deepin-community · Zeno-sole · May 6, 2026 · May 6, 2026
diff --git a/Django.egg-info/PKG-INFO b/Django.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: Django
-Version: 4.2.27
+Version: 4.2.28
 Summary: A high-level Python web framework that encourages rapid development and clean, pragmatic design.
 Author-email: Django Software Foundation <foundation@djangoproject.com>
 License: BSD-3-Clause

diff --git a/Django.egg-info/SOURCES.txt b/Django.egg-info/SOURCES.txt
@@ -4211,6 +4211,7 @@ docs/releases/4.2.24.txt
 docs/releases/4.2.25.txt
 docs/releases/4.2.26.txt
 docs/releases/4.2.27.txt
+docs/releases/4.2.28.txt
 docs/releases/4.2.3.txt
 docs/releases/4.2.4.txt
 docs/releases/4.2.5.txt

diff --git a/PKG-INFO b/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: Django
-Version: 4.2.27
+Version: 4.2.28
 Summary: A high-level Python web framework that encourages rapid development and clean, pragmatic design.
 Author-email: Django Software Foundation <foundation@djangoproject.com>
 License: BSD-3-Clause

diff --git a/debian/.gitignore b/debian/.gitignore
diff --git a/debian/changelog b/debian/changelog
@@ -1,110 +1,89 @@
-python-django (3:4.2.27-2) unstable; urgency=medium
+python-django (3:4.2.28-0+deb13u1) trixie-security; urgency=high
 
-  * Team upload.
-  * Backport various upstream fixes for newer Python versions (closes:
-    #1122185):
-    - Fixed tests for test --parallel option on Python 3.14+.
-    - Fixed copying BaseContext and its subclasses on Python 3.14+.
-    - Fixed OtherModelFormTests.test_prefetch_related_queryset() test on
-      Python 3.14+.
-    - Adjusted test_strip_tags following Python behavior change for
-      incomplete entities.
-  * Revert "Mark that Python 3.14 is not supported yet", since it now is.
-
- -- Colin Watson <cjwatson@debian.org>  Wed, 17 Dec 2025 10:23:30 +0000
-
-python-django (3:4.2.27-1) unstable; urgency=medium
-
-  * New upstream security release.
-    <https://www.djangoproject.com/weblog/2025/dec/02/security-releases/>
-
-    - CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
-      column aliases when using PostgreSQL. FilteredRelation was subject to SQL
-      injection in column aliases via a suitably crafted dictionary as the
-      **kwargs passed to QuerySet.annotate() or QuerySet.alias().
-
-    - CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
-      XML serializer text extraction. An algorithmic complexity issue in
-      django.core.serializers.xml_serializer.getInnerText() allowed a remote
-      attacker to cause a potential denial-of-service triggering CPU and memory
-      exhaustion via a specially crafted XML input submitted to a service that
-      invokes XML Deserializer. The vulnerability resulted from repeated string
-      concatenation while recursively collecting text nodes, which produced
-      superlinear computation.
+  * New upstream security release:
 
-    (Closes: #1121788))
+    - CVE-2025-13473: The check_password function in
+      django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi
+      allowed remote attackers to enumerate users via a timing attack.
 
-  * Mark that Python 3.14 is not supported yet.
+    - CVE-2025-14550: When receiving duplicates of a single header, ASGIRequest
+      allowed a remote attacker to cause a potential denial-of-service via a
+      specifically created request with multiple duplicate headers. The
+      vulnerability resulted from repeated string concatenation while combining
+      repeated headers, which produced super-linear computation resulting in
+      service degradation or outage.
 
- -- Chris Lamb <lamby@debian.org>  Tue, 02 Dec 2025 11:34:10 -0800
+    - CVE-2026-1207: Raster lookups on RasterField (only implemented on
+      PostGIS) allowed remote attackers to inject SQL via the band index
+      parameter.
 
