| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2025-03-06 | [4.2.x] Bumped version for 4.2.20 release.4.2.20 | Sarah Boyce | |
| 2025-03-06 | [4.2.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template ↵ | Sarah Boyce | |
| filter. Thanks sw0rd1ight for the report. Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main. | |||
| 2025-02-05 | [4.2.x] Post-release version bump. | Natalia | |
| 2025-02-05 | [4.2.x] Bumped version for 4.2.19 release.4.2.19 | Natalia | |
| 2025-01-16 | [4.2.x] Refs #36098 -- Fixed validate_ipv4_address() crash for non-string ↵ | Sarah Boyce | |
| values. Regression in ca2be7724e1244a4cb723de40a070f873c6e94bf. | |||
| 2025-01-15 | [4.2.x] Fixed #36098 -- Fixed ↵ | Mariusz Felisiak | |
| validate_ipv6_address()/validate_ipv46_address() crash for non-string values. Regression in ca2be7724e1244a4cb723de40a070f873c6e94bf. Backport of b3c5830769d8a5dbf2f974da7116fe503c9454d9 from main. | |||
| 2025-01-14 | [4.2.x] Post-release version bump. | Natalia | |
| 2025-01-14 | [4.2.x] Bumped version for 4.2.18 release.4.2.18 | Natalia | |
| 2025-01-14 | [4.2.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation. | Natalia | |
| Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> | |||
| 2024-12-04 | [4.2.x] Post-release version bump. | Sarah Boyce | |
| 2024-12-04 | [4.2.x] Bumped version for 4.2.17 release.4.2.17 | Sarah Boyce | |
| 2024-12-04 | [4.2.x] Fixed CVE-2024-53908 -- Prevented SQL injections in direct ↵ | Simon Charette | |
| HasKeyLookup usage on Oracle. Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah Boyce for the reviews. | |||
| 2024-12-04 | [4.2.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags(). | Sarah Boyce | |
| Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews. | |||
| 2024-12-03 | [4.2.x] Refs CVE-2024-11168 -- Updated vendored _urlsplit() to properly ↵ | Mariusz Felisiak | |
| validate IPv6 and IPvFuture addresses. Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function _urlsplit() with unsanitized input could be at risk. https://github.com/python/cpython/pull/103849 | |||
| 2024-09-03 | [4.2.x] Post-release version bump. | Natalia | |
| 2024-09-03 | [4.2.x] Bumped version for 4.2.16 release.4.2.16 | Natalia | |
| 2024-09-03 | [4.2.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when ↵ | Natalia | |
| email sending fails. On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews. | |||
| 2024-09-03 | [4.2.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and ↵ | Sarah Boyce | |
| urlizetrunc template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. | |||
| 2024-08-06 | [4.2.x] Post-release version bump. | Sarah Boyce | |
| 2024-08-06 | [4.2.x] Bumped version for 4.2.15 release.4.2.15 | Sarah Boyce | |
| 2024-07-31 | [4.2.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection ↵ | Simon Charette | |
| attacks against JSON fields. Thanks Eyal (eyalgabay) for the report. | |||
| 2024-07-31 | [4.2.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in ↵ | Mariusz Felisiak | |
| django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | |||
| 2024-07-31 | [4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and ↵ | Sarah Boyce | |
| urlizetrunc template filters. Thanks to MProgrammer for the report. | |||
| 2024-07-31 | [4.2.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in ↵ | Sarah Boyce | |
| floatformat. Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com> | |||
| 2024-07-25 | [4.2.x] Fixed #35627 -- Raised a LookupError rather than an unhandled ↵ | Lorenzo Peña | |
| ValueError in get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb. Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main. | |||
| 2024-07-09 | [4.2.x] Post-release version bump. | Natalia | |
| 2024-07-09 | [4.2.x] Bumped version for 4.2.14 release.4.2.14 | Natalia | |
| 2024-07-09 | [4.2.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in ↵ | Sarah Boyce | |
| get_supported_language_variant(). Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report. | |||
| 2024-07-09 | [4.2.x] Fixed CVE-2024-39330 -- Added extra file name validation in ↵ | Natalia | |
| Storage's save method. Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews. | |||
| 2024-07-09 | [4.2.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when ↵ | Michael Manfre | |
| checking unusuable passwords. Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review. | |||
| 2024-07-09 | [4.2.x] Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and ↵ | Adam Johnson | |
| urlizetrunc template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | |||
| 2024-05-07 | [4.2.x]Post-release version bump. | Natalia | |
| 2024-05-07 | [4.2.x] Bumped version for 4.2.13 release.4.2.13 | Sarah Boyce | |
| 2024-05-06 | [4.2.x] Post-release version bump. | Natalia | |
| 2024-05-06 | [4.2.x] Bumped version for 4.2.12 release.4.2.12 | Sarah Boyce | |
| 2024-04-19 | [4.2.x] Reverted "Fixed #34994, Fixed #35386 -- Applied checkbox-row CSS ↵ | Sarah Boyce | |
| class unconditionally in Admin." This reverts commit 0fc832676cd585fa420d583937b5b2318bc2c629. | |||
| 2024-04-19 | [4.2.x] Fixed #34994, Fixed #35386 -- Applied checkbox-row CSS class ↵ | Adam Johnson | |
| unconditionally in Admin. Backport of bdd76c4c3817d8e3ed5b0450d5e18e4eae096f16 from main. | |||
| 2024-04-10 | [4.2.x] Refs #34900, Refs #35361 -- Fixed SafeMIMEText.set_payload() crash ↵ | Mariusz Felisiak | |
| on Python 3.13. Payloads with surrogates are passed to the set_payload() since https://github.com/python/cpython/commit/f97f25ef5dfcdfec0d9a359fd970abd139cf3428 Backport of b231bcd19e57267ce1fc21d42d46f0b65fdcfcf8 from main. | |||
| 2024-03-04 | [4.2.x] Post-release version bump. | Mariusz Felisiak | |
| 2024-03-04 | [4.2.x] Bumped version for 4.2.11 release.4.2.11 | Mariusz Felisiak | |
| 2024-03-04 | [4.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words(). | Shai Berger | |
| Thanks Seokchan Yoon for the report. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2024-02-08 | [4.2.x] Fixed #35172 -- Fixed intcomma for string floats. | Mariusz Felisiak | |
| Thanks Warwick Brown for the report. Regression in 55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9. Backport of 2f14c2cedc9c92373471c1f98a80c81ba299584a from main. | |||
| 2024-02-06 | [4.2.x] Post release version bump. | Natalia | |
| 2024-02-06 | [4.2.x] Bumped version for 4.2.10 release.4.2.10 | Natalia | |
| 2024-02-06 | [4.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template ↵ | Adam Johnson | |
| filter. Thanks Seokchan Yoon for the report. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Shai Berger <shai@platonix.com> | |||
| 2024-01-02 | [4.2.x] Post-release version bump. | Mariusz Felisiak | |
| 2024-01-02 | [4.2.x] Bumped version for 4.2.9 release.4.2.9 | Mariusz Felisiak | |
| 2023-12-13 | [4.2.x] Fixed #35012 -- Restored wrapping admin fieldsets with multiple ↵ | Tom Carrick | |
| fields per line. Thanks James Gillard for the report. Regression in 729266c6f29c7a0677b24926a86a767ef3078b26. Backport of 4aae864463b149393a36e0b18345cf6ed392634d from main | |||
| 2023-12-04 | [4.2.x] Post-release version bump. | Mariusz Felisiak | |
| 2023-12-04 | [4.2.x] Bumped version for 4.2.8 release.4.2.8 | Mariusz Felisiak | |
