[ubuntu/noble-security] python-django 3:4.2.11-1ubuntu1.15 (Accepted)
Hlib Korzhynskyy
hlib.korzhynskyy at canonical.com
Tue Apr 7 20:10:23 UTC 2026
python-django (3:4.2.11-1ubuntu1.15) noble-security; urgency=medium

  * SECURITY UPDATE: Potential denial-of-service vulnerability in
    MultiPartParser via base64-encoded file upload
    - debian/patches/CVE-2026-33033.patch: mitigate potential DoS in
      MultiPartParser in django/http/multipartparser.py,
      tests/requests_tests/tests.py.
    - CVE-2026-33033
  * SECURITY UPDATE: Potential denial-of-service vulnerability in ASGI
    requests via memory upload limit bypass
    - debian/patches/CVE-2026-33034.patch: enforce
      DATA_UPLOAD_MAX_MEMORY_SIZE on body size in ASGI requests in
      django/http/request.py, tests/asgi/tests.py.
    - CVE-2026-33034
  * SECURITY UPDATE: ASGI header spoofing via underscore/hyphen conflation
    - debian/patches/CVE-2026-3902.patch: ignore headers with underscores
      in ASGIRequest in django/core/handlers/asgi.py,
      django/test/client.py, tests/asgi/tests.py.
    - CVE-2026-3902
  * SECURITY UPDATE: Privilege abuse in GenericInlineModelAdmin
    - debian/patches/CVE-2026-4277.patch: Check add permissions in
      GenericInlineModelAdmin in django/contrib/contenttypes/admin.py,
      tests/generic_inline_admin/tests.py.
    - CVE-2026-4277
  * SECURITY UPDATE: Privilege abuse in ModelAdmin.list_editable
    - debian/patches/CVE-2026-4292.patch: Disallow instance creation via
      ModelAdmin.list_editable in django/contrib/admin/options.py,
      tests/admin_views/admin.py, tests/admin_views/tests.py.
    - CVE-2026-4292
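The underscore/hyphen conflation behind the CVE-2026-3902 entry, as an added example rather than the Ubuntu patch or Django's own code: it mimics how a WSGI-style META dict is derived from ASGI scope headers, shows the collision the mitigation removes, and adds a small detection helper. The sample header names and values are constructed assumptions.

```python
"""Underscore/hyphen header conflation (the CVE-2026-3902 entry above).
Added illustration, not Django's code: it mimics how a WSGI-style META dict
is derived from ASGI scope headers and shows why names with '_' are dropped."""
from typing import Dict, Iterable, List, Set, Tuple

Header = Tuple[bytes, bytes]


def meta_key(name: str) -> str:
    """CGI-style META key: 'HTTP_' prefix, upper-case, '-' replaced by '_'."""
    return "HTTP_%s" % name.upper().replace("-", "_")


def build_meta(headers: Iterable[Header], ignore_underscores: bool) -> Dict[str, str]:
    """Build META from raw ASGI headers ([name, value] byte pairs).

    ignore_underscores=False: 'x-forwarded-for' and 'x_forwarded_for' both
    land on HTTP_X_FORWARDED_FOR, so whichever header comes last wins.
    ignore_underscores=True: names containing '_' are skipped (the mitigation
    the changelog describes), so only the hyphenated name reaches META.
    """
    meta: Dict[str, str] = {}
    for raw_name, raw_value in headers:
        name = raw_name.decode("latin1")
        if ignore_underscores and "_" in name:
            continue
        meta[meta_key(name)] = raw_value.decode("latin1")
    return meta


def conflated_keys(headers: Iterable[Header]) -> Set[str]:
    """Detection helper: META keys reached by more than one distinct header name."""
    sources: Dict[str, Set[str]] = {}
    for raw_name, _ in headers:
        name = raw_name.decode("latin1")
        sources.setdefault(meta_key(name), set()).add(name)
    return {key for key, names in sources.items() if len(names) > 1}


# Constructed sample: a proxy-set hyphenated header followed by an
# underscore variant of the same name in the same request.
SAMPLE_HEADERS: List[Header] = [
    (b"host", b"app.example"),
    (b"x-forwarded-for", b"203.0.113.10"),
    (b"x_forwarded_for", b"127.0.0.1"),
]
```

Running `conflated_keys` over the headers of incoming requests is a cheap way to log attempts to exploit the conflation on deployments that have not yet taken the update.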
Date: 2026-04-01 15:01:10.918487+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Hlib Korzhynskyy <hlib.korzhynskyy at canonical.com>
https://launchpad.net/ubuntu/+source/python-django/3:4.2.11-1ubuntu1.15
Sorry, changesfile not available.