Skip to content

Update dependency django to v6.0.6 [SECURITY]#9031

Open
renovate-bot wants to merge 1 commit into
googleapis:mainfrom
renovate-bot:renovate/pypi-django-vulnerability
Open

Update dependency django to v6.0.6 [SECURITY]#9031
renovate-bot wants to merge 1 commit into
googleapis:mainfrom
renovate-bot:renovate/pypi-django-vulnerability

Conversation

@renovate-bot

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
django (changelog) ==6.0.5==6.0.6 age confidence

Django fails to prevent reuse of a partially-initialized connection after a failed STARTTLS handshake

CVE-2026-7666 / GHSA-mm6v-q8q9-pgcf

More information

Details

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.

django.core.mail.backends.smtp.EmailBackend in Django fails to prevent reuse of a partially-initialized connection after a failed STARTTLS handshake when fail_silently=True, which allows on-path network attackers to read email content via cleartext interception.

Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Kasper Dupont for reporting this issue.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

django/django (django)

v6.0.6

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested review from a team and yoshi-approver as code owners July 13, 2026 17:36
@trusted-contributions-gcf trusted-contributions-gcf Bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jul 13, 2026
@renovate-bot renovate-bot force-pushed the renovate/pypi-django-vulnerability branch 12 times, most recently from 603e994 to 6784680 Compare July 16, 2026 01:21
@renovate-bot renovate-bot force-pushed the renovate/pypi-django-vulnerability branch from 6784680 to 62446cd Compare July 16, 2026 01:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

kokoro:force-run Add this label to force Kokoro to re-run the tests.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant