SUSE Package Hub - SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2318

Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2318

Security update for python-Django

Type: security

Severity: important

Issued: 2026-06-09

Description:

This update for python-Django fixes the following issues

- CVE-2026-6873: signed cookie salt namespace collision in `django.http.HttpRequest.get_signed_cookie` (bsc#1267578).
- CVE-2026-7666: potential unencrypted email transmission via `STARTTLS` in the SMTP backend (bsc#1267579).
- CVE-2026-8404: potential exposure of private data via case-sensitive `Cache-Control` directives in
  `UpdateCacheMiddleware` (bsc#1267580).
- CVE-2026-35193: potential exposure of private data via missing `Vary: Authorization` in `UpdateCacheMiddleware`
  (bsc#1267576).
- CVE-2026-48587: potential exposure of private data via whitespace padding in `Vary` header (bsc#1267577).

References

CVE: CVE-2026-8404
CVE: CVE-2026-7666
CVE: CVE-2026-6873
CVE: CVE-2026-48587
CVE: CVE-2026-35193
Bugzilla: 1267580 VUL-0: CVE-2026-8404: python-Django: potential exposure of private data via case-sensitive `Cache-Control` directives in `UpdateCacheMiddleware`
Bugzilla: 1267579 VUL-0: CVE-2026-7666: python-Django: potential unencrypted email transmission via `STARTTLS` in the SMTP backend
Bugzilla: 1267578 VUL-0: CVE-2026-6873: python-Django: signed cookie salt namespace collision in `django.http.HttpRequest.get_signed_cookie`
Bugzilla: 1267577 VUL-0: CVE-2026-48587: python-Django: potential exposure of private data via whitespace padding in `Vary` header
Bugzilla: 1267576 VUL-0: CVE-2026-35193: python-Django: potential exposure of private data via missing `Vary: Authorization` in `UpdateCacheMiddleware`

Packages

python-Django-4.2.11-150600.3.59.1