From fae13248f78af7d50a5f0eaf178c777e0ce1c500143004e4d3b92bac1189f3b4 Mon Sep 17 00:00:00 2001 From: Robert Frohl Date: Wed, 4 Feb 2026 12:54:31 +0100 Subject: [PATCH 1/2] Update submodules from pool/python-Django#4 and create patchinfo.20260204115012215375.93181000773252/_patchinfo --- .../_patchinfo | 30 +++++++++++++++++++ python-Django | 2 +- 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 patchinfo.20260204115012215375.93181000773252/_patchinfo diff --git a/patchinfo.20260204115012215375.93181000773252/_patchinfo b/patchinfo.20260204115012215375.93181000773252/_patchinfo new file mode 100644 index 0000000..9f1039d --- /dev/null +++ b/patchinfo.20260204115012215375.93181000773252/_patchinfo 
@@ -0,0 +1,30 @@ + + VUL-0: CVE-2025-14550: python-Django,python3-Django,python-Django6: Potential denial-of-service vulnerability via repeated headers when using ASGI + VUL-0: CVE-2026-1285: python-Django,python3-Django,python-Django6: Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods + VUL-0: CVE-2026-1207: python-Django,python3-Django,python-Django6: Potential SQL injection via raster lookups on PostGIS + + + + VUL-0: CVE-2026-1287: python-Django,python3-Django,python-Django6: Potential SQL injection in column aliases via control characters + + VUL-0: CVE-2025-13473: python-Django,python3-Django,python-Django6: Username enumeration through timing difference in mod_wsgi authentication handler + VUL-0: CVE-2026-1312: python-Django,python3-Django,python-Django6: Potential SQL injection via QuerySet.order_by and FilteredRelation + + + mcalabkova + important + security + Security update for python-Django + This update for python-Django fixes the following issues: + +Changes in python-Django: + +- CVE-2026-1312: Fixed potential SQL injection via QuerySet.order_by and FilteredRelation (bsc#1257408). +- CVE-2026-1287: Fixed potential SQL injection in column aliases via control characters (bsc#1257407). +- CVE-2026-1207: Fixed potential SQL injection via raster lookups on PostGIS (bsc#1257405). +- CVE-2026-1285: Fixed potential denial-of-service in django.utils.text.Truncator HTML methods (bsc#1257406). +- CVE-2025-13473: Fixed username enumeration through timing difference in mod_wsgi authentication handler (bsc#1257401). +- CVE-2025-14550: Fixed potential denial-of-service via repeated headers when using ASGI (bsc#1257403). + + python-Django + diff --git a/python-Django b/python-Django index 58adc28..239aa42 160000 --- a/python-Django +++ b/python-Django 
@@ -1 +1 @@ -Subproject commit 58adc28d1a7975cac81228993b6630e435ce44e35bf29fa857c63fa8799032e9 +Subproject commit 239aa42157245eaa580c1afe8562592cc8be37b9cd8bef67ab2a81fddd8078fc -- 2.51.1 From 4cfc011cfbc3b4ccdf069e2db7cb67bb442f8bd4d684745c0a4390b383754493 Mon Sep 17 00:00:00 2001 From: AutoGits PR Review Bot Date: Wed, 4 Feb 2026 15:10:55 +0000 Subject: [PATCH 2/2] auto-created for python-Django This commit was autocreated by AutoGits PR Review Bot referencing PRs: PR: pool/python-Django!4 --- python-Django | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-Django b/python-Django index 239aa42..5363808 160000 --- a/python-Django +++ b/python-Django @@ -1 +1 @@ -Subproject commit 239aa42157245eaa580c1afe8562592cc8be37b9cd8bef67ab2a81fddd8078fc +Subproject commit 53638080fdf7438db3f085abcc981fc604e07aea7e5dacfe4499e2c07e1c3624 -- 2.51.1
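Review bot: in the new _patchinfo, the issue list at the top and the bullet list in the description enumerate the same six CVEs in different orders (CVE-2025-14550 leads the issue list, CVE-2026-1312 leads the description); ordering both the same way, for example by CVE id, makes it straightforward to verify that the two lists agree. The description also cites six bsc numbers (bsc#1257401, bsc#1257403, bsc#1257405 through bsc#1257408), while the visible issue entries only carry the CVE ids, so confirm that each bsc number has a matching tracker entry in the issue list so the update is linked to its bug reports.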
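Review bot: the submodule bump of python-Django from 58adc28 to 239aa42 in PATCH 1/2 carries no explanation beyond the PR reference in the subject; since _patchinfo in the same commit is the record of what the update fixes, the commit message should state that this submodule commit is the one containing the six CVE fixes listed there, so a reviewer can tie the pinned commit to the patchinfo without opening pool/python-Django#4.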
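Review bot: PATCH 2/2 moves python-Django again, from 239aa42 to 5363808, which supersedes the commit that _patchinfo in PATCH 1/2 was written against; before merging, confirm that 5363808 is still the head of pool/python-Django!4 and contains the same six CVE fixes, otherwise the patchinfo and the shipped code diverge. Since this commit is auto-created and the series pins the submodule twice, consider squashing the two bumps into one so the final pinned commit is the only one in history.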