec33a794c7723819c2a40dbf58dcc84 10872701 python-django_6.0.3.orig.tar.gz
871c381c914518564c92dfe72c8650c63192f7d4 31604 python-django_6.0.3-1.debian.tar.xz
6379b09351901b0b1ac18bc45a5152466a4da659 8125 python-django_6.0.3-1_amd64.buildinfo
Checksums-Sha256:
b35ab601541e30ec6ba14eed70a6d068ae8bea14287f5701a43395461fed6f26 2783 python-django_6.0.3-1.dsc
90be765ee756af8a6cbd6693e56452404b5ad15294f4d5e40c0a55a0f4870fe1 10872701 python-django_6.0.3.orig.tar.gz
7aef537b0307ac2d7d8876e4d87a6cff82591f9e011d0548bfc2787535cd1e61 31604 python-django_6.0.3-1.debian.tar.xz
b6022f6524d487ee2c65a28a68429a282c4cb1676eadbbf717ca87c1cc3fc3a7 8125 python-django_6.0.3-1_amd64.buildinfo
Files:
5a17b8fa14d6f7327479314525c91fa2 2783 python optional python-django_6.0.3-1.dsc
0bb395b518e2f2f17e1a936deb7ba74c 10872701 python optional python-django_6.0.3.orig.tar.gz
f2b93e2c77d16fb25e2853212410b6cf 31604 python optional python-django_6.0.3-1.debian.tar.xz
6018efd57ccbf24a2fe1002ce3336a4a 8125 python optional python-django_6.0.3-1_amd64.buildinfo
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1129595@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 03 Mar 2026 09:48:56 -0800
Source: python-django
Architecture: source
Version: 3:4.2.29-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1129595
Changes:
python-django (3:4.2.29-1) unstable; urgency=high
.
* New upstream security release:
.
- CVE-2026-25674: Potential incorrect permissions on newly created file
system objects.
.
Django's file-system storage and file-based cache backends used the
process umask to control permissions when creating directories. In
multi-threaded environments, one thread's temporary umask change can
affect other threads' file and directory creation, resulting in file
system objects being created with unintended permissions. Django now
applies the requested permissions via os.chmod() after os.mkdir(),
removing the dependency on the process-wide umask.
.
- CVE-2026-25673: Potential denial-of-service vulnerability in URLField via
Unicode normalization on Windows.
.
The django.forms.URLField form field's to_python() method used
urllib.parse.urlsplit() to determine whether to prepend a URL scheme to
the submitted value. On Windows, urlsplit() performs NFKC normalization
(unicodedata.normalize), which can be disproportionately slow for large
inputs containing certain characters.
.
URLField.to_python() now uses a simplified scheme detection, avoiding
Unicode normalization entirely and deferring URL validation to the
appropriate layers. As a result, while leading and trailing whitespace is
still stripped by default, characters such as newlines, tabs, and other
control characters within the value are no longer handled by
URLField.to_python(). When using the default URLValidator, these values
will continue to raise ValidationError during validation, but if you rely
on custom validators, ensure they do not depend on the previous behavior
of URLField.to_python().
.
<https://www.djangoproject.com/weblog/2026/mar/03/security-releases/>
.
(Closes: #1129595)
Checksums-Sha1:
5ccf463a8f505df79cfcb208ebb32aac9cee43e0 2790 python-django_4.2.29-1.dsc
fa2d7682f482f2d86b10f4ce2b7c0a8b0d382cc0 10438980 python-django_4.2.29.orig.tar.gz
15d915240f6e16c78cc8d704ddd8134859991881 37852 python-django_4.2.29-1.debian.tar.xz
ad604ba01199f534ab5b30f118e7516558ae817d 6477 python-django_4.2.29-1_source.buildinfo
Checksums-Sha256:
8edc06eae6f9c4b330d58af3481c237423104d7c2d65e581236006e7d5686c4f 2790 python-django_4.2.29-1.dsc
86d91bc8086569c8d08f9c55888b583a921ac1f95ed3bdc7d5659d4709542014 10438980 python-django_4.2.29.orig.tar.gz
9d4588b2c11a7c219f2178c040dd5e9f20483d647203c37f21f273c03990a868 37852 python-django_4.2.29-1.debian.tar.xz
39faa56709746c87d9835ab0096f8658f1f1d3bfb236808e0b97115974c9b46f 6477 python-django_4.2.29-1_source.buildinfo
Files:
bd5913ac1054070cfbd507b8b748aa31 2790 python optional python-django_4.2.29-1.dsc
8fa52c7ec011ebaa7fcf6fba78561346 10438980 python optional python-django_4.2.29.orig.tar.gz
b46f7473cf08d84e1e0a353b26bfb88a 37852 python optional python-django_4.2.29-1.debian.tar.xz
bfd04a88d1408a623130ef9aab53274c 6477 python optional python-django_4.2.29-1_source.buildinfo
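The umask race described under CVE-2026-25674 in both changelog entries above (6.0.3-1 and 4.2.29-1) comes down to two facts: umask is process-wide state, and a directory's effective mode is the requested mode masked by whatever umask happens to be in force at mkdir() time. The following is an added illustration, not Django's own code: it shows umask set in one thread being visible from another, then contrasts umask-dependent creation with the mitigation the changelog names (os.chmod() after os.mkdir()). Function names and the 0o077 interfering umask are constructed for the example; it assumes a POSIX filesystem that honours chmod.

```python
import os
import shutil
import stat
import tempfile
import threading


def umask_set_in_thread_is_visible_to_others(value=0o077):
    """Root cause: umask is per-process, not per-thread.

    A worker thread sets umask; the calling thread then reads it back.
    Returns True when the thread's change is observed here. The original
    umask is restored before returning.
    """
    saved = os.umask(0)          # os.umask returns the previous value...
    os.umask(saved)              # ...so read it non-destructively, then restore
    worker = threading.Thread(target=os.umask, args=(value,))
    worker.start()
    worker.join()
    left_behind = os.umask(saved)  # restore, capturing what the thread set
    return left_behind == value


def mkdir_umask_dependent(path, mode=0o755):
    """Pre-fix pattern: effective mode is (mode & ~umask) at mkdir() time."""
    os.mkdir(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def mkdir_explicit(path, mode=0o755):
    """Mitigation from the changelog: chmod() to the requested mode after
    mkdir(), so a concurrent umask change cannot alter the outcome."""
    os.mkdir(path, mode)
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(requested=0o755, interfering_umask=0o077):
    """Create one directory each way while an interfering umask is in force.

    The umask is changed in the calling thread so the result is deterministic;
    in a threaded server the same value could arrive from another thread
    mid-request. Returns (umask_dependent_mode, explicit_mode).
    """
    tmp = tempfile.mkdtemp()
    old = os.umask(interfering_umask)
    try:
        dependent = mkdir_umask_dependent(os.path.join(tmp, "dep"), requested)
        explicit = mkdir_explicit(os.path.join(tmp, "exp"), requested)
    finally:
        os.umask(old)
        shutil.rmtree(tmp, ignore_errors=True)
    return dependent, explicit
```

With a 0o077 umask in effect, the umask-dependent directory ends up 0o700 (0o755 masked) while the chmod'ed one is the requested 0o755; the same check can be pointed at a storage or cache directory after an upgrade to confirm the expected modes.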