Bug 34727 - python-django new security issues CVE-2025-64459
Summary: python-django new security issues CVE-2025-64459
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2025-11-06 14:59 CET by Nicolas Salguero
Modified: 2025-11-15 08:14 CET (History)

See Also:
Source RPM: python-django-4.1.13-1.7.mga9.src.rpm
CVE: CVE-2025-64459
Status comment:



Nicolas Salguero 2025-11-06 15:00:05 CET

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-64458, CVE-2025-64459
Source RPM: (none) => python-django-5.2.7-1.mga10.src.rpm, python-django-4.1.13-1.7.mga9.src.rpm

Comment 1 Nicolas Salguero 2025-11-06 15:31:54 CET
CVE-2025-64458 only affects Windows.

Suggested advisory:
========================

The updated package fixes a security vulnerability:

Potential SQL injection via ``_connector`` keyword argument in ``QuerySet`` and ``Q`` objects. (CVE-2025-64459)

References:
https://www.openwall.com/lists/oss-security/2025/11/05/12
========================

Updated package in core/updates_testing:
========================
python3-django-4.1.13-1.8.mga9

from SRPM:
python-django-4.1.13-1.8.mga9.src.rpm

Summary: python-django new security issues CVE-2025-6445[89] => python-django new security issues CVE-2025-64459
CVE: CVE-2025-64458, CVE-2025-64459 => CVE-2025-64459
Status: NEW => ASSIGNED
Source RPM: python-django-5.2.7-1.mga10.src.rpm, python-django-4.1.13-1.7.mga9.src.rpm => python-django-4.1.13-1.7.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 9
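The advisory line above is the only description of the flaw on this page. As an added illustration (written for this page, not code from the bug report, from Mageia or from Django), the following stand-alone Python shows the defence-in-depth check an application can apply before expanding an untrusted dictionary into `QuerySet.filter(**kwargs)` or `Q(**kwargs)`: the private `_connector` keyword the CVE concerns (and its sibling `_negated`) is rejected, as is any lookup not on an application allowlist. The allowlist, field names and sample request data are constructed for the example, and Django itself is not imported, so the block runs anywhere.

```python
"""Allowlist untrusted **kwargs before they reach Django's filter()/Q().
Example code for this page; not part of Django or of the Mageia package."""
import re

# Q() and QuerySet.filter() accept private keyword arguments such as
# _connector and _negated (CVE-2025-64459 concerns _connector). Request
# data must never be allowed to choose them; the fixed package stops the
# injection in Django, this check stops the bad input from arriving at all.
PRIVATE_KWARGS = frozenset({"_connector", "_negated"})

# Constructed allowlist of "field__lookup" keys a hypothetical article
# search view is willing to filter on. Anything else is refused.
ALLOWED_LOOKUPS = frozenset({
    "title__icontains",
    "author__username",
    "published__gte",
    "published__lte",
})

# Shape of a legitimate lookup key: identifiers joined by "__", and the
# first character is a letter, so underscore-prefixed keys never match.
_LOOKUP_KEY = re.compile(r"^[a-z][a-z0-9_]*(__[a-z][a-z0-9_]*)*$")


class UnsafeFilterKey(ValueError):
    """Raised when request data tries to drive a non-allowlisted kwarg."""


def safe_filter_kwargs(untrusted: dict, allowed=ALLOWED_LOOKUPS) -> dict:
    """Return only allowlisted (key, value) pairs from *untrusted*.

    Raising instead of silently dropping keys makes an abuse attempt
    visible in application logs rather than quietly normalising it away.
    Typical use: Article.objects.filter(**safe_filter_kwargs(request.GET.dict()))
    """
    clean = {}
    for key, value in untrusted.items():
        if key in PRIVATE_KWARGS or key.startswith("_"):
            raise UnsafeFilterKey(f"private keyword argument refused: {key!r}")
        if not _LOOKUP_KEY.match(key) or key not in allowed:
            raise UnsafeFilterKey(f"lookup not on allowlist: {key!r}")
        clean[key] = value
    return clean


def is_rejected(untrusted: dict) -> bool:
    """True if *untrusted* would be refused; convenient for tests and logging."""
    try:
        safe_filter_kwargs(untrusted)
    except UnsafeFilterKey:
        return True
    return False
```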

katnatek 2025-11-06 23:48:49 CET

Keywords: (none) => advisory

Comment 2 katnatek 2025-11-07 00:04:03 CET
installing //home/katnatek/qa-testing/x86_64/python3-django-4.1.13-1.8.mga9.noarch.rpm
/var/cache/urpmi/rpms/python3-sqlparse-0.4.4-1.1.mga9.noarch.rpm
/var/cache/urpmi/rpms/python3-asgiref-3.6.0-1.mga9.noarch.rpm
Preparing...                     ####################################################################################################
      1/3: python3-asgiref       ####################################################################################################
      2/3: python3-sqlparse      ####################################################################################################
      3/3: python3-django        ####################################################################################################

As regular user
Ref bug 34612

django-admin startproject mysite

tree mysite
mysite
├── manage.py
└── mysite
    ├── asgi.py
    ├── __init__.py
    ├── settings.py
    ├── urls.py
    └── wsgi.py

cd mysite
python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying auth.0010_alter_group_name_max_length... OK
  Applying auth.0011_update_proxy_permissions... OK
  Applying auth.0012_alter_user_first_name_max_length... OK
  Applying sessions.0001_initial... OK

python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
November 06, 2025 - 23:01:14
Django version 4.1.13, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[06/Nov/2025 23:01:29] "GET / HTTP/1.1" 200 10681
[06/Nov/2025 23:01:29] "GET /static/admin/css/fonts.css HTTP/1.1" 200 423
Not Found: /favicon.ico
[06/Nov/2025 23:01:30] "GET /favicon.ico HTTP/1.1" 404 2110

The warning about favicon.ico does not look good; all other things work.

Keywords: (none) => feedback

Comment 3 Len Lawrence 2025-11-14 01:53:10 CET
Cannot remember the contexts but the favicon icon missing message has been seen several times in the past and we have chosen to ignore it, without any ill effects (AFAICR).

CC: (none) => tarazed25

Comment 4 katnatek 2025-11-14 01:55:51 CET
(In reply to Len Lawrence from comment #3)
> Cannot remember the contexts but the favicon icon missing message has been
> seen several times in the past and we have chosen to ignore it, without any
> ill effects (AFAICR).

I will trust your wisdom, thank you.

Whiteboard: (none) => MGA9-64-OK
Keywords: feedback => (none)

Comment 5 Len Lawrence 2025-11-14 01:59:15 CET
More on that:
https://www.favicon.cc
favicon.cc is a tool to create or download favicon.ico icons, that get displayed in the address bar of every browser.

Comment 6 Thomas Andrews 2025-11-15 03:02:25 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2025-11-15 08:14:51 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0292.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

