-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 23 Jan 2026 10:43:29 -0800
Source: python-django
Architecture: source
Version: 3:4.2.27-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Python Team
Changed-By: Chris Lamb
Closes: 1113865 1121788
Changes:
 python-django (3:4.2.27-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
       column aliases when using PostgreSQL. FilteredRelation was subject to SQL
       injection in column aliases via a suitably crafted dictionary as the
       **kwargs passed to QuerySet.annotate() or QuerySet.alias().
 .
     - CVE-2025-57833: Potential SQL injection in FilteredRelation column
       aliases. The FilteredRelation feature in Django was subject to a potential
       SQL injection vulnerability in column aliases that was exploitable via a
       suitably crafted dictionary with dictionary expansion as the **kwargs
       passed to QuerySet.annotate() or QuerySet.alias(). This CVE was fixed in
       Django 4.2.24. (Closes: #1113865)
 .
     - CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(),
       aggregate() and extra() on MySQL and MariaDB. The QuerySet.annotate(),
       QuerySet.alias(), QuerySet.aggregate() and QuerySet.extra() methods were
       subject to SQL injection in column aliases, using a suitably crafted
       dictionary with dictionary expansion as the **kwargs passed to these
       methods on MySQL and MariaDB. This CVE was fixed in Django 4.2.25.
 .
     - CVE-2025-59682: Potential partial directory-traversal via
       archive.extract(). The django.utils.archive.extract() function, used by
       startapp --template and startproject --template, allowed partial
       directory-traversal via an archive with file paths sharing a common
       prefix with the target directory. This CVE was fixed in Django 4.2.25.
 .
     - CVE-2025-64459: Prevent a potential SQL injection via the _connector
       keyword argument in QuerySet/Q objects. The methods QuerySet.filter(),
       QuerySet.exclude() and QuerySet.get() and the class Q() were subject to
       SQL injection when using a suitably crafted dictionary (with dictionary
       expansion) as the _connector argument. This CVE was fixed in Django
       4.2.26.
 .
     - CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
       XML serializer text extraction. An algorithmic complexity issue in
       django.core.serializers.xml_serializer.getInnerText() allowed a remote
       attacker to cause a potential denial-of-service, triggering CPU and
       memory exhaustion, via a specially crafted XML input submitted to a
       service that invokes the XML deserializer. The vulnerability resulted
       from repeated string concatenation while recursively collecting text
       nodes, which produced superlinear computation. (Closes: #1121788)
Checksums-Sha1:
 d7cd44c3435586ed234c7bdc2de401e7f16fab57 2820 python-django_4.2.27-0+deb13u1.dsc
 5c2da0b170d051f5e29bffd29e02a36e13068e22 10432781 python-django_4.2.27.orig.tar.gz
 016b80631e29a449d340c9a1272b92498f5f8003 34568 python-django_4.2.27-0+deb13u1.debian.tar.xz
 5a0cf54854a252acab00d29580fa4213f67db3fe 6650 python-django_4.2.27-0+deb13u1_source.buildinfo
Checksums-Sha256:
 ab6201bad936a3b80d918af888f61d753ea92f45b006a301b3e7e0c7d599799d 2820 python-django_4.2.27-0+deb13u1.dsc
 b865fbe0f4a3d1ee36594c5efa42b20db3c8bbb10dff0736face1c6e4bda5b92 10432781 python-django_4.2.27.orig.tar.gz
 838781ea900d83036923b905c8b7635fbbb00393d2490d4893c1dea6f19d7da8 34568 python-django_4.2.27-0+deb13u1.debian.tar.xz
 5fa47de9981ed7b3b0421e42fbcd4f9288f0422f409b214112a00737947db3e2 6650 python-django_4.2.27-0+deb13u1_source.buildinfo
Files:
 63dcf66da338e3c05dbc37d1bb280619 2820 python optional python-django_4.2.27-0+deb13u1.dsc
 45431b7954d12014c88cd9f66cfefb2c 10432781 python optional python-django_4.2.27.orig.tar.gz
 1cf33ec9777a550acf2b190d112ade7e 34568 python optional python-django_4.2.27-0+deb13u1.debian.tar.xz
 1ff6eb62da6275d66762685d608c47f3 6650 python optional python-django_4.2.27-0+deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIyBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAml6akgACgkQHpU+J9Qx
Hli60g/4sgxg04GnK3ohvKZzl0F9qjvvMpGSfFKzJeY/S30sc/aSGpw9nP/n0FUd
ZTz2YtTc/9IXumVOKQvQfxmk72bS8lnDOkJF7luQvFIfjjuP4ucqbxLTzSVTuZIi
rFavmQs6TqI1y6LROoz9SFZl5v1jqUd4UrCnzphsk1MAvA7+FxH6ed11VBFPJb+o
QWcoj1NrON/qc0jjEoFC65ZDJWJsMp1npHZKq2DQCjcGzqvhfHJ1B52OqVf6roFu
xKqdSuk55/+2r3ECTbXSUFRAOCSd1jjaQb5ofTpddokzToxSo3jDL2E8LpVN4caz
ECed+4GSIbafxvZjAX1sjwWIwJyz36YONigWizRzGdTpKKCBcN+/J5DEpKHvkk5e
HMbUStYqCF6e+u2hp5s9OCkVBlZZe0vPn7D4Nq56HDhp0QEiMxrzxlHT3m4k124J
g/bANVXP99VV0YL/NHKjiJe/qgrBY3hGxzKUsLh3LdChPfdjhAGnEQsyMLHSvwbb
V7cjjdcijFXBb6M+uT+4DZCKjt0aD2WRJ0rlH59bimtFPHWgWRJbMfBXpE/comm0
iCaMTz5i8c2cz3D6Yq6MZzEEWmhzE91FnOjDObsYhOiL2yVKhp+wxCs2wwwVdD2s
C1zz+FEmucPyn16aeG8DXiQb9PmYo1MBM3QeAx/jMVsKRK+LSg==
=4CMr
-----END PGP SIGNATURE-----
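The four SQL injection entries above (CVE-2025-13372, CVE-2025-57833, CVE-2025-59681, CVE-2025-64459) share one shape: a dictionary the attacker controls is expanded with `**` into an ORM call, so its keys become either SQL column aliases (annotate()/alias()/aggregate()/extra()) or an internal parameter name (`_connector` of Q()/filter()/exclude()/get()). Upgrading the package closes the known gaps, but application code that does `Model.objects.filter(**request.GET.dict())` is still one new gap away from the same bug. The gate below is an added example, not code from Django or from this Debian package, and it runs without Django installed: it puts an allowlist between request data and the ORM so that no attacker-chosen key reaches `**kwargs` at all. Assumptions: the regex of forbidden alias characters is modelled on the alias check Django applies to annotate()/alias() keys but is written here from memory, not copied; `ALLOWED_LOOKUPS`, `ALLOWED_EXPRESSIONS`, the function names and the string stand-ins for ORM expressions are all hypothetical.

```python
import re

# Characters and SQL comment tokens that must never appear in a key that
# becomes a column alias. Assumption: modelled on Django's own forbidden-alias
# check, not a copy of it. Treat it as defence in depth, not as the gate.
FORBIDDEN_ALIAS = re.compile(r"""['`"\]\[;\s]|--|/\*|\*/""")

# Hypothetical allowlist of lookup suffixes a client may use. Nested relation
# lookups ("author__name__icontains") are deliberately not accepted.
ALLOWED_LOOKUPS = {"exact", "iexact", "icontains", "gte", "lte", "in", "isnull"}

# Hypothetical server-side catalogue of expressions a client may ask for by
# name. In a real view the values would be ORM expressions such as
# Sum("amount"); plain strings stand in for them here so the file runs offline.
ALLOWED_EXPRESSIONS = {
    "sum_amount": "Sum('amount')",
    "count_items": "Count('items')",
}


class UnsafeQueryKwarg(ValueError):
    """Raised when a client-supplied key must not reach the ORM."""


def safe_filter_kwargs(user_kwargs, allowed_fields):
    """Return a copy of user_kwargs that is safe to expand into
    QuerySet.filter()/exclude()/get() or Q().

    Rejects keys that start with "_" (covers "_connector", which the advisory
    shows can override Q()'s internal connector argument, and any other
    private parameter a future release might accept), keys containing
    forbidden characters, fields outside the caller's allowlist and lookups
    outside ALLOWED_LOOKUPS.
    """
    clean = {}
    for key, value in user_kwargs.items():
        if not isinstance(key, str) or key.startswith("_"):
            raise UnsafeQueryKwarg(f"internal keyword rejected: {key!r}")
        if FORBIDDEN_ALIAS.search(key):
            raise UnsafeQueryKwarg(f"forbidden characters in keyword: {key!r}")
        field, _, lookup = key.partition("__")
        if field not in allowed_fields:
            raise UnsafeQueryKwarg(f"field not allowed: {field!r}")
        if lookup and lookup not in ALLOWED_LOOKUPS:
            raise UnsafeQueryKwarg(f"lookup not allowed: {lookup!r}")
        clean[key] = value
    return clean


def safe_alias_kwargs(user_aliases, allowed_expressions):
    """Validate client-chosen alias names before they become keys of
    QuerySet.annotate()/alias() (where they are emitted as SQL identifiers).

    The client only picks a plain identifier and the *name* of an allowlisted
    expression; the expression object itself always comes from the server.
    """
    clean = {}
    for alias, expr_name in user_aliases.items():
        if (not isinstance(alias, str) or not alias.isidentifier()
                or alias.startswith("_")):
            raise UnsafeQueryKwarg(f"alias is not a plain identifier: {alias!r}")
        if FORBIDDEN_ALIAS.search(alias):  # redundant after isidentifier(), kept as belt and braces
            raise UnsafeQueryKwarg(f"forbidden characters in alias: {alias!r}")
        if expr_name not in allowed_expressions:
            raise UnsafeQueryKwarg(f"expression not allowed: {expr_name!r}")
        clean[alias] = allowed_expressions[expr_name]
    return clean


def gate_rejects(gate, *args):
    """True if the gate refuses the input (helper so callers can assert on it)."""
    try:
        gate(*args)
    except UnsafeQueryKwarg:
        return True
    return False


if __name__ == "__main__":
    # Constructed request payloads, the last two in the shape the advisory describes.
    print(safe_filter_kwargs({"name__icontains": "al", "age__gte": 18}, {"name", "age"}))
    print(gate_rejects(safe_filter_kwargs, {"_connector": "OR"}, {"name"}))
    print(gate_rejects(safe_alias_kwargs, {'x" FROM auth_user; --': "sum_amount"}, ALLOWED_EXPRESSIONS))
```

The point of the allowlist is that it does not depend on knowing which characters a particular database backend treats as identifier terminators, which is exactly the knowledge the PostgreSQL and MySQL/MariaDB entries above show is easy to get wrong; the regex only catches what slips past a mistake in the allowlist.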
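The CVE-2025-59682 entry describes "file paths sharing a common prefix with the target directory", which is the classic failure of checking an extracted path with a string `startswith()` against the target directory: `/srv/app/proj` is a string prefix of `/srv/app/proj-evil/settings.py`, so an entry named `../proj-evil/settings.py` lands in a sibling directory. The example below is added here and is not Django's `archive.extract()` code; it puts the flawed string-prefix check beside a component-wise check and lets you audit an archive entry name offline. Assumptions: `posixpath` is used instead of `os.path` so the result is the same on any host; the function names and the `/srv/app/proj` target are hypothetical.

```python
import posixpath


def naive_target_filename(to_path, name):
    """The flawed pattern the advisory describes: resolve the entry, then test
    the resolved string with startswith(). A sibling directory whose name
    begins with the target's name passes the test.
    """
    target_path = posixpath.abspath(to_path)
    filename = posixpath.abspath(posixpath.join(target_path, name))
    if not filename.startswith(target_path):
        raise ValueError(f"archive contains invalid path: {name!r}")
    return filename


def safe_target_filename(to_path, name):
    """Component-wise containment: the longest common *path* (not string
    prefix) of target and entry must be the target itself. This also rejects
    absolute entry names, which posixpath.join() would otherwise let replace
    the target entirely.
    """
    target_path = posixpath.abspath(to_path)
    filename = posixpath.abspath(posixpath.join(target_path, name))
    if posixpath.commonpath([target_path, filename]) != target_path:
        raise ValueError(f"archive contains invalid path: {name!r}")
    return filename


def audit_entry(to_path, name):
    """Run both checks on one entry name and report what each would do,
    so the difference is visible without touching the filesystem.
    """
    resolved = posixpath.abspath(posixpath.join(posixpath.abspath(to_path), name))
    result = {"resolved": resolved}
    for label, check in (("naive", naive_target_filename), ("safe", safe_target_filename)):
        try:
            check(to_path, name)
            result[label + "_accepts"] = True
        except ValueError:
            result[label + "_accepts"] = False
    return result


if __name__ == "__main__":
    # Constructed archive entry names; the second is the common-prefix case.
    for entry in ("app/models.py", "../proj-evil/settings.py", "../../etc/passwd", "/etc/passwd"):
        print(entry, audit_entry("/srv/app/proj", entry))
```

Note that `abspath()` on both sides is what makes the comparison meaningful; a target passed with a trailing slash would accidentally "fix" the naive check, and a target without one is exactly the case that fails.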
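The CVE-2025-64460 entry attributes the denial of service to "repeated string concatenation while recursively collecting text nodes": when every nesting level joins its fragments into a string and the parent copies that string again, a payload of length L under D nested elements costs about L * D character copies instead of L. The example below is added here, not taken from Django's `getInnerText()` or from its patch: it parses a constructed nested document with the standard library, extracts the text in the superlinear shape and in a single-accumulator shape, and counts characters copied so the difference is deterministic rather than a timing. Function names and the `<field>`/`<b>` element names are hypothetical.

```python
from xml.dom import minidom


def inner_text_quadratic(node, stats):
    """Superlinear shape: each level joins its own fragments into a string and
    the parent copies that string into its buffer again (here one list item
    per character, which is what extend() on a str does). stats["copied"]
    counts characters copied.
    """
    fragments = []
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            fragments.append(child.data)
            stats["copied"] += len(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            sub = inner_text_quadratic(child, stats)
            fragments.extend(sub)
            stats["copied"] += len(sub)
    return "".join(fragments)


def _collect_text(node, acc, stats):
    """Linear shape: one accumulator threaded through the recursion; each text
    node is appended exactly once and joined exactly once at the top."""
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            acc.append(child.data)
            stats["copied"] += len(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            _collect_text(child, acc, stats)


def inner_text_linear(node, stats):
    acc = []
    _collect_text(node, acc, stats)
    return "".join(acc)


def nested_document(depth, payload):
    """Constructed input: a <field> element wrapping `depth` nested <b>
    elements around one text payload, the shape a crafted serializer input
    would take. Returns the <field> element."""
    xml = "<field>" + "<b>" * depth + payload + "</b>" * depth + "</field>"
    return minidom.parseString(xml).documentElement


def measure(depth, payload):
    """Extract the same text both ways and report copy counts. Keep depth
    below Python's recursion limit; the real attack relies on the parser
    accepting far deeper nesting than this demonstration uses."""
    root = nested_document(depth, payload)
    q_stats, l_stats = {"copied": 0}, {"copied": 0}
    q_text = inner_text_quadratic(root, q_stats)
    l_text = inner_text_linear(root, l_stats)
    return {
        "same_text": q_text == l_text == payload,
        "quadratic_copied": q_stats["copied"],
        "linear_copied": l_stats["copied"],
    }


if __name__ == "__main__":
    print(measure(200, "A" * 1000))
```

With depth 200 and a 1000-character payload the superlinear version performs 201,000 character copies against 1,000 for the accumulator version; the ratio grows with every extra level of nesting the attacker adds, which is the CPU and memory exhaustion the entry describes.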