releasing package python-django version 3:5.2.2-1

ae8ed262 · Chris Lamb · cb3c413d · ae8ed262
Commit ae8ed262 authored 2 months ago by Chris Lamb
--- a/debian/changelog
+++ b/debian/changelog
-python-django (3:5.2.2-1) UNRELEASED; urgency=medium
+python-django (3:5.2.2-1) experimental; urgency=medium

-  * New upstream release.
+  * New upstream security release:
+
+    - CVE-2025-48432: Potential log injection via unescaped request path.
+
+      Django's internal HTTP response logging used request.path directly,
+      allowing control characters (e.g. newlines or ANSI escape sequences) to
+      be written unescaped into logs. This could enable log injection or
+      forgery, letting attackers manipulate log appearance or structure,
+      especially in logs processed by external systems or viewed in terminals.
+
+      Although this does not directly impact Django's security model, it poses
+      risks when logs are consumed or interpreted by other tools.  To fix this,
+      the internal django.utils.log.log_response() function now escapes all
+      positional formatting arguments using a safe encoding.
+
+      (Closes: #1107282)
+
+    <https://www.djangoproject.com/weblog/2025/jun/04/security-releases/>

- -- Chris Lamb <lamby@debian.org>  Wed, 04 Jun 2025 08:09:22 -0700
+ -- Chris Lamb <lamby@debian.org>  Wed, 04 Jun 2025 08:09:36 -0700

 python-django (3:5.2.1-1) experimental; urgency=medium