SUSE Package Hub - SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-3446

Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-3446

Security update for python-Django

Type: security

Severity: critical

Issued: 2025-10-02

Description:

This update for python-Django fixes the following issues:

- CVE-2025-59681: SQL injection via the `QuerySet` annotate()`, `alias()`, `aggregate()`, or `extra()` methods when
  processing a specially crafted dictionary with dictionary expansion (bsc#1250485).
- CVE-2025-59682: directory traversal via the `django.utils.archive.extract()` function when processing an archive with
  file paths that share a common prefix with the target directory (bsc#1250487).

References

CVE: CVE-2025-59682
CVE: CVE-2025-59681
Bugzilla: 1250487 VUL-0: EMBARGOED: CVE-2025-59682: python-Django,python-Django4: Potential partial directory-traversal via archive.extract()
Bugzilla: 1250485 VUL-0: EMBARGOED: CVE-2025-59681: python-Django,python-Django4: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB

Packages

python-Django-4.2.11-150600.3.33.1