Your message dated Tue, 05 May 2026 17:06:13 +0000
with message-id <[email protected]>
and subject line Bug#1135755: fixed in python-django 3:5.2.14-1
has caused the Debian Bug report #1135755,
regarding python-django: CVE-2026-5766 CVE-2026-35192 CVE-2026-6907
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135755: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135755
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 2:2.2.28-1~deb11u12
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django:

   https://www.djangoproject.com/weblog/2026/may/05/security-releases/

CVE-2026-5766[0]:
| An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
| ASGI requests with a missing or understated `Content-Length` header
| can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially
| loading large files into memory and causing service degradation.
| As a reminder, Django expects a limit to be configured at the web
| server level rather than solely relying on
| `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series
| (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
| affected. Django would like to thank Kyle Agronick for reporting
| this issue.


CVE-2026-35192[1]:
| An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
| Response headers do not vary on cookies if a session is not
| modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote
| attacker can steal a user's session after that user visits a cached
| public page. Earlier, unsupported Django series (such as 5.0.x,
| 4.1.x, and 3.2.x) were not evaluated and may also be affected.
| Django would like to thank Cantina for reporting this issue.


CVE-2026-6907[2]:
| An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
| `django.middleware.cache.UpdateCacheMiddleware` erroneously caches
| requests where the `Vary` header contained an asterisk (`'*'`). This
| can lead to private data being stored and served. Earlier,
| unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not
| evaluated and may also be affected. Django would like to thank Ahmad
| Sadeddin for reporting this issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5766
    https://www.cve.org/CVERecord?id=CVE-2026-5766
[1] https://security-tracker.debian.org/tracker/CVE-2026-35192
    https://www.cve.org/CVERecord?id=CVE-2026-35192
[2] https://security-tracker.debian.org/tracker/CVE-2026-6907
    https://www.cve.org/CVERecord?id=CVE-2026-6907


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-

--- End Message ---
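A small Python illustration of the three defensive checks the advisory above describes: refusing to cache a `Vary: *` or cookie-dependent response, and bounding an ASGI upload by the bytes that actually arrive rather than the client's `Content-Length`. This is an added example, not Django's own code; `response_is_cacheable`, `read_body_bounded` and the constructed `receive` replay are assumptions of this example.

```python
import asyncio

# Django's documented default for FILE_UPLOAD_MAX_MEMORY_SIZE (2.5 MiB).
FILE_UPLOAD_MAX_MEMORY_SIZE = 2_621_440


def response_is_cacheable(headers, uses_session=False):
    """Decide whether a shared (public) cache may store a response.

    'Vary: *' can never be stored (CVE-2026-6907); a response that sets a
    cookie, as every response does when SESSION_SAVE_EVERY_REQUEST is True,
    must not be shared between clients; and a session-dependent response
    must at least vary on Cookie so caches key it per client (CVE-2026-35192).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    vary = {v.strip().lower() for v in lowered.get("vary", "").split(",")}
    if "*" in vary or "set-cookie" in lowered:
        return False
    if uses_session and "cookie" not in vary:
        return False
    return True


async def read_body_bounded(receive, limit=FILE_UPLOAD_MAX_MEMORY_SIZE):
    """Read an ASGI request body, enforcing `limit` on bytes actually received
    so a missing or understated Content-Length cannot bypass the in-memory
    cap (CVE-2026-5766)."""
    chunks, total = [], 0
    while True:
        message = await receive()
        body = message.get("body", b"")
        total += len(body)
        if total > limit:
            raise ValueError(f"request body exceeds {limit} bytes")
        chunks.append(body)
        if not message.get("more_body", False):
            return b"".join(chunks)


def make_receive(chunks):
    """Constructed ASGI receive() callable that replays `chunks` in order."""
    queue = list(chunks)

    async def receive():
        body = queue.pop(0)
        return {"type": "http.request", "body": body, "more_body": bool(queue)}

    return receive


def demo_understated_content_length(limit=150):
    """Constructed client that claims Content-Length: 10 but streams 300 bytes;
    the bounded reader rejects it once the real byte count passes `limit`."""
    receive = make_receive([b"x" * 100, b"y" * 100, b"z" * 100])
    try:
        asyncio.run(read_body_bounded(receive, limit))
    except ValueError:
        return "rejected"
    return "accepted"
```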
--- Begin Message ---
Source: python-django
Source-Version: 3:5.2.14-1
Done: Chris Lamb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Tue, 05 May 2026 09:42:54 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:5.2.14-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1135755
Changes:
 python-django (3:5.2.14-1) unstable; urgency=high
 .
   * New upstream security release:
 .
      - CVE-2026-5766: Prevent a potential denial-of-service vulnerability in
        ASGI requests via a file upload limit bypass. ASGI requests with a
        missing or understated Content-Length header could bypass the
        FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into
        memory and causing service degradation. As a reminder, Django expects a
        limit to be configured at the web server level rather than solely
        relying on FILE_UPLOAD_MAX_MEMORY_SIZE.
 .
      - CVE-2026-35192: Address a session fixation issue via public cached pages
        and SESSION_SAVE_EVERY_REQUEST. Response headers did not vary on cookies
        if a session was not modified but SESSION_SAVE_EVERY_REQUEST was True. A
        remote attacker could therefore steal a user's session after that user
        visits a cached public page.
 .
      - CVE-2026-6907: Prevent a potential exposure of private data due to
        incorrect handling of "Vary: *" in UpdateCacheMiddleware. Previously,
        django.middleware.cache.UpdateCacheMiddleware would erroneously cache
        requests where the Vary header contained an asterisk ('*'). This could
        lead to private data being stored and served.
 .
      (Closes: #1135755)
 .
   * Bump Standards-Version to 4.7.4.




--- End Message ---