Thursday, April 9, 2026

[USN-8154-2] Django vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8154-2
April 09, 2026

python-django vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Django.

Software Description:
- python-django: High-level Python web development framework

Details:

USN-8154-1 fixed vulnerabilities in Django. This update provides the
corresponding updates for CVE-2026-33033 and CVE-2026-4292 in Ubuntu 14.04 LTS
and Ubuntu 16.04 LTS, and CVE-2026-4277 in Ubuntu 16.04 LTS.

Original advisory details:

 Seokchan Yoon discovered that Django incorrectly handled copying memory when
 parsing multipart uploads with excessive whitespace. A remote attacker could
 possibly use this issue to cause Django to use excessive resources, leading
 to a denial of service. (CVE-2026-33033)

 It was discovered that Django did not enforce an upload memory size limit in
 the Content-Length header. A remote attacker could possibly use this issue to
 cause Django to use excessive resources, leading to a denial of service. This
 issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-33034)

 Tarek Nakkouch discovered that Django incorrectly handled underscores in the
 ASGI headers. A remote attacker could possibly use this issue to spoof HTTP
 headers. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and
 Ubuntu 25.10. (CVE-2026-3902)

 It was discovered that Django incorrectly handled verification of model data
 created with POST requests. A remote attacker could possibly use this issue
 to forge new model permissions. (CVE-2026-4277, CVE-2026-4292)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
  python-django                   1.8.7-1ubuntu5.15+esm12
                                  Available with Ubuntu Pro
  python3-django                  1.8.7-1ubuntu5.15+esm12
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  python-django                   1.6.11-0ubuntu1.3+esm11
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8154-2
  https://ubuntu.com/security/notices/USN-8154-1
  CVE-2026-33033, CVE-2026-4277, CVE-2026-4292
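To confirm that a host is no longer running a vulnerable build, here is an added Python example (not part of the notice and not Ubuntu's own tooling) that compares the versions reported by `dpkg-query` with the fixed package versions listed above. `FIXED_VERSIONS`, `unpatched` and the sample dpkg-query output are constructed for this example, and the version ordering re-implements dpkg's comparison rules rather than shelling out to `dpkg --compare-versions`.

```python
# Added example, not part of the notice: compare installed python-django versions
# with the fixed versions in USN-8154-2 using dpkg's version-ordering rules.
import re
from itertools import zip_longest
FIXED_VERSIONS = {  # fixed package versions as listed in the notice
    "16.04": {"python-django": "1.8.7-1ubuntu5.15+esm12",
              "python3-django": "1.8.7-1ubuntu5.15+esm12"},
    "14.04": {"python-django": "1.6.11-0ubuntu1.3+esm11"},
}
_RUNS = re.compile(r"(\D*)(\d*)")  # a version string as alternating non-digit/digit runs

def _order(c):
    # dpkg ordering: '~' sorts before everything (even end of string), letters before others.
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg rule: non-digit runs compare char by char (0 marks the end), numeric runs as ints.
    for (sa, na), (sb, nb) in zip_longest(_RUNS.findall(a), _RUNS.findall(b), fillvalue=("", "")):
        ka, kb = [_order(c) for c in sa] + [0], [_order(c) for c in sb] + [0]
        if ka != kb:
            return (ka > kb) - (ka < kb)
        da, db = int(na or 0), int(nb or 0)  # leading zeros are insignificant
        if da != db:
            return (da > db) - (da < db)
    return 0

def _parse(v):
    # Split "[epoch:]upstream[-revision]" as dpkg does (the last '-' starts the revision).
    epoch, sep, rest = v.partition(":")
    epoch, rest = (int(epoch), rest) if sep else (0, v)
    upstream, sep, revision = rest.rpartition("-")
    return epoch, (upstream if sep else rest), (revision if sep else "")

def compare_versions(v1, v2):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    (e1, u1, r1), (e2, u2, r2) = _parse(v1), _parse(v2)
    return (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def unpatched(release, dpkg_output):
    """(package, installed, fixed) for notice packages still below the fixed version;
    dpkg_output is the text from `dpkg-query -W -f '${Package}\\t${Version}\\n'`."""
    fixed = FIXED_VERSIONS[release]
    rows = [line.split() for line in dpkg_output.splitlines() if line.strip()]
    return [(n, v, fixed[n]) for n, v in rows
            if n in fixed and compare_versions(v, fixed[n]) < 0]

# Constructed sample of dpkg-query output, not captured from a real host.
SAMPLE_16_04 = "python-django\t1.8.7-1ubuntu5.15+esm11\npython3-django\t1.8.7-1ubuntu5.15+esm12\n"
```

Running `unpatched("16.04", SAMPLE_16_04)` flags only `python-django`, since the `+esm11` revision sorts below the fixed `+esm12`.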
