chango.git, branch 5.0.10

chango.git, branch 5.0.10 django http://cgit.adnoto.dev/chango.git/atom?h=5.0.10 2024-12-04T13:27:16Z [5.0.x] Bumped version for 5.0.10 release. 2024-12-04T13:27:16Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-12-04T13:27:16Z urn:sha1:3b3a5f4efbf93692557b7f473519bd0ad8f04c6a [5.0.x] Fixed CVE-2024-53908 -- Prevented SQL injections in direct HasKeyLookup usage on Oracle. 2024-12-04T13:25:15Z Simon Charette charette.s@gmail.com 2024-11-09T02:27:31Z urn:sha1:ff08bb6c70aa45f83a5ef3bd0b601c7c9d1a7642 Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah Boyce for the reviews. [5.0.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags(). 2024-12-04T13:25:05Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-11-13T14:06:23Z urn:sha1:a5a89ea28cc550c1b29b03f9e14ef3c128ec1e84 Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews. [5.0.x] Added stub release notes and release date for 5.0.10, and 4.2.17. 2024-11-27T14:45:35Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-11-27T13:30:12Z urn:sha1:baf63eb0981e8127419a1f4fd98f3a533525ec44 Backport of 2544c1585473c1e82dab1274b52052744f97ca72 from main. [5.0.x] Fixed docs build on Sphinx 8.1+. 2024-11-26T13:09:00Z Mariusz Felisiak felisiak.mariusz@gmail.com 2024-10-11T11:50:51Z urn:sha1:c8ce36bb7b5198382baedbdcd0074b3d8aa99c1f Sphinx 8.1 added :cve: role, so there is no need to define it in Django: - https://github.com/sphinx-doc/sphinx/pull/11781 This also changes used URL to the one used by Python and soonish to be used by Sphinx itself: - https://github.com/sphinx-doc/sphinx/pull/13006 Backport of 263f7319192b217c4e3b1eea0ea7809836392bbc from main. [5.0.x] Refs #35844 -- Expanded compatibility for expected error messages in command tests on Python 3.12. 2024-10-30T10:28:55Z Tainara Palmeira tainarapalmeirag@gmail.com 2024-10-28T13:46:20Z urn:sha1:5064ddb4f9532cb2827744c052f277c39b74920a Updated CommandTests.test_subparser_invalid_option and CommandDBOptionChoiceTests.test_invalid_choice_db_option to use assertRaisesRegex() for compatibility with modified error messages in Python 3.12, 3.13, and 3.14+.. Backport of fc22fdd34f1e55adde161f5f2dca8db90bbfce80 from main. [5.0.x] Added CVE-2024-45230 and CVE-2024-45231 to security archive. 2024-09-03T14:24:42Z Natalia 124304+nessita@users.noreply.github.com 2024-09-03T14:19:02Z urn:sha1:901ec7a217d174b25ac008c9c385928a36f870d1 Backport of aa5293068782dfa2d2173c75c8477f58a9989942 from main. [5.0.x] Post-release version bump. 2024-09-03T12:37:31Z Natalia 124304+nessita@users.noreply.github.com 2024-09-03T12:37:31Z urn:sha1:cc13485c298cdf46fc1efdda51b9385a4d8010aa [5.0.x] Bumped version for 5.0.9 release. 2024-09-03T12:34:49Z Natalia 124304+nessita@users.noreply.github.com 2024-09-03T12:34:49Z urn:sha1:8e68f938f376cf2ca22a7e8ff0bcbe1b7a5832d1 [5.0.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when email sending fails. 2024-09-03T12:33:01Z Natalia 124304+nessita@users.noreply.github.com 2024-08-19T17:47:38Z urn:sha1:96d84047715ea1715b4bd1594e46122b8a77b9e2 On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews.