Package | python-django
---|---
Version | 1:1.10.7-2+deb9u27 (stretch), 1:1.11.29-1+deb10u16 (buster)
Related CVEs | CVE-2025-59681 CVE-2025-59682
It was discovered that there were two vulnerabilities in Django, a popular web development framework:

- CVE-2025-59681: Fix a potential SQL injection in `QuerySet.annotate()`, `alias()`, `aggregate()` and `extra()`. These methods were subject to SQL injection in column aliases: a suitably crafted dictionary, expanded with `**kwargs` into a call to one of these methods, could smuggle SQL through the alias name on MySQL and MariaDB.

- CVE-2025-59682: Fix a potential partial directory-traversal vulnerability in `archive.extract()`. This function, used by `startapp --template` and `startproject --template`, allowed partial directory traversal via an archive whose member paths resolve to a location that merely shares a common string prefix with the target directory (for example a sibling directory whose name begins with the target directory's name).
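The two patterns behind these CVEs, as an added example that is not code from Django or from this advisory. The first part covers CVE-2025-59681: an alias validator that refuses anything but a bare identifier before a request-controlled dictionary is expanded into `annotate()`/`alias()`/`aggregate()`/`extra()`. The second part covers CVE-2025-59682: a `startswith()`-based target check of the kind that permits partial traversal, beside a component-wise check that does not. The function names, the `/tmp/proj` paths and the use of `ValueError` are assumptions made for the example; the regex is this example's own hardening, not Django's validation code.

```python
import os
import re

# --- CVE-2025-59681: column aliases taken from **kwargs ---------------------
# annotate()/alias()/aggregate()/extra() turn each keyword name into a column
# alias in the generated SQL. If the keyword dict is built from request data
# and expanded with **kwargs, the caller chooses the alias text. This regex is
# the example's own rule (an assumption, not Django's): only plain identifiers
# pass, so quotes, whitespace, comment markers, semicolons and '%' never reach
# the MySQL/MariaDB driver, which formats parameters with '%'.
_ALIAS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def safe_aliases(user_kwargs):
    """Return a copy of user_kwargs if every key is a bare identifier.

    Raises ValueError on the first crafted key so that
    qs.annotate(**safe_aliases(user_kwargs)) is never reached with an
    attacker-chosen alias.
    """
    for alias in user_kwargs:
        if not isinstance(alias, str) or not _ALIAS_RE.match(alias):
            raise ValueError(f"invalid column alias: {alias!r}")
    return dict(user_kwargs)


# --- CVE-2025-59682: partial directory traversal in archive extraction -------
def vulnerable_target_filename(to_path, name):
    """Prefix check that allows partial traversal (the pattern being fixed).

    '/tmp/proj' is a string prefix of '/tmp/proj_evil/x', so an archive
    member named '../proj_evil/x' extracted into '/tmp/proj' passes.
    """
    target_path = os.path.abspath(to_path)
    filename = os.path.abspath(os.path.join(target_path, name))
    if not filename.startswith(target_path):
        raise ValueError(f"Archive contains invalid path: {name!r}")
    return filename


def hardened_target_filename(to_path, name):
    """Compare path components rather than string prefixes.

    os.path.commonpath() only returns target_path when filename lies inside
    it (or is it), so a sibling directory sharing the prefix is rejected.
    """
    target_path = os.path.abspath(to_path)
    filename = os.path.abspath(os.path.join(target_path, name))
    if os.path.commonpath([target_path, filename]) != target_path:
        raise ValueError(f"Archive contains invalid path: {name!r}")
    return filename


def partial_traversal_accepted(to_path, name):
    """True when the vulnerable check accepts a member the hardened one rejects."""
    try:
        vulnerable_target_filename(to_path, name)
    except ValueError:
        return False
    try:
        hardened_target_filename(to_path, name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one honest alias dict, one crafted key, and an
    # archive member name that escapes into a sibling of the target directory.
    print(safe_aliases({"total": "Sum('price')"}))
    for bad in ({"x%s": 1}, {'a" OR 1=1 --': 1}):
        try:
            safe_aliases(bad)
        except ValueError as exc:
            print("rejected:", exc)
    print(partial_traversal_accepted("/tmp/proj", "../proj_evil/x"))  # True
```

The alias check is deliberately stricter than any blacklist: rather than enumerating dangerous characters, it only lets through what a column alias legitimately is. For the traversal check, appending a path separator to the target before `startswith()` would also close the hole, but `os.path.commonpath()` states the intent directly and handles the case where the member resolves to the target directory itself.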
For Debian 10 buster, these problems have been fixed in version 1:1.11.29-1+deb10u16.
For Debian 9 stretch, these problems have been fixed in version 1:1.10.7-2+deb9u27.
We recommend that you upgrade your python-django packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.