django.git, branch 4.2.29

[4.2.x] Bumped version for 4.2.29 release.

2026-03-03T12:24:26Z

[4.2.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions on file system object creation.

2026-03-03T12:23:20Z

This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython. Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Zackery Spytz Refs CVE-2020-24583 and #31921. Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews. Backport of 019e44f67a8dace67b786e2818938c8691132988 from main.

[4.2.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection.

2026-03-03T12:22:17Z

This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.

[4.2.x] Added stub release notes and release date for 4.2.29.

2026-02-24T16:52:35Z

Backport of acd0bec51366e259b4c2b43e4c09755541cdf560 from main.

[4.2.x] Added CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287, and CVE-2026-1312 to security archive.

2026-02-03T14:12:15Z

Backport of af361d3be4725b9da1022c078b2db02b9d9b96e7 from main.

[4.2.x] Post-release version bump.

2026-02-03T13:32:56Z

[4.2.x] Bumped version for 4.2.28 release.

2026-02-03T13:31:19Z

[4.2.x] Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods.

2026-02-03T13:26:51Z

This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795. Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main.

[4.2.x] Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases with periods.

2026-02-03T13:26:22Z

Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews. Backport of 69065ca869b0970dff8fdd8fafb390bf8b3bf222 from main.

[4.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters.

2026-02-03T13:25:58Z

Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.