django.git, branch 4.2.16

[4.2.x] Bumped version for 4.2.16 release.

2024-09-03T12:44:17Z

[4.2.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when email sending fails.

2024-09-03T12:42:25Z

On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews.

[4.2.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.

2024-09-03T12:42:15Z

Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.

[4.2.x] Fixed grammatical error in stub release notes for upcoming security release.

2024-08-27T12:52:50Z

Backport of b941de340daed4ce88f04a8012b9dba00ccb1359 from main.

[4.2.x] Added stub release notes and release date for 4.2.16.

2024-08-27T12:37:37Z

Backport of 67efd42517af0faf24872df4295b39e98ce826af from main.

[4.2.x] Added CVE-2024-41989, CVE-2024-41990, CVE-2024-41991, and CVE-2024-42005 to security archive.

2024-08-06T15:33:37Z

Backport of fdc638bf4a35b5497d0b3b4faedaf552da792f99 from main.

[4.2.x] Post-release version bump.

2024-08-06T13:32:16Z

[4.2.x] Bumped version for 4.2.15 release.

2024-08-06T12:56:30Z

[4.2.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.

2024-07-31T14:12:35Z

Thanks Eyal (eyalgabay) for the report.

[4.2.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget.

2024-07-31T14:12:23Z

Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>