summaryrefslogtreecommitdiff
path: root/django
AgeCommit message (Collapse)Author
2023-10-04[3.2.x] Bumped version for 3.2.22 release.3.2.22Natalia
2023-10-04[3.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in ↵Natalia
django.utils.text.Truncator when truncating HTML text. Thanks Wenchao Li of Alibaba Group for the report.
2023-09-04[3.2.x] Post-release version bump.Mariusz Felisiak
2023-09-04[3.2.x] Bumped version for 3.2.21 release.3.2.21Mariusz Felisiak
2023-09-04[3.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in ↵Mariusz Felisiak
django.utils.encoding.uri_to_iri(). Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
2023-07-03[3.2.x] Post-release version bump.Mariusz Felisiak
2023-07-03[3.2.x] Bumped version for 3.2.20 release.3.2.20Mariusz Felisiak
2023-07-03[3.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator ↵Mariusz Felisiak
and URLValidator. Thanks Seokchan Yoon for reports.
2023-05-03[3.2.x] Post-release version bump.Mariusz Felisiak
2023-05-03[3.2.x] Bumped version for 3.2.19 release.3.2.19Mariusz Felisiak
2023-05-03[3.2.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of ↵Mariusz Felisiak
validation when uploading multiple files using one form field. Thanks Moataz Al-Sharida and nawaik for reports. Co-authored-by: Shai Berger <shai@platonix.com> Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
2023-02-14[3.2.x] Post-release version bump.Carlton Gibson
2023-02-14[3.2.x] Bumped version for 3.2.18 release.3.2.18Carlton Gibson
2023-02-07[3.2.x] Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files.Markus Holtermann
Thanks to Jakob Ackermann for the report.
2023-02-01[3.2.x] Post-release version bump.Mariusz Felisiak
2023-02-01[3.2.x] Bumped version for 3.2.17 release.3.2.17Mariusz Felisiak
2023-02-01[3.2.x] Fixed CVE-2023-23969 -- Prevented DoS with pathological values for ↵Nick Pope
Accept-Language. The parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. Accept-Language headers are now limited to a maximum length in order to avoid this issue.
2022-10-04[3.2.x] Post-release version bump.Carlton Gibson
2022-10-04[3.2.x] Bumped version for 3.2.16 release.3.2.16Carlton Gibson
2022-09-27[3.2.x] Fixed CVE-2022-41323 -- Prevented locales being interpreted as ↵Adam Johnson
regular expressions. Thanks to Benjamin Balder Bach for the report.
2022-08-03[3.2.x] Post-release version bump.Carlton Gibson
2022-08-03[3.2.x] Bumped version for 3.2.15 release.3.2.15Carlton Gibson
2022-08-03[3.2.x] Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header.Carlton Gibson
Thanks to Motoyasu Saburi for the report.
2022-08-01[3.2.x] Fixed collation tests on MySQL 8.0.30+.Mariusz Felisiak
The utf8_ collations are renamed to utf8mb3_* on MySQL 8.0.30+. Backport of 88dba2e3fd64b64bcf4fae83b256b4f6f492558f from main.
2022-08-01[3.2.x] Fixed inspectdb and schema tests on MariaDB 10.6+.Mariusz Felisiak
The utf8 character set (and related collations) is by default an alias for utf8mb3 on MariaDB 10.6+. Backport of 355ecd141671e34853d1ff99ffdb1a7fb95b4276 from main
2022-07-04[3.2.x] Post-release version bump.Mariusz Felisiak
2022-07-04[3.2.x] Bumped version for 3.2.14 release.3.2.14Mariusz Felisiak
2022-07-04[3.2.x] Fixed CVE-2022-34265 -- Protected Trunc(kind)/Extract(lookup_name) ↵Mariusz Felisiak
against SQL injection. Thanks Takuto Yoshikai (Aeye Security Lab) for the report.
2022-04-11[3.2.x] Post-release version bump.Mariusz Felisiak
2022-04-11[3.2.x] Bumped version for 3.2.13 release.3.2.13Mariusz Felisiak
2022-04-11[3.2.x] Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) ↵Mariusz Felisiak
against SQL injection on PostgreSQL. Backport of 6723a26e59b0b5429a0c5873941e01a2e1bdbb81 from main.
2022-04-11[3.2.x] Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), ↵Mariusz Felisiak
and extra() against SQL injection in column aliases. Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report. Backport of 93cae5cb2f9a4ef1514cf1a41f714fef08005200 from main.
2022-04-11[3.2.x] Fixed #33628 -- Ignored directories with empty names in autoreloader ↵Manel Clos
check for template changes. Regression in 68357b2ca9e88c40fc00d848799813241be39129. Backport of 62739b6e2630e37faa68a86a59fad135cc788cd7 from main.
2022-02-01[3.2.x] Post-release version bump.Mariusz Felisiak
2022-02-01[3.2.x] Bumped version for 3.2.12 release.3.2.12Mariusz Felisiak
2022-02-01[3.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.Mariusz Felisiak
Thanks Alan Ryan for the report and initial patch. Backport of fc18f36c4ab94399366ca2f2007b3692559a6f23 from main.
2022-02-01[3.2.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.Markus Holtermann
Thanks Keryn Knight for the report. Backport of 394517f07886495efcf79f95c7ee402a9437bd68 from main. Co-authored-by: Adam Johnson <me@adamj.eu>
2022-01-04[3.2.x] Post-release version bump.Carlton Gibson
2022-01-04[3.2.x] Bumped version for 3.2.11 release.3.2.11Carlton Gibson
2022-01-04[3.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage ↵Florian Apolloner
subsystem. Thanks to Dennis Brinkrolf for the report.
2022-01-04[3.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in ↵Florian Apolloner
dictsort template filter. Thanks to Dennis Brinkrolf for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
2022-01-04[3.2.x] Fixed CVE-2021-45115 -- Prevented DoS vector in ↵Florian Apolloner
UserAttributeSimilarityValidator. Thanks Chris Bailey for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
2021-12-07[3.2.x] Post-release version bump.Mariusz Felisiak
2021-12-07[3.2.x] Bumped version for 3.2.10 release.3.2.10Mariusz Felisiak
2021-12-07[3.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an ↵Florian Apolloner
upstream access control based on URL paths. Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports. Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.
2021-12-03[3.2.x] Fixed #33333 -- Fixed setUpTestData() crash with models.BinaryField ↵Mariusz Felisiak
on PostgreSQL. This makes models.BinaryField pickleable on PostgreSQL. Regression in 3cf80d3fcf7446afdde16a2be515c423f720e54d. Thanks Adam Zimmerman for the report. Backport of 2c7846d992ca512d36a73f518205015c88ed088c from main.
2021-11-01[3.2.x] Post-release version bump.Mariusz Felisiak
2021-11-01[3.2.x] Bumped version for 3.2.9 release.3.2.9Mariusz Felisiak
2021-10-18[3.2.x] Fixed #33194 -- Fixed migrations when altering a field with ↵Hannes Ljungberg
functional indexes on SQLite. This adjusts Expressions.rename_table_references() to only update alias when needed. Regression in 83fcfc9ec8610540948815e127101f1206562ead. Co-authored-by: Simon Charette <charettes@users.noreply.github.com> Backport of 86971c40909430a798e4e55b140004c4b1fb02ff from main.
2021-10-05[3.2.x] Refs #32074 -- Used asyncio.get_running_loop() instead of ↵Mariusz Felisiak
get_event_loop() on Python 3.7+. Using asyncio.get_event_loop() when there is no running event loop was deprecated in Python 3.10, see https://bugs.python.org/issue39529.