-python-django (3:4.2.26-1) unstable; urgency=high
+    - CVE-2026-1285: The django.utils.text.Truncator.chars() and
+      Truncator.words() methods (with html=True) and the truncatechars_html and
+      truncatewords_html template filters allowed a remote attacker to cause a
+      potential denial-of-service via crafted inputs containing a large number
+      of unmatched HTML end tags.
 
-  * New upstream security release.
-    <https://www.djangoproject.com/weblog/2025/nov/05/security-releases/>
+    - CVE-2026-1287: FilteredRelation was subject to SQL injection in column
+      aliases via control characters using a suitably crafted dictionary, with
+      dictionary expansion, as the **kwargs passed to QuerySet methods
+      annotate(), aggregate(), extra(), values(), values_list() and alias().
 
-    - CVE-2025-64458: Fix a potential denial-of-service vulnerability in
-      HttpResponseRedirect and HttpResponsePermanentRedirect. NFKC
-      normalization in Python is slow on Windows; as a consequence,
-      HttpResponseRedirect, HttpResponsePermanentRedirect and redirect were
-      subject to a potential denial-of-service attack via certain inputs with
-      a very large number of Unicode characters.
+    - CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in column
+      aliases containing periods when the same alias is, using a suitably
+      crafted dictionary, with dictionary expansion, used in FilteredRelation.
 
-    - CVE-2025-64459: Prevent a potential SQL injection via _connector keyword
-      argument in QuerySet/Q objects. The methods QuerySet.filter(),
-      QuerySet.exclude(), and QuerySet.get() and the class Q() were subject to
-      SQL injection when using a suitably crafted dictionary (with dictionary
-      expansion) as the _connector argument.
-
-  * Refresh patches.
+    <https://docs.djangoproject.com/en/dev/releases/4.2.28/> (Closes: #1126914)
 
- -- Chris Lamb <lamby@debian.org>  Wed, 05 Nov 2025 08:36:26 -0800
+ -- Chris Lamb <lamby@debian.org>  Wed, 18 Feb 2026 14:44:14 -0800
 
-python-django (3:4.2.25-2) unstable; urgency=medium
+python-django (3:4.2.27-0+deb13u1) trixie-security; urgency=high
 
-  * Team upload.
-  * Skip NOT NULL constraints on PostgreSQL 18+ (closes: #1117647).
-
- -- Colin Watson <cjwatson@debian.org>  Wed, 22 Oct 2025 10:05:23 +0100
+  * New upstream security release:
 
-python-django (3:4.2.25-1) unstable; urgency=high
+    - CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
+      column aliases when using PostgreSQL. FilteredRelation was subject to SQL
+      injection in column aliases via a suitably crafted dictionary as the
+      **kwargs passed to QuerySet.annotate() or QuerySet.alias().
 
-  * New upstream security release (Closes: #1116979):
+    - CVE-2025-57833: Potential SQL injection in FilteredRelation column
+      aliases. The FilteredRelation feature in Django was subject to a
+      potential SQL injection vulnerability in column aliases that was
+      exploitable via suitably crafted dictionary with dictionary expansion as
+      the **kwargs passed QuerySet.annotate() or QuerySet.alias(). This CVE
+      was fixed in Django 4.2.24. (Closes: #1113865)
 
     - CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(),
-      aggregate() and extra() on MySQL and MariaDB.
-
-      QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate() and
-      QuerySet.extra() methods were subject to SQL injection in column aliases,
-      using a suitably crafted dictionary with dictionary expansion as the
-      **kwargs passed to these methods on MySQL and MariaDB.
+      aggregate() and extra() on MySQL and MariaDB. QuerySet.annotate(),
+      QuerySet.alias(), QuerySet.aggregate() and QuerySet.extra() methods were
+      subject to SQL injection in column aliases, using a suitably crafted
+      dictionary with dictionary expansion as the **kwargs passed to these
+      methods on MySQL and MariaDB. This CVE was fixed in Django 4.2.25.
 
