Bug 34645 - python-django new security issues CVE-2025-5968[12]
Summary: python-django new security issues CVE-2025-5968[12]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-10-07 16:22 CEST by Nicolas Salguero
Modified: 2025-10-22 22:08 CEST (History)
CC List: 4 users

See Also:
Source RPM: python-django-4.1.13-1.6.mga9.src.rpm
CVE: CVE-2025-59681, CVE-2025-59682
Status comment:



Nicolas Salguero 2025-10-07 16:22:56 CEST

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 5.1.13
CVE: (none) => CVE-2025-59681, CVE-2025-59682
Source RPM: (none) => python-django-5.1.12-1.mga10.src.rpm, python-django-4.1.13-1.6.mga9.src.rpm

Comment 1 Marja Van Waes 2025-10-07 19:25:30 CEST
Assigning to the Python Stack maintainers

Assignee: bugsquad => python
CC: (none) => marja11

Comment 2 Nicolas Salguero 2025-10-17 15:31:54 CEST
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB). (CVE-2025-59681)

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. (CVE-2025-59682)

References:
https://www.openwall.com/lists/oss-security/2025/10/01/3
========================

Updated package in core/updates_testing:
========================
python3-django-4.1.13-1.7.mga9

from SRPM:
python-django-4.1.13-1.7.mga9.src.rpm

Status: NEW => ASSIGNED
Status comment: Fixed upstream in 5.1.13 => (none)
Whiteboard: MGA9TOO => (none)
Source RPM: python-django-5.1.12-1.mga10.src.rpm, python-django-4.1.13-1.6.mga9.src.rpm => python-django-4.1.13-1.6.mga9.src.rpm
Version: Cauldron => 9
Assignee: python => qa-bugs
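The two issues in the suggested advisory above reduce to two input guards: keys of a dictionary expanded as **kwargs into annotate()/alias()/aggregate()/extra() become SQL column aliases, and an archive member whose destination merely shares a string prefix with the target directory slips past a naive startswith() check. The block below is an added example, not Django's own validation and not the Mageia patch; the function names, the identifier regex and the sample paths are this example's choices. It contrasts the flawed prefix comparison with a component-wise check, and applies an allow-list to alias keys before they are expanded.

```python
"""Illustrative input guards for the two issues in the advisory (added example,
not Django's code). Sample paths and dictionaries below are constructed."""
import os
import re


# --- Directory traversal via a common prefix (CVE-2025-59682 style) ---

def _destination(target_dir: str, member_path: str) -> tuple[str, str]:
    """Resolve where an archive member named member_path would land under target_dir."""
    target_abs = os.path.abspath(target_dir)
    dest_abs = os.path.abspath(os.path.join(target_abs, member_path))
    return target_abs, dest_abs


def naive_prefix_check(target_dir: str, member_path: str) -> bool:
    """The flawed check: a plain string prefix test.

    It accepts /tmp/proj_evil/x as "inside" /tmp/proj because the strings share
    the prefix "/tmp/proj"; this is the common-prefix weakness the advisory names.
    Kept only to contrast with is_within_directory().
    """
    target_abs, dest_abs = _destination(target_dir, member_path)
    return dest_abs.startswith(target_abs)


def is_within_directory(target_dir: str, member_path: str) -> bool:
    """Component-wise check: True only if the member resolves inside target_dir.

    os.path.commonpath compares whole path components, so /tmp/proj_evil/x and
    /tmp/proj share only /tmp and the member is rejected. Absolute member names
    and ../ escapes are rejected the same way.
    """
    target_abs, dest_abs = _destination(target_dir, member_path)
    try:
        return os.path.commonpath([target_abs, dest_abs]) == target_abs
    except ValueError:
        # Raised for paths on different drives (Windows) or mixed absolute/relative input
        return False


def filter_members(target_dir: str, member_names: list[str]) -> tuple[list[str], list[str]]:
    """Split archive member names into (accepted, rejected) with the safe check."""
    accepted, rejected = [], []
    for name in member_names:
        (accepted if is_within_directory(target_dir, name) else rejected).append(name)
    return accepted, rejected


# --- Column-alias names reaching the SQL layer (CVE-2025-59681 style) ---

# Allow-list chosen for this example: a plain Python/SQL identifier. Anything
# carrying whitespace, quotes, semicolons, comment markers or other punctuation
# is refused before it can be expanded into a QuerySet call as **kwargs.
_ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_alias_names(annotations: dict) -> dict:
    """Return the dict unchanged if every key is a plain identifier, else raise ValueError."""
    bad = [k for k in annotations if not isinstance(k, str) or not _ALIAS_RE.fullmatch(k)]
    if bad:
        raise ValueError(f"disallowed column alias name(s): {bad!r}")
    return annotations


if __name__ == "__main__":
    # Constructed sample: a sibling directory that shares a prefix with the target.
    target = "/tmp/proj"
    for member in ["sub/file.py", "../proj_evil/x", "../../etc/passwd", "/etc/passwd"]:
        print(f"{member:20} naive={naive_prefix_check(target, member)!s:5} "
              f"safe={is_within_directory(target, member)}")
    print(filter_members(target, ["a.py", "../proj_evil/x"]))

    # Constructed sample: keys as they might arrive from a request dict.
    print(validate_alias_names({"total": 1, "avg_price": 2}))
    try:
        validate_alias_names({"total; --": 1})
    except ValueError as exc:
        print("rejected:", exc)
```

The naive function is present only to make the difference visible on the sibling-directory case; a defender reviewing extraction code should look for any startswith()-style containment test and replace it with a component-wise one. For the alias guard, validate the keys of any request-derived mapping before it is dictionary-expanded into a QuerySet method, rather than relying on the database driver's quoting.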

katnatek 2025-10-17 22:08:50 CEST

Keywords: (none) => advisory

Comment 3 Herman Viaene 2025-10-20 11:28:09 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 34612
$ django-admin startproject mysite

$ ls
airco/     firefox.exe              libxml/          qa/            rss_7_1.rdf  soup.txt.gpg   testpoppler/       testtransfig.pdf  xlst/
bugs/      Frans-Bruynseelspad.pdf  man_nmap_ru.txt  qt6image.txt   rss_8_1.rdf  soup.txt.orig  testtexstudio.log  testtransfig.png
dcmtk.txt  hello.pir                mysite/          redistutorial  ruby/        sqlit/         testtexstudio.tex  testtransfig.ps
erlang/    httpd.conf               nss.txt          rss_4.1_1.rdf  server.js    swordtest*     testtransfig.fig   testtransfig.tex
expat/     libcaptest/              php/             rss_5.3_1.rdf  soup.txt     testcups.pdf   testtransfig.gif   volkstuintjes/

$ tree mysite
mysite
├── manage.py
└── mysite
    ├── asgi.py
    ├── __init__.py
    ├── settings.py
    ├── urls.py
    └── wsgi.py

2 directories, 6 files
[tester9@mach3 Documents]$ cd mysite/

$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying auth.0010_alter_group_name_max_length... OK
  Applying auth.0011_update_proxy_permissions... OK
  Applying auth.0012_alter_user_first_name_max_length... OK
  Applying sessions.0001_initial... OK
[tester9@mach3 mysite]$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
October 20, 2025 - 09:18:41
Django version 4.1.13, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
Pointing to http://127.0.0.1:8000/ gives feedback
[20/Oct/2025 09:18:53] "GET / HTTP/1.1" 200 10681
[20/Oct/2025 09:18:53] "GET /static/admin/css/fonts.css HTTP/1.1" 200 423
[20/Oct/2025 09:18:54] "GET /static/admin/fonts/Roboto-Bold-webfont.woff HTTP/1.1" 200 86184
[20/Oct/2025 09:18:54] "GET /static/admin/fonts/Roboto-Regular-webfont.woff HTTP/1.1" 200 85876
[20/Oct/2025 09:18:54] "GET /static/admin/fonts/Roboto-Light-webfont.woff HTTP/1.1" 200 85692
And I could visit the page, see its little rocket and links to documentation etc...

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2025-10-21 02:22:10 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2025-10-22 22:08:30 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0243.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

