summaryrefslogtreecommitdiff
path: root/django
AgeCommit message (Collapse)Author
2025-01-14[4.2.x] Bumped version for 4.2.18 release.4.2.18Natalia
2025-01-14[4.2.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.Natalia
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-12-04[4.2.x] Post-release version bump.Sarah Boyce
2024-12-04[4.2.x] Bumped version for 4.2.17 release.4.2.17Sarah Boyce
2024-12-04[4.2.x] Fixed CVE-2024-53908 -- Prevented SQL injections in direct ↵Simon Charette
HasKeyLookup usage on Oracle. Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah Boyce for the reviews.
2024-12-04[4.2.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews.
2024-12-03[4.2.x] Refs CVE-2024-11168 -- Updated vendored _urlsplit() to properly ↵Mariusz Felisiak
validate IPv6 and IPvFuture addresses. Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function _urlsplit() with unsanitized input could be at risk. https://github.com/python/cpython/pull/103849
2024-09-03[4.2.x] Post-release version bump.Natalia
2024-09-03[4.2.x] Bumped version for 4.2.16 release.4.2.16Natalia
2024-09-03[4.2.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when ↵Natalia
email sending fails. On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews.
2024-09-03[4.2.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-08-06[4.2.x] Post-release version bump.Sarah Boyce
2024-08-06[4.2.x] Bumped version for 4.2.15 release.4.2.15Sarah Boyce
2024-07-31[4.2.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection ↵Simon Charette
attacks against JSON fields. Thanks Eyal (eyalgabay) for the report.
2024-07-31[4.2.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in ↵Mariusz Felisiak
django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-07-31[4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks to MProgrammer for the report.
2024-07-31[4.2.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in ↵Sarah Boyce
floatformat. Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com>
2024-07-25[4.2.x] Fixed #35627 -- Raised a LookupError rather than an unhandled ↵Lorenzo Peña
ValueError in get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb. Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.
2024-07-09[4.2.x] Post-release version bump.Natalia
2024-07-09[4.2.x] Bumped version for 4.2.14 release.4.2.14Natalia
2024-07-09[4.2.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in ↵Sarah Boyce
get_supported_language_variant(). Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report.
2024-07-09[4.2.x] Fixed CVE-2024-39330 -- Added extra file name validation in ↵Natalia
Storage's save method. Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews.
2024-07-09[4.2.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when ↵Michael Manfre
checking unusuable passwords. Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review.
2024-07-09[4.2.x] Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and ↵Adam Johnson
urlizetrunc template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-05-07[4.2.x]Post-release version bump.Natalia
2024-05-07[4.2.x] Bumped version for 4.2.13 release.4.2.13Sarah Boyce
2024-05-06[4.2.x] Post-release version bump.Natalia
2024-05-06[4.2.x] Bumped version for 4.2.12 release.4.2.12Sarah Boyce
2024-04-19[4.2.x] Reverted "Fixed #34994, Fixed #35386 -- Applied checkbox-row CSS ↵Sarah Boyce
class unconditionally in Admin." This reverts commit 0fc832676cd585fa420d583937b5b2318bc2c629.
2024-04-19[4.2.x] Fixed #34994, Fixed #35386 -- Applied checkbox-row CSS class ↵Adam Johnson
unconditionally in Admin. Backport of bdd76c4c3817d8e3ed5b0450d5e18e4eae096f16 from main.
2024-04-10[4.2.x] Refs #34900, Refs #35361 -- Fixed SafeMIMEText.set_payload() crash ↵Mariusz Felisiak
on Python 3.13. Payloads with surrogates are passed to the set_payload() since https://github.com/python/cpython/commit/f97f25ef5dfcdfec0d9a359fd970abd139cf3428 Backport of b231bcd19e57267ce1fc21d42d46f0b65fdcfcf8 from main.
