django.git, branch 2.1.11

django.git, branch 2.1.11 django http://cgit.adnoto.dev/django.git/atom?h=2.1.11 2019-08-01T08:48:48Z [2.1.x] Bumped version for 2.1.11 release. 2019-08-01T08:48:48Z Carlton Gibson carlton.gibson@noumenal.es 2019-08-01T08:48:48Z urn:sha1:ff9dcc0867eba90e9ab1b07a4b3eb79928717918 [2.1.x] Fixed CVE-2019-14235 -- Fixed potential memory exhaustion in django.utils.encoding.uri_to_iri(). 2019-07-31T10:43:32Z Florian Apolloner florian@apolloner.eu 2019-07-19T15:04:53Z urn:sha1:5d50a2e5fa36ad23ab532fc54cf4073de84b3306 Thanks to Guido Vranken for initial report. [2.1.x] Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key and index lookups against SQL injection. 2019-07-31T10:43:32Z Mariusz Felisiak felisiak.mariusz@gmail.com 2019-07-22T08:45:26Z urn:sha1:f74b3ae3628c26e1b4f8db3d13a91d52a833a975 Thanks to Sage M. Abdullah for the report and initial patch. Thanks Florian Apolloner for reviews. [2.1.X] Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities. 2019-07-29T09:12:53Z Florian Apolloner florian@apolloner.eu 2019-07-15T10:00:06Z urn:sha1:5ff8e791148bd451180124d76a55cb2b2b9556eb Thanks to Guido Vranken for initial report. [2.1.X] Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML. 2019-07-29T09:09:18Z Florian Apolloner florian@apolloner.eu 2019-07-15T09:46:09Z urn:sha1:c23723a1551340cc7d3126f04fcfd178fa224193 Thanks to Guido Vranken for initial report. [2.1.x] Added stub release notes for security releases. 2019-07-25T08:54:51Z Carlton Gibson carlton.gibson@noumenal.es 2019-07-25T08:49:30Z urn:sha1:24eba901eb9795ee87eddd5447ede62053fe59d4 Backport of f13147c8de725eed7038941758469aeb9bd66503 from master [2.1.x] Added CVE-2019-12781 to the security release archive. 2019-07-01T08:21:48Z Mariusz Felisiak felisiak.mariusz@gmail.com 2019-07-01T08:14:36Z urn:sha1:765dac3d76c5632258176b77a5687c83d464d52d Backport of 868cd56f058ca203419ad0886353173b74c3bcf1 from master [2.1.x] Post-release version bump. 2019-07-01T06:37:24Z Mariusz Felisiak felisiak.mariusz@gmail.com 2019-07-01T06:37:24Z urn:sha1:fafde97fd70b0ac135eed570f07c3a15f1728391 [2.1.x] Bumped version for 2.1.10 release. 2019-07-01T06:27:38Z Mariusz Felisiak felisiak.mariusz@gmail.com 2019-07-01T06:27:38Z urn:sha1:90a1cfd60002c465d9c47ad9ebc0a79ad0bc6cf9 [2.1.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set. 2019-07-01T06:24:47Z Carlton Gibson carlton.gibson@noumenal.es 2019-06-13T08:57:29Z urn:sha1:1e40f427bb8d0fb37cc9f830096a97c36c97af6f An HTTP request would not be redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if the proxy connected to Django via HTTPS. HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if set, rather than falling back to the request scheme when the SECURE_PROXY_SSL_HEADER did not have the secure value. Thanks to Gavin Wahl for the report and initial patch suggestion, and Shai Berger for review. Backport of 54d0f5e62f54c29a12dd96f44bacd810cbe03ac8 from master