summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2025-11-05[5.1.x] Bumped version for 5.1.14 release.5.1.14Natalia
2025-11-05[5.1.x] Refs CVE-2025-64459 -- Avoided propagating invalid arguments to Q on ↵Jacob Walls
dictionary expansion. Backport of 3c3f46357718166069948625354b8315a8505262 from main.
2025-11-05[5.1.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via ↵Jacob Walls
the _connector kwarg. Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
2025-11-05[5.1.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in ↵Jacob Walls
HttpResponseRedirect/HttpResponsePermanentRedirect on Windows. Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review. Follow-up to CVE-2025-27556 and 39e2297210d9d2938c75fc911d45f0e863dc4821. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
2025-10-29[5.1.x] Added stub release notes and release date for 5.1.14 and 4.2.26.Jacob Walls
Backport of ab108bf94dfc06c311d7dc81866b848fe5b5ee6c from main.
2025-10-22[5.1.x] Made RemoteTestResultTest.test_pickle_errors_detection() compatible ↵Mariusz Felisiak
with tblib 3.2+. tblib 3.2+ makes exception subclasses with __init__() and the default __reduce__() picklable. This broke the test for RemoteTestResult._confirm_picklable(), which expects a specific exception to fail unpickling. https://github.com/ionelmc/python-tblib/blob/master/CHANGELOG.rst#320-2025-10-21 This fix defines ExceptionThatFailsUnpickling.__reduce__() in a way that pickle.dumps(obj) succeeds, but pickle.loads(pickle.dumps(obj)) raises TypeError. Refs #27301. This preserves the intent of the regression test from 52188a5ca6bafea0a66f17baacb315d61c7b99cd without skipping it. Backport of 548209e620b3ca34396a360453f07c8dbb8aa6c7 from main.
2025-10-20[5.1.x] Fixed RelatedGeoModelTest.test_related_union_aggregate() test on ↵Mariusz Felisiak
Oracle and GEOS 3.12+. Backport of 344ae16e1e21ab7c0b594d755519738f7f16eaf1 from main
2025-10-10[5.1.x] Refs #36646 -- Doc'd that oracledb < 3.3.0 is required.Mariusz Felisiak
2025-10-10[5.1.x] Fixed OGRInspectTest.test_time_field with memory Spatialite database.David Smith
Backport of 82b3b84a78055844ee07d5d97843a4fc72872e28 from main
2025-10-08[5.1.x] Fixed #35961 -- Migrated license metadata in pyproject.toml to ↵Michiel W. Beijen
conform PEP 639. See https://peps.python.org/pep-0639/ and https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license-and-license-files. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of 96a7a652166bece8acc96d6335ebb8091de2f496 from main.
2025-10-01[5.1.x] Rewrapped security archive at 79 chars.Mariusz Felisiak
Backport of 1499c95d990fb776c39ad60e43228cbbbfcad3a8 from main.
2025-10-01[5.1.x] Added CVE-2025-59681 and CVE-2025-59682 to security archive.Jacob Walls
Backport of 43d84aef04a9e71164c21a74885996981857e66e from main.
2025-10-01[5.1.x] Post-release version bump.Jacob Walls
2025-10-01[5.1.x] Bumped version for 5.1.13 release.5.1.13Jacob Walls
2025-10-01[5.1.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal ↵Sarah Boyce
via archive.extract(). Thanks stackered for the report. Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23. Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
2025-10-01[5.1.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), ↵Mariusz Felisiak
aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
2025-09-24[5.1.x] Added stub release notes and release date for 5.1.13 and 4.2.25.Mariusz Felisiak
Backport of 00174507f8a91e9577ae233c58af561b379f2695 from main.
2025-09-04[5.1.x] Added missing backticks in docs/releases/security.txt.Mariusz Felisiak
Backport of 686a8a62ae7faba9c3b17080c3532b821e8cb1f3 from main
2025-09-03[5.1.x] Added CVE-2025-57833 to security archive.Sarah Boyce
Backport of f0c05a40d27d69ef3a7b4e5e0199b5dba5b11feb from main.
2025-09-03[5.1.x] Post-release version bump.Sarah Boyce
2025-09-03[5.1.x] Bumped version for 5.1.12 release.5.1.12Sarah Boyce
2025-09-03[5.1.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL ↵Jake Howard
injection in column aliases. Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
2025-08-27[5.1.x] Added stub release notes and release date for 5.1.12 and 4.2.24.Sarah Boyce
Backport of 4c71e334401a3e83c013419d0e2211543e7e873b from main.
