An update for python-django is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2379 Final 1.0 1.0 2025-10-11 Initial 2025-10-11 2025-10-11 openEuler SA Tool V1.0 2025-10-11 python-django security update An update for python-django is now available for openEuler-24.03-LTS A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fix(es): An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods on MySQL and MariaDB.(CVE-2025-59681) A critical vulnerability was found in Django up to 4.2.24/5.1.12/5.2.6. Using CWE to declare the problem leads to CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Impacted is confidentiality, integrity, and availability. Upgrading to version 4.2.25, 5.1.13 or 5.2.7 eliminates this vulnerability.(CVE-2025-59682) An update for python-django is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical python-django https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2379 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-59681 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-59682 https://nvd.nist.gov/vuln/detail/CVE-2025-59681 https://nvd.nist.gov/vuln/detail/CVE-2025-59682 openEuler-24.03-LTS python-django-4.2.15-9.oe2403.src.rpm python-django-help-4.2.15-9.oe2403.noarch.rpm python3-Django-4.2.15-9.oe2403.noarch.rpm An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods on MySQL and MariaDB. 2025-10-11 CVE-2025-59681 openEuler-24.03-LTS Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H python-django security update 2025-10-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2379 A critical vulnerability was found in Django up to 4.2.24/5.1.12/5.2.6. Using CWE to declare the problem leads to CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Impacted is confidentiality, integrity, and availability. Upgrading to version 4.2.25, 5.1.13 or 5.2.7 eliminates this vulnerability. 2025-10-11 CVE-2025-59682 openEuler-24.03-LTS Low 3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N python-django security update 2025-10-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2379