Bug 34348 - python-django new security issue CVE-2025-48432
Summary: python-django new security issue CVE-2025-48432
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-06-05 10:43 CEST by Nicolas Salguero
Modified: 2025-06-25 07:32 CEST (History)
4 users (show)

See Also:
Source RPM: python-django-4.1.13-1.4.mga9.src.rpm
CVE: CVE-2025-48432
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-06-05 10:43:21 CEST 
CVE-2025-48432 was announced here:
https://www.openwall.com/lists/oss-security/2025/06/04/5

Upstream fix for version 4.2, which may need to be backported for Mageia 9:
https://github.com/django/django/commit/ac03c5e7df8680c61cdb0d3bdb8be9095dba841e
Nicolas Salguero 2025-06-05 10:44:21 CEST

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 5.1.10 and patch available from upstream
CVE: (none) => CVE-2025-48432
Source RPM: (none) => python-django-5.1.9-1.mga10.src.rpm, python-django-4.1.13-1.4.mga9.src.rpm

Comment 1 Nicolas Salguero 2025-06-05 15:45:52 CEST 
Ubuntu has issued an advisory on June 4:
https://ubuntu.com/security/notices/USN-7555-1
Comment 2 Marja Van Waes 2025-06-05 20:38:24 CEST 
Assigning to thr python stack maintainers

Assignee: bugsquad => python
CC: (none) => marja11

Comment 5 Nicolas Salguero 2025-06-24 10:29:49 CEST 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Potential log injection via unescaped request path. (CVE-2025-48432)

References:
https://www.openwall.com/lists/oss-security/2025/06/04/5
https://www.openwall.com/lists/oss-security/2025/06/10/2
https://ubuntu.com/security/notices/USN-7555-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LVFOPDCA45B4XTMYRHQUSJ7JCA56453W/
========================

Updated package in core/updates_testing:
========================
python3-django-4.1.13-1.5.mga9

from SRPM:
python-django-4.1.13-1.5.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Status comment: Fixed upstream in 5.1.10 and patch available from upstream => (none)
Source RPM: python-django-5.1.9-1.mga10.src.rpm, python-django-4.1.13-1.4.mga9.src.rpm => python-django-4.1.13-1.4.mga9.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 9
Assignee: python => qa-bugs

Comment 6 Herman Viaene 2025-06-24 16:10:04 CEST 
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
[tester9@mach3 Documents]$ django-admin startproject mysite
[tester9@mach3 Documents]$ ls
airco/     expat/                   libxml/          rss_4.1_1.rdf  server.js      testcups.pdf       testtransfig.gif  volkstuintjes/
bugs/      firefox.exe              man_nmap_ru.txt  rss_5.3_1.rdf  soup.txt       testpoppler/       testtransfig.pdf  xlst/
dcmtk.txt  Frans-Bruynseelspad.pdf  mysite/          rss_7_1.rdf    soup.txt.gpg   testtexstudio.log  testtransfig.png
django/    httpd.conf               php/             rss_8_1.rdf    soup.txt.orig  testtexstudio.tex  testtransfig.ps
erlang/    libcaptest/              qa/              ruby/          sqlit/         testtransfig.fig   testtransfig.tex
[tester9@mach3 Documents]$ tree mysite
mysite
├── manage.py
└── mysite
    ├── asgi.py
    ├── __init__.py
    ├── settings.py
    ├── urls.py
    └── wsgi.py

2 directories, 6 files
[tester9@mach3 Documents]$ cd mysite/
[tester9@mach3 mysite]$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying auth.0010_alter_group_name_max_length... OK
  Applying auth.0011_update_proxy_permissions... OK
  Applying auth.0012_alter_user_first_name_max_length... OK
  Applying sessions.0001_initial... OK
[tester9@mach3 mysite]$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
June 24, 2025 - 14:07:02
Django version 4.1.13, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

I could visit the page, see its little rocket and links to documentation etc...
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

katnatek 2025-06-24 20:52:57 CEST

Keywords: (none) => advisory
CC: (none) => andrewsfarm

Comment 7 Thomas Andrews 2025-06-25 00:55:24 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2025-06-25 07:32:53 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0193.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.