2025-08-13[5.1.x] Fixed #36499 -- Adjusted ↵Natalia
utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior. Python fixed a quadratic complexity processing for HTMLParser in: https://github.com/python/cpython/commit/6eb6c5db. Backport of 2980627502c84a9fd09272e1349dc574a2ff1fb1 from main.
2025-08-13[5.1.x] Fixed test_utils.tests.HTMLEqualTests.test_parsing_errors following ↵Natalia
Python's HTMLParser fixed parsing. Further details about Python changes can be found in: https://github.com/python/cpython/commit/0243f97cbadec8d985e63b1daec5d1cbc850cae3. Refs #36499. Thank you Clifford Gama for the thorough review! Backport of e4515dad7a6d953c0bd2414127ba36e1446ff41a from main.
2025-08-04[5.1.x] Refs #36535 -- Doc'd that docutils < 0.22 is required.Natalia
2025-07-16[5.1.x] Fixed GitHub Action that checks commit prefixes to fetch PR head ↵nessita
correctly. Backport of 8499fba0e18826a77fe32cbc13a3d951d9ca8924 from main.
2025-07-16[5.1.x] Added GitHub Action to enforce stable branch commit message prefix.nessita
Backport of 10386fac00be55e73279459f00f1959c3ef30a1c from main.
2025-06-10[5.1.x] Added follow-up to CVE-2025-48432 to security archive.Sarah Boyce
Backport of 2714bc3f2c8675d32caae764c874ac381c836c7f from main.
2025-06-10[5.1.x] Post-release version bump.Sarah Boyce
2025-06-10[5.1.x] Bumped version for 5.1.11 release.5.1.11Sarah Boyce
2025-06-06[5.1.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response ↵Jake Howard
logging. Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, to ensure untrusted values like request paths are safely escaped. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 957951755259b412d5113333b32bf85871d29814 from main.
2025-06-06[5.1.x] Refs CVE-2025-48432 -- Made SuspiciousOperation logging use ↵Natalia
log_response() for consistency. Backport of ff835f439cb1ecd8d74a24de12e3c03e5477dc9d from main.
2025-06-06[5.1.x] Refactored logging_tests to reuse assertions for log records.Natalia
Backport of 9d72e7daf7299ef1ece56fd657a02f77a469efe9 from main.
2025-06-04[5.1.x] Added CVE-2025-48432 to security archive.Natalia
Backport of 51923c576a596ad00214e44028f9dee9748bce95 from main.
2025-06-04[5.1.x] Post-release version bump.Natalia
2025-06-04[5.1.x] Bumped version for 5.1.10 release.5.1.10Natalia
2025-06-04[5.1.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in ↵Natalia
`log_response()`. Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net> Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
2025-05-28[5.1.x] Added stub release notes and release date for 5.1.10 and 4.2.22.Natalia
Backport of 1a744343999c9646912cee76ba0a2fa6ef5e6240 from main.
2025-05-26[5.1.x] Fixed #36402, Refs #35980 -- Updated built package name in reusable ↵Jason Judkins
apps tutorial for PEP 625. Backport of 1307b8a1cb05762147736d0f347792b33f645390 from main.
2025-05-22[5.1.x] Added helpers in csrf_tests and logging_tests to assert logs from ↵Natalia
`log_response()`. Backport of ad6f99889838ccc2c30b3c02ed3868c9b565e81b from main.
2025-05-22[5.1.x] Refs #26688 -- Added tests for `log_response()` internal helper.Natalia
Backport of 897046815944cc9a2da7ed9e8082f45ffe8110e3 from main.
2025-05-09[5.1.x] Refs #35980 -- Added release note about changes in release artifacts ↵Natalia
filenames. Backport of 42ab99309d347f617d60751c2e8d627fb2963049 from main.
2025-05-09[5.1.x] Removed "Expected" from release date for 5.1.9 and 4.2.21.Natalia
Backport of c86156378db09e68db3a9ae1c108f661a67e3abe from main.
2025-05-07[5.1.x] Cleaned up CVE-2025-32873 security archive description.Natalia
Backport of 37f2a77c729ccb71059c8e66c49b07499d2edf60 from main.
2025-05-07[5.1.x] Added CVE-2025-32873 to security archive.Natalia
Backport of fdabda4e05587347aeb3382a442d7e77c1a0c3e5 from main.
2025-05-06[5.1.x] Post-release version bump.Natalia
2025-05-06[5.1.x] Bumped version for 5.1.9 release.5.1.9Natalia
2025-05-06[5.1.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
2025-04-30[5.1.x] Added upcoming security release to release notes.Natalia
Backport of 0f5dd0dff3049189a3fe71a62670b746543335d5 from main.