adduser (3.157) unstable; urgency=medium
.
[ Marc Haber ]
* add script that runs the testsuite without autopkgtest
(Closes: #1101457)
* add a NOTE to adduser.8 regarding group membership (Closes: #1103776)
* implement adduser --force-home.
Thanks to Jeff Hanson (Closes: #472820)
* Add new Romanian program and man page translation.
Thanks to Remus-Gabriel Chelu (Closes: #1137603, #1137602)
* update Dutch program translation.
Thanks to Frans Spiesschaert (Closes: #1118210, #1133696)
.
[ Dustin Kirkland ]
* Add support for encrypting home directories
* adduser: Add --encrypt-home option, which calls ecryptfs-setup-private
for the hard work.
* doc/adduser.8: document the --encrypt-home option
* debian/control: suggest ecryptfs-utils >= 67-1
* deluser: remove all of /var/lib/ecryptfs/$user with --remove-home
.
[ Mateus Rodrigues de Morais ]
* Add encrypted home tests with isolation-machine restriction
aiohttp-socks (0.11.0-1) unstable; urgency=medium
.
[ Dale Richards ]
* Team upload.
* New upstream version 0.11.0
* Run upstream unit tests during build and with autopkgtest
* Bump Standards-Version to 4.7.4
- d/control: Remove Priority field as it is no longer recommended
* Bump copyright year
* Add debian/salsa-ci.yml file
* d/watch: Update to v5
.
[ Jeroen Ploemen ]
* Control: remove redundant Rules-Requires-Root field.
* Tests: loop over all supported Python versions.
* Watch: remove broken combo of github tags and searchmode plain,
simplify matching and renaming options.
aioquic (1.3.0-1) unstable; urgency=medium
.
* Team Upload
* Add debian/salsa-ci.yml
* Mark python3-sphinx* build-dep as !nodoc
* Drop "Rules-Requires-Root: no": it is the default now
* Use dh-sequence-* build dependencies instead of dh --with: sphinxdoc.
* Also use dh-sequence-python3
.
[ Emmanuel Arias ]
* New upstream version
* Standards-Version: 4.7.4 (routine-update)
* Reorder sequence of d/control fields by cme (routine-update)
* Remove trailing whitespace in debian/copyright (routine-update)
* Set upstream metadata fields: Documentation.
django-anymail (15.0-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Control: add missing epoch to build-dep on python3-django.
django-anymail (15.0-1) unstable; urgency=medium
.
* New upstream version 15.0
* d/control:
- Bump Standards-Version to 4.7.4
- Remove optional field Rules-Requires-Root
- Set python3-django dependency minimum version to 5.0
* d/watch: Update watch file format to version 5
gst-plugins-base1.0 (1.28.4-1) unstable; urgency=medium
.
* New upstream version 1.28.4
hamlib (4.7.2-1) unstable; urgency=medium
.
* New upstream version 4.7.2.
libdbi-perl (1.648-1) unstable; urgency=medium
.
* Import upstream version 1.648.
Fixes CVE-2026-9698 and CVE-2026-10879.
* Update years of upstream and packaging copyright.
* Declare compliance with Debian Policy 4.7.4.
* Remove «Rules-Requires-Root: no», which is the current default.
* Remove «Priority: optional», which is the current default.
nbclient (0.10.4-2) unstable; urgency=medium
.
* Team upload.
* Add debian/salsa-ci.yml
* Clean better (Closes: #1045453)
* Drop build-dep on python3-async-generator
node-call-limit (1.1.1-4) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.4
* Drop "Rules-Requires-Root: no"
* Drop "Priority: optional"
* debian/watch version 5
* Adapt to tap 21
node-callback-stream (1.1.0-5) unstable; urgency=medium
.
* Team upload
.
[ Debian Janitor ]
* Update standards version to 4.6.1, no changes needed.
* Apply multi-arch hints.
+ node-callback-stream: Add Multi-Arch: foreign.
.
[ Xavier Guimard ]
* Declare compliance with policy 4.7.4
* Drop "Rules-Requires-Root: no"
* Drop "Priority: optional"
* debian/watch version 5
* Adapt to tap 21
node-chownr (3.0.0-3) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.4
* Adapt to tap 21
node-re2 (1.25.0+~cs1.6.0-2) unstable; urgency=medium
.
* Team upload
* Drop autopkgtest for install-artifact-from-github
node-re2 (1.25.0+~cs1.6.0-1) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.4
* New upstream version 1.25.0+~cs1.6.0
* Refresh patches
nodejs (24.17.0+dfsg+~cs24.13.2-1) unstable; urgency=medium
.
* New upstream version 24.17.0+dfsg+~cs24.13.2
This release addresses the following vulnerabilities:
+ CVE-2026-48930: dns,net: reject hostnames with embedded NUL bytes
+ CVE-2026-48931: http: fix response queue poisoning in http.Agent
+ CVE-2026-48619: http2: cap originSet size to prevent unbounded memory growth
+ CVE-2026-48615: lib,test: redact proxy credentials in tunnel errors
+ CVE-2026-48935: permission: disable FileHandle utimes with permission model
+ CVE-2026-48617: permission: handle process.chdir on writereport
+ CVE-2026-48934: tls: bind reusable sessions to authenticated host
+ CVE-2026-48928: tls: fix case-sensitive SNI context matching
+ CVE-2026-48618: tls: normalize hostname for server identity checks
* Re-enable nghttp tests, as this release supports the latest version.
python-django (3:5.2.15-2) unstable; urgency=medium
.
* Apply a patch from upstream to fix a FTBFS with gettext 0.26.
(Closes: #1126978)
python-django (3:5.2.15-1) unstable; urgency=high
.
* New upstream security release:
.
- CVE-2026-6873: Signed cookie salt namespace collision in
django.http.HttpRequest.get_signed_cookie
.
get_signed_cookie derived the signing salt by concatenating the cookie
name (key) and salt arguments. When distinct name and salt pairs produced
the same concatenation, cookies could be accepted in a context different
from the one where they were signed.
.
Cookies are now signed with an unambiguous salt derivation. For backwards
compatibility, cookies signed by older Django versions are accepted until
Django 7.0.
.
- CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in
the SMTP backend
.
When using EMAIL_USE_TLS, a failed STARTTLS handshake could leave a
partially-initialized connection that would subsequently be reused for
sending email without encryption. This can occur with fail_silently=True,
as used by send_mail and BrokenLinkEmailsMiddleware among others.
Connections configured with EMAIL_USE_SSL are not affected.
.
- CVE-2026-8404: Potential exposure of private data via case-sensitive
Cache-Control directives in UpdateCacheMiddleware
.
django.middleware.cache.UpdateCacheMiddleware and
django.views.decorators.cache.cache_page decorator incorrectly cached
responses marked with private Cache-Control directives when using mixed
or uppercase values (e.g. Private).
.
The django.views.decorators.cache.cache_control decorator and
django.utils.cache.patch_cache_control function were not affected
since they normalize directives to lowercase. This issue only affects
responses where Cache-Control is set manually.
.
- CVE-2026-35193: Potential exposure of private data via missing Vary:
Authorization in UpdateCacheMiddleware
.
django.middleware.cache.UpdateCacheMiddleware and
django.views.decorators.cache.cache_page decorator allowed responses to
requests bearing an Authorization header (and without Cache-Control:
public) to be cached. To conform with the existing mechanism for
constructing cache keys, responses to these requests will now vary on
Authorization.
.
- CVE-2026-48587: Potential exposure of private data via whitespace padding
in Vary header
.
django.middleware.cache.UpdateCacheMiddleware incorrectly cached
responses whose Vary header values contained leading or trailing
whitespace. Because has_vary_header failed to strip that whitespace, a
response with a "Vary: * " header (note the trailing space) was not
recognized as containing the wildcard, causing it to be stored and
potentially served from the cache when it should not have been.
.
.
(Closes: #1138775)
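The CVE-2026-6873 item above describes a salt derived by concatenating the cookie name and the salt argument. The following is an added example, not Django's own code and not part of this changelog: a stand-in signer that shows why plain concatenation lets two distinct (name, salt) pairs share a signing context, and one unambiguous derivation that length-prefixes each component. All function names, the SECRET value and the length-prefix layout are this example's own choices, not Django's actual scheme.

```python
"""Added example, not Django's own code: why deriving a signing salt by
plain concatenation of the cookie name and the salt argument is ambiguous,
and one unambiguous derivation (length-prefixed components).  The signer
here is a stand-in for django.core.signing.Signer; every name below and the
length-prefix layout are this example's own choices, not Django's scheme."""
import hashlib
import hmac

SECRET = b"example-secret-key"  # constructed for the example


def ambiguous_salt(key: str, salt: str) -> bytes:
    # ("session", "id") and ("sessioni", "d") both yield b"sessionid".
    return (key + salt).encode()


def unambiguous_salt(key: str, salt: str) -> bytes:
    # Length-prefix each component so the boundary between them is encoded
    # and no two distinct (key, salt) pairs map to the same bytes.
    k, s = key.encode(), salt.encode()
    return len(k).to_bytes(4, "big") + k + len(s).to_bytes(4, "big") + s


def sign(value: str, derived_salt: bytes) -> str:
    # Derive a per-salt subkey from the salt and the secret, then MAC the value.
    subkey = hashlib.sha256(derived_salt + SECRET).digest()
    mac = hmac.new(subkey, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{mac}"


def verify(signed: str, derived_salt: bytes) -> bool:
    value, _, mac = signed.rpartition(":")
    expected = sign(value, derived_salt).rpartition(":")[2]
    return hmac.compare_digest(mac, expected)


def accepted_across_contexts(derive, signing_ctx, verifying_ctx, value="uid=42"):
    """Sign under one (cookie name, salt) pair and verify under another.
    True means the cookie was accepted in a context it was not signed for."""
    signed = sign(value, derive(*signing_ctx))
    return verify(signed, derive(*verifying_ctx))
```

With ambiguous_salt, a value signed for cookie "session" with salt "id" verifies for cookie "sessioni" with salt "d"; with unambiguous_salt it does not, while the genuine context still verifies.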
python-django (3:5.2.14-2) unstable; urgency=medium
.
[ Athos Ribeiro ]
* Cherry-pick patch to skip NOT NULL constraints on PostgreSQL 18.
This addresses an issue that surfaces in python-django-postgres-extra.
(LP: #2136172)
python-django (3:5.2.14-1) unstable; urgency=high
.
* New upstream security release:
.
- CVE-2026-5766: Prevent a potential denial-of-service vulnerability in
ASGI requests via a file upload limit bypass. ASGI requests with a
missing or understated Content-Length header could bypass the
FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into
memory and causing service degradation. As a reminder, Django expects a
limit to be configured at the web server level rather than solely relying
on FILE_UPLOAD_MAX_MEMORY_SIZE.
.
- CVE-2026-35192: Address a session fixation issue via public cached pages
and SESSION_SAVE_EVERY_REQUEST. Response headers did not vary on cookies
if a session was not modified but SESSION_SAVE_EVERY_REQUEST was True. A
remote attacker could therefore steal a user's session after that user
visits a cached public page.
.
- CVE-2026-6907: Prevent a potential exposure of private data due to incorrect
handling of "Vary: *" in UpdateCacheMiddleware. Previously,
django.middleware.cache.UpdateCacheMiddleware would erroneously cache
requests where the Vary header contained an asterisk ('*'). This could
lead to private data being stored and served.
.
(Closes: #1135755)
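The cache-middleware items in the 5.2.14 entry above (Vary: *) and in the 5.2.15 entry (uppercase Cache-Control directives, whitespace-padded Vary values, requests carrying Authorization) all come down to one storage decision. The following is an added example, not Django's UpdateCacheMiddleware and not part of this changelog, that makes that decision with the normalizations those entries call for: directives compared case-insensitively, Vary members stripped before matching, and Authorization-bearing requests keyed on that header unless the response is Cache-Control: public. Function names and the sample headers are this example's own.

```python
"""Added example, not Django's middleware: a cache-storage decision applying
the normalizations described in the changelog entries above.  Function names
are this example's own; all header values used with it are constructed."""


def parse_cache_control(value):
    # Directive names are case-insensitive tokens, so "Private" == "private".
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or True
    return directives


def parse_vary(value):
    # Strip whitespace around each field name so "Vary: * " still reads as "*".
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def cache_decision(response_headers, request_headers):
    """Return (storable, vary_on): whether the response may be stored and
    which request header names the cache key must include."""
    resp = {k.lower(): v for k, v in response_headers.items()}
    req = {k.lower(): v for k, v in request_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    if "private" in cc or "no-store" in cc:
        return False, []
    vary = parse_vary(resp.get("vary", ""))
    if "*" in vary:
        # A wildcard means every request is distinct; nothing can be reused.
        return False, []
    if "authorization" in req and "public" not in cc and "authorization" not in vary:
        # Authenticated responses are keyed per credential unless marked public.
        vary = vary + ["authorization"]
    return True, vary
```

Each of the constructed cases below corresponds to one item from the two entries: "Private, max-age=60" is rejected despite the capital P, "Accept-Encoding, * " is recognized as a wildcard despite the trailing space, and a request with Authorization adds that header to the key unless the response is public.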
.
* Bump Standards-Version to 4.7.4.
python-django (3:5.2.13-1) unstable; urgency=medium
.
* Upload of 5.2 branch to unstable. (Closes: #1102743)
* New upstream security release:
.
- CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation.
ASGIRequest normalizes header names following WSGI conventions, mapping
hyphens to underscores. As a result, even in configurations where reverse
proxies carefully strip security-sensitive headers named with hyphens,
such a header could be spoofed by supplying a header named with
underscores. Under WSGI, it is the responsibility of the server or proxy
to avoid ambiguous mappings. (Django's runserver was patched via
CVE-2015-0219.) But under ASGI, there is not the same uniform
expectation, even if many proxies protect against this under default
configuration (including nginx via underscores_in_headers off;). Headers
containing underscores are now ignored by ASGIRequest, matching the
behavior of Daphne, the reference server for ASGI.
.
- CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin. Add
permissions on inline model instances were not validated on submission of
forged POST data in GenericInlineModelAdmin.
.
- CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable. Admin
changelist forms using ModelAdmin.list_editable incorrectly allowed new
instances to be created via forged POST data.
.
- CVE-2026-33033: Potential denial-of-service vulnerability in
MultiPartParser via base64-encoded file upload. When using
django.http.multipartparser.MultiPartParser, multipart uploads with
Content-Transfer-Encoding: base64 that include excessive whitespace may
trigger repeated memory copying, potentially degrading performance.
.
- CVE-2026-33034: Potential denial-of-service vulnerability in ASGI
requests via memory upload limit bypass. ASGI requests with a missing or
understated Content-Length header could bypass the
DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading HttpRequest.body,
potentially loading an unbounded request body into memory and causing
service degradation.
.
.
(Closes: #1132927)
.
* Don't test Sphinx/GitHub interlinks during autopkgtests. These tests are
essentially hardcoded to rely on the "django" Python package to
reside adjacent to the tests in the directory tree. In the context of an
autopkgtest, however, the "django" package must exist as an installed
package (i.e. via the .deb) under /usr/lib/python3, etc.
* Refresh patches.
.
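The CVE-2026-3902 item in the 5.2.13 entry above describes how mapping hyphens to underscores lets a header named with underscores shadow the hyphenated one a proxy controls. The following is an added example, not Django's ASGIRequest and not part of this changelog: a WSGI-style normalization that conflates the two forms, beside one that ignores any header name containing an underscore, as the entry says ASGIRequest now does. Function names and the sample header list are this example's own.

```python
"""Added example, not Django's ASGIRequest: header-name normalization that
conflates '-' and '_' versus one that ignores names containing '_'.  Function
names and SAMPLE_HEADERS are constructed for this example."""


def conflating_meta(raw_headers):
    # WSGI-style mapping: "x-forwarded-for" and "x_forwarded_for" both become
    # HTTP_X_FORWARDED_FOR, so whichever arrives last in the list wins and a
    # proxy-stripped hyphenated header can be shadowed by an underscore one.
    meta = {}
    for name, value in raw_headers:
        key = "HTTP_" + name.decode("latin1").upper().replace("-", "_")
        meta[key] = value.decode("latin1")
    return meta


def strict_meta(raw_headers):
    # Ignore any header whose raw name contains an underscore, so only the
    # hyphenated form (the one a proxy can reliably strip) reaches META.
    meta = {}
    for name, value in raw_headers:
        text = name.decode("latin1")
        if "_" in text:
            continue
        meta["HTTP_" + text.upper().replace("-", "_")] = value.decode("latin1")
    return meta


# Constructed: a proxy-set hyphenated header followed by a client-supplied
# underscore variant of the same name.
SAMPLE_HEADERS = [
    (b"x-forwarded-for", b"203.0.113.7"),
    (b"x_forwarded_for", b"10.0.0.1"),
]
```

On SAMPLE_HEADERS the conflating mapping reports the second value under HTTP_X_FORWARDED_FOR, while the strict mapping keeps the proxy's value and drops the underscore header entirely.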
python-django (3:5.2.12-1) unstable; urgency=medium
.
* New upstream 5.2.x release.
python-django (3:5.2.6-1) experimental; urgency=medium
.
* New upstream security release:
.
- CVE-2025-57833: Potential SQL injection in FilteredRelation column
aliases. The FilteredRelation feature in Django was subject to a
potential SQL injection vulnerability in column aliases that was
exploitable via a suitably crafted dictionary with dictionary expansion as
the **kwargs passed to QuerySet.annotate() or QuerySet.alias().
(Closes: #1113865)
.
python-django (3:5.2.5-1) experimental; urgency=medium
.
* New upstream bugfix release.
python-django (3:5.2.4-1) experimental; urgency=medium
.
* New upstream bugfix release.
python-django (3:5.2.3-1) experimental; urgency=medium
.
* New upstream bugfix release.
python-django (3:5.2.2-1) experimental; urgency=medium
.
* New upstream security release:
.
- CVE-2025-48432: Potential log injection via unescaped request path.
.
Django's internal HTTP response logging used request.path directly,
allowing control characters (e.g. newlines or ANSI escape sequences) to
be written unescaped into logs. This could enable log injection or
forgery, letting attackers manipulate log appearance or structure,
especially in logs processed by external systems or viewed in terminals.
.
Although this does not directly impact Django's security model, it poses
risks when logs are consumed or interpreted by other tools. To fix this,
the internal django.utils.log.log_response() function now escapes all
positional formatting arguments using a safe encoding.
.
(Closes: #1107282)
.
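The CVE-2025-48432 item in the 5.2.2 entry above concerns control characters from request.path reaching log output unescaped. The following is an added example, not django.utils.log.log_response and not part of this changelog: an escaper that represents control characters (newlines, ANSI escapes) and backslashes as backslash sequences before the value is formatted into a log line, so a single request always produces a single line. Function names are this example's own.

```python
"""Added example, not Django's log_response(): escape control characters in
request-derived values before they are formatted into a log line.  Function
names are this example's own; inputs used with them are constructed."""


def escape_log_arg(value):
    # Non-strings (status codes, sizes) pass through untouched.
    if not isinstance(value, str):
        return value
    out = []
    for ch in value:
        if ch.isprintable() and ch != "\\":
            # Printable text, including non-ASCII, is kept as-is.
            out.append(ch)
        else:
            # Newlines, ESC, NUL and backslashes become "\n", "\x1b", ...
            # so the logged text can no longer start a new line or emit
            # a terminal control sequence.
            out.append(ch.encode("unicode_escape").decode("ascii"))
    return "".join(out)


def format_response_line(status, path):
    """Build the one-line record an HTTP response logger would emit."""
    return "%s %s" % (escape_log_arg(status), escape_log_arg(path))
```

A path containing a newline followed by a fake "200 /admin" record is logged as one line with the newline shown as "\n", and an ANSI colour sequence appears as "\x1b[31m" rather than being interpreted by a terminal.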
python-django (3:5.2.1-1) experimental; urgency=medium
.
* New upstream security release:
.
- CVE-2025-32873: Denial-of-service possibility in strip_tags()
.
django.utils.html.strip_tags() would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used
to implement the striptags template filter, which was therefore also
vulnerable. strip_tags() now raises a SuspiciousOperation exception if it
encounters an unusually large number of unclosed opening tags.
.
(Closes: #1104872)
.
python-django (3:5.2-1) experimental; urgency=medium
.
* New upstream stable release.
* Bump Standards-Version to 4.7.2.
python-django (3:5.2~rc1-1) experimental; urgency=medium
.
* New upstream release candidate.
python-django (3:5.2~beta1-1) experimental; urgency=medium
.
* New upstream beta release.
* Refresh patches.
python-django (3:5.2~alpha1-1) experimental; urgency=medium
.
* New upstream alpha release.
* Refresh patches.
python-django (3:5.1.5-1) experimental; urgency=high
.
* New upstream security release. (Closes: #1093049)
.
- CVE-2024-56374: Potential denial-of-service vulnerability in IPv6
validation.
.
A lack of upper bound limit enforcement in strings passed when performing
IPv6 validation could have led to a potential denial-of-service (DoS)
attack. The undocumented and private functions clean_ipv6_address and
is_valid_ipv6_address were vulnerable, as was the GenericIPAddressField
form field, which has now been updated to define a max_length of 39
characters. The GenericIPAddressField model field was not affected.
.
python-django (3:5.1.4-1) experimental; urgency=medium
.
* New upstream security release:
.
- CVE-2024-53907: Potential DoS in django.utils.html.strip_tags.
The strip_tags() method and striptags template filter were subject to a
potential denial-of-service attack via certain inputs containing large
sequences of nested incomplete HTML entities.
.
- CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle.
Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle
was subject to SQL injection if untrusted data is used as an lhs value.
Applications that use the jsonfield.has_key lookup through the __ syntax
are unaffected.
.
python-django (3:5.1.3-1) experimental; urgency=medium
.
* New upstream bugfix release.
* Refresh patches.
python-django (3:5.1.2-1) experimental; urgency=medium
.
* New upstream bugfix release.
python-django (3:5.1.1-1) experimental; urgency=high
.
* New upstream security release:
.
- CVE-2024-45230: Potential denial-of-service vulnerability in
django.utils.html.urlize(). urlize and urlizetrunc were subject to a
potential denial-of-service attack via very large inputs with a specific
sequence of characters.
.
- CVE-2024-45231: Potential user email enumeration via response status on
password reset. Due to unhandled email sending failures, the
django.contrib.auth.forms.PasswordResetForm class allowed remote
attackers to enumerate user emails by issuing password reset requests and
observing the outcomes. To mitigate this risk, exceptions occurring
during password reset email sending are now handled and logged using the
django.contrib.auth logger.
.
* Bump Standards-Version to 4.7.0.
python-django (3:5.1-1) experimental; urgency=medium
.
* New upstream 5.1 release.
python-django (3:5.1~rc1-1) experimental; urgency=medium
.
* New upstream 5.1 release candidate.
python-django (3:5.1~beta1-1) experimental; urgency=medium
.
* New upstream beta release.
* Add pybuild-plugin-pyproject to Build-Depends.
python-django (3:5.1~alpha1-1) experimental; urgency=medium
.
* New upstream experimental alpha release.
* Refresh patches.
python-django (3:5.0.6-1) experimental; urgency=medium
.
* New upstream bugfix release, incorporating changes from 5.0.5 as well.
python-django (3:5.0.4-1) experimental; urgency=medium
.
* New upstream bugfix release.
python-django (3:5.0.3-1) experimental; urgency=medium
.
* New upstream security release:
.
- CVE-2024-27351: Fix a potential regular expression denial-of-service
(ReDoS) attack in django.utils.text.Truncator.words. This method
(with html=True) and the truncatewords_html template filter were subject
to a potential regular expression denial-of-service attack via a suitably
crafted string. This is, in part, a follow-up to CVE-2019-14232 and
CVE-2023-43665.
.
python-django (3:5.0.2-1) experimental; urgency=medium
.
* New upstream security release:
.
- CVE-2024-24680: Potential denial-of-service in intcomma template filter.
The intcomma template filter was subject to a potential denial-of-service
attack when used with very long strings.
.
python-django (3:5.0.1-1) experimental; urgency=medium
.
* New upstream bugfix release.
python-django (3:5.0-1) experimental; urgency=medium
.
* New upstream stable release.
https://docs.djangoproject.com/en/5.0/releases/5.0/
python-django (3:5.0~rc1-1) experimental; urgency=medium
.
* New upstream RC1 release.
python-django (3:5.0~alpha1-1) experimental; urgency=medium
.
* New upstream alpha release.
* Refresh patches.
ruby-kdl (2.2.0-2) unstable; urgency=medium
.
* Team upload.
* Enable the test suite.
* Add drop-tests-requiring-submodule.patch to drop specific tests.
* Ensure kdl.tab gets compiled.
ruby-kdl (2.2.0-1) unstable; urgency=medium
.
* Team upload.
* Upgrade the watch file to version 5.
* New upstream release.
* Refresh the upstream metadata.
* Refresh the copyright file.
* Update Standards-Version to 4.7.4.
* Drop {XS,XB}-Ruby-Versions from control.
* Bump debhelper-compat to 14, dropping ${misc:Depends},
${shlibs:Depends}, and ${ruby:Depends} from runtime dependencies.
* Add relax-bigdecimal.patch to relax the dependency on bigdecimal.
* Add a runtime dependency on ruby:any for scripts.
social-auth-app-django (5.9.0-1) unstable; urgency=medium
.
* Team upload.
* [c8c6fcc] New upstream version 5.9.0
* [d8bd554] d/control: Update B-D on p-django version
social-auth-app-django (5.8.0-1) experimental; urgency=medium
.
* Team upload.
* [bd560ea] New upstream version 5.8.0
* [547fee0] d/control: Drop field Priority: optional
* [8efe1ba] d/control: Update Standards-Version to 4.7.4
No further changes needed.
social-auth-app-django (5.7.0-1) experimental; urgency=medium
.
* Team upload.
* [9e39505] New upstream version 5.7.0
* [412dc5b] d/control: Bump B-D on python3-social-auth-core >= 4.8.3
* [916f88c] d/control: Update Standards-Version to 4.7.3
No further changes needed.
* [d065623] d/copyright: Update content and year data
social-auth-app-django (5.6.0-1) experimental; urgency=medium
.
* Team upload.
* [fa3184e] d/watch: Convert to version 5
* [b5f3172] d/gbp.conf: Adjust to debian/experimental
* [c27266d] New upstream version 5.6.0
Fixes CVE-2025-61783
* [e61a9b4] d/control: Adjust to debian/experimental
* [5f08c6e] d/control: Remove Rules-Requires-Root
The setting of Rules-Requires-Root: no is now default.
* [356d4fb] d/control: Update Standards-Version to 4.7.2
No further changes needed.
* [d491ef2] d/control: Bump some B-D versions due to upstream changes