惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
S
Secure Thoughts
V2EX - 技术
V2EX - 技术
大猫的无限游戏
大猫的无限游戏
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
O
OpenAI News
D
DataBreaches.Net
The Cloudflare Blog
L
LangChain Blog
Last Week in AI
Last Week in AI
酷 壳 – CoolShell
酷 壳 – CoolShell
The Register - Security
The Register - Security
MyScale Blog
MyScale Blog
Help Net Security
Help Net Security
Jina AI
Jina AI
T
The Blog of Author Tim Ferriss
T
The Exploit Database - CXSecurity.com
D
Darknet – Hacking Tools, Hacker News & Cyber Security
博客园 - 叶小钗
The Last Watchdog
The Last Watchdog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
www.infosecurity-magazine.com
www.infosecurity-magazine.com
TaoSecurity Blog
TaoSecurity Blog
博客园 - 司徒正美
aimingoo的专栏
aimingoo的专栏
C
Cyber Attacks, Cyber Crime and Cyber Security
A
Arctic Wolf
T
Tenable Blog
Know Your Adversary
Know Your Adversary
Google DeepMind News
Google DeepMind News
量子位
The Hacker News
The Hacker News
AWS News Blog
AWS News Blog
Apple Machine Learning Research
Apple Machine Learning Research
Vercel News
Vercel News
Hacker News: Ask HN
Hacker News: Ask HN
Scott Helme
Scott Helme
小众软件
小众软件
Recent Commits to openclaw:main
Recent Commits to openclaw:main
T
Threat Research - Cisco Blogs
G
GRAHAM CLULEY
H
Heimdal Security Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园_首页
B
Blog
GbyAI
GbyAI
P
Palo Alto Networks Blog
美团技术团队
Hacker News - Newest:
Hacker News - Newest: "LLM"
博客园 - Franky

The Django weblog

Supporting the Triptych Project Explore the DjangoCon US 2026 Speaker Lineup and Reserve Your Spot Last Call 2026 Django Developer Survey Keeping Up with the Django Community DSF member of the month - Salim Nuru How the Django Software Foundation Became a CNA Django 6.1 beta 1 released Announcing the Search for a DSF Executive Director DSF 2026 Fundraising Goals Django security releases issued: 6.0.6 and 5.2.15 Django 6.1 alpha 1 released 2026 Django Developers Survey DSF member of the month - Bhuvnesh Sharma Announcing the Google Summer of Code 2026 contributors for Django Django security releases issued: 6.0.5 and 5.2.14 Renew Your PyCharm License and Support Django It's time to redesign djangoproject.com DSF member of the month - Rob Hudson New Technical Governance - request for community feedback PyCharm & Django annual fundraiser DSF member of the month - Baptiste Mispelon Django security releases issued: 6.0.2, 5.2.11, and 4.2.28
Django security releases issued: 6.0.7 and 5.2.16
Jacob Walls · 2026-07-07 · via The Django weblog

In accordance with our security release policy, the Django team is issuing releases for Django 6.0.7 and Django 5.2.16. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

django.middleware.cache.UpdateCacheMiddleware and django.views.decorators.cache.cache_page avoided caching responses that set a cookie while varying on Cookie only when the incoming request contained no cookies at all. When the request already carried an unrelated cookie (such as a language or theme preference cookie), the protection did not apply, allowing a response that sets a session or other sensitive cookie to be stored in Django's shared cache.

This issue has severity "low" according to the Django security policy.

Thanks to Chris Whyland for the report.

CVE-2026-53877: Heap buffer over-read in GDALRaster

When django.contrib.gis.gdal.GDALRaster was instantiated with a bytes object representing a raster file, the vsi_buffer property could over-read the allocated buffer by approximately 32 bytes. This could result in information disclosure of adjacent heap memory or, in rare cases, a segmentation fault. Only rasters stored in GDAL's virtual filesystem were affected.

This issue has severity "low" according to the Django security policy.

Thanks to Bence Nagy for the report.

CVE-2026-53878: Header injection possibility since DomainNameValidator accepted newlines in input

django.core.validators.DomainNameValidator accepted newlines in domain names. If such values were included in HTTP responses, header injection attacks were possible. Django itself wasn't vulnerable because HttpResponse prohibits newlines in HTTP headers.

The vulnerability only affected uses of DomainNameValidator outside Django form fields, as CharField strips newlines by default.

This issue has severity "low" according to the Django security policy.

Thanks to Bence Nagy for the report.

Affected supported versions

  • Django main
  • Django 6.1 (currently at beta status)
  • Django 6.0
  • Django 5.2

Resolution

Patches to resolve the issue have been applied to Django's main, 6.1 (currently at beta status), 6.0, and 5.2 branches. The patches may be obtained from the following changesets.

CVE-2026-53877: Heap buffer over-read in GDALRaster

CVE-2026-53878: Header injection possibility since DomainNameValidator accepted newlines in input

The following releases have been issued

The PGP key ID used for this release is Jacob Walls: 131403F4D16D8DC7

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance, nor via the Django Forum. Please see our security policies for further information.