CVE-2025-57833 was announced here:
https://www.openwall.com/lists/oss-security/2025/09/03/3

For Mageia 9, the patch, which may need to be backported, is:
https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 5.1.12 and patch available from upstream
CVE: (none) => CVE-2025-57833
Source RPM: (none) => python-django-5.1.11-1.mga10.src.rpm, python-django-4.1.13-1.5.mga9.src.rpm

Suggested advisory:
========================

The updated package fixes a security vulnerability:

Potential SQL injection in FilteredRelation column aliases. (CVE-2025-57833)

References:
https://www.openwall.com/lists/oss-security/2025/09/03/3
========================

Updated package in core/updates_testing:
========================
python3-django-4.1.13-1.6.mga9

from SRPM:
python-django-4.1.13-1.6.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Source RPM: python-django-5.1.11-1.mga10.src.rpm, python-django-4.1.13-1.5.mga9.src.rpm => python-django-4.1.13-1.5.mga9.src.rpm
Status comment: Fixed upstream in 5.1.12 and patch available from upstream => (none)
Version: Cauldron => 9
Assignee: bugsquad => qa-bugs
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 34348

$ django-admin startproject mysite
$ ls
airco/ firefox.exe man_nmap_ru.txt qt6image.txt rss_8_1.rdf soup.txt.orig testtexstudio.tex testtransfig.ps
bugs/ Frans-Bruynseelspad.pdf mysite/ redistutorial ruby/ sqlit/ testtransfig.fig testtransfig.tex
dcmtk.txt httpd.conf nss.txt rss_4.1_1.rdf server.js testcups.pdf testtransfig.gif volkstuintjes/
erlang/ libcaptest/ php/ rss_5.3_1.rdf soup.txt testpoppler/ testtransfig.pdf xlst/
expat/ libxml/ qa/ rss_7_1.rdf soup.txt.gpg testtexstudio.log testtransfig.png
$ tree mysite
mysite
├── manage.py
└── mysite
    ├── asgi.py
    ├── __init__.py
    ├── settings.py
    ├── urls.py
    └── wsgi.py

2 directories, 6 files
$ cd mysite/
$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying auth.0010_alter_group_name_max_length... OK
  Applying auth.0011_update_proxy_permissions... OK
  Applying auth.0012_alter_user_first_name_max_length... OK
  Applying sessions.0001_initial... OK
[tester9@mach3 mysite]$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
September 05, 2025 - 09:03:18
Django version 4.1.13, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

I could visit the page, see its little rocket and links to documentation etc...
OK for me, good to go.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0229.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED