Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2026/VULN455 _____________________________________________________________________ DATE : 05/05/2026 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems Django versions prior to 6.0.5, 5.2.14. ===================================================================== https://www.djangoproject.com/weblog/2026/may/05/security-releases/ _____________________________________________________________________ Django security releases issued: 6.0.5 and 5.2.14 Posted by Sarah Boyce on 5 mai 2026 In accordance with our security release policy, the Django team is issuing releases for Django 6.0.5 and Django 5.2.14. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible. CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass ASGI requests with a missing or understated Content-Length header could bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE. This issue has severity "low" according to the Django security policy. This issue was originally highlighted by Kyle Agronick in Trac. Thanks to Jacob Walls for following up and reporting it. CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST Response headers did not vary on cookies if a session was not modified, but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a user's session after that user visits a cached public page. This issue has severity "low" according to the Django security policy. CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware Previously, django.middleware.cache.UpdateCacheMiddleware would erroneously cache requests where the Vary header contained an asterisk ('*'). This could lead to private data being stored and served. This issue has severity "low" according to the Django security policy. Thanks to Ahmad Sadeddin for the report. Affected supported versions Django main Django 6.0 Django 5.2 Resolution Patches to resolve the issue have been applied to Django's main, 6.0, and 5.2 branches. The patches may be obtained from the following changesets. CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass On the main branch On the 6.0 branch On the 5.2 branch CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST On the main branch On the 6.0 branch On the 5.2 branch CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware On the main branch On the 6.0 branch On the 5.2 branch The following releases have been issued Django 6.0.5 (tarball | checksums) Django 5.2.14 (tarball | checksums) The PGP key ID used for this release is Sarah Boyce: 3955B19851EA96EF General notes regarding security reporting As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance, nor via the Django Forum. Please see our security policies for further information. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================