diff options
| author | Jake Howard <git@theorangeone.net> | 2025-06-04 16:08:46 +0100 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2025-06-06 09:07:12 -0300 |
| commit | 8fcc83953c350e158a484bf1da0aa1b79b69bb07 (patch) | |
| tree | 75049c5eb7c7b654a29db41a4a1d09d1fd650874 /docs | |
| parent | 9d7fc9eb1c79242f3330aa62629699a8b5fc5451 (diff) | |
[5.2.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response logging.
Migrated remaining response-related logging to use the `log_response()`
helper to avoid potential log injection, to ensure untrusted values like
request paths are safely escaped.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 957951755259b412d5113333b32bf85871d29814 from main.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/4.2.23.txt | 14 | ||||
| -rw-r--r-- | docs/releases/5.1.11.txt | 14 | ||||
| -rw-r--r-- | docs/releases/5.2.3.txt | 6 | ||||
| -rw-r--r-- | docs/releases/index.txt | 2 |
4 files changed, 34 insertions, 2 deletions
diff --git a/docs/releases/4.2.23.txt b/docs/releases/4.2.23.txt new file mode 100644 index 0000000000..e4232f9bea --- /dev/null +++ b/docs/releases/4.2.23.txt @@ -0,0 +1,14 @@ +=========================== +Django 4.2.23 release notes +=========================== + +*June 10, 2025* + +Django 4.2.23 fixes a potential log injection issue in 4.2.22. + +Bugfixes +======== + +* Fixed a log injection possibility by migrating remaining response logging + to ``django.utils.log.log_response()``, which safely escapes arguments such + as the request path to prevent unsafe log output (:cve:`2025-48432`). diff --git a/docs/releases/5.1.11.txt b/docs/releases/5.1.11.txt new file mode 100644 index 0000000000..de44dc0e67 --- /dev/null +++ b/docs/releases/5.1.11.txt @@ -0,0 +1,14 @@ +=========================== +Django 5.1.11 release notes +=========================== + +*June 10, 2025* + +Django 5.1.11 fixes a potential log injection issue in 5.1.10. + +Bugfixes +======== + +* Fixed a log injection possibility by migrating remaining response logging + to ``django.utils.log.log_response()``, which safely escapes arguments such + as the request path to prevent unsafe log output (:cve:`2025-48432`). diff --git a/docs/releases/5.2.3.txt b/docs/releases/5.2.3.txt index fa0b4163c0..5aaa7fd2dd 100644 --- a/docs/releases/5.2.3.txt +++ b/docs/releases/5.2.3.txt @@ -2,7 +2,7 @@ Django 5.2.3 release notes ========================== -*Expected July 2, 2025* +*June 10, 2025* Django 5.2.3 fixes several bugs in 5.2.2. Also, the latest string translations from Transifex are incorporated. @@ -10,4 +10,6 @@ from Transifex are incorporated. Bugfixes ======== -* ... +* Fixed a log injection possibility by migrating remaining response logging + to ``django.utils.log.log_response()``, which safely escapes arguments such + as the request path to prevent unsafe log output (:cve:`2025-48432`). diff --git a/docs/releases/index.txt b/docs/releases/index.txt index e65fa85a38..1ec2a91c06 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -35,6 +35,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 5.1.11 5.1.10 5.1.9 5.1.8 @@ -74,6 +75,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 4.2.23 4.2.22 4.2.21 4.2.20 |
