Bug 35103 - python-django new security issues CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-128[57] and CVE-2026-1312
Summary: python-django new security issues CVE-2025-13473, CVE-2025-14550, CVE-2026-12...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-02-04 16:23 CET by Nicolas Salguero
Modified: 2026-02-06 06:12 CET
CC List: 4 users

See Also:
Source RPM: python-django-4.1.13-1.9.mga9.src.rpm
CVE: CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287, CVE-2026-1312
Status comment:
herman.viaene: test_passed_mga9_64+


Description Nicolas Salguero 2026-02-04 16:23:44 CET
Ubuntu has issued an advisory on February 3:
https://ubuntu.com/security/notices/USN-8009-1
Comment 1 Nicolas Salguero 2026-02-04 16:28:22 CET
CVE-2025-13473 fixed by: https://github.com/django/django/commit/6dc23508f3395e1254c315084c7334ef81c4c09a
CVE-2025-14550 fixed by: https://github.com/django/django/commit/f578acc8c54530fffabd52d2db654c8669b011af
CVE-2026-1207 fixed by: https://github.com/django/django/commit/a14363102d98fa29b8cced578eb3a0fadaa5bcb7
CVE-2026-1285 fixed by: https://github.com/django/django/commit/b40cfc6052ced26dcd8166a58ea6f841d0d2cac8
CVE-2026-1287 fixed by: https://github.com/django/django/commit/f75f8f3597e1ce351d5ac08b6ba7ebd9dadd9b5d
CVE-2026-1312 fixed by: https://github.com/django/django/commit/90f5b10784ba5bf369caed87640e2b4394ea3314

Status comment: (none) => Fixed upstream in 5.2.11 and patches available from Ubuntu and upstream
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => python-django-5.2.9-1.mga10.src.rpm, python-django-4.1.13-1.9.mga9.src.rpm
CVE: (none) => CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287, CVE-2026-1312

Comment 2 Lewis Smith 2026-02-04 19:36:19 CET
Assigning back to you, Nicolas, as it seems that you have done all python-django updates for the past year. Re-assign to Python if you prefer.

Assignee: bugsquad => nicolas.salguero

Comment 3 Nicolas Salguero 2026-02-05 10:02:59 CET
For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Username enumeration through timing difference in mod_wsgi authentication handler. (CVE-2025-13473)

Potential denial-of-service vulnerability via repeated headers when using ASGI. (CVE-2025-14550)

Potential SQL injection via raster lookups on PostGIS. (CVE-2026-1207)

Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods. (CVE-2026-1285)

Potential SQL injection in column aliases via control characters. (CVE-2026-1287)

Potential SQL injection via QuerySet.order_by and FilteredRelation. (CVE-2026-1312)

References:
https://ubuntu.com/security/notices/USN-8009-1
========================

Updated package in core/updates_testing:
========================
python3-django-4.1.13-1.10.mga9

from SRPM:
python-django-4.1.13-1.10.mga9.src.rpm

Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA9TOO => (none)
Source RPM: python-django-5.2.9-1.mga10.src.rpm, python-django-4.1.13-1.9.mga9.src.rpm => python-django-4.1.13-1.9.mga9.src.rpm
Status comment: Fixed upstream in 5.2.11 and patches available from Ubuntu and upstream => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED

Comment 4 Herman Viaene 2026-02-05 16:27:40 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 34348
$ django-admin startproject mysite
$ ls
20250610bekeuring.pdf      erlang/                  logging.rb       qt6image.txt   ruby/               testbotan.txt      testtransfig.png
2025.png                   expat/                   man_nmap_ru.txt  rackapp.rb     server.js           testcups.pdf       testtransfig.ps
airco/                     firefox.exe              mysite/
and some more....

$ tree mysite
mysite
├── manage.py
└── mysite
    ├── asgi.py
    ├── __init__.py
    ├── settings.py
    ├── urls.py
    └── wsgi.py

2 directories, 6 files
$ cd mysite/
$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying auth.0010_alter_group_name_max_length... OK
  Applying auth.0011_update_proxy_permissions... OK
  Applying auth.0012_alter_user_first_name_max_length... OK
  Applying sessions.0001_initial... OK
$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
February 05, 2026 - 15:21:52
Django version 4.1.13, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

I could visit the page, see its little rocket and links to documentation etc... and get the feedback:
[05/Feb/2026 15:22:18] "GET / HTTP/1.1" 200 10681
[05/Feb/2026 15:22:19] "GET /static/admin/css/fonts.css HTTP/1.1" 200 423
Not Found: /favicon.ico
[05/Feb/2026 15:22:19] "GET /favicon.ico HTTP/1.1" 404 2110
[05/Feb/2026 15:22:19] "GET /static/admin/fonts/Roboto-Bold-webfont.woff HTTP/1.1" 200 86184
[05/Feb/2026 15:22:19] "GET /static/admin/fonts/Roboto-Regular-webfont.woff HTTP/1.1" 200 85876
[05/Feb/2026 15:22:20] "GET /static/admin/fonts/Roboto-Light-webfont.woff HTTP/1.1" 200 85692
Looks OK to me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

Comment 5 Len Lawrence 2026-02-05 17:18:23 CET
Mid-air collision there.  Ah well!
Mageia9 x86_64
Before update:
$ rpm -qa | grep django
python3-django-4.1.13-1.9.mga9
$ django-admin startproject mysite
$ tree mysite
mysite
├── manage.py
└── mysite
    ├── asgi.py
    ├── __init__.py
    ├── settings.py
    ├── urls.py
    └── wsgi.py
    
After update:
Checked for documentation:-
$ cd /usr/share/doc/python3-django/html/topics/
$ ls
async.html                        files.html       performance.html
auth/                             forms/           security.html
cache.html                        http/            serialization.html
checks.html                       i18n/            settings.html
class-based-views/                index.html       signals.html
conditional-view-processing.html  install.html     signing.html
db/                               logging.html     templates.html
email.html                        migrations.html  testing/
external-packages.html            pagination.html

Had a look at one of these in a browser:
$ firefox /usr/share/doc/python3-django/html/topics/checks.html
This presented a web page outlining Django 4.1.13 documentation and includes a search field.

Removed mysite, then:
$ django-admin startproject mysite
$ ls mysite
manage.py*  mysite/
$ cd mysite/mysite
$ ls
asgi.py  __init__.py  settings.py  urls.py  wsgi.py
$ head settings.py
"""
Django settings for mysite project.

Generated by 'django-admin startproject' using Django 4.1.13.

For more information on this file, see
https://docs.djangoproject.com/en/4.1/topics/settings/

For the full list of settings and their values, see
https://docs.djangoproject.com/en/4.1/ref/settings/

asgi.py has something to do with deploying asynchronous web servers.
That is as far as it goes, since I have no idea about developing Python projects.
The base components seem to be in place.

CC: (none) => tarazed25

Comment 6 Thomas Andrews 2026-02-05 17:21:25 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

katnatek 2026-02-05 22:42:20 CET

Keywords: (none) => advisory

Comment 7 Mageia Robot 2026-02-06 06:12:42 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0032.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
