summaryrefslogtreecommitdiff
path: root/django
AgeCommit message (Collapse)Author
2022-10-04[3.2.x] Bumped version for 3.2.16 release.3.2.16Carlton Gibson
2022-09-27[3.2.x] Fixed CVE-2022-41323 -- Prevented locales being interpreted as ↵Adam Johnson
regular expressions. Thanks to Benjamin Balder Bach for the report.
2022-08-03[3.2.x] Post-release version bump.Carlton Gibson
2022-08-03[3.2.x] Bumped version for 3.2.15 release.3.2.15Carlton Gibson
2022-08-03[3.2.x] Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header.Carlton Gibson
Thanks to Motoyasu Saburi for the report.
2022-08-01[3.2.x] Fixed collation tests on MySQL 8.0.30+.Mariusz Felisiak
The utf8_ collations are renamed to utf8mb3_* on MySQL 8.0.30+. Backport of 88dba2e3fd64b64bcf4fae83b256b4f6f492558f from main.
2022-08-01[3.2.x] Fixed inspectdb and schema tests on MariaDB 10.6+.Mariusz Felisiak
The utf8 character set (and related collations) is by default an alias for utf8mb3 on MariaDB 10.6+. Backport of 355ecd141671e34853d1ff99ffdb1a7fb95b4276 from main
2022-07-04[3.2.x] Post-release version bump.Mariusz Felisiak
2022-07-04[3.2.x] Bumped version for 3.2.14 release.3.2.14Mariusz Felisiak
2022-07-04[3.2.x] Fixed CVE-2022-34265 -- Protected Trunc(kind)/Extract(lookup_name) ↵Mariusz Felisiak
against SQL injection. Thanks Takuto Yoshikai (Aeye Security Lab) for the report.
2022-04-11[3.2.x] Post-release version bump.Mariusz Felisiak
2022-04-11[3.2.x] Bumped version for 3.2.13 release.3.2.13Mariusz Felisiak
2022-04-11[3.2.x] Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) ↵Mariusz Felisiak
against SQL injection on PostgreSQL. Backport of 6723a26e59b0b5429a0c5873941e01a2e1bdbb81 from main.
2022-04-11[3.2.x] Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), ↵Mariusz Felisiak
and extra() against SQL injection in column aliases. Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report. Backport of 93cae5cb2f9a4ef1514cf1a41f714fef08005200 from main.
2022-04-11[3.2.x] Fixed #33628 -- Ignored directories with empty names in autoreloader ↵Manel Clos
check for template changes. Regression in 68357b2ca9e88c40fc00d848799813241be39129. Backport of 62739b6e2630e37faa68a86a59fad135cc788cd7 from main.
2022-02-01[3.2.x] Post-release version bump.Mariusz Felisiak
2022-02-01[3.2.x] Bumped version for 3.2.12 release.3.2.12Mariusz Felisiak
2022-02-01[3.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.Mariusz Felisiak
Thanks Alan Ryan for the report and initial patch. Backport of fc18f36c4ab94399366ca2f2007b3692559a6f23 from main.
2022-02-01[3.2.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.Markus Holtermann
Thanks Keryn Knight for the report. Backport of 394517f07886495efcf79f95c7ee402a9437bd68 from main. Co-authored-by: Adam Johnson <me@adamj.eu>
2022-01-04[3.2.x] Post-release version bump.Carlton Gibson
2022-01-04[3.2.x] Bumped version for 3.2.11 release.3.2.11Carlton Gibson
2022-01-04[3.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage ↵Florian Apolloner
subsystem. Thanks to Dennis Brinkrolf for the report.
2022-01-04[3.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in ↵Florian Apolloner
dictsort template filter. Thanks to Dennis Brinkrolf for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
2022-01-04[3.2.x] Fixed CVE-2021-45115 -- Prevented DoS vector in ↵Florian Apolloner
UserAttributeSimilarityValidator. Thanks Chris Bailey for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
2021-12-07[3.2.x] Post-release version bump.Mariusz Felisiak
2021-12-07[3.2.x] Bumped version for 3.2.10 release.3.2.10Mariusz Felisiak
2021-12-07[3.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an ↵Florian Apolloner
upstream access control based on URL paths. Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports. Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.
2021-12-03[3.2.x] Fixed #33333 -- Fixed setUpTestData() crash with models.BinaryField ↵Mariusz Felisiak
on PostgreSQL. This makes models.BinaryField pickleable on PostgreSQL. Regression in 3cf80d3fcf7446afdde16a2be515c423f720e54d. Thanks Adam Zimmerman for the report. Backport of 2c7846d992ca512d36a73f518205015c88ed088c from main.
