| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2024-02-06 | [3.2.x] Bumped version for 3.2.24 release.3.2.24 | Natalia | |
| 2024-02-06 | [3.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template ↵ | Adam Johnson | |
| filter. Thanks Seokchan Yoon for the report. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Shai Berger <shai@platonix.com> | |||
| 2023-11-01 | [3.2.x] Post-release version bump. | Mariusz Felisiak | |
| 2023-11-01 | [3.2.x] Bumped version for 3.2.23 release.3.2.23 | Mariusz Felisiak | |
| 2023-11-01 | [3.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows. | Mariusz Felisiak | |
| Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. | |||
| 2023-10-04 | [3.2.x] Post release version bump. | Natalia | |
| 2023-10-04 | [3.2.x] Bumped version for 3.2.22 release.3.2.22 | Natalia | |
| 2023-10-04 | [3.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in ↵ | Natalia | |
| django.utils.text.Truncator when truncating HTML text. Thanks Wenchao Li of Alibaba Group for the report. | |||
| 2023-09-04 | [3.2.x] Post-release version bump. | Mariusz Felisiak | |
| 2023-09-04 | [3.2.x] Bumped version for 3.2.21 release.3.2.21 | Mariusz Felisiak | |
| 2023-09-04 | [3.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in ↵ | Mariusz Felisiak | |
| django.utils.encoding.uri_to_iri(). Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. Co-authored-by: nessita <124304+nessita@users.noreply.github.com> | |||
| 2023-07-03 | [3.2.x] Post-release version bump. | Mariusz Felisiak | |
| 2023-07-03 | [3.2.x] Bumped version for 3.2.20 release.3.2.20 | Mariusz Felisiak | |
| 2023-07-03 | [3.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator ↵ | Mariusz Felisiak | |
| and URLValidator. Thanks Seokchan Yoon for reports. | |||
| 2023-05-03 | [3.2.x] Post-release version bump. | Mariusz Felisiak | |
| 2023-05-03 | [3.2.x] Bumped version for 3.2.19 release.3.2.19 | Mariusz Felisiak | |
| 2023-05-03 | [3.2.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of ↵ | Mariusz Felisiak | |
| validation when uploading multiple files using one form field. Thanks Moataz Al-Sharida and nawaik for reports. Co-authored-by: Shai Berger <shai@platonix.com> Co-authored-by: nessita <124304+nessita@users.noreply.github.com> | |||
| 2023-02-14 | [3.2.x] Post-release version bump. | Carlton Gibson | |
| 2023-02-14 | [3.2.x] Bumped version for 3.2.18 release.3.2.18 | Carlton Gibson | |
| 2023-02-07 | [3.2.x] Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files. | Markus Holtermann | |
| Thanks to Jakob Ackermann for the report. | |||
| 2023-02-01 | [3.2.x] Post-release version bump. | Mariusz Felisiak | |
| 2023-02-01 | [3.2.x] Bumped version for 3.2.17 release.3.2.17 | Mariusz Felisiak | |
| 2023-02-01 | [3.2.x] Fixed CVE-2023-23969 -- Prevented DoS with pathological values for ↵ | Nick Pope | |
| Accept-Language. The parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. Accept-Language headers are now limited to a maximum length in order to avoid this issue. | |||
| 2022-10-04 | [3.2.x] Post-release version bump. | Carlton Gibson | |
| 2022-10-04 | [3.2.x] Bumped version for 3.2.16 release.3.2.16 | Carlton Gibson | |
| 2022-09-27 | [3.2.x] Fixed CVE-2022-41323 -- Prevented locales being interpreted as ↵ | Adam Johnson | |
| regular expressions. Thanks to Benjamin Balder Bach for the report. | |||
| 2022-08-03 | [3.2.x] Post-release version bump. | Carlton Gibson | |
| 2022-08-03 | [3.2.x] Bumped version for 3.2.15 release.3.2.15 | Carlton Gibson | |
