Age | Commit message | Author
2025-11-05 | [4.2.x] Bumped version for 4.2.26 release. (tag: 4.2.26) | Natalia
2025-11-05 | [4.2.x] Refs CVE-2025-64459 -- Avoided propagating invalid arguments to Q on dictionary expansion. | Jacob Walls
    Backport of 3c3f46357718166069948625354b8315a8505262 from main.
2025-11-05 | [4.2.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg. | Jacob Walls
    Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews.
    Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
2025-11-05 | [4.2.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows. | Jacob Walls
    Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review.
    Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
2025-11-03 | [4.2.x] Skipped test_compressed_file_based_raster_creation() test on GDAL 3.5+. | Mariusz Felisiak
2025-11-03 | [4.2.x] Fixed RelatedGeoModelTest.test_related_union_aggregate() crash on Python < 3.10. | Mariusz Felisiak
    Regression in 321af4877b62be6849f44e00d1c7e75928e7d3a2.
2025-10-29 | [4.2.x] Added stub release notes and release date for 4.2.26. | Jacob Walls
    Backport of ab108bf94dfc06c311d7dc81866b848fe5b5ee6c from main.
2025-10-22 | [4.2.x] Made RemoteTestResultTest.test_pickle_errors_detection() compatible with tblib 3.2+. | Mariusz Felisiak
    tblib 3.2+ makes exception subclasses with __init__() and the default __reduce__() picklable. This broke the test for RemoteTestResult._confirm_picklable(), which expects a specific exception to fail unpickling.
    https://github.com/ionelmc/python-tblib/blob/master/CHANGELOG.rst#320-2025-10-21
    This fix defines ExceptionThatFailsUnpickling.__reduce__() in a way that pickle.dumps(obj) succeeds, but pickle.loads(pickle.dumps(obj)) raises TypeError.
    Refs #27301. This preserves the intent of the regression test from 52188a5ca6bafea0a66f17baacb315d61c7b99cd without skipping it.
    Backport of 548209e620b3ca34396a360453f07c8dbb8aa6c7 from main.
2025-10-20 | [4.2.x] Fixed RelatedGeoModelTest.test_related_union_aggregate() test on Oracle and GEOS 3.12+. | Mariusz Felisiak
    Backport of 344ae16e1e21ab7c0b594d755519738f7f16eaf1 from main
2025-10-01 | [4.2.x] Rewrapped security archive at 79 chars. | Mariusz Felisiak
    Backport of 1499c95d990fb776c39ad60e43228cbbbfcad3a8 from main.
2025-10-01 | [4.2.x] Added CVE-2025-59681 and CVE-2025-59682 to security archive. | Jacob Walls
    Backport of 43d84aef04a9e71164c21a74885996981857e66e from main.
2025-10-01 | [4.2.x] Post-release version bump. | Jacob Walls
2025-10-01 | [4.2.x] Bumped version for 4.2.25 release. (tag: 4.2.25) | Jacob Walls
2025-10-01 | [4.2.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract(). | Sarah Boyce
    Thanks stackered for the report.
    Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23.
    Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
2025-10-01 | [4.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. | Mariusz Felisiak
    Thanks sw0rd1ight for the report.
    Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
    Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
2025-09-24 | [4.2.x] Added stub release notes and release date for 4.2.25. | Mariusz Felisiak
    Backport of 00174507f8a91e9577ae233c58af561b379f2695 from main.
2025-09-04 | [4.2.x] Added missing backticks in docs/releases/security.txt. | Mariusz Felisiak
    Backport of 686a8a62ae7faba9c3b17080c3532b821e8cb1f3 from main
2025-09-03 | [4.2.x] Added CVE-2025-57833 to security archive. | Sarah Boyce
    Backport of f0c05a40d27d69ef3a7b4e5e0199b5dba5b11feb from main.
2025-09-03 | [4.2.x] Post-release version bump. | Sarah Boyce
2025-09-03 | [4.2.x] Bumped version for 4.2.24 release. (tag: 4.2.24) | Sarah Boyce
2025-09-03 | [4.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases. | Jake Howard
    Thanks Eyal Gabay (EyalSec) for the report.
    Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
2025-08-27 | [4.2.x] Added stub release notes and release date for 4.2.24. | Sarah Boyce
    Backport of 4c71e334401a3e83c013419d0e2211543e7e873b from main.
2025-08-13 | [4.2.x] Fixed #36499 -- Adjusted utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior. | Natalia
    Python fixed a quadratic complexity processing for HTMLParser in: https://github.com/python/cpython/commit/6eb6c5db.
    Backport of 2980627502c84a9fd09272e1349dc574a2ff1fb1 from main.
2025-08-13 | [4.2.x] Fixed test_utils.tests.HTMLEqualTests.test_parsing_errors following Python's HTMLParser fixed parsing. | Natalia
    Further details about Python changes can be found in: https://github.com/python/cpython/commit/0243f97cbadec8d985e63b1daec5d1cbc850cae3.
    Refs #36499.
    Thank you Clifford Gama for the thorough review!
    Backport of e4515dad7a6d953c0bd2414127ba36e1446ff41a from main.
2025-08-04 | [4.2.x] Refs #36535 -- Doc'd that docutils < 0.22 is required. | Natalia
    Backport of 9d9b3bc71702e4bd4b7f8e1602d83fd69f871e94 from stable/5.1.x.
2025-07-16 | [4.2.x] Fixed GitHub Action that checks commit prefixes to fetch PR head correctly. | nessita
    Backport of 8499fba0e18826a77fe32cbc13a3d951d9ca8924 from main.
2025-07-16 | [4.2.x] Added GitHub Action to enforce stable branch commit message prefix. | nessita
    Backport of 10386fac00be55e73279459f00f1959c3ef30a1c from main.
2025-06-10 | [4.2.x] Added follow-up to CVE-2025-48432 to security archive. | Sarah Boyce
    Backport of 2714bc3f2c8675d32caae764c874ac381c836c7f from main.
2025-06-10 | [4.2.x] Post-release version bump. | Sarah Boyce
2025-06-10 | [4.2.x] Bumped version for 4.2.23 release. (tag: 4.2.23) | Sarah Boyce
2025-06-06 | [4.2.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response logging. | Jake Howard
    Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, to ensure untrusted values like request paths are safely escaped.
    Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
    Backport of 957951755259b412d5113333b32bf85871d29814 from main.
2025-06-06 | [4.2.x] Refs CVE-2025-48432 -- Made SuspiciousOperation logging use log_response() for consistency. | Natalia
    Backport of ff835f439cb1ecd8d74a24de12e3c03e5477dc9d from main.
2025-06-06 | [4.2.x] Refactored logging_tests to reuse assertions for log records. | Natalia
    Backport of 9d72e7daf7299ef1ece56fd657a02f77a469efe9 from main.
2025-06-04 | [4.2.x] Added CVE-2025-48432 to security archive. | Natalia
    Backport of 51923c576a596ad00214e44028f9dee9748bce95 from main.
2025-06-04 | [4.2.x] Post-release version bump. | Natalia
2025-06-04 | [4.2.x] Bumped version for 4.2.22 release. (tag: 4.2.22) | Natalia
2025-06-04 | [4.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`. | Natalia
    Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries.
    To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding.
    Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
    Co-authored-by: Carlton Gibson <carlton@noumenal.es>
    Co-authored-by: Jake Howard <git@theorangeone.net>
    Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
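The CVE-2025-48432 message above describes the mechanism (a CRLF in the request path splits one log record into two) and the mitigation (escape positional formatting arguments with the "unicode_escape" codec). The following is an added, stand-alone illustration of both; it is not Django's `log_response()` and the names `escape_log_args`, `render_log` and `MALICIOUS_PATH` are this example's own. The sample path is constructed, not a captured request.

```python
import io
import logging

# Constructed sample input (not a captured request): an attacker-controlled
# path carrying CR LF followed by a forged "INFO" line.
MALICIOUS_PATH = "/login\r\nINFO: admin logged in from 10.0.0.1"


def escape_log_args(args):
    """Escape formatting arguments the way the commit message describes.

    Each str argument is encoded with the "unicode_escape" codec and decoded
    back, so a raw CR/LF becomes the two visible characters "\\r" / "\\n".
    Caveat: the same codec also rewrites backslashes ("\\" -> "\\\\") and any
    non-ASCII character ("é" -> "\\xe9"), so escaped values are for log
    files, not for display. Non-str arguments (status codes, ints) pass
    through untouched. Hypothetical helper, not Django's own.
    """
    return tuple(
        a.encode("unicode_escape").decode("ascii") if isinstance(a, str) else a
        for a in args
    )


def render_log(path, reason="Not Found", escape=True):
    """Emit one warning record through the logging module and return the
    captured text. escape=False interpolates the untrusted path verbatim,
    which is the pre-fix behaviour; escape=True applies escape_log_args()."""
    stream = io.StringIO()
    logger = logging.getLogger("example.%s" % ("safe" if escape else "unsafe"))
    logger.handlers.clear()          # idempotent across repeated calls
    logger.propagate = False         # keep the record out of the root logger
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s: %(message)s"))
    logger.addHandler(handler)

    # Only the positional args are escaped; the format string itself is
    # developer-controlled and must never be built from request data.
    args = (reason, path)
    if escape:
        args = escape_log_args(args)
    logger.warning("%s: %s", *args)
    handler.flush()
    return stream.getvalue()


def line_count(log_text):
    """Number of physical lines in the captured output. A successful
    injection shows up as more than one line for a single record."""
    return len(log_text.splitlines())


if __name__ == "__main__":
    print("--- unescaped (pre-fix) ---")
    print(render_log(MALICIOUS_PATH, escape=False), end="")
    print("--- escaped (unicode_escape) ---")
    print(render_log(MALICIOUS_PATH, escape=True), end="")
```

Run as a script, the unescaped variant prints two lines, the second a forged "INFO:" entry that a log post-processor would read as a separate record; the escaped variant prints one line with a literal `\r\n` in the path. The same check (`line_count(...) > 1` for one record) is a cheap detection for log files written by code that has not yet been patched.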
2025-05-28 | [4.2.x] Added stub release notes and release date for 4.2.22. | Natalia
    Backport of 1a744343999c9646912cee76ba0a2fa6ef5e6240 from main.
2025-05-26 | [4.2.x] Fixed #36402, Refs #35980 -- Updated built package name in reusable apps tutorial for PEP 625. | Jason Judkins
    Backport of 1307b8a1cb05762147736d0f347792b33f645390 from main.
2025-05-22 | [4.2.x] Added helpers in csrf_tests and logging_tests to assert logs from `log_response()`. | Natalia
    Backport of ad6f99889838ccc2c30b3c02ed3868c9b565e81b from main.
2025-05-22 | [4.2.x] Refs #26688 -- Added tests for `log_response()` internal helper. | Natalia
    Backport of 897046815944cc9a2da7ed9e8082f45ffe8110e3 from main.
2025-05-09 | [4.2.x] Refs #35980 -- Added release note about changes in release artifacts filenames. | Natalia
    Backport of 42ab99309d347f617d60751c2e8d627fb2963049 from main.
2025-05-09 | [4.2.x] Removed "Expected" from release date for 4.2.21. | Natalia
    Backport of c86156378db09e68db3a9ae1c108f661a67e3abe from main.
2025-05-07 | [4.2.x] Cleaned up CVE-2025-32873 security archive description. | Natalia
    Backport of 37f2a77c729ccb71059c8e66c49b07499d2edf60 from main.
2025-05-07 | [4.2.x] Added CVE-2025-32873 to security archive. | Natalia
    Backport of fdabda4e05587347aeb3382a442d7e77c1a0c3e5 from main.
2025-05-06 | [4.2.x] Post-release version bump. | Natalia
2025-05-06 | [4.2.x] Bumped version for 4.2.21 release. (tag: 4.2.21) | Natalia
2025-05-06 | [4.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags(). | Sarah Boyce
    Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews.
    Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
    Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
2025-05-05 | [4.2.x] Changed packing recommendation to use pyproject.toml in reusable apps docs. | Claude Paroz
    Backport of f71bcc001bb3324020cfd756e84d4e9c6bb98cce from main.
2025-05-05 | [4.2.x] Adjusted GitHub Action workflow to test Python versions based off pyproject.toml. | Natalia