django.git, branch 4.2.18 django http://cgit.adnoto.dev/django.git/atom?h=4.2.18 2025-01-14T12:08:35Z [4.2.x] Bumped version for 4.2.18 release. 2025-01-14T12:08:35Z Natalia 124304+nessita@users.noreply.github.com 2025-01-14T12:08:35Z urn:sha1:a7b0e50eadba8f0420013605c70eb790280b0fd2 [4.2.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation. 2025-01-14T12:08:01Z Natalia 124304+nessita@users.noreply.github.com 2025-01-06T18:51:45Z urn:sha1:ad866a1ca3e7d60da888d25d27e46a8adb2ed36e Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> [4.2.x] Added stub release notes and release date for 4.2.18. 2025-01-07T15:37:42Z Natalia 124304+nessita@users.noreply.github.com 2025-01-07T15:28:39Z urn:sha1:b0d309c9eb802cbc652595e2d413bb451e37f124 Backport of 53e21eebf22bc05c7fa30820b453b7f345b7af40 from main. [4.2.x] Cleaned up CVE-2024-53907 and CVE-2024-53908 security archive descriptions. 2024-12-04T16:03:55Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-12-04T15:51:46Z urn:sha1:39cf3c63f3228a04f101f3e62c75a6aae7c6ef0f Backport of eb665e076ca3417eb0ac654aed9e9c1853c5af84 from main. [4.2.x] Added CVE-2024-53907 and CVE-2024-53908 to security archive. 2024-12-04T15:33:06Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-12-04T15:30:03Z urn:sha1:0ff19d12e7d240d871975432ce429616012aa35e Backport of 595cb4a7aeb1ba1770d10d601ce9a2b4e487c46e from main. [4.2.x] Post-release version bump. 2024-12-04T13:37:13Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-12-04T13:37:13Z urn:sha1:6c4fc7d6202b70ca20d21a62808e38b36bc50854 [4.2.x] Bumped version for 4.2.17 release. 2024-12-04T13:34:11Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-12-04T13:34:11Z urn:sha1:1f0356ff2af11a5fa71fb07b4627e10edd170438 [4.2.x] Fixed CVE-2024-53908 -- Prevented SQL injections in direct HasKeyLookup usage on Oracle. 2024-12-04T13:32:17Z Simon Charette charette.s@gmail.com 2024-11-09T02:27:31Z urn:sha1:7376bcbf508883282ffcc0f0fac5cf0ed2d6cbc5 Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah Boyce for the reviews. [4.2.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags(). 2024-12-04T13:32:08Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-11-13T14:06:23Z urn:sha1:790eb058b0716c536a2f2e8d1c6d5079d776c22b Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews. [4.2.x] Refs CVE-2024-11168 -- Updated vendored _urlsplit() to properly validate IPv6 and IPvFuture addresses. 2024-12-03T08:50:11Z Mariusz Felisiak felisiak.mariusz@gmail.com 2024-12-01T11:31:12Z urn:sha1:f663277a4c22ef96cbdebfd0ed76155b9d37b4f8 Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function _urlsplit() with unsanitized input could be at risk. https://github.com/python/cpython/pull/103849