| 2022-08-03 | [3.2.x] Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header. | Carlton Gibson | |
| Thanks to Motoyasu Saburi for the report. | |||
| 2022-08-01 | [3.2.x] Fixed collation tests on MySQL 8.0.30+. | Mariusz Felisiak | |
| The utf8_ collations are renamed to utf8mb3_* on MySQL 8.0.30+. Backport of 88dba2e3fd64b64bcf4fae83b256b4f6f492558f from main. | |||
| 2022-08-01 | [3.2.x] Fixed inspectdb and schema tests on MariaDB 10.6+. | Mariusz Felisiak | |
| The utf8 character set (and related collations) is by default an alias for utf8mb3 on MariaDB 10.6+. Backport of 355ecd141671e34853d1ff99ffdb1a7fb95b4276 from main | |||
| 2022-07-04 | [3.2.x] Post-release version bump. | Mariusz Felisiak | |
| 2022-07-04 | [3.2.x] Bumped version for 3.2.14 release.3.2.14 | Mariusz Felisiak | |
| 2022-07-04 | [3.2.x] Fixed CVE-2022-34265 -- Protected Trunc(kind)/Extract(lookup_name) ↵ | Mariusz Felisiak | |
| against SQL injection. Thanks Takuto Yoshikai (Aeye Security Lab) for the report. | |||
| 2022-04-11 | [3.2.x] Post-release version bump. | Mariusz Felisiak | |
| 2022-04-11 | [3.2.x] Bumped version for 3.2.13 release.3.2.13 | Mariusz Felisiak | |
| 2022-04-11 | [3.2.x] Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) ↵ | Mariusz Felisiak | |
| against SQL injection on PostgreSQL. Backport of 6723a26e59b0b5429a0c5873941e01a2e1bdbb81 from main. | |||
| 2022-04-11 | [3.2.x] Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), ↵ | Mariusz Felisiak | |
| and extra() against SQL injection in column aliases. Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report. Backport of 93cae5cb2f9a4ef1514cf1a41f714fef08005200 from main. | |||
| 2022-04-11 | [3.2.x] Fixed #33628 -- Ignored directories with empty names in autoreloader ↵ | Manel Clos | |
| check for template changes. Regression in 68357b2ca9e88c40fc00d848799813241be39129. Backport of 62739b6e2630e37faa68a86a59fad135cc788cd7 from main. | |||
| 2022-02-01 | [3.2.x] Post-release version bump. | Mariusz Felisiak | |
| 2022-02-01 | [3.2.x] Bumped version for 3.2.12 release.3.2.12 | Mariusz Felisiak | |
| 2022-02-01 | [3.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads. | Mariusz Felisiak | |
| Thanks Alan Ryan for the report and initial patch. Backport of fc18f36c4ab94399366ca2f2007b3692559a6f23 from main. | |||
| 2022-02-01 | [3.2.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag. | Markus Holtermann | |
| Thanks Keryn Knight for the report. Backport of 394517f07886495efcf79f95c7ee402a9437bd68 from main. Co-authored-by: Adam Johnson <me@adamj.eu> | |||
| 2022-01-04 | [3.2.x] Post-release version bump. | Carlton Gibson | |
| 2022-01-04 | [3.2.x] Bumped version for 3.2.11 release.3.2.11 | Carlton Gibson | |
| 2022-01-04 | [3.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage ↵ | Florian Apolloner | |
| subsystem. Thanks to Dennis Brinkrolf for the report. | |||
| 2022-01-04 | [3.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in ↵ | Florian Apolloner | |
| dictsort template filter. Thanks to Dennis Brinkrolf for the report. Co-authored-by: Adam Johnson <me@adamj.eu> | |||
| 2022-01-04 | [3.2.x] Fixed CVE-2021-45115 -- Prevented DoS vector in ↵ | Florian Apolloner | |
| UserAttributeSimilarityValidator. Thanks Chris Bailey for the report. Co-authored-by: Adam Johnson <me@adamj.eu> | |||
| 2021-12-07 | [3.2.x] Post-release version bump. | Mariusz Felisiak | |
| 2021-12-07 | [3.2.x] Bumped version for 3.2.10 release.3.2.10 | Mariusz Felisiak | |
