Your message dated Tue, 05 May 2026 16:50:09 +0000
with message-id <[email protected]>
and subject line Bug#1135755: fixed in python-django 3:6.0.5-1
has caused the Debian Bug report #1135755,
regarding python-django: CVE-2026-5766 CVE-2026-35192 CVE-2026-6907
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135755: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135755
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 2:2.2.28-1~deb11u12
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for python-django:
https://www.djangoproject.com/weblog/2026/may/05/security-releases/
CVE-2026-5766[0]:
| An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
| ASGI requests with a missing or understated `Content-Length` header
| can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially
| loading large files into memory and causing service degradation.
| As a reminder, Django expects a limit to be configured at the web
| server level rather than solely relying on
| `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series
| (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Kyle Agronick for reporting
| this issue.
CVE-2026-35192[1]:
| An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
| Response headers do not vary on cookies if a session is not
| modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote
| attacker can steal a user's session after that user visits a cached
| public page. Earlier, unsupported Django series (such as 5.0.x,
| 4.1.x, and 3.2.x) were not evaluated and may also be affected.
| Django would like to thank Cantina for reporting this issue.
CVE-2026-6907[2]:
| An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
| `django.middleware.cache.UpdateCacheMiddleware` erroneously caches
| requests where the `Vary` header contained an asterisk (`'*'`). This
| can lead to private data being stored and served. Earlier,
| unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not
| evaluated and may also be affected. Django would like to thank Ahmad
| Sadeddin for reporting this issue.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-5766
https://www.cve.org/CVERecord?id=CVE-2026-5766
[1] https://security-tracker.debian.org/tracker/CVE-2026-35192
https://www.cve.org/CVERecord?id=CVE-2026-35192
[2] https://security-tracker.debian.org/tracker/CVE-2026-6907
https://www.cve.org/CVERecord?id=CVE-2026-6907
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
--- End Message ---
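The two caching advisories above (CVE-2026-35192 and CVE-2026-6907) both come down to one invariant a cache layer has to keep: never store a response whose `Vary` header is `*`, and always key a response that depended on the session on the `Cookie` header, whether or not the session was actually modified. The following is an added illustrative example, written for this page and not taken from Django or from the bug reporter; `Response`, `is_shared_cacheable`, `ensure_vary_cookie` and `cache_key` are hypothetical names, and the `session_accessed` flag stands in for whatever a framework uses to record that a view touched the session.

```python
"""Added example (not Django's code): cache-safety checks that mirror the two
caching problems in the advisory above.

 * Vary: * means the response varies on something beyond the request
   headers (RFC 9110 s12.5.5), so a shared cache must never store it.
 * A response produced while the session was accessed depends on the Cookie
   header and must carry 'Vary: Cookie', even when the session was not
   modified; otherwise a cached copy can be served to other users.
All names below are hypothetical, not a Django API.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def parse_vary(value: Optional[str]) -> Set[str]:
    """Split a comma-separated header value into lower-cased tokens."""
    if not value:
        return set()
    return {v.strip().lower() for v in value.split(",") if v.strip()}


@dataclass
class Response:
    status: int = 200
    headers: Dict[str, str] = field(default_factory=dict)
    # Constructed flag: did the view read or write the session?
    session_accessed: bool = False


def is_shared_cacheable(resp: Response) -> bool:
    """Return True only if a shared cache may store this response."""
    vary = parse_vary(resp.headers.get("Vary"))
    if "*" in vary:
        return False  # Vary: * is uncacheable by definition
    cache_control = parse_vary(resp.headers.get("Cache-Control"))
    if "private" in cache_control or "no-store" in cache_control:
        return False
    return resp.status == 200


def ensure_vary_cookie(resp: Response) -> Response:
    """Add 'Cookie' to Vary whenever the session was accessed.

    This is done unconditionally, not only when the session changed, which
    is the invariant the session-fixation fix in the advisory restores.
    """
    if resp.session_accessed:
        vary = parse_vary(resp.headers.get("Vary"))
        if "cookie" not in vary and "*" not in vary:
            existing = resp.headers.get("Vary")
            resp.headers["Vary"] = f"{existing}, Cookie" if existing else "Cookie"
    return resp


def cache_key(method: str, path: str, request_headers: Dict[str, str],
              resp: Response) -> Optional[str]:
    """Build a cache key that includes every request header the response
    varies on, or return None if the response must not be cached."""
    ensure_vary_cookie(resp)
    if not is_shared_cacheable(resp):
        return None
    lowered = {k.lower(): v for k, v in request_headers.items()}
    parts = [method, path]
    for name in sorted(parse_vary(resp.headers.get("Vary"))):
        parts.append(f"{name}={lowered.get(name, '')}")
    return "|".join(parts)
```

With this ordering, a page that merely reads the session yields a different key per visitor's cookie, and a `Vary: *` response never reaches the cache at all; a cache that computed the key before adding `Cookie` to `Vary`, or that treated `*` like an ordinary header name, would reproduce the two bugs.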
--- Begin Message ---
Source: python-django
Source-Version: 3:6.0.5-1
Done: Chris Lamb <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 05 May 2026 08:03:16 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:6.0.5-1
Distribution: experimental
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1135755
Changes:
python-django (3:6.0.5-1) experimental; urgency=high
.
* New upstream security release:
.
- CVE-2026-5766: Prevent a potential denial-of-service vulnerability in
ASGI requests via a file upload limit bypass. ASGI requests with a
missing or understated Content-Length header could bypass the
FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into
memory and causing service degradation. As a reminder, Django expects a
limit to be configured at the web server level rather than solely relying
on FILE_UPLOAD_MAX_MEMORY_SIZE.
.
- CVE-2026-35192: Address a session fixation issue via public cached pages
and SESSION_SAVE_EVERY_REQUEST. Response headers did not vary on cookies
if a session was not modified but SESSION_SAVE_EVERY_REQUEST was True. A
remote attacker could therefore steal a user's session after that user
visits a cached public page.
.
- CVE-2026-6907: Prevent a potential exposure of private data due to incorrect handling of "Vary: *" in UpdateCacheMiddleware. Previously,
django.middleware.cache.UpdateCacheMiddleware would erroneously cache
requests where the Vary header contained an asterisk ('*'). This could
lead to private data being stored and served.
.
(Closes: #1135755)
.
* Bump Standards-Version to 4.7.4.
Checksums-Sha1:
043c11cfc0fce20bb61de3468d6093955b958ce7 2783 python-django_6.0.5-1.dsc
b9f5649872874dd17cf1c9d7cc25617cb23c5b7c 10924131 python-django_6.0.5.orig.tar.gz
a485087ffbc602c8d9622dc4ae71a32e830a77d8 32564 python-django_6.0.5-1.debian.tar.xz
de6e7b5695af6bc843a776929c6332054c59bee1 8227 python-django_6.0.5-1_amd64.buildinfo
Checksums-Sha256:
86550e52d69e3a46f04c1c4b4b96b6b68f295061ee486432ec9479ac8a52ad1d 2783 python-django_6.0.5-1.dsc
bc6d6872e98a2864c836e42edd644b362db311147dd5aa8d5b82ba7a032f5269 10924131 python-django_6.0.5.orig.tar.gz
e22b9310019e71a79dbbd99bb2f4a246bafa64376461d752e9df07539c1623ce 32564 python-django_6.0.5-1.debian.tar.xz
9222ac9c24c375c0b87ffa528705a5fc1e80cc87896fd22ac032721fd963fa25 8227 python-django_6.0.5-1_amd64.buildinfo
Files:
f4b5d6158f823c8fb374578ed01d4a60 2783 python optional python-django_6.0.5-1.dsc
44c18a8f264c1326e6fe4f1053fea5fc 10924131 python optional python-django_6.0.5.orig.tar.gz
c40740e19763dfc64b246607bf9c7fc5 32564 python optional python-django_6.0.5-1.debian.tar.xz
167bdb4e05103c9d3e363f147087d33b 8227 python optional python-django_6.0.5-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=PsYa
-----END PGP SIGNATURE-----
--- End Message ---
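The upload-limit entry (CVE-2026-5766) describes a limit that was effectively derived from the declared `Content-Length`, so a missing or understated header raised the real ceiling. The defensive pattern is to count the bytes actually received and to use the header only as a hint for early rejection, never as a substitute for counting. The following is an added example written for this page, not Django's code: `read_body`, `declared_length` and `BodyTooLarge` are hypothetical names, header names are assumed to be lower-cased as an ASGI server would deliver them, and the body is fed in as an iterable of chunks. As the changelog itself notes, the server-level body limit remains the first line of defence; this is the check an application layer should keep behind it.

```python
"""Added example (not Django's code): read a request body in chunks and
enforce a cap on the bytes actually received, so an absent or understated
Content-Length header cannot raise the effective limit.

Hypothetical names throughout; headers are assumed lower-cased (ASGI style).
"""
from typing import Dict, Iterable, Optional


class BodyTooLarge(Exception):
    """Raised as soon as the body exceeds the configured cap."""


def declared_length(headers: Dict[str, str]) -> Optional[int]:
    """Parse Content-Length, treating a missing or malformed value as unknown
    rather than as zero."""
    raw = headers.get("content-length")
    if raw is None:
        return None
    try:
        value = int(raw)
    except ValueError:
        return None
    return value if value >= 0 else None


def read_body(headers: Dict[str, str], chunks: Iterable[bytes],
              max_bytes: int) -> bytes:
    """Consume `chunks`, rejecting the request once more than `max_bytes`
    have arrived.

    The declared Content-Length is used only for an early reject when it
    already exceeds the cap; the cap itself is enforced on received bytes,
    so an understated or missing header changes nothing.
    """
    declared = declared_length(headers)
    if declared is not None and declared > max_bytes:
        raise BodyTooLarge(f"declared {declared} bytes > cap {max_bytes}")

    received = 0
    parts = []
    for chunk in chunks:
        received += len(chunk)
        if received > max_bytes:
            raise BodyTooLarge(f"received {received} bytes > cap {max_bytes}")
        parts.append(chunk)

    if declared is not None and received != declared:
        # Header and wire disagree; surface it instead of trusting the header.
        raise ValueError(
            f"Content-Length mismatch: declared {declared}, received {received}")
    return b"".join(parts)
```

The mismatch check at the end is deliberately separate from the size cap: a body that is smaller than the cap but larger than its declared length is not an overflow, but it is a malformed request worth logging, and it is exactly the shape of input the advisory describes.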