django.git, branch 3.1.13

[3.1.x] Bumped version for 3.1.13 release.

2021-07-01T06:37:09Z

[3.1.x] Fixed CVE-2021-35042 -- Prevented SQL injection in QuerySet.order_by().

2021-07-01T06:36:17Z

Regression introduced in 513948735b799239f3ef8c89397592445e1a0cd5 by marking the raw SQL column reference feature for deprecation in Django 4.0 while lifting the column format validation. In retrospective the validation should have been kept around and the user should have been pointed at using RawSQL expressions during the deprecation period. The main branch is not affected because the raw SQL column reference support has been removed in 06eec3197009b88e3a633128bbcbd76eea0b46ff per the 4.0 deprecation life cycle. Thanks Joel Saunders for the report.

[3.1.x] Added stub release notes for 3.1.13.

2021-07-01T04:59:22Z

Backport of 8e97698d7b537cd298438a8d7b55916d275ff851 from main.

[3.1.x] Fixed docs header underlines in security archive.

2021-06-02T10:26:59Z

Backport of d9cee3f5f2f90938d2c2c0230be40c7d50aef53d from main

[3.1.x] Added CVE-2021-33203 and CVE-2021-33571 to security archive.

2021-06-02T09:18:36Z

Backport of a39f235ca4cb7370dba3a3dedeaab0106d27792f from main

[3.1.x] Post-release version bump.

2021-06-02T08:43:27Z

[3.1.x] Bumped version for 3.1.12 release.

2021-06-02T08:39:54Z

[3.1.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.

2021-06-02T08:38:07Z

validate_ipv4_address() was affected only on Python < 3.9.5, see [1]. URLValidator() uses a regular expressions and it was affected on all Python versions. [1] https://bugs.python.org/issue36384

[3.1.x] Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView.

2021-06-02T08:38:07Z

[3.1.x] Confirmed release date for Django 3.1.12, and 2.2.24.

2021-06-02T08:22:02Z

Backport of f66ae7a2d5558fe88ddfe639a610573872be6628 from main