File _patchinfo of Package patchinfo.40845

<patchinfo incident="40845">
  <issue tracker="cve" id="2025-59681"/>
  <issue tracker="cve" id="2025-59682"/>
  <issue tracker="bnc" id="1250485">VUL-0: EMBARGOED: CVE-2025-59681: python-Django,python-Django4: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB</issue>
  <issue tracker="bnc" id="1250487">VUL-0: EMBARGOED: CVE-2025-59682: python-Django,python-Django4: Potential partial directory-traversal via archive.extract()</issue>
  <packager>mcalabkova</packager>
  <rating>critical</rating>
  <category>security</category>
  <summary>Security update for python-Django</summary>
  <description>This update for python-Django fixes the following issues:

- CVE-2025-59681: SQL injection via the `QuerySet.annotate()`, `alias()`, `aggregate()`, or `extra()` methods when
  processing a specially crafted dictionary with dictionary expansion (bsc#1250485).
- CVE-2025-59682: directory traversal via the `django.utils.archive.extract()` function when processing an archive with
  file paths that share a common prefix with the target directory (bsc#1250487).
</description>
</patchinfo>