django.git/docs/releases/4.2.22.txt, branch maindjango
http://cgit.adnoto.dev/django.git/atom?h=main2025-06-04T11:33:30ZFixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`.2025-06-04T11:33:30ZNatalia124304+nessita@users.noreply.github.com2025-05-20T18:29:52Zurn:sha1:a07ebec5591e233d8bbb38b7d63f35c5479eef0e
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Added stub release notes and release date for 5.2.2, 5.1.10, and 4.2.22.2025-05-28T13:03:06ZNatalia124304+nessita@users.noreply.github.com2025-05-28T13:03:06Zurn:sha1:1a744343999c9646912cee76ba0a2fa6ef5e6240