* CVE-2025-64459: A potential SQL injection via the _connector
keyword argument in QuerySet/Q objects. The methods
QuerySet.filter(), exclude() and get(), as well as the Q() class,
were subject to SQL injection when a suitably crafted dictionary
was passed as the _connector argument.
* CVE-2025-64460: A potential denial-of-service vulnerability in
XML serializer text extraction. An algorithmic complexity issue in
django.core.serializers.xml_serializer.getInnerText() allowed a
remote attacker to cause a potential denial of service, triggering
CPU and memory exhaustion, via a specially crafted XML input
submitted to a service that invokes the XML deserializer. The
vulnerability resulted from repeated string concatenation while
recursively collecting text nodes, which produced superlinear
computation.
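The complexity issue behind CVE-2025-64460 is a general pattern, not something specific to Django: when text fragments are accumulated with repeated string concatenation during a recursive walk, each returned partial string is copied again at every enclosing level, so deeply nested input makes the total work grow superlinearly. The following is an added illustration written for this advisory, not Django's own getInnerText() code or its fix. It places the concatenating pattern beside a version that collects fragments into a list and joins once, walking the tree with an explicit stack so deep nesting also cannot exhaust the recursion limit. The build_nested_document() helper and its generated XML are constructed sample input.

```python
"""Inner-text extraction from a DOM subtree: quadratic-style pattern vs. linear version.

Added illustration for the advisory text (not Django's code). Both functions
return the same string; they differ in how the work scales with nesting depth.
"""
from xml.dom import minidom


def inner_text_concat(node):
    """The pattern the advisory describes: text is accumulated with '+=' while
    recursing. Every level returns a string holding all text below it, and the
    parent copies that string into its own accumulator, so text at depth d is
    copied about d times: O(depth * text_length) overall."""
    text = ""
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            text += child.data
        elif child.nodeType == child.ELEMENT_NODE:
            text += inner_text_concat(child)
    return text


def inner_text_linear(node):
    """Collect each text/CDATA fragment exactly once and join at the end.

    An explicit stack replaces recursion; children are pushed in reverse so
    they are popped in document order. Each fragment is touched once, so the
    cost is linear in the size of the subtree."""
    parts = []
    stack = [node]
    while stack:
        current = stack.pop()
        if current.nodeType in (current.TEXT_NODE, current.CDATA_SECTION_NODE):
            parts.append(current.data)
        elif current.nodeType in (current.ELEMENT_NODE, current.DOCUMENT_NODE):
            stack.extend(reversed(current.childNodes))
    return "".join(parts)


def build_nested_document(depth):
    """Constructed sample input: <root><a>t<a>t...<![CDATA[c]]>...</a></a></root>,
    i.e. `depth` nested <a> elements, each carrying a text node, with a CDATA
    section at the innermost level so both node types are exercised."""
    xml = "<root>" + "<a>t" * depth + "<![CDATA[c]]>" + "</a>" * depth + "</root>"
    return minidom.parseString(xml)


if __name__ == "__main__":
    root = build_nested_document(4).documentElement
    print(repr(inner_text_concat(root)))   # 'ttttc'
    print(repr(inner_text_linear(root)))   # 'ttttc'
```

The defensive takeaway is the shape of inner_text_linear(): one pass, one join, no recursion depth tied to attacker-controlled nesting. The same check applies to any serializer or parser that gathers text recursively: if the accumulator is a string that grows on every return, the cost is not linear in the input.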
For Debian 11 bullseye, these problems have been fixed in version
2:2.2.28-1~deb11u10.
We recommend that you upgrade your python-django packages.