Prepare stable update for python-django (DLA-3558-1, DLA-4006-1, DLA-4010-1, DLA-4030-1, DLA-4086-1, DLA-4210-1, DLA-4301-1, DLA-4324-1, DLA-4425-1)

This package has one or more CVEs fixed by a DLA, but the same CVEs remain unfixed in more recent releases.

In this case, the security team has triaged the remaining open CVEs and has no immediate plans to deal with them.

Please coordinate with the maintainer and SRM to have an updated package included in the next point release (for CVEs affecting bookworm or trixie). https://www.debian.org/doc/manuals/developers-reference/pkgs.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Additionally, please keep the security team informed concerning this matter by mailing team@security.debian.org with a brief summary once a course of action has been agreed upon between yourself, the maintainer, and SRM (as applicable).

Package: python-django
DLA:
  DLA-3558-1 https://lists.debian.org/debian-lts-announce/2023/09/msg00005.html
  DLA-4006-1 https://lists.debian.org/debian-lts-announce/2024/12/msg00028.html
  DLA-4010-1 https://lists.debian.org/debian-lts-announce/2025/01/msg00005.html
  DLA-4030-1 https://lists.debian.org/debian-lts-announce/2025/01/msg00024.html
  DLA-4086-1 https://lists.debian.org/debian-lts-announce/2025/03/msg00012.html
  DLA-4210-1 https://lists.debian.org/debian-lts-announce/2025/06/msg00010.html
  DLA-4301-1 https://lists.debian.org/debian-lts-announce/2025/09/msg00017.html
  DLA-4324-1 https://lists.debian.org/debian-lts-announce/2025/10/msg00004.html
  DLA-4425-1 https://lists.debian.org/debian-lts-announce/2025/12/msg00036.html
CVE(s):
   CVE-2023-41164 CVE-2024-53907 CVE-2024-56374 CVE-2025-26699
   CVE-2023-41164 CVE-2023-43665 CVE-2024-24680 CVE-2024-27351
   CVE-2025-32873 CVE-2025-48432 CVE-2025-57833 CVE-2025-59681
   CVE-2025-59682 CVE-2025-64459 CVE-2025-64460
Fixed in: bullseye buster
Still present in: bookworm trixie (partial)

Preliminary work for bookworm: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079454

/cc @lamby (DLAs uploader, package maintainer)

Edited by Sylvain Beucler