
Fedora 42 python-django4.2 Vital SQL Injection DoS FEDORA-2026-ca3d81129a

fedora
March 1, 2026
Critical security patch for Python Django in Fedora 42 addresses SQL injection, DoS, and username enumeration issues. Install now!

Summary

Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.

Update Information:

Fixes CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler
Fixes CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI
Fixes CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
Fixes CVE-2026-1285: Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods
Fixes CVE-2026-1287: Potential SQL injection in column aliases via control characters
Fixes CVE-2026-1312: Potential SQL injection via QuerySet.order_by and FilteredRelation

Change Log

* Thu Feb 19 2026 Michel Lind - 4.2.28-1
- Update to version 4.2.28
- Fixes CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler
- Fixes CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI
- Fixes CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
- Fixes CVE-2026-1285: Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods
- Fixes CVE-2026-1287: Potential SQL injection in column aliases via control characters
- Fixes CVE-2026-1312: Potential SQL injection via QuerySet.order_by and FilteredRelation

References

[ 1 ] Bug #2436703 - CVE-2026-1287 python-django4.2: Django: SQL Injection via crafted column aliases [fedora-42]
      https://bugzilla.redhat.com/show_bug.cgi?id=2436703
[ 2 ] Bug #2436705 - CVE-2026-1312 python-django4.2: Django: SQL injection via crafted column aliases in QuerySet.order_by() [fedora-42]
      https://bugzilla.redhat.com/show_bug.cgi?id=2436705
[ 3 ] Bug #2436711 - CVE-2026-1285 python-django4.2: Django: Denial of Service via crafted HTML inputs [fedora-42]
      https://bugzilla.redhat.com/show_bug.cgi?id=2436711
[ 4 ] Bug #2436720 - CVE-2025-14550 python-django4.2: Django: Denial of Service via crafted request with duplicate headers [fedora-42]
      https://bugzilla.redhat.com/show_bug.cgi?id=2436720
[ 5 ] Bug #2436722 - CVE-2026-1207 python-django4.2: Django: SQL Injection via RasterField band index parameter [fedora-42]
      https://bugzilla.redhat.com/show_bug.cgi?id=2436722

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-ca3d81129a' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
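Before applying the advisory fleet-wide, an administrator usually wants a quick way to tell which hosts still carry a build older than the fixed 4.2.28. The following script is an added example and not part of the Fedora advisory: it queries rpm for the installed python-django4.2 version, compares it against the fixed version using natural version ordering, and prints the exact dnf command from the advisory when an upgrade is needed. The fixed version and advisory id come from the page; the function names (version_lt, needs_update, installed_version) are this example's own.

```shell
#!/bin/sh
# Added example, not the advisory's own tooling. Values below are taken from
# the advisory text; everything else is this script's own convention.
FIXED_VERSION="4.2.28"
ADVISORY="FEDORA-2026-ca3d81129a"
PACKAGE="python-django4.2"

# version_lt A B: succeed when A sorts strictly before B in natural version
# order (so 4.2.9 < 4.2.28, which a plain string compare would get wrong).
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# needs_update INSTALLED: print "yes" when INSTALLED is below the fixed
# version, "no" otherwise.
needs_update() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo yes
    else
        echo no
    fi
}

# installed_version: ask rpm for the package's VERSION tag; print "absent"
# when the package (or rpm itself) is not present on this host.
installed_version() {
    rpm -q --qf '%{VERSION}\n' "$PACKAGE" 2>/dev/null || echo absent
}

main() {
    v="$(installed_version)"
    if [ "$v" = absent ]; then
        echo "$PACKAGE is not installed on this host"
        return 0
    fi
    if [ "$(needs_update "$v")" = yes ]; then
        echo "installed $v is older than $FIXED_VERSION; apply the fix with:"
        echo "  su -c 'dnf upgrade --advisory $ADVISORY'"
    else
        echo "installed $v already includes the fix"
    fi
}

main "$@"
```

The comparison deliberately goes through sort -V rather than a lexical string compare, because the 4.2.x line has two-digit patch releases and "4.2.9" would otherwise sort after "4.2.28". Running the script on a host without rpm simply reports the package as absent, so it is safe to drop into a generic inventory job.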

Severity: critical

Name: python-django4.2
Product: Fedora 42
Version: 4.2.28
Release: 1.fc42
Summary: A high-level Python Web framework
