Your message dated Tue, 03 Mar 2026 18:40:11 +0000
with message-id <[email protected]>
and subject line Bug#1129595: fixed in python-django 3:4.2.29-1
has caused the Debian Bug report #1129595,
regarding python-django: CVE-2026-25673 CVE-2026-25674
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1129595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129595
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 2:2.2.28-1~deb11u12
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django via

   https://www.djangoproject.com/weblog/2026/mar/03/security-releases/


CVE-2026-25673[0]:
| An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and
| 4.2 before 4.2.29. `URLField.to_python()` in Django calls
| `urllib.parse.urlsplit()`, which performs NFKC normalization on
| Windows that is disproportionately slow for certain Unicode
| characters, allowing a remote attacker to cause denial of service
| via large URL inputs containing these characters. Earlier,
| unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not
| evaluated and may also be affected. Django would like to thank
| Seokchan Yoon for reporting this issue.


CVE-2026-25674[1]:
| An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and
| 4.2 before 4.2.29. Race condition in file-system storage and file-
| based cache backends in Django allows an attacker to cause file
| system objects to be created with incorrect permissions via
| concurrent requests, where one thread's temporary `umask` change
| affects other threads in multi-threaded environments. Earlier,
| unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not
| evaluated and may also be affected. Django would like to thank Tarek
| Nakkouch for reporting this issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-25673
    https://www.cve.org/CVERecord?id=CVE-2026-25673
[1] https://security-tracker.debian.org/tracker/CVE-2026-25674
    https://www.cve.org/CVERecord?id=CVE-2026-25674


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-

--- End Message ---
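The race described for CVE-2026-25674 above is easy to reproduce once you remember that `umask` is a per-process attribute, not a per-thread one. The following Python is an added example, not Django's code: `mkdir_umask_dependent()` stands in for the pre-fix "let the umask decide" pattern, `mkdir_fixed_perms()` for the mkdir-then-chmod pattern the fix adopts, and `demo_race()` runs a thread that temporarily tightens the umask next to a thread creating directories. Paths, function names and the 0o755/0o077 values are this example's choices; POSIX permission semantics are assumed (on Windows `os.chmod()` only toggles the read-only flag).

```python
"""Added example, not Django's code: why a process-wide umask makes
directory permissions racy across threads (the CVE-2026-25674 mechanism)
and why mkdir() followed by chmod(), as the fix does, is deterministic.
POSIX semantics assumed; on Windows os.chmod() only toggles read-only."""
import os
import shutil
import stat
import tempfile
import threading


def mode_of(path: str) -> int:
    """Permission bits only (rwx for user/group/other) of a path."""
    return stat.S_IMODE(os.stat(path).st_mode)


def mkdir_umask_dependent(path: str, mode: int) -> int:
    """Pre-fix pattern: the kernel applies (mode & ~umask) at mkdir time,
    so the result depends on whatever umask the *process* has right now."""
    os.mkdir(path, mode)
    return mode_of(path)


def mkdir_fixed_perms(path: str, mode: int) -> int:
    """Fixed pattern from the changelog: create, then chmod() to the exact
    requested bits. chmod() does not consult the umask at all."""
    os.mkdir(path, mode)
    os.chmod(path, mode)
    return mode_of(path)


def demo_single_thread(base: str) -> dict:
    """Deterministic version of the bug: a restrictive umask is in force
    while a 0o755 directory is requested."""
    prev = os.umask(0o077)  # the 'temporary umask change' the advisory describes
    try:
        dep = mkdir_umask_dependent(os.path.join(base, "umask_dependent"), 0o755)
        fixed = mkdir_fixed_perms(os.path.join(base, "fixed"), 0o755)
    finally:
        os.umask(prev)
    return {"umask_dependent": dep, "fixed": fixed}


def demo_race(base: str, count: int, use_chmod: bool) -> int:
    """The actual race: one thread flips the umask back and forth while
    another creates directories. Returns how many directories ended up
    with bits other than the requested 0o755."""
    os.makedirs(base, exist_ok=True)
    stop = threading.Event()

    def flipper() -> None:
        while not stop.is_set():
            prev = os.umask(0o077)  # "temporarily" restrict ...
            os.umask(prev)          # ... and restore; in between, every thread sees 0o077

    creator = mkdir_fixed_perms if use_chmod else mkdir_umask_dependent
    t = threading.Thread(target=flipper, daemon=True)
    t.start()
    try:
        wrong = sum(
            creator(os.path.join(base, f"d{i}"), 0o755) != 0o755
            for i in range(count)
        )
    finally:
        stop.set()
        t.join()
    return wrong


def run_demo(count: int = 300) -> dict:
    """Run both demos in a throwaway directory under a known umask."""
    base = tempfile.mkdtemp(prefix="umask-race-")
    prev = os.umask(0o022)  # known starting point so results do not depend on the caller's umask
    try:
        results = demo_single_thread(base)
        results["race_without_chmod"] = demo_race(os.path.join(base, "r1"), count, use_chmod=False)
        results["race_with_chmod"] = demo_race(os.path.join(base, "r2"), count, use_chmod=True)
    finally:
        os.umask(prev)
        shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        shown = oct(value) if key in ("umask_dependent", "fixed") else value
        print(f"{key}: {shown}")
```

`race_without_chmod` is whatever the scheduler produced on your machine (any value from 0 to `count`), which is exactly the point: the outcome is not under the creating thread's control. `race_with_chmod` is always 0. One caveat a reviewer would still raise: between `os.mkdir()` and `os.chmod()` the directory briefly carries the umask-derived bits, so if a racing thread had *loosened* the umask the directory is briefly too open. Creating with the most restrictive mode you will ever want (for example 0o700) and widening with `chmod()` afterwards closes that window in the safe direction.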
--- Begin Message ---
Source: python-django
Source-Version: 3:4.2.29-1
Done: Chris Lamb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Mar 2026 09:48:56 -0800
Source: python-django
Architecture: source
Version: 3:4.2.29-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1129595
Changes:
 python-django (3:4.2.29-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2026-25674: Potential incorrect permissions on newly created file
       system objects.
 .
       Django's file-system storage and file-based cache backends used the
       process umask to control permissions when creating directories. In
       multi-threaded environments, one thread's temporary umask change can
       affect other threads' file and directory creation, resulting in file
       system objects being created with unintended permissions. Django now
       applies the requested permissions via os.chmod() after os.mkdir(),
       removing the dependency on the process-wide umask.
 .
     - CVE-2026-25673: Potential denial-of-service vulnerability in URLField via
       Unicode normalization on Windows.
 .
       The django.forms.URLField form field's to_python() method used
       urllib.parse.urlsplit() to determine whether to prepend a URL scheme to
       the submitted value. On Windows, urlsplit() performs NFKC normalization
       (unicodedata.normalize), which can be disproportionately slow for large
       inputs containing certain characters.
 .
       URLField.to_python() now uses a simplified scheme detection, avoiding
       Unicode normalization entirely and deferring URL validation to the
       appropriate layers. As a result, while leading and trailing whitespace is
       still stripped by default, characters such as newlines, tabs, and other
       control characters within the value are no longer handled by
       URLField.to_python(). When using the default URLValidator, these values
       will continue to raise ValidationError during validation, but if you rely
       on custom validators, ensure they do not depend on the previous behavior
       of URLField.to_python().
 .
     <https://www.djangoproject.com/weblog/2026/mar/03/security-releases/>
 .
     (Closes: #1129595)
Checksums-Sha1:
 5ccf463a8f505df79cfcb208ebb32aac9cee43e0 2790 python-django_4.2.29-1.dsc
 fa2d7682f482f2d86b10f4ce2b7c0a8b0d382cc0 10438980 python-django_4.2.29.orig.tar.gz
 15d915240f6e16c78cc8d704ddd8134859991881 37852 python-django_4.2.29-1.debian.tar.xz
 ad604ba01199f534ab5b30f118e7516558ae817d 6477 python-django_4.2.29-1_source.buildinfo
Checksums-Sha256:
 8edc06eae6f9c4b330d58af3481c237423104d7c2d65e581236006e7d5686c4f 2790 python-django_4.2.29-1.dsc
 86d91bc8086569c8d08f9c55888b583a921ac1f95ed3bdc7d5659d4709542014 10438980 python-django_4.2.29.orig.tar.gz
 9d4588b2c11a7c219f2178c040dd5e9f20483d647203c37f21f273c03990a868 37852 python-django_4.2.29-1.debian.tar.xz
 39faa56709746c87d9835ab0096f8658f1f1d3bfb236808e0b97115974c9b46f 6477 python-django_4.2.29-1_source.buildinfo
Files:
 bd5913ac1054070cfbd507b8b748aa31 2790 python optional python-django_4.2.29-1.dsc
 8fa52c7ec011ebaa7fcf6fba78561346 10438980 python optional python-django_4.2.29.orig.tar.gz
 b46f7473cf08d84e1e0a353b26bfb88a 37852 python optional python-django_4.2.29-1.debian.tar.xz
 bfd04a88d1408a623130ef9aab53274c 6477 python optional python-django_4.2.29-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgp2FaaBeKb3P.pgp
Description: PGP signature


--- End Message ---
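The changelog above attaches a behavioural caveat to the CVE-2026-25673 fix: once `URLField.to_python()` stops calling `urlsplit()`, tabs, newlines and other control characters inside a value are no longer touched before validation. The following Python is an added example, not Django's code: `to_python_old()` mirrors the pre-fix approach (ask `urlsplit()` whether a scheme is present and rebuild the value with `urlunsplit()`), while `to_python_new()` is this editor's guess at what a "simplified scheme detection" looks like (an RFC 3986 scheme regex), not Django's actual implementation. `contains_control_chars()` is the check a custom validator now has to perform itself.

```python
"""Added example, not Django's code: the shape of the URLField change for
CVE-2026-25673 and the caveat the changelog attaches to it. The regex-based
scheme detection is an assumption about the fix, not Django's code."""
import re
from urllib.parse import urlsplit, urlunsplit

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":"
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")
# What a URL validator must now catch on its own: C0 controls and DEL.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def to_python_old(value: str, default_scheme: str = "https") -> str:
    """Pre-fix shape. urlsplit() is a full parser: it drops tab/CR/LF
    anywhere in the input (bpo-43882, CPython 3.9.5 and later) and
    NFKC-normalises a non-ASCII netloc, the step the advisory identifies
    as disproportionately slow on Windows. Rebuilding with urlunsplit()
    therefore silently 'cleans' the submitted value."""
    value = value.strip()
    if not value:
        return value
    parts = urlsplit(value)
    if not parts.scheme:
        parts = urlsplit(f"{default_scheme}://{value}")
    return urlunsplit(parts)


def to_python_new(value: str, default_scheme: str = "https") -> str:
    """Post-fix shape: a bounded regex check, no parsing, no normalisation.
    Control characters inside the value survive untouched; rejecting them
    is now the validator's job, as the changelog warns."""
    value = value.strip()
    if not value:
        return value
    if not _SCHEME_RE.match(value):
        value = f"{default_scheme}://{value}"
    return value


def contains_control_chars(value: str) -> bool:
    """The check a custom validator must add if it relied on the old
    to_python() stripping tabs and newlines for it."""
    return _CONTROL_RE.search(value) is not None


if __name__ == "__main__":
    samples = ("example.com", "http://example.com/x", "exa\tmple.com/x", "example.com\n/evil")
    for sample in samples:
        old, new = to_python_old(sample), to_python_new(sample)
        print(f"{sample!r:24} old={old!r:30} new={new!r:30} ctrl={contains_control_chars(new)}")
```

For plain inputs both functions agree. For `"exa\tmple.com/x"` the old path returns `"https://example.com/x"` (the tab is gone, the value looks valid), whereas the new path returns `"https://exa\tmple.com/x"` and leaves it to the validator; Django's default `URLValidator` rejects it, but a custom validator written against the old behaviour may not, which is the situation the changelog tells you to audit.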
