Package: release.debian.org
Severity: normal
Tags: oldstable-proposed-updates
User: [email protected]
Usertags: pu

Dear stable release managers,

Please consider python-django (3:3.2.25-0+deb12u3) for
oldstable-proposed-updates:

python-django (3:3.2.25-0+deb12u3) oldstable-proposed-updates; urgency=medium
.
* The fix for CVE-2025-6069 in the python3.11 source package (released
as part of a suite of updates in 3.11.2-6+deb12u7) modified the
html.parser.HTMLParser class in such a way that changed the behaviour of
Django's strip_tags() method. As a result of this change, we update the
testsuite here for the newly expected results in order to prevent a build
failure. (Closes: #1137039)

The full diff is attached.

Regards,

--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
diff --git debian/changelog debian/changelog
index 9acbd14c0..7840cadbc 100644
--- debian/changelog
+++ debian/changelog
@@ -1,3 +1,14 @@
+python-django (3:3.2.25-0+deb12u3) oldstable-proposed-updates; urgency=medium
+
+ * The fix for CVE-2025-6069 in the python3.11 source package (released
+ as part of a suite of updates in 3.11.2-6+deb12u7) modified the
+ html.parser.HTMLParser class in such a way that changed the behaviour of
+ Django's strip_tags() method. As a result of this change, we update the
+ testsuite here for the newly expected results in order to prevent a build
+ failure. (Closes: #1137039)
+
+ -- Chris Lamb <[email protected]> Tue, 26 May 2026 14:32:47 -0700
+
python-django (3:3.2.25-0+deb12u2) bookworm-security; urgency=high
* CVE-2025-13473: The check_password function in
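Review bot: the new entry at the top of debian/changelog mentions only the test-suite update; it names neither the patch that carries it nor the effect on callers. The updated expectations in this upload show strip_tags() returning '>' for input it used to return unchanged, so the entry should say that output for malformed markup changes once the python3.11 update is installed, and should reference Workaround-changes-in-CVE-2025-6069.patch. strip_tags() is also a module-level function in django.utils.html rather than a method.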
diff --git debian/patches/Workaround-changes-in-CVE-2025-6069.patch
debian/patches/Workaround-changes-in-CVE-2025-6069.patch
new file mode 100644
index 000000000..62e8bc9b0
--- /dev/null
+++ debian/patches/Workaround-changes-in-CVE-2025-6069.patch
@@ -0,0 +1,27 @@
+From: Chris Lamb <[email protected]>
+Date: Mon, 26 Jan 2026 13:22:33 -0800
+Subject: Workaround changes in CVE-2025-6069
+
+The changes to the html.parser.HTMLParser to fix CVE-2025-6069 caused a change
+of behaviour that affected Django's strip_tags.
+---
+ tests/utils_tests/test_html.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index 5321341b2001..d4f1c6ae573c 100644
+--- a/tests/utils_tests/test_html.py
++++ b/tests/utils_tests/test_html.py
+@@ -89,10 +89,10 @@ class TestUtilsHtml(SimpleTestCase):
+ ('&gotcha&#;<>', '&gotcha&#;<>'),
+ ('<sc<!-- -->ript>test<<!-- -->/script>', 'ript>test'),
+ ('<script>alert()</script>&h', 'alert()h'),
+- ('><!' + ('&' * 16000) + 'D', '><!' + ('&' * 16000) + 'D'),
++ ('><!' + ('&' * 16000) + 'D', '>'),
+ ('X<<<<br>br>br>br>X', 'XX'),
+ ("<" * 50 + "a>" * 50, ""),
+- (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
++ (">" + "<a" * 500 + "a", '>'),
+ ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
+ ("<" + "a" * 1_002, "<" + "a" * 1_002),
+ )
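Review bot: the two replaced expectations in tests/utils_tests/test_html.py are hard-coded to the post-fix parser output ('>'), so the suite will now fail on any build where python3.11 is older than 3.11.2-6+deb12u7. Either add a versioned build dependency on the fixed python3.11 or let the test accept both results. The patch description should also state that everything after the unterminated "<!" or "<a" is now dropped rather than passed through, so a reader can see why the shorter output is acceptable. The added lines use single quotes ('>') where the neighbouring lines use double quotes.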
diff --git debian/patches/series debian/patches/series
index adc9a5cdb..9df8e7c32 100644
--- debian/patches/series
+++ debian/patches/series
@@ -35,3 +35,4 @@
0037-CVE-2026-1285.patch
0038-CVE-2026-1287.patch
0039-CVE-2026-1312.patch
+Workaround-changes-in-CVE-2025-6069.patch
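Review bot: the added entry in debian/patches/series has no numeric prefix, unlike the entries just above it (0037-, 0038-, 0039-). Naming the file 0040-Workaround-changes-in-CVE-2025-6069.patch would keep the series consistent and make the apply order obvious from the file names.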