Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-1740


Security update for python-Django


Type: security
Severity: moderate
Issued: 2026-05-07
Description:
This update for python-Django fixes the following issues:

- CVE-2026-3902: header spoofing by exploiting an ambiguous mapping of two header variants in `ASGIRequest`
  (bsc#1261729).
- CVE-2026-4277: permissions on inline model instances were not validated on submission of forged POST data in
  GenericInlineModelAdmin (bsc#1261731).
- CVE-2026-4292: admin changelist forms using ModelAdmin.list_editable incorrectly allowed new instances to be created
  via forged POST data (bsc#1261732).
- CVE-2026-5766: potential denial-of-service vulnerability in ASGI requests via file upload limit bypass (bsc#1264153).
- CVE-2026-6907: potential exposure of private data due to incorrect handling of `Vary: *` in `UpdateCacheMiddleware`
  (bsc#1264152).
- CVE-2026-33033: denial of service via missing or understated Content-Length header in ASGI requests (bsc#1261722).
- CVE-2026-33034: ASGI requests with a missing or understated Content-Length header could bypass the
  `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading HttpRequest.body (bsc#1261724).
- CVE-2026-35192: session fixation via public cached pages and `SESSION_SAVE_EVERY_REQUEST` (bsc#1264154).
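The following is an added illustration, not code from Django or from this SUSE update, of the header-ambiguity class behind CVE-2026-3902. The advisory does not say which two header variants collide; the example assumes the classic pair of a hyphenated name and its underscore spelling, both of which a naive "upper-case and replace '-' with '_'" mapping into META collapses onto one key. The sample headers are constructed, and the hardened mapping rejects underscore names the way most reverse proxies do by default.

```python
# Added illustration (not Django's or SUSE's code): how an ASGI-style
# header-to-META mapping can collapse two distinct header names onto one key.
# The advisory does not name the colliding variants; the hyphen/underscore
# pair used below is an assumption made for this demonstration.


def meta_key(name):
    """Naive META key derivation: 'HTTP_' + upper-case, '-' replaced by '_'."""
    return "HTTP_%s" % name.upper().replace("-", "_")


def meta_from_headers_ambiguous(headers):
    """Model of the ambiguous mapping.

    headers: list of (name: bytes, value: bytes) as found in an ASGI scope.
    Later entries overwrite earlier ones, so 'x-forwarded-for' and
    'x_forwarded_for' both end up in META['HTTP_X_FORWARDED_FOR'], and the
    client-supplied spelling wins if it comes last.
    """
    meta = {}
    for raw_name, raw_value in headers:
        meta[meta_key(raw_name.decode("latin1"))] = raw_value.decode("latin1")
    return meta


def find_ambiguous_names(headers):
    """Return the META keys that more than one distinct header name maps to."""
    sources = {}
    for raw_name, _ in headers:
        name = raw_name.decode("latin1")
        sources.setdefault(meta_key(name), set()).add(name)
    return {key for key, names in sources.items() if len(names) > 1}


def meta_from_headers_strict(headers):
    """Hardened mapping: drop any header name containing '_' before
    normalisation, so only the hyphenated spelling can populate a META key.
    This mirrors the default behaviour of common reverse proxies (for example
    nginx with underscores_in_headers off)."""
    meta = {}
    for raw_name, raw_value in headers:
        name = raw_name.decode("latin1")
        if "_" in name:
            continue
        meta[meta_key(name)] = raw_value.decode("latin1")
    return meta


# Constructed sample: a trusted proxy sets the hyphenated header, and the
# client appends the underscore spelling in the same request.
SAMPLE_HEADERS = [
    (b"host", b"example.test"),
    (b"x-forwarded-for", b"203.0.113.10"),
    (b"x_forwarded_for", b"127.0.0.1"),
]

if __name__ == "__main__":
    print(meta_from_headers_ambiguous(SAMPLE_HEADERS)["HTTP_X_FORWARDED_FOR"])  # 127.0.0.1
    print(sorted(find_ambiguous_names(SAMPLE_HEADERS)))                          # ['HTTP_X_FORWARDED_FOR']
    print(meta_from_headers_strict(SAMPLE_HEADERS)["HTTP_X_FORWARDED_FOR"])     # 203.0.113.10
```

The practical check for a deployment is whether the ASGI server in front of the application already discards underscore header names; if it does not, the application-level mapping is the only place the two spellings are told apart, which is why the fixed package matters even behind a proxy that only validates the hyphenated form.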

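The three body-size items above (CVE-2026-5766, CVE-2026-33033 and CVE-2026-33034) share one failure mode: a limit that is compared against the declared Content-Length is bypassed when that header is missing or understated. The following added example, not code from Django or from this update, contrasts a reader that trusts the header with one that enforces the limit on the bytes actually received from an ASGI-style `receive` callable. The `DATA_UPLOAD_MAX_MEMORY_SIZE` default and the ASGI message shape follow Django's and the ASGI spec's conventions, but the reader functions and the constructed request are assumptions made for the demonstration.

```python
# Added illustration (not Django's or SUSE's code): enforcing an upload limit on
# bytes actually read from an ASGI-style body stream rather than trusting the
# request's Content-Length header.
import asyncio

DATA_UPLOAD_MAX_MEMORY_SIZE = 2_621_440  # 2.5 MiB, Django's default; used here only as an illustration


class RequestDataTooBig(Exception):
    """Raised when the request body exceeds the configured limit."""


async def read_body_trusting_header(receive, content_length, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
    """Flawed pattern: the limit is checked only against the declared length.

    A missing (None) or understated Content-Length passes the check and the
    loop then buffers whatever the client actually streams.
    """
    if content_length is not None and content_length > limit:
        raise RequestDataTooBig()
    chunks = []
    while True:
        message = await receive()
        chunks.append(message.get("body", b""))
        if not message.get("more_body", False):
            break
    return b"".join(chunks)


async def read_body_counting_bytes(receive, content_length, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
    """Hardened pattern: reject early on the header, then enforce the limit on
    the bytes actually received and stop reading as soon as it is exceeded."""
    if content_length is not None and content_length > limit:
        raise RequestDataTooBig()
    chunks, received = [], 0
    while True:
        message = await receive()
        chunk = message.get("body", b"")
        received += len(chunk)
        if received > limit:
            raise RequestDataTooBig()
        chunks.append(chunk)
        if not message.get("more_body", False):
            break
    return b"".join(chunks)


def make_receive(chunks):
    """Constructed ASGI `receive` callable that replays the given body chunks."""
    queue = list(chunks)

    async def receive():
        if not queue:
            return {"type": "http.request", "body": b"", "more_body": False}
        chunk = queue.pop(0)
        return {"type": "http.request", "body": chunk, "more_body": bool(queue)}

    return receive


def run(reader, chunks, content_length, limit):
    """Drive a reader over constructed chunks and return the number of bytes
    buffered, or the name of the exception that stopped the read."""
    try:
        body = asyncio.run(reader(make_receive(chunks), content_length, limit))
        return len(body)
    except RequestDataTooBig:
        return "RequestDataTooBig"


if __name__ == "__main__":
    # Constructed request: Content-Length claims 10 bytes, the client streams
    # 1000 bytes, and the configured limit is 100 bytes.
    chunks = [b"x" * 500, b"x" * 500]
    print(run(read_body_trusting_header, chunks, 10, 100))  # 1000: limit bypassed
    print(run(read_body_counting_bytes, chunks, 10, 100))   # RequestDataTooBig
```

A mismatch between the declared and the received length is itself a reason to reject the request once the body is complete; the hardened reader above only bounds memory, which is the property the advisory's denial-of-service items are about.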


Packages


  • python-Django-4.2.11-150600.3.56.1