django.git, branch 4.2.23 django http://cgit.adnoto.dev/django.git/atom?h=4.2.23 2025-06-10T09:51:54Z [4.2.x] Bumped version for 4.2.23 release. 2025-06-10T09:51:54Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2025-06-10T09:51:54Z urn:sha1:a698dc223be0e245c8e9cf347defc1892ae5e3ea [4.2.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response logging. 2025-06-06T12:24:47Z Jake Howard git@theorangeone.net 2025-06-04T15:08:46Z urn:sha1:b597d46bb19c8567615e62029210dab16c70db7d Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, to ensure untrusted values like request paths are safely escaped. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 957951755259b412d5113333b32bf85871d29814 from main. [4.2.x] Refs CVE-2025-48432 -- Made SuspiciousOperation logging use log_response() for consistency. 2025-06-06T12:22:03Z Natalia 124304+nessita@users.noreply.github.com 2025-06-05T13:07:17Z urn:sha1:10ba3f78da2e22bd232dc085e2a8a7c293c3fb73 Backport of ff835f439cb1ecd8d74a24de12e3c03e5477dc9d from main. [4.2.x] Refactored logging_tests to reuse assertions for log records. 2025-06-06T12:21:16Z Natalia 124304+nessita@users.noreply.github.com 2025-06-04T19:12:13Z urn:sha1:ba24ee34f98cb17d99b1f82bc1ede45ff311a70b Backport of 9d72e7daf7299ef1ece56fd657a02f77a469efe9 from main. [4.2.x] Added CVE-2025-48432 to security archive. 2025-06-04T13:58:57Z Natalia 124304+nessita@users.noreply.github.com 2025-06-04T13:57:51Z urn:sha1:b07f886af713c7d87f1a954560c6b2ff843f379c Backport of 51923c576a596ad00214e44028f9dee9748bce95 from main. [4.2.x] Post-release version bump. 2025-06-04T11:52:32Z Natalia 124304+nessita@users.noreply.github.com 2025-06-04T11:52:32Z urn:sha1:8d87045d8f312c5d8d9779b54831fabc320a27a3 [4.2.x] Bumped version for 4.2.22 release. 2025-06-04T11:51:01Z Natalia 124304+nessita@users.noreply.github.com 2025-06-04T11:51:01Z urn:sha1:7275cc5d1326fad562725ed47fbe5eb149dfa6fb [4.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`. 2025-06-04T11:50:05Z Natalia 124304+nessita@users.noreply.github.com 2025-05-20T18:29:52Z urn:sha1:ac03c5e7df8680c61cdb0d3bdb8be9095dba841e Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net> Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main. [4.2.x] Added stub release notes and release date for 4.2.22. 2025-05-28T13:21:44Z Natalia 124304+nessita@users.noreply.github.com 2025-05-28T13:03:06Z urn:sha1:c62f4eeda774b10541154b9e980f5b981030c4a0 Backport of 1a744343999c9646912cee76ba0a2fa6ef5e6240 from main. [4.2.x] Fixed #36402, Refs #35980 -- Updated built package name in reusable apps tutorial for PEP 625. 2025-05-26T15:38:29Z Jason Judkins 34417573+jcjudkins@users.noreply.github.com 2025-05-26T15:33:29Z urn:sha1:c5b42632c95fdaaa46e2b9b512bf39346e21abc9 Backport of 1307b8a1cb05762147736d0f347792b33f645390 from main.