File _patchinfo of Package patchinfo.19338

<patchinfo incident="19338">
  <issue tracker="cve" id="2025-13473"/>
  <issue tracker="cve" id="2026-1312"/>
  <issue tracker="cve" id="2026-1285"/>
  <issue tracker="cve" id="2026-1207"/>
  <issue tracker="cve" id="2026-1287"/>
  <issue tracker="bnc" id="1257401">VUL-0: CVE-2025-13473: python-Django,python3-Django,python-Django6: Username enumeration through timing difference in mod_wsgi authentication handler</issue>
  <issue tracker="bnc" id="1257406">VUL-0: CVE-2026-1285: python-Django,python3-Django,python-Django6: Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods</issue>
  <issue tracker="bnc" id="1257407">VUL-0: CVE-2026-1287: python-Django,python3-Django,python-Django6: Potential SQL injection in column aliases via control characters</issue>
  <issue tracker="bnc" id="1257408">VUL-0: CVE-2026-1312: python-Django,python3-Django,python-Django6: Potential SQL injection via QuerySet.order_by and FilteredRelation</issue>
  <issue tracker="bnc" id="1257405">VUL-0: CVE-2026-1207: python-Django,python3-Django,python-Django6: Potential SQL injection via raster lookups on PostGIS</issue>
  <packager>mcalabkova</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for python-Django</summary>
  <description>This update for python-Django fixes the following issues:

- CVE-2026-1312: Fixed potential SQL injection via QuerySet.order_by and FilteredRelation (bsc#1257408).
- CVE-2026-1287: Fixed potential SQL injection in column aliases via control characters (bsc#1257407).
- CVE-2026-1207: Fixed potential SQL injection via raster lookups on PostGIS (bsc#1257405).
- CVE-2026-1285: Fixed potential denial-of-service in django.utils.text.Truncator HTML methods (bsc#1257406).
- CVE-2025-13473: Fixed username enumeration through timing difference in mod_wsgi authentication handler (bsc#1257401).
</description>
</patchinfo>