Reference: https://www.openwall.com/lists/oss-security/2026/03/03/3
CVE-2026-25673 affects Windows.
Source RPM: (none) => python-django-5.2.11-1.mga10.src.rpm, python-django-4.1.13-1.10.mga9.src.rpm
CVE: (none) => CVE-2026-25674
Whiteboard: (none) => MGA9TOO
Summary: python-django new security issues CVE-2026-2567[34] => python-django new security issue CVE-2026-25674
Status comment: (none) => Fixed upstream in 5.2.12 and patch available from upstream
For Cauldron, I asked for a freeze move.
Source RPM: python-django-5.2.11-1.mga10.src.rpm, python-django-4.1.13-1.10.mga9.src.rpm => python-django-4.1.13-1.10.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Potential incorrect permissions on newly created file system objects. (CVE-2026-25674)

References:
https://www.openwall.com/lists/oss-security/2026/03/03/3
========================

Updated package in core/updates_testing:
========================
python3-django-4.1.13-1.11.mga9

from SRPM:
python-django-4.1.13-1.11.mga9.src.rpm
Status comment: Fixed upstream in 5.2.12 and patch available from upstream => (none)
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Keywords: (none) => advisory
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 34348

$ django-admin startproject mysite
$ ls
20250610bekeuring.pdf  erlang/  logging.rb  qt6image.txt  ruby/  tekst.txt  testtransfig.gif
2025.png  expat/  man_nmap_ru.txt  rackapp.rb  server.js  testbotancrypt.txt  testtransfig.pdf
airco/  firefox.exe  mysite/  redistutorial  solv.txt  testbotan.txt  testtransfig.png
bookmarks-2025-11-13.json  Frans-Bruynseelspad.pdf  mysite.zip  result  solvtxt  testcups.pdf  testtransfig.ps
bookmarks.html  function.rb  nodejs/  rexml_test.rb  soup.txt  testfile  testtransfig.tex
bugs/  hello.pir  nss.txt  rss_4.1_1.rdf  soup.txt.gpg  testpoppler/  testwget2.html
dcmtk.txt  httpd.conf  php/  rss_5.3_1.rdf  soup.txt.orig  testtexstudio.log  volkstuintjes/
donderdag.html  libcaptest/  pyasn1.txt  rss_7_1.rdf  sqlit/  testtexstudio.tex  vpx.txt
donderdag.html.1  libxml/  qa/  rss_8_1.rdf  swordtest*  testtransfig.fig  xlst/
$ tree mysite
mysite
├── manage.py
└── mysite
    ├── asgi.py
    ├── __init__.py
    ├── settings.py
    ├── urls.py
    └── wsgi.py

2 directories, 6 files
$ cd mysite/
$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying auth.0010_alter_group_name_max_length... OK
  Applying auth.0011_update_proxy_permissions... OK
  Applying auth.0012_alter_user_first_name_max_length... OK
  Applying sessions.0001_initial... OK
[tester9@mach3 mysite]$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
March 05, 2026 - 14:54:24
Django version 4.1.13, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

I could visit the page, see its little rocket and links to documentation etc... and get the feedback:
[05/Mar/2026 14:55:15] "GET / HTTP/1.1" 200 10681
[05/Mar/2026 14:55:15] "GET /static/admin/css/fonts.css HTTP/1.1" 200 423
[05/Mar/2026 14:55:16] "GET /static/admin/fonts/Roboto-Bold-webfont.woff HTTP/1.1" 200 86184
[05/Mar/2026 14:55:16] "GET /static/admin/fonts/Roboto-Regular-webfont.woff HTTP/1.1" 200 85876
[05/Mar/2026 14:55:16] "GET /static/admin/fonts/Roboto-Light-webfont.woff HTTP/1.1" 200 85692

Looks OK.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
Flags: (none) => test_passed_mga9_64+
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2026-0050.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED