| Package | python-django |
|---|---|
| Version | 1:1.10.7-2+deb9u27 (stretch), 1:1.11.29-1+deb10u16 (buster) |
| Related CVEs | CVE-2025-59681 CVE-2025-59682 |
It was discovered that there were two vulnerabilities in Django, a popular web development framework:

- CVE-2025-59681: Fix a potential SQL injection in `QuerySet.annotate()`, `alias()`, `aggregate()` and `extra()`. These methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, via dictionary expansion as the `**kwargs` passed to these methods, on MySQL and MariaDB.

- CVE-2025-59682: Fix a potential partial directory-traversal vulnerability in `archive.extract()`. This function, used by `startapp --template` and `startproject --template`, allowed partial directory traversal via an archive whose file paths share a common prefix with the target directory.
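The two bugs above have the same shape as checks application code often gets wrong, so here is an added example (written for this page, not Debian's or Django's code) that shows both in plain Python without Django installed: a character-wise prefix test that accepts `/tmp/proj2/...` for target `/tmp/proj` beside the component-wise containment test that rejects it, and a guard for the case where client-supplied keys are about to be splatted into `annotate(**kwargs)`. All function names, the sample archive member names and the sample alias names are constructed for illustration; the real remedy is the package upgrade, and the alias guard is defence in depth on top of it.

```python
"""Added example, not part of the advisory or of Django.

Both checks are self-contained (posixpath/re only) so they run offline.
Names such as naive_is_within, is_within, safe_members, is_safe_alias and
validate_aliases are hypothetical helpers, not Django APIs.
"""
import posixpath
import re

# ---- CVE-2025-59682 shape: "partial" traversal via a shared prefix ----

def _resolve(target_dir, member):
    """Normalise target and the member path as extracted under it.
    target_dir is assumed absolute (POSIX) so commonpath below is well-defined."""
    if not posixpath.isabs(target_dir):
        raise ValueError("target_dir must be absolute")
    target = posixpath.normpath(target_dir)
    resolved = posixpath.normpath(posixpath.join(target, member))
    return target, resolved

def naive_is_within(target_dir, member):
    """The flawed check: a string prefix test. For target /tmp/proj the
    member ../proj2/evil.py resolves to /tmp/proj2/evil.py, which starts
    with the characters "/tmp/proj" and is therefore wrongly accepted."""
    target, resolved = _resolve(target_dir, member)
    return resolved.startswith(target)

def is_within(target_dir, member):
    """Component-wise containment: the longest common path of the target
    and the resolved member must be the target itself. /tmp/proj2/evil.py
    and /tmp/proj share only /tmp, so it is rejected."""
    target, resolved = _resolve(target_dir, member)
    return posixpath.commonpath([target, resolved]) == target

def safe_members(target_dir, members):
    """Filter an archive's member names down to the ones inside target_dir.
    Absolute members and ../ escapes (partial or full) are dropped."""
    return [m for m in members if is_within(target_dir, m)]

# ---- CVE-2025-59681 shape: client-controlled keys reaching annotate(**kwargs) ----

# A column alias is allowed to be a plain identifier and nothing else.
# This is deliberately stricter than Django's own alias check (which only
# forbids characters such as whitespace, quotes, semicolons and comment
# markers) because an allowlist is easier to reason about than a denylist.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def is_safe_alias(name):
    """True only for names that can never close or escape a quoted alias."""
    return _IDENT.fullmatch(name) is not None

def validate_aliases(user_keys, allowed):
    """Map client-supplied alias names (e.g. the keys of request.GET) to the
    expressions the view is willing to compute under those names.

    `allowed` is a dict alias -> expression; the values here are plain
    strings standing in for Django expressions such as Count("tags").
    Anything that is not an identifier or not on the allowlist is refused,
    so the result can be splatted into annotate()/alias()/aggregate()/extra().
    """
    out = {}
    for alias in user_keys:
        if not is_safe_alias(alias):
            raise ValueError(f"refusing non-identifier alias {alias!r}")
        if alias not in allowed:
            raise ValueError(f"alias {alias!r} is not on the allowlist")
        out[alias] = allowed[alias]
    return out

if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    target = "/tmp/proj"
    members = ["app/__init__.py", "../proj2/evil.py", "../../etc/passwd", "/etc/passwd"]
    for m in members:
        print(f"{m!r:24} naive={naive_is_within(target, m)!s:5} correct={is_within(target, m)}")
    print(validate_aliases(["total"], {"total": 'Count("tags")'}))
```

The traversal half is the one to remember: `startswith` on a normalised path is still a prefix test on characters, so it admits any sibling directory whose name begins with the target's name. Comparing with `os.path.commonpath` (or appending a trailing separator before the prefix test) compares path components instead.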
For Debian 10 buster, these problems have been fixed in version 1:1.11.29-1+deb10u16.
For Debian 9 stretch, these problems have been fixed in version 1:1.10.7-2+deb9u27.
We recommend that you upgrade your python-django packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.