2021-11-01[3.2.x] Post-release version bump.Mariusz Felisiak
2021-11-01[3.2.x] Bumped version for 3.2.9 release.3.2.9Mariusz Felisiak
2021-10-18[3.2.x] Fixed #33194 -- Fixed migrations when altering a field with ↵Hannes Ljungberg
functional indexes on SQLite. This adjusts Expressions.rename_table_references() to only update alias when needed. Regression in 83fcfc9ec8610540948815e127101f1206562ead. Co-authored-by: Simon Charette <charettes@users.noreply.github.com> Backport of 86971c40909430a798e4e55b140004c4b1fb02ff from main.
2021-10-05[3.2.x] Refs #32074 -- Used asyncio.get_running_loop() instead of ↵Mariusz Felisiak
get_event_loop() on Python 3.7+. Using asyncio.get_event_loop() when there is no running event loop was deprecated in Python 3.10, see https://bugs.python.org/issue39529.
2021-10-05[3.2.x] Refs #32074 -- Fixed find_module()/find_loader() warnings on Python ↵Mariusz Felisiak
3.10+. Backport of f1bcaa9be8227dce89a320ce1ca37e1df7c80d03 from main.
2021-10-05[3.2.x] Refs #32074 -- Removed usage of deprecated Thread.setDaemon().Karthikeyan Singaravelan
Thread.setDaemon() was deprecated in Python 3.10 and will be removed in Python 3.12. Backport of f9f6bd63c98dc2f01412887f4a98dbfdab363fdf from main
2021-10-05[3.2.x] Refs #32074 -- Removed usage of Python's deprecated ↵Mariusz Felisiak
distutils.version package. The distutils package was formally deprecated in Python 3.10 and will be removed in Python 3.12. Backport of b8c9e9fae14676d2e81242cb8df1e2eeef9c3a2d from main
2021-10-05[3.2.x] Post-release version bump.Carlton Gibson
2021-10-05[3.2.x] Bumped version for 3.2.8 release.3.2.8Carlton Gibson
2021-09-21[3.2.x] Fixed #33083 -- Fixed selecting all items in the admin changelist ↵Carlton Gibson
when actions are both top and bottom. Thanks Benjamin Locher for the report. Regression in 30e59705fc3e3e9e8370b965af794ad6173bf92b. Backport of b0ed619303d2fb723330ca9efa3acf23d49f1d19 from main
2021-09-18[3.2.x] Fixed #33077 -- Fixed links to related models for admin's readonly ↵Ken Whitesell
fields in custom admin site. Backport of 0a9aa02e6f1d1b9ceca155d281a2be624bb1d3a2 from main
2021-09-01[3.2.x] Post-release version bump.Mariusz Felisiak
2021-09-01[3.2.x] Bumped version for 3.2.7 release.3.2.7Mariusz Felisiak
2021-08-30[3.2.x] Fixed #32992 -- Restored offset extraction for fixed offset timezones.Carlton Gibson
Regression in 10d126198434810529e0220b0c6896ed64ca0e88. Backport of cbba49971bbbbe3e8c6685e4ce6ab87b1187ae87 from main
2021-08-23[3.2.x] Fixed #33030 -- Fixed broken links to GDAL docs.Märt Häkkinen
Backport of ed317e79e355bd3aacb1393b821df7b1a7267ebc from main
2021-08-02[3.2.x] Post-release version bump.Carlton Gibson
2021-08-02[3.2.x] Bumped version for 3.2.6 release.3.2.6Carlton Gibson
2021-07-26[3.2.x] Fixed #32947 -- Fixed hash() crash on reverse M2M relation when ↵Tom Wojcik
through_fields is a list. Regression in c32d8f33d8e988a376e44997b8f3606d821f305e. Backport of 20226fcd461670334646f78a0c4d133e439b12b2 from main
2021-07-21[3.2.x] Fixed #32949 -- Restored invalid number handling in ↵yakimka
DecimalField.validate(). DecimalField must itself validate() values, such as NaN, which cannot be passed to validators, such as MaxValueValidator, during the run_validators() phase. Regression in cc3d24d7d577f174937a0744d886c4c7123cfa85. Backport of c542d0a07237033225c1d57337ca9474a00648f2 from main
2021-07-01[3.2.x] Post-release version bump.Mariusz Felisiak
2021-07-01[3.2.x] Bumped version for 3.2.5 release.3.2.5Mariusz Felisiak
2021-07-01[3.2.x] Fixed CVE-2021-35042 -- Prevented SQL injection in QuerySet.order_by().Simon Charette
Regression introduced in 513948735b799239f3ef8c89397592445e1a0cd5 by marking the raw SQL column reference feature for deprecation in Django 4.0 while lifting the column format validation. In retrospective the validation should have been kept around and the user should have been pointed at using RawSQL expressions during the deprecation period. The main branch is not affected because the raw SQL column reference support has been removed in 06eec3197009b88e3a633128bbcbd76eea0b46ff per the 4.0 deprecation life cycle. Thanks Joel Saunders for the report.