The Django team has released new versions, 6.0.3, 5.2.12, and 4.2.29, to address security vulnerabilities. These releases fix critical issues, and users are urged to update promptly.

The first vulnerability, CVE-2026-25673, concerns a potential denial of service in URLField on Windows caused by Unicode normalization. The fix simplifies scheme detection in URLField and removes the slow normalization step; this changes how whitespace and control characters are handled.

The second vulnerability, CVE-2026-25674, addresses potentially incorrect permissions on file system objects in multi-threaded environments. The fix calls `os.chmod()` after directory creation, removing the dependency on the process umask.

The first issue is rated moderate severity and the second low severity. Thanks go to Seokchan Yoon and Tarek Nakkouch for reporting the vulnerabilities. Patches are available for Django's main, 6.0, 5.2, and 4.2 branches. Download links for the updated releases, including checksums, are provided. Security issues should be reported privately to security@djangoproject.com. The release is signed with Natalia Bidart's PGP key.
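The following is an added example, not Django's own code, illustrating why a directory mode set through `os.makedirs()` depends on the process umask, and why an explicit `os.chmod()` after creation does not. Both helper functions (`create_dir_umask_dependent`, `create_dir_explicit`, `demo`) are hypothetical names chosen for this illustration; the umask-dependent variant stands in for any approach that relies on the process-wide umask rather than for Django's exact pre-fix code. It assumes a POSIX file system, where `os.chmod()` sets the full permission bits.

```python
import os
import stat
import tempfile


def create_dir_umask_dependent(path: str, mode: int = 0o755) -> int:
    """Create a directory relying on os.makedirs(mode=...).

    The kernel applies the process umask to the requested mode, so the
    resulting permissions are mode & ~umask. Getting the requested mode
    would require changing the umask, which is process-wide and therefore
    races with other threads creating files at the same time.
    Returns the permission bits actually set on disk.
    """
    os.makedirs(path, mode=mode, exist_ok=True)
    return stat.S_IMODE(os.stat(path).st_mode)


def create_dir_explicit(path: str, mode: int = 0o755) -> int:
    """Create a directory, then set its permissions with os.chmod().

    chmod() is not subject to the umask and touches only this path, so no
    process-wide state needs to be changed and other threads are unaffected.
    Returns the permission bits actually set on disk.
    """
    os.makedirs(path, exist_ok=True)
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(mode: int = 0o755, restrictive_umask: int = 0o077) -> tuple:
    """Run both variants under a restrictive umask (constructed for the demo).

    Returns (umask_dependent_bits, explicit_bits) so the difference is
    observable: the first loses the group/other bits, the second keeps the
    requested mode.
    """
    old_umask = os.umask(restrictive_umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            dependent = create_dir_umask_dependent(os.path.join(tmp, "a"), mode)
            explicit = create_dir_explicit(os.path.join(tmp, "b"), mode)
    finally:
        os.umask(old_umask)
    return dependent, explicit


if __name__ == "__main__":
    dependent, explicit = demo()
    print(f"makedirs(mode=0o755) under umask 0o077 -> {oct(dependent)}")
    print(f"makedirs() + chmod(0o755)          -> {oct(explicit)}")
```

When checking a deployment, compare the mode of a freshly created upload directory against the configured `FILE_UPLOAD_DIRECTORY_PERMISSIONS`; with the `chmod()`-based approach the two match regardless of the umask the worker process inherited.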
djangoproject.com
