pkgsrc-Changes archive
CVS commit: pkgsrc/www/py-django
Module Name: pkgsrc
Committed By: adam
Date: Mon Feb 16 12:33:51 UTC 2026
Modified Files:
pkgsrc/www/py-django: Makefile distinfo
Removed Files:
pkgsrc/www/py-django: MESSAGE
Log Message:
py-django: updated to 5.2.11
5.2.11
Django 5.2.11 fixes three security issues with severity “high”, two security issues with severity “moderate”, and one security issue with severity “low” in 5.2.10.
CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler
The django.contrib.auth.handlers.modwsgi.check_password() function for authentication via mod_wsgi allowed remote attackers to enumerate users via a timing attack.
This issue has severity “low” according to the Django security policy.
CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI
When receiving duplicates of a single header, ASGIRequest allowed a remote attacker to cause a potential denial-of-service via a specifically created request with multiple duplicate headers. The vulnerability resulted from repeated string concatenation while combining repeated headers, which produced super-linear computation resulting in service degradation or outage.
This issue has severity “moderate” according to the Django security policy.
CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
Raster lookups on GIS fields (only implemented on PostGIS) were subject to SQL injection if untrusted data was used as a band index.
As a reminder, all untrusted user input should be validated before use.
This issue has severity “high” according to the Django security policy.
CVE-2026-1285: Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods
django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and the truncatechars_html and truncatewords_html template filters were subject to a potential denial-of-service attack via certain inputs with a large number of unmatched HTML end tags, which could cause quadratic time complexity during HTML parsing.
This issue has severity “moderate” according to the Django security policy.
CVE-2026-1287: Potential SQL injection in column aliases via control characters
FilteredRelation was subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias().
This issue has severity “high” according to the Django security policy.
CVE-2026-1312: Potential SQL injection via QuerySet.order_by and FilteredRelation
QuerySet.order_by() was subject to SQL injection in column aliases containing periods when the same alias was, using a suitably crafted dictionary, with dictionary expansion, used in FilteredRelation.
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r0 pkgsrc/www/py-django/MESSAGE
cvs rdiff -u -r1.152 -r1.153 pkgsrc/www/py-django/Makefile
cvs rdiff -u -r1.124 -r1.125 pkgsrc/www/py-django/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
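pkgsrc pins each distfile with BLAKE2s, SHA512 and Size lines in distinfo, the file this commit updates. The following added example (not pkgsrc or Django code) parses entries in that format and verifies a fetched tarball against them; the distinfo text and the payload it checks are constructed for the demonstration, not the real Django tarball.

```python
"""Verify a fetched distfile against pkgsrc-style distinfo entries.

Added example: parses 'BLAKE2s (name) = hex', 'SHA512 (name) = hex' and
'Size (name) = N bytes' lines and checks a file's bytes against all three.
"""
import hashlib
import re

# One distinfo line; the '$NetBSD...$' id line and patch-* SHA1 lines do not match.
LINE_RE = re.compile(r"^(BLAKE2s|SHA512|Size) \(([^)]+)\) = (\S+)(?: bytes)?$")


def parse_distinfo(text):
    """Return {distfile: {"BLAKE2s": hex, "SHA512": hex, "Size": int}}."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, name, value = m.groups()
        entries.setdefault(name, {})[kind] = int(value) if kind == "Size" else value.lower()
    return entries


def verify_distfile(name, data, entries):
    """Return a list of mismatch descriptions; an empty list means the file matches."""
    expected = entries.get(name)
    if expected is None:
        return [f"{name}: no distinfo entry"]
    problems = []
    # Size first: it is cheap and catches truncated or partial downloads outright.
    if expected.get("Size") != len(data):
        problems.append(f"{name}: size {len(data)} != {expected.get('Size')}")
    actual = {"BLAKE2s": hashlib.blake2s(data).hexdigest(),
              "SHA512": hashlib.sha512(data).hexdigest()}
    for kind, digest in actual.items():
        if kind not in expected:
            problems.append(f"{name}: missing {kind} entry")  # both digests are required
        elif expected[kind] != digest:
            problems.append(f"{name}: {kind} mismatch")
    return problems


def make_distinfo(name, data):
    """Emit the three-line entry for data in distinfo format (used to build the sample)."""
    return (f"BLAKE2s ({name}) = {hashlib.blake2s(data).hexdigest()}\n"
            f"SHA512 ({name}) = {hashlib.sha512(data).hexdigest()}\n"
            f"Size ({name}) = {len(data)} bytes\n")


# Constructed sample: a fake tarball payload and a distinfo file pinning it.
SAMPLE_DATA = b"constructed tarball payload, not a real distfile\n"
SAMPLE_DISTINFO = "$NetBSD: distinfo,v 1.1 2026/01/01 00:00:00 nobody Exp $\n\n" \
    + make_distinfo("example-1.0.tar.gz", SAMPLE_DATA)
```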
Modified files:
Index: pkgsrc/www/py-django/Makefile
diff -u pkgsrc/www/py-django/Makefile:1.152 pkgsrc/www/py-django/Makefile:1.153
--- pkgsrc/www/py-django/Makefile:1.152 Tue Dec 2 20:37:45 2025
+++ pkgsrc/www/py-django/Makefile Mon Feb 16 12:33:51 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.152 2025/12/02 20:37:45 adam Exp $
+# $NetBSD: Makefile,v 1.153 2026/02/16 12:33:51 adam Exp $
-DISTNAME= django-5.2.9
+DISTNAME= django-5.2.11
PKGNAME= ${PYPKGPREFIX}-${DISTNAME}
CATEGORIES= www python
MASTER_SITES= https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/
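Review bot: the DISTNAME bump in this hunk goes from django-5.2.9 straight to django-5.2.11, while the log message describes only the 5.2.11 fixes relative to 5.2.10; the 5.2.10 changes land with this update as well, so the log should note that the intermediate release is included. The remaining lines (PKGNAME, CATEGORIES, MASTER_SITES) are unchanged context and no PKGREVISION line appears in the hunk, which is the expected shape for a plain version bump.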
Index: pkgsrc/www/py-django/distinfo
diff -u pkgsrc/www/py-django/distinfo:1.124 pkgsrc/www/py-django/distinfo:1.125
--- pkgsrc/www/py-django/distinfo:1.124 Tue Dec 2 20:37:45 2025
+++ pkgsrc/www/py-django/distinfo Mon Feb 16 12:33:51 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.124 2025/12/02 20:37:45 adam Exp $
+$NetBSD: distinfo,v 1.125 2026/02/16 12:33:51 adam Exp $
-BLAKE2s (django-5.2.9.tar.gz) = 199b4e4431837d8a0ef9dd424c166adf95ba0a2fee61e873d1d81110bc1b9bee
-SHA512 (django-5.2.9.tar.gz) = 669bb4e21b2073fd7a59971efa6d662c5bbfc05284867b562f93b6e56039b06f843726a1a964a4763458c211e238b21d1f91e70cda394d78031a2324bbf35d7f
-Size (django-5.2.9.tar.gz) = 10848762 bytes
+BLAKE2s (django-5.2.11.tar.gz) = a45c7a026b3a5bcd531640d194ea005650e2e9d96647b6030ae4ddb98a9a370d
+SHA512 (django-5.2.11.tar.gz) = 3c82fcd23ecdc2b83fa7fa668389111f88922b16a31e3cd7f279df1cb4bcb0246382bbb8f76fd0d719bef08d0490765cebc0e209d126c932ccc6c6af9ddb43bd
+Size (django-5.2.11.tar.gz) = 10885017 bytes
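Review bot: BLAKE2s, SHA512 and Size are replaced together for the renamed tarball, so the entry is internally consistent; because every later build trusts exactly these values, the new SHA512 should be cross-checked against the checksum the upstream project publishes for the release, not only recomputed from the locally fetched file, otherwise distinfo attests to whatever the mirror served at commit time rather than to the release itself.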