Debian has released several security updates for Debian GNU/Linux 11 (Bullseye) LTS, including fixes for vulnerabilities in openjpeg2, osslsigncode, and python-django. The most recent update for python-django addresses two issues: SQL injection via the _connector keyword argument and a potential denial-of-service vulnerability in XML serialization. Similar vulnerabilities have also been found in previous versions of Python-Django on Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS.

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1602-1 python-django security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4424-1] openjpeg2 security update
[DLA 4426-1] osslsigncode security update
[DLA 4425-1] python-django security update





[SECURITY] [DLA 4424-1] openjpeg2 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4424-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
December 29, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : openjpeg2
Version : 2.4.0-3+deb11u2
CVE ID : CVE-2025-50952

A NULL pointer dereference was found in the component openjp2/dwt.c.

For Debian 11 bullseye, this problem has been fixed in version
2.4.0-3+deb11u2.

We recommend that you upgrade your openjpeg2 packages.

For the detailed security status of openjpeg2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjpeg2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4426-1] osslsigncode security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4426-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
December 30, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : osslsigncode
Version : 2.5-4~deb11u1
CVE ID : CVE-2023-36377
Debian Bug : 1035875

A buffer overflow vulnerability has been found in osslsigncode, an
OpenSSL-based Authenticode signing tool for PE/MSI/Java CAB files,
which possibly allows a malicious attacker to execute arbitrary code
when signing a crafted file.

For Debian 11 bullseye, this problem has been fixed in version
2.5-4~deb11u1.

We recommend that you upgrade your osslsigncode packages.

For the detailed security status of osslsigncode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/osslsigncode

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4425-1] python-django security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4425-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
December 29, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : python-django
Version : 2:2.2.28-1~deb11u10
CVE IDs : CVE-2025-64459 CVE-2025-64460
Debian Bug : 1121788

It was discovered that there were two issues in Django, the
Python-based web development framework:

* CVE-2025-64459: A potential SQL injection via _connector
keyword argument in QuerySet/Q objects. The methods QuerySet
filter(), exclude() and get() as well as the Q() class were
subject to SQL injection when using a suitably crafted dictionary
as the _connector argument.

* CVE-2025-64460: A potential denial-of-service vulnerability in
XML serializer text extraction. An algorithmic complexity issue in
django.core.serializers.xml_serializer.getInnerText() allowed a
remote attacker to cause a potential denial-of-service triggering
CPU and memory exhaustion via a specially crafted XML input
submitted to a service that invokes XML Deserializer. The
vulnerability resulted from repeated string concatenation while
recursively collecting text nodes, which produced superlinear
computation.

For Debian 11 bullseye, these problems have been fixed in version
2:2.2.28-1~deb11u10.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1602-1 python-django security update


Package : python-django
Version : 1:1.10.7-2+deb9u28 (stretch), 1:1.11.29-1+deb10u17 (buster)
Related CVEs : CVE-2025-64460

A potential denial-of-service vulnerability was discovered in Django, a popular
Python-based web development framework.
An algorithmic complexity issue in the getInnerText() method in the
django.core.serializers.xml_serializer class could have allowed a remote
attacker to cause a potential denial-of-service, triggering CPU and memory
exhaustion via a specially crafted XML input submitted to a service that
invokes the XML Deserializer. The vulnerability resulted from repeated string
concatenation while recursively collecting text nodes which produced
superlinear-style computation.
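The complexity issue described in the DLA-4425-1 and ELA-1602-1 texts above, as an added illustration: a recursive text extractor that accumulates by string concatenation, beside a linear rewrite that collects fragments and joins once. This is example code written for this note, not Django's getInnerText() or the Debian patch; the function names, the copy-cost counter and the constructed nested-element input are assumptions.

```python
from xml.dom.minidom import Node, parseString

TEXT_TYPES = (Node.TEXT_NODE, Node.CDATA_SECTION_NODE)

def build_nested_xml(depth: int) -> str:
    """Constructed input (not a real payload): a text node followed by a nested
    element at each of `depth` levels, so every recursion level returns a
    longer string to its parent."""
    return "<r>" + "x<e>" * depth + "x" + "</e>" * depth + "</r>"

def inner_text_concat(node, copied: list) -> str:
    """Flawed pattern: accumulate by string concatenation while recursing.
    copied[0] models the cost of each `+=` (the accumulated prefix is copied
    again), which grows superlinearly with the amount of nested text."""
    text = ""
    for child in node.childNodes:
        if child.nodeType in TEXT_TYPES:
            text += child.nodeValue
            copied[0] += len(text)
        elif child.nodeType == Node.ELEMENT_NODE:
            text += inner_text_concat(child, copied)
            copied[0] += len(text)
    return text

def iter_text(node):
    """Linear alternative: yield each text fragment once, in document order."""
    for child in node.childNodes:
        if child.nodeType in TEXT_TYPES:
            yield child.nodeValue
        elif child.nodeType == Node.ELEMENT_NODE:
            yield from iter_text(child)

def inner_text_join(node) -> str:
    """Collect fragments and join once, so each character is copied once."""
    return "".join(iter_text(node))

def compare(depth: int):
    """Return (text via concat, chars copied by concat, text via join)."""
    root = parseString(build_nested_xml(depth)).documentElement
    copied = [0]
    slow = inner_text_concat(root, copied)
    return slow, copied[0], inner_text_join(root)

if __name__ == "__main__":
    for d in (100, 200, 400):
        slow, cost, fast = compare(d)
        print(f"depth={d:4d} text={len(fast):4d} chars copied by concat={cost}")
```

Doubling the depth roughly quadruples the concatenation cost while the joined text only doubles, which is the superlinear behaviour the advisory describes.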