chango.git, branch 5.1.11django
http://cgit.adnoto.dev/chango.git/atom?h=5.1.112025-06-10T09:47:54Z[5.1.x] Bumped version for 5.1.11 release.2025-06-10T09:47:54ZSarah Boyce42296566+sarahboyce@users.noreply.github.com2025-06-10T09:47:54Zurn:sha1:2285698fc1e41ff34dffcc0625528a8db7318a18[5.1.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response logging.2025-06-06T12:09:06ZJake Howardgit@theorangeone.net2025-06-04T15:08:46Zurn:sha1:31f4bd31fa16f7f5302f65b9b8b7a49b69a7c4a6
Migrated remaining response-related logging to use the `log_response()`
helper to avoid potential log injection, to ensure untrusted values like
request paths are safely escaped.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 957951755259b412d5113333b32bf85871d29814 from main.
[5.1.x] Refs CVE-2025-48432 -- Made SuspiciousOperation logging use log_response() for consistency.2025-06-06T12:07:54ZNatalia124304+nessita@users.noreply.github.com2025-06-05T13:07:17Zurn:sha1:363d2566859a4f6aef4256939b39fd0e2d423157
Backport of ff835f439cb1ecd8d74a24de12e3c03e5477dc9d from main.
[5.1.x] Refactored logging_tests to reuse assertions for log records.2025-06-06T12:07:48ZNatalia124304+nessita@users.noreply.github.com2025-06-04T19:12:13Zurn:sha1:15e4df1d3379ac69f628d0d2660ce65e7c45dbc2
Backport of 9d72e7daf7299ef1ece56fd657a02f77a469efe9 from main.
[5.1.x] Added CVE-2025-48432 to security archive.2025-06-04T13:58:49ZNatalia124304+nessita@users.noreply.github.com2025-06-04T13:57:51Zurn:sha1:976e34a2a5be067cce0c41d94367000d47947147
Backport of 51923c576a596ad00214e44028f9dee9748bce95 from main.
[5.1.x] Post-release version bump.2025-06-04T11:49:22ZNatalia124304+nessita@users.noreply.github.com2025-06-04T11:49:22Zurn:sha1:400170b69efda98d1535e622138eaadd8a0a7906[5.1.x] Bumped version for 5.1.10 release.2025-06-04T11:46:54ZNatalia124304+nessita@users.noreply.github.com2025-06-04T11:46:54Zurn:sha1:23a853821b75787d77016811881220ec6f57310a[5.1.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`.2025-06-04T11:46:07ZNatalia124304+nessita@users.noreply.github.com2025-05-20T18:29:52Zurn:sha1:596542ddb46cdabe011322917e1655f0d24eece2
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
[5.1.x] Added stub release notes and release date for 5.1.10 and 4.2.22.2025-05-28T13:19:23ZNatalia124304+nessita@users.noreply.github.com2025-05-28T13:03:06Zurn:sha1:a70841bc03a5f025c0c7d7a436021f154aee7bef
Backport of 1a744343999c9646912cee76ba0a2fa6ef5e6240 from main.
[5.1.x] Fixed #36402, Refs #35980 -- Updated built package name in reusable apps tutorial for PEP 625.2025-05-26T15:37:29ZJason Judkins34417573+jcjudkins@users.noreply.github.com2025-05-26T15:33:29Zurn:sha1:129750a8074b1f1f712b0005062cd1293eac21a9
Backport of 1307b8a1cb05762147736d0f347792b33f645390 from main.