     - CVE-2025-59682: Potential partial directory-traversal via
-      archive.extract()
+      archive.extract(). The django.utils.archive.extract() function, used by
+      startapp --template and startproject --template allowed partial
+      directory-traversal via an archive with file paths sharing a common
+      prefix with the target directory. This CVE was fixed in Django 4.2.25.
 
-      The django.utils.archive.extract() function, used by startapp --template
-      and startproject --template allowed partial directory-traversal via an
-      archive with file paths sharing a common prefix with the target
-      directory.
-
-    <https://www.djangoproject.com/weblog/2025/oct/01/security-releases/>
-
- -- Chris Lamb <lamby@debian.org>  Wed, 01 Oct 2025 11:17:18 -0700
-
-python-django (3:4.2.24-1) unstable; urgency=high
-
-  * New upstream security release:
+    - CVE-2025-64459: Prevent a potential SQL injection via _connector keyword
+      argument in QuerySet/Q objects. The methods QuerySet.filter(),
+      QuerySet.exclude(), and QuerySet.get() and the class Q() were subject to
+      SQL injection when using a suitably crafted dictionary (with dictionary
+      expansion) as the _connector argument. This CVE was fixed in Django
+      4.2.26.
 
-    - CVE-2025-57833: Potential SQL injection in FilteredRelation column
-      aliases. The FilteredRelation feature in Django was subject to a
-      potential SQL injection vulnerability in column aliases that was
-      exploitable via suitably crafted dictionary with dictionary expansion as
-      the **kwargs passed QuerySet.annotate() or QuerySet.alias().
-      (Closes: #1113865)
+    - CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
+      XML serializer text extraction. An algorithmic complexity issue in
+      django.core.serializers.xml_serializer.getInnerText() allowed a remote
+      attacker to cause a potential denial-of-service triggering CPU and memory
+      exhaustion via a specially crafted XML input submitted to a service that
+      invokes XML Deserializer. The vulnerability resulted from repeated string
+      concatenation while recursively collecting text nodes, which produced
+      superlinear computation. (Closes: #1121788)
 
-    <https://www.djangoproject.com/weblog/2025/sep/03/security-releases/>
+    <https://docs.djangoproject.com/en/4.2/releases/4.2.27/>
 
- -- Chris Lamb <lamby@debian.org>  Wed, 03 Sep 2025 08:28:19 -0700
+ -- Chris Lamb <lamby@debian.org>  Fri, 23 Jan 2026 10:43:29 -0800
 
 python-django (3:4.2.23-1) unstable; urgency=high
 

diff --git a/debian/control b/debian/control
@@ -25,12 +25,12 @@ Build-Depends:
  python3-jinja2 <!nocheck>,
  python3-numpy <!nocheck>,
  python3-pil <!nocheck>,
- python3-pytz <!nocheck>,
  python3-selenium <!nocheck>,
  python3-setuptools,
  python3-sphinx,
  python3-sqlparse <!nocheck>,
  python3-tblib <!nocheck>,
+ python3-tz <!nocheck>,
  python3-yaml <!nocheck>,
 Build-Depends-Indep:
  libjs-jquery,
@@ -55,6 +55,7 @@ Depends:
 Recommends:
  libjs-jquery,
  python3-sqlparse,
+ python3-tz,
 Suggests:
  bpython3,
  geoip-database-contrib,
@@ -69,7 +70,6 @@ Suggests:
  python3-mysqldb,
  python3-pil,
  python3-psycopg2,
- python3-pytz,
  python3-selenium,
  python3-sqlite,
  python3-yaml,

diff --git a/debian/patches/postgresql-18-skip-not-null-constraints.patch b/debian/patches/postgresql-18-skip-not-null-constraints.patch
diff --git a/debian/patches/py314-copy-BaseContext.patch b/debian/patches/py314-copy-BaseContext.patch
diff --git a/debian/patches/py314-test-prefetch-related-queryset.patch b/debian/patches/py314-test-prefetch-related-queryset.patch