2024-03-04[4.2.x] Post-release version bump.Mariusz Felisiak
2024-03-04[4.2.x] Bumped version for 4.2.11 release.4.2.11Mariusz Felisiak
2024-03-04[4.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().Shai Berger
Thanks Seokchan Yoon for the report. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-02-08[4.2.x] Fixed #35172 -- Fixed intcomma for string floats.Mariusz Felisiak
Thanks Warwick Brown for the report. Regression in 55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9. Backport of 2f14c2cedc9c92373471c1f98a80c81ba299584a from main.
2024-02-06[4.2.x] Post release version bump.Natalia
2024-02-06[4.2.x] Bumped version for 4.2.10 release.4.2.10Natalia
2024-02-06[4.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template ↵Adam Johnson
filter. Thanks Seokchan Yoon for the report. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Shai Berger <shai@platonix.com>
2024-01-02[4.2.x] Post-release version bump.Mariusz Felisiak
2024-01-02[4.2.x] Bumped version for 4.2.9 release.4.2.9Mariusz Felisiak
2023-12-13[4.2.x] Fixed #35012 -- Restored wrapping admin fieldsets with multiple ↵Tom Carrick
fields per line. Thanks James Gillard for the report. Regression in 729266c6f29c7a0677b24926a86a767ef3078b26. Backport of 4aae864463b149393a36e0b18345cf6ed392634d from main
2023-12-04[4.2.x] Post-release version bump.Mariusz Felisiak
2023-12-04[4.2.x] Bumped version for 4.2.8 release.4.2.8Mariusz Felisiak
2023-11-30[4.2.x] Fixed #35006 -- Fixed migrations crash when altering ↵Mariusz Felisiak
Meta.db_table_comment on SQLite. Thanks Юрий for the report. Regression in 78f163a4fb3937aca2e71786fbdd51a0ef39629e. Backport of 37fc832a54ad37e75a898a2c8f9ab0820617c4af from main
2023-11-27[4.2.x] Fixed #34982 -- Fixed admin's read-only password widget and help ↵Tom Carrick
texts alignment for tablet screen size. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Backport of 729266c6f29c7a0677b24926a86a767ef3078b26 from main
2023-11-27[4.2.x] Fixed #34992 -- Fixed DatabaseFeatures.allows_group_by_selected_pks ↵Nathaniel Conroy
on MariaDB with ONLY_FULL_GROUP_BY sql mode. Regression in 041551d716b69ee7c81199eee86a2d10a72e15ab. Backport of 0257426fe1fe9d146fd5813f09d909917ff59360 from main.
2023-11-23[4.2.x] Fixed #34994 -- Fixed checkbox layout in admin's change page for ↵Tom Carrick
narrow screen widths. Regression in d687febce5868545f99974d2499a91f81a32fef5. Backport of a89c715c3bcf7ab1a90747cf8658ebce6304b6e4 from main
2023-11-23[4.2.x] Fixed #34991 -- Fixed pagination links and input layout in admin's ↵Tom Carrick
change list page when using list_editable. Regression in b4817d20b9e55df30be0b1b2ca8c8bb6d61aab07. Thanks Tom Carrick for the report and fix. Backport of 4eb9c3d90aff55182151b6be0122f7d0b28832fd from main
2023-11-23[4.2.x] Fixed #34987 -- Fixed queryset crash when mixing aggregate and ↵Simon Charette
window annotations. Regression in f387d024fc75569d2a4a338bfda76cc2f328f627. Just like `OrderByList` the `ExpressionList` expression used to wrap `Window.partition_by` must implement `get_group_by_cols` to ensure the necessary grouping when mixing window expressions with aggregate annotations is performed against the partition members and not the partition expression itself. This is necessary because while `partition_by` is implemented as a source expression of `Window` it's actually a fragment of the WINDOW expression at the SQL level and thus it should result in a group by its members and not the sum of them. Thanks ElRoberto538 for the report. Backport of e76cc93b0168fa3abbafb9af1ab4535814b751f0 from main
2023-11-19[4.2.x] Refs #34118 -- Fixed stacklevel in complex_setting_changed on Python ↵Mariusz Felisiak
3.12. This fix is unnecessary in Django 5.0 since e83a88566a71a2353cebc35992c110be0f8628af because signals no longer use sync_to_async().