Debian Bug report logs - #1121788
python-django: CVE-2025-13372 CVE-2025-64460


Package: python-django; Maintainer for python-django is Debian Python Team <team+python@tracker.debian.org>;

Reported by: "Chris Lamb" <lamby@debian.org>

Date: Tue, 2 Dec 2025 19:09:02 UTC

Severity: grave

Tags: security, upstream

Found in versions 3:4.2.26-1, 3:4.2.23-1, 3:3.2.19-1+deb12u1

Fixed in version python-django/3:4.2.27-1

Done: Chris Lamb <lamby@debian.org>




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Python Team <team+python@tracker.debian.org> (python-django for {1121788}), team@security.debian.org (additional cc recipient for {1121788}):
Bug#1121788; Package python-django. (Tue, 02 Dec 2025 19:09:02 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, team+python@tracker.debian.org. (Tue, 02 Dec 2025 19:09:02 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2025-13372 CVE-2025-64460
Date: Tue, 02 Dec 2025 11:06:14 -0800
Package: python-django
Version: 3:3.2.19-1+deb12u1
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

    - CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
      column aliases when using PostgreSQL. FilteredRelation was subject to SQL
      injection in column aliases via a suitably crafted dictionary as the
      **kwargs passed to QuerySet.annotate() or QuerySet.alias().

    - CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
      XML serializer text extraction. An algorithmic complexity issue in
      django.core.serializers.xml_serializer.getInnerText() allowed a remote
      attacker to cause a potential denial-of-service triggering CPU and memory
      exhaustion via a specially crafted XML input submitted to a service that
      invokes XML Deserializer. The vulnerability resulted from repeated string
      concatenation while recursively collecting text nodes, which produced
      superlinear computation.

  <https://www.djangoproject.com/weblog/2025/dec/02/security-releases/>

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
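The first entry concerns alias names that reach QuerySet.annotate() or QuerySet.alias() through a caller-controlled **kwargs dictionary. The fix for the CVE itself is the upstream release (3:4.2.27-1 here); what follows is an added example, not code from the Debian package or from Django, showing the application-side check that stops attacker-chosen keys from ever becoming column aliases. It runs without Django installed. SAFE_ALIAS (a conservative SQL-identifier shape, stricter than anything Django accepts), the placeholder values and the `requested` dictionary are assumptions made for this example.

```python
import re
from typing import Any, Mapping

# Assumption for this example: legitimate aliases in our application are plain
# identifier-shaped names. This allowlist is deliberately stricter than Django's
# own alias validation and is not Django's code.
SAFE_ALIAS = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


class UnsafeAliasError(ValueError):
    """Raised when a caller-supplied alias does not match SAFE_ALIAS."""


def is_safe_alias(alias: Any) -> bool:
    # Non-strings are rejected too: **kwargs keys must be str, and a crafted
    # key is exactly the vector the advisory describes.
    return isinstance(alias, str) and SAFE_ALIAS.fullmatch(alias) is not None


def unsafe_aliases(kwargs: Mapping[Any, Any]) -> list:
    """Return, in insertion order, every key of kwargs that would be rejected."""
    return [k for k in kwargs if not is_safe_alias(k)]


def safe_annotations(kwargs: Mapping[str, Any]) -> dict:
    """Validate every alias before it can be splatted into annotate()/alias().

    Intended use in a view (not executed here; Django is not imported):
        qs = Book.objects.annotate(**safe_annotations(requested))
    Rejecting the whole request on the first bad key is deliberate: silently
    dropping keys would let an attacker probe which shapes get through.
    """
    bad = unsafe_aliases(kwargs)
    if bad:
        raise UnsafeAliasError(f"refusing alias(es): {bad!r}")
    return dict(kwargs)


if __name__ == "__main__":
    # Constructed sample: one alias an application might derive from a query
    # string parameter, and several shaped like injection attempts. The values
    # are placeholder strings standing in for FilteredRelation(...) objects.
    requested = {
        "recent_books": "FilteredRelation('book', condition=Q(book__year__gte=2020))",
        'b" AS x FROM t; --': "FilteredRelation('book')",
        "1starts_with_digit": "FilteredRelation('book')",
        "has space": "FilteredRelation('book')",
        "cmt/*": "FilteredRelation('book')",
    }
    print("would reject:", unsafe_aliases(requested))
    try:
        safe_annotations(requested)
    except UnsafeAliasError as exc:
        print("rejected:", exc)
    print("accepted:", safe_annotations({"recent_books": requested["recent_books"]}))
```

The check belongs at the trust boundary (the view or form that turns request data into annotate() arguments), and it stays useful after upgrading: the upstream fix hardens Django's own alias handling, but an application that lets users name columns still has no reason to accept anything outside its own allowlist.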
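The second entry describes an algorithmic-complexity bug: text nodes collected recursively with string concatenation, so every ancestor copies its descendants' text again. The following is an added example, not Django's xml_serializer code, that reproduces that pattern with the standard library's xml.dom.minidom on a constructed document and counts the characters each approach copies; the iterative walker is the linear alternative and also avoids Python's recursion limit on attacker-chosen nesting depth. nested_document, the element name n, and the depth values are assumptions made for this example.

```python
from xml.dom import minidom


def nested_document(depth: int) -> minidom.Element:
    """Constructed input: <n>x<n>x...</n></n>, `depth` levels, one 'x' per level."""
    xml = "<n>x" * depth + "</n>" * depth
    return minidom.parseString(xml).documentElement


def inner_text_recursive(node, stats: dict) -> str:
    """The superlinear pattern: each level builds its own string, and every
    ancestor copies that string again when appending it to its own."""
    text = ""
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            text += child.data
        elif child.nodeType == child.ELEMENT_NODE:
            text += inner_text_recursive(child, stats)
    stats["chars_copied"] += len(text)  # the caller copies this once more
    return text


def inner_text_iterative(node, stats: dict) -> str:
    """Linear version: one accumulator, one join, and an explicit stack so
    nesting depth chosen by the sender cannot trigger RecursionError."""
    parts = []
    stack = list(reversed(node.childNodes))  # pop() then yields document order
    while stack:
        cur = stack.pop()
        if cur.nodeType in (cur.TEXT_NODE, cur.CDATA_SECTION_NODE):
            parts.append(cur.data)
        elif cur.nodeType == cur.ELEMENT_NODE:
            stack.extend(reversed(cur.childNodes))
    stats["chars_copied"] += sum(len(p) for p in parts)
    return "".join(parts)


def measure(depth: int) -> dict:
    """Run both walkers over the same constructed tree and report the cost."""
    root = nested_document(depth)
    rec = {"chars_copied": 0}
    it = {"chars_copied": 0}
    text_r = inner_text_recursive(root, rec)
    text_i = inner_text_iterative(root, it)
    return {
        "equal": text_r == text_i,
        "text_len": len(text_i),
        "recursive_copied": rec["chars_copied"],
        "iterative_copied": it["chars_copied"],
    }


if __name__ == "__main__":
    for d in (100, 400):
        print(d, measure(d))
    # Deep input: the iterative walker finishes; the recursive one would hit
    # Python's default recursion limit before producing a result.
    deep = inner_text_iterative(nested_document(3000), {"chars_copied": 0})
    print("depth 3000 ->", len(deep), "characters")
```

With one character of text per level, the recursive walker copies depth*(depth+1)/2 characters against depth for the iterative one (80200 versus 400 at depth 400), which is the superlinear growth the advisory names. The copy count, not wall-clock time, is the value to assert in a regression test, because timing is noisy on shared CI hosts.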



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 02 Dec 2025 19:41:03 GMT)


Marked as found in versions 3:4.2.23-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 02 Dec 2025 19:41:03 GMT)


Marked as found in versions 3:4.2.26-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 02 Dec 2025 19:43:01 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 02 Dec 2025 21:11:02 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 02 Dec 2025 21:11:02 GMT)


Message #16 received at 1121788-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1121788-close@bugs.debian.org
Subject: Bug#1121788: fixed in python-django 3:4.2.27-1
Date: Tue, 02 Dec 2025 21:09:15 +0000
Source: python-django
Source-Version: 3:4.2.27-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1121788@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 02 Dec 2025 11:34:10 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.27-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1121788
Changes:
 python-django (3:4.2.27-1) unstable; urgency=medium
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2025/dec/02/security-releases/>
 .
     - CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
       column aliases when using PostgreSQL. FilteredRelation was subject to SQL
       injection in column aliases via a suitably crafted dictionary as the
       **kwargs passed to QuerySet.annotate() or QuerySet.alias().
 .
     - CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
       XML serializer text extraction. An algorithmic complexity issue in
       django.core.serializers.xml_serializer.getInnerText() allowed a remote
       attacker to cause a potential denial-of-service triggering CPU and memory
       exhaustion via a specially crafted XML input submitted to a service that
       invokes XML Deserializer. The vulnerability resulted from repeated string
       concatenation while recursively collecting text nodes, which produced
       superlinear computation.
 .
     (Closes: #1121788)
 .
   * Mark that Python 3.14 is not supported yet.
Checksums-Sha1:
 fd97107ab1b4038a43938f24e5908d61550c694b 2792 python-django_4.2.27-1.dsc
 5c2da0b170d051f5e29bffd29e02a36e13068e22 10432781 python-django_4.2.27.orig.tar.gz
 0cc6ee93d6d17b457894885e96e0fcd0df6ff245 35148 python-django_4.2.27-1.debian.tar.xz
 fe971963fdbb828d69d6424f21f7f32165acf198 8046 python-django_4.2.27-1_amd64.buildinfo
Checksums-Sha256:
 c9de75dc7874faee5197cc48fae4d8b5c84307b9d721e6ce1ea744502ee288eb 2792 python-django_4.2.27-1.dsc
 b865fbe0f4a3d1ee36594c5efa42b20db3c8bbb10dff0736face1c6e4bda5b92 10432781 python-django_4.2.27.orig.tar.gz
 91592f782abaa1a6d40b19bea9c5af83dbdfa1bfdc99ea2abdd7a50d14e62b2e 35148 python-django_4.2.27-1.debian.tar.xz
 4b606fabb0932f3894956be0833a75b4380ebaedff3e02a0dd68a26096f75fcd 8046 python-django_4.2.27-1_amd64.buildinfo
Files:
 5605464303c4aa714a38822b23fe931a 2792 python optional python-django_4.2.27-1.dsc
 45431b7954d12014c88cd9f66cfefb2c 10432781 python optional python-django_4.2.27.orig.tar.gz
 df64921ec9ac50e8fbe6d63a25589b27 35148 python optional python-django_4.2.27-1.debian.tar.xz
 954e52d81bf5db6d9e04cd9cb0fb1b64 8046 python optional python-django_4.2.27-1_amd64.buildinfo




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jan 25 20:45:28 2026; Machine Name: buxtehude
