Ubuntu has issued an advisory on March 6: https://ubuntu.com/security/notices/USN-7335-1
Upstream fix: https://github.com/django/django/commit/e88f7376fe68dbf4ebaf11fad1513ce700b45860
Whiteboard: (none) => MGA9TOOSource RPM: (none) => python-django-5.1.5-2.mga10.src.rpm, python-django-4.1.13-1.2.mga9.src.rpmCVE: (none) => CVE-2025-26699Status comment: (none) => Fixed upstream in 5.1.7 and patch available from upstream and Ubuntu
That is the patch. Assigning to Python stack maintainers.
Assignee: bugsquad => python
Suggested advisory: ======================== The updated package fixes a security vulnerability: An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings. (CVE-2025-26699) References: https://ubuntu.com/security/notices/USN-7335-1 ======================== Updated package in core/updates_testing: ======================== python3-django-4.1.13-1.3.mga9 from SRPM: python-django-4.1.13-1.3.mga9.src.rpm
Version: Cauldron => 9Status comment: Fixed upstream in 5.1.7 and patch available from upstream and Ubuntu => (none)Whiteboard: MGA9TOO => (none)Status: NEW => ASSIGNEDAssignee: python => qa-bugsSource RPM: python-django-5.1.5-2.mga10.src.rpm, python-django-4.1.13-1.2.mga9.src.rpm => python-django-4.1.13-1.2.mga9.src.rpm
Keywords: (none) => advisory
RH x86_64 installing python3-django-4.1.13-1.3.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64 Preparing... ################################################################################################## 1/1: python3-django ################################################################################################## 1/1: removing python3-django-4.1.13-1.2.mga9.noarch ################################################################################################## Ref bug#32944 comment#3 django-admin startproject mysite tree mysite mysite ├── manage.py └── mysite ├── asgi.py ├── __init__.py ├── settings.py ├── urls.py └── wsgi.py 2 directories, 6 files cd mysite/ python manage.py migrate Operations to perform: Apply all migrations: admin, auth, contenttypes, sessions Running migrations: Applying contenttypes.0001_initial... OK Applying auth.0001_initial... OK Applying admin.0001_initial... OK Applying admin.0002_logentry_remove_auto_add... OK Applying admin.0003_logentry_add_action_flag_choices... OK Applying contenttypes.0002_remove_content_type_name... OK Applying auth.0002_alter_permission_name_max_length... OK Applying auth.0003_alter_user_email_max_length... OK Applying auth.0004_alter_user_username_opts... OK Applying auth.0005_alter_user_last_login_null... OK Applying auth.0006_require_contenttypes_0002... OK Applying auth.0007_alter_validators_add_error_messages... OK Applying auth.0008_alter_user_username_max_length... OK Applying auth.0009_alter_user_last_name_max_length... OK Applying auth.0010_alter_group_name_max_length... OK Applying auth.0011_update_proxy_permissions... OK Applying auth.0012_alter_user_first_name_max_length... OK Applying sessions.0001_initial... OK python manage.py runserver Watching for file changes with StatReloader Performing system checks... System check identified no issues (0 silenced). March 11, 2025 - 18:44:50 Django version 4.1.13, using settings 'mysite.settings' Starting development server at http://127.0.0.1:8000/ Quit the server with CONTROL-C. The result open http://127.0.0.1:8000/ in browser is as described Give Ok
CC: (none) => andrewsfarmWhiteboard: (none) => MGA9-64-OK
Validating.
CC: (none) => sysadmin-bugsKeywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0095.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED