-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 23 Jan 2026 10:43:29 -0800
Source: python-django
Binary: python-django-doc python3-django
Architecture: all
Version: 3:4.2.27-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Chris Lamb
Description:
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework
Closes: 1113865 1121788
Changes:
 python-django (3:4.2.27-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
       column aliases when using PostgreSQL. FilteredRelation was subject to
       SQL injection in column aliases via a suitably crafted dictionary as the
       **kwargs passed to QuerySet.annotate() or QuerySet.alias().
 .
     - CVE-2025-57833: Potential SQL injection in FilteredRelation column
       aliases. The FilteredRelation feature in Django was subject to a
       potential SQL injection vulnerability in column aliases that was
       exploitable via a suitably crafted dictionary with dictionary expansion
       as the **kwargs passed to QuerySet.annotate() or QuerySet.alias().
       This CVE was fixed in Django 4.2.24. (Closes: #1113865)
 .
     - CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(),
       aggregate() and extra() on MySQL and MariaDB. QuerySet.annotate(),
       QuerySet.alias(), QuerySet.aggregate() and QuerySet.extra() methods were
       subject to SQL injection in column aliases, using a suitably crafted
       dictionary with dictionary expansion as the **kwargs passed to these
       methods on MySQL and MariaDB. This CVE was fixed in Django 4.2.25.
 .
     - CVE-2025-59682: Potential partial directory-traversal via
       archive.extract(). The django.utils.archive.extract() function, used by
       startapp --template and startproject --template allowed partial
       directory-traversal via an archive with file paths sharing a common
       prefix with the target directory. This CVE was fixed in Django 4.2.25.
 .
     - CVE-2025-64459: Prevent a potential SQL injection via _connector keyword
       argument in QuerySet/Q objects. The methods QuerySet.filter(),
       QuerySet.exclude(), and QuerySet.get() and the class Q() were subject to
       SQL injection when using a suitably crafted dictionary (with dictionary
       expansion) as the _connector argument. This CVE was fixed in Django
       4.2.26.
 .
     - CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
       XML serializer text extraction. An algorithmic complexity issue in
       django.core.serializers.xml_serializer.getInnerText() allowed a remote
       attacker to cause a potential denial-of-service triggering CPU and
       memory exhaustion via a specially crafted XML input submitted to a
       service that invokes the XML deserializer. The vulnerability resulted
       from repeated string concatenation while recursively collecting text
       nodes, which produced superlinear computation. (Closes: #1121788)
 .
Checksums-Sha1:
 cd411353da17d42d224cfb26b77043afa36196e3 3612744 python-django-doc_4.2.27-0+deb13u1_all.deb
 95671d35eba797534ecd1d5f2eda40bb7cfdd476 16564 python-django_4.2.27-0+deb13u1_all-buildd.buildinfo
 0af25ecaab1fdf2ba1186504111917a23f09e453 2737704 python3-django_4.2.27-0+deb13u1_all.deb
Checksums-Sha256:
 2c6bce8edae5229af7712a36b20d2903e87590f88484265107c32d1281abe96b 3612744 python-django-doc_4.2.27-0+deb13u1_all.deb
 232808cb01062bfc39d4d76c85fd40f6f386297beb9a822c6c3978d71ba7b7fb 16564 python-django_4.2.27-0+deb13u1_all-buildd.buildinfo
 69f83366528ba2690b57f7e5424399a235a0a765b14c91877bd2db4790965328 2737704 python3-django_4.2.27-0+deb13u1_all.deb
Files:
 ff4c918a1fc1cfb8fba6767a2e804a11 3612744 doc optional python-django-doc_4.2.27-0+deb13u1_all.deb
 e943169c68d671221594991d10d7eaa0 16564 python optional python-django_4.2.27-0+deb13u1_all-buildd.buildinfo
 510a909ae67d4b1fb04a7f1ce9c68922 2737704 python optional python3-django_4.2.27-0+deb13u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEj4Fym5GgeZdPqKhrJm69HxMTN+oFAml6b9IACgkQJm69HxMT
N+oMHhAAi6Exuk5gPQ9EuusI9SesepI+90zO2DnysF6n54H4FtPOkCibFTCCnd6C
Ux4GT2OLFK2+DhBPYFzafyU1eajsuiCWc7jJUjyWhQ131nQy0Kybajqw9nP9Eh2S
v8tcah1sADs5k6SCtOOXAI7rXzq8JS+z0H2OAGu3b2/yCmCCBJTl9Bf+1kBMcNBV
LMXC9Nl/mvk+QYgVettxkRF3VJvT6c7VXRVWvy4XuZ9tFmnzGHRJH0WHg9BJ0iS9
JZaClf884zLEmAzECW/p7lD3JRtQDcEkQW92/FdukmlLLYKb+ZhgpxV7HfrnwJJV
FV/uAlYFYS3YLyv/lXRx4W+2ASoHH+YLOY4jvEpxiv46S2to6yswi5+Ih82qbEsu
v5pHWmbgg3LjlbUsiYo+t1UJ0xiR104O3DarLc5bzpsMII3NKu/GUq0q8vHTq7UX
JbQxuMqAFxJnnIF8Lqa6p/8rS756CN1z/U2BgUHCJYL/QH9a+Rne3Uux7KHsAJ6W
JoT8VLod9IqD4L85BnvR3suSgAZN51mNF03OciUistmeWlYGFLzneHZKGxkxWlCg
HjX2xNwkwFC/34NObkEcGE+dWJ5hHB3P/CoqFKrCfcl00rQunZC/mVVWfBf12CDy
KVJ2trZwRDJMT0Bo6crG03dF7eV4ocpebxSr1HgNEZGgaNNucx8=
=fAnD
-----END PGP SIGNATURE-----
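Five of the six entries above share one attack shape: a dictionary the application does not fully control is expanded as **kwargs into annotate(), alias(), aggregate(), extra(), filter(), exclude(), get() or Q(), so its keys become column aliases, lookup names or, for CVE-2025-64459, the private _connector parameter. The upstream fixes harden Django itself; the helper below is an added, application-side guard written for this page (not Django's code and not the Debian patch) that vets such a dictionary before the ** expansion. It assumes the application can list the aliases it expects (the allowlist) and uses a stand-in RecordingQuerySet, constructed here, in place of a real QuerySet so it runs without Django installed.

```python
import re

# A column alias or lookup name is accepted only if it is a plain identifier:
# a letter followed by letters, digits or underscores. Quotes, semicolons,
# spaces and comment markers therefore never reach the SQL alias.
IDENTIFIER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def vet_query_kwargs(untrusted, allowed=None):
    """Return a copy of `untrusted` that is safe to expand as **kwargs.

    Raises ValueError for any key that starts with an underscore (how the
    private _connector argument of CVE-2025-64459 would be smuggled in), that
    is not a plain identifier, or that is missing from the optional `allowed`
    set of aliases the application actually expects.
    """
    if not isinstance(untrusted, dict):
        raise TypeError("expected a dict of keyword arguments")
    vetted = {}
    for key, value in untrusted.items():
        if not isinstance(key, str):
            raise ValueError(f"keyword name is not a string: {key!r}")
        if key.startswith("_"):
            raise ValueError(f"private keyword argument rejected: {key!r}")
        if not IDENTIFIER_RE.match(key):
            raise ValueError(f"keyword name is not a plain identifier: {key!r}")
        if allowed is not None and key not in allowed:
            raise ValueError(f"keyword name not in allowlist: {key!r}")
        vetted[key] = value
    return vetted


class RecordingQuerySet:
    """Stand-in for a Django QuerySet (constructed for this example) that only
    records which keyword arguments reached annotate()/filter()."""

    def __init__(self):
        self.calls = []

    def annotate(self, **kwargs):
        self.calls.append(("annotate", dict(kwargs)))
        return self

    def filter(self, **kwargs):
        self.calls.append(("filter", dict(kwargs)))
        return self


def annotate_from_request(qs, request_params, allowed_aliases):
    # The guard sits between the untrusted dict and the ** expansion; with a
    # real QuerySet the values would be expressions such as Count("items").
    return qs.annotate(**vet_query_kwargs(request_params, allowed_aliases))


def classify(untrusted, allowed=None):
    """Return 'ok' or the rejection reason (used for the demonstration below)."""
    try:
        vet_query_kwargs(untrusted, allowed)
    except (TypeError, ValueError) as exc:
        return str(exc)
    return "ok"


# Constructed inputs: a benign alias, an alias carrying SQL metacharacters of
# the kind the CVE-2025-57833/59681 descriptions refer to, a dictionary that
# smuggles _connector, and an alias the application never advertised.
SAMPLES = {
    "benign": {"total": "Count('items')"},
    "crafted_alias": {'total" ; DROP TABLE app_item; --': "Count('items')"},
    "connector": {"_connector": "OR", "name": "x"},
    "not_allowlisted": {"is_staff_copy": "F('is_staff')"},
}

if __name__ == "__main__":
    for label, params in SAMPLES.items():
        print(f"{label:16s} -> {classify(params, {'total'})}")
```

The allowlist is the part that matters most in practice: even a syntactically clean identifier can select a column the caller should not see, so reject anything outside the names the view deliberately exposes rather than only filtering for metacharacters.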
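The CVE-2025-59682 entry describes the bug class precisely: an archive member whose computed destination merely shares a string prefix with the target directory (for example a sibling named like the target plus a suffix) passes a prefix comparison. The block below is an added illustration, not Django's archive.extract() code nor the upstream patch: it places a constructed prefix-style check beside a containment check built on posixpath.commonpath, and runs both over a constructed member list against a target directory that is never touched on disk. The target path, the member names and the plan_extraction() helper are all assumptions made for this example.

```python
import posixpath

# Constructed target directory; nothing is created or read on disk.
TARGET = "/srv/app/newproject"


def member_destination(target_dir, member_name):
    """Where an archive member would land if extracted under target_dir."""
    return posixpath.normpath(posixpath.join(target_dir, member_name))


def prefix_check(target_dir, member_name):
    """Flawed containment test (constructed to show the bug class): a string
    prefix comparison accepts any sibling whose name begins with target_dir."""
    target = posixpath.normpath(target_dir)
    return member_destination(target, member_name).startswith(target)


def commonpath_check(target_dir, member_name):
    """Correct containment test: the longest common path of target and
    destination must be the target itself, so '/srv/app/newproject-staging'
    is rejected even though it starts with '/srv/app/newproject'."""
    target = posixpath.normpath(target_dir)
    dest = member_destination(target, member_name)
    return posixpath.commonpath([target, dest]) == target


def plan_extraction(target_dir, member_names, check=commonpath_check):
    """Split member names into those the given check would extract and those
    it would refuse. Absolute member names are refused unconditionally."""
    accepted, rejected = [], []
    for name in member_names:
        if posixpath.isabs(name) or not check(target_dir, name):
            rejected.append(name)
        else:
            accepted.append(name)
    return accepted, rejected


# Constructed archive listing: two ordinary members, a sibling-directory
# escape of the kind the changelog describes, a classic traversal and an
# absolute path.
MEMBERS = [
    "README.md",
    "app/__init__.py",
    "../newproject-staging/settings.py",
    "../../etc/cron.d/job",
    "/etc/passwd",
]

if __name__ == "__main__":
    for label, check in (("prefix", prefix_check), ("commonpath", commonpath_check)):
        accepted, rejected = plan_extraction(TARGET, MEMBERS, check)
        print(f"{label:10s} accepted={accepted} rejected={rejected}")
```

On a real filesystem resolve both paths with os.path.realpath before comparing, so a symlink already present under the target cannot redirect a member outside it; the string-level check above is the part that the prefix comparison gets wrong.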