summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorJake Howard <git@theorangeone.net>2025-06-04 16:08:46 +0100
committerNatalia <124304+nessita@users.noreply.github.com>2025-06-06 09:07:12 -0300
commit8fcc83953c350e158a484bf1da0aa1b79b69bb07 (patch)
tree75049c5eb7c7b654a29db41a4a1d09d1fd650874 /docs
parent9d7fc9eb1c79242f3330aa62629699a8b5fc5451 (diff)
[5.2.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response logging.
Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, to ensure untrusted values like request paths are safely escaped. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 957951755259b412d5113333b32bf85871d29814 from main.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/4.2.23.txt14
-rw-r--r--docs/releases/5.1.11.txt14
-rw-r--r--docs/releases/5.2.3.txt6
-rw-r--r--docs/releases/index.txt2
4 files changed, 34 insertions, 2 deletions
diff --git a/docs/releases/4.2.23.txt b/docs/releases/4.2.23.txt
new file mode 100644
index 0000000000..e4232f9bea
--- /dev/null
+++ b/docs/releases/4.2.23.txt
@@ -0,0 +1,14 @@
+===========================
+Django 4.2.23 release notes
+===========================
+
+*June 10, 2025*
+
+Django 4.2.23 fixes a potential log injection issue in 4.2.22.
+
+Bugfixes
+========
+
+* Fixed a log injection possibility by migrating remaining response logging
+ to ``django.utils.log.log_response()``, which safely escapes arguments such
+ as the request path to prevent unsafe log output (:cve:`2025-48432`).
diff --git a/docs/releases/5.1.11.txt b/docs/releases/5.1.11.txt
new file mode 100644
index 0000000000..de44dc0e67
--- /dev/null
+++ b/docs/releases/5.1.11.txt
@@ -0,0 +1,14 @@
+===========================
+Django 5.1.11 release notes
+===========================
+
+*June 10, 2025*
+
+Django 5.1.11 fixes a potential log injection issue in 5.1.10.
+
+Bugfixes
+========
+
+* Fixed a log injection possibility by migrating remaining response logging
+ to ``django.utils.log.log_response()``, which safely escapes arguments such
+ as the request path to prevent unsafe log output (:cve:`2025-48432`).
diff --git a/docs/releases/5.2.3.txt b/docs/releases/5.2.3.txt
index fa0b4163c0..5aaa7fd2dd 100644
--- a/docs/releases/5.2.3.txt
+++ b/docs/releases/5.2.3.txt
@@ -2,7 +2,7 @@
Django 5.2.3 release notes
==========================
-*Expected July 2, 2025*
+*June 10, 2025*
Django 5.2.3 fixes several bugs in 5.2.2. Also, the latest string translations
from Transifex are incorporated.
@@ -10,4 +10,6 @@ from Transifex are incorporated.
Bugfixes
========
-* ...
+* Fixed a log injection possibility by migrating remaining response logging
+ to ``django.utils.log.log_response()``, which safely escapes arguments such
+ as the request path to prevent unsafe log output (:cve:`2025-48432`).
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index e65fa85a38..1ec2a91c06 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -35,6 +35,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 5.1.11
5.1.10
5.1.9
5.1.8
@@ -74,6 +75,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 4.2.23
4.2.22
4.2.21
4.2.20