summaryrefslogtreecommitdiff
path: root/django
AgeCommit message (Collapse)Author
2025-11-05[4.2.x] Bumped version for 4.2.26 release.4.2.26Natalia
2025-11-05[4.2.x] Refs CVE-2025-64459 -- Avoided propagating invalid arguments to Q on ↵Jacob Walls
dictionary expansion. Backport of 3c3f46357718166069948625354b8315a8505262 from main.
2025-11-05[4.2.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via ↵Jacob Walls
the _connector kwarg. Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
2025-11-05[4.2.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in ↵Jacob Walls
HttpResponseRedirect/HttpResponsePermanentRedirect on Windows. Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
2025-10-01[4.2.x] Post-release version bump.Jacob Walls
2025-10-01[4.2.x] Bumped version for 4.2.25 release.4.2.25Jacob Walls
2025-10-01[4.2.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal ↵Sarah Boyce
via archive.extract(). Thanks stackered for the report. Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23. Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
2025-10-01[4.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), ↵Mariusz Felisiak
aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
2025-09-03[4.2.x] Post-release version bump.Sarah Boyce
2025-09-03[4.2.x] Bumped version for 4.2.24 release.4.2.24Sarah Boyce
2025-09-03[4.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL ↵Jake Howard
injection in column aliases. Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
2025-06-10[4.2.x] Post-release version bump.Sarah Boyce
2025-06-10[4.2.x] Bumped version for 4.2.23 release.4.2.23Sarah Boyce
2025-06-06[4.2.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response ↵Jake Howard
logging. Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, to ensure untrusted values like request paths are safely escaped. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 957951755259b412d5113333b32bf85871d29814 from main.
2025-06-06[4.2.x] Refs CVE-2025-48432 -- Made SuspiciousOperation logging use ↵Natalia
log_response() for consistency. Backport of ff835f439cb1ecd8d74a24de12e3c03e5477dc9d from main.
2025-06-04[4.2.x] Post-release version bump.Natalia
2025-06-04[4.2.x] Bumped version for 4.2.22 release.4.2.22Natalia
2025-06-04[4.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in ↵Natalia
`log_response()`. Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net> Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
2025-05-06[4.2.x] Post-release version bump.Natalia
2025-05-06[4.2.x] Bumped version for 4.2.21 release.4.2.21Natalia
2025-05-06[4.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
2025-04-23[4.2.x] Fixed #36341 -- Preserved whitespaces in wordwrap template filter.Matti Pohjanvirta
Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b. This work improves the django.utils.text.wrap() function to ensure that empty lines and lines with whitespace only are kept instead of being dropped. Thanks Matti Pohjanvirta for the report and fix. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 1e9db35836d42a3c72f3d1015c2f302eb6fee046 from main.
2025-04-23[4.2.x] Fixed warnings per flake8 7.2.0.Mariusz Felisiak
https://github.com/PyCQA/flake8/releases/tag/7.2.0 Backport of 281910ff8e9ae98fa78ee5d26ae3f0b713ccf418 from main.
2025-04-07[4.2.x] Fixed #36298 -- Truncated the overwritten file content in ↵Sarah Boyce
file_move_safe(). Regression in 58cd4902a71a3695dd6c21dc957f59c333db364c. Thanks Baptiste Mispelon for the report. Backport of 8ad3e80e88201f4c557f6fa79fcfc0f8a0961830 from main.
2025-03-06[4.2.x] Post-release version bump.Sarah Boyce
2025-03-06[4.2.x] Bumped version for 4.2.20 release.4.2.20Sarah Boyce
2025-03-06[4.2.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template ↵Sarah Boyce
filter. Thanks sw0rd1ight for the report. Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
2025-02-05[4.2.x] Post-release version bump.Natalia
2025-02-05[4.2.x] Bumped version for 4.2.19 release.4.2.19Natalia
2025-01-16[4.2.x] Refs #36098 -- Fixed validate_ipv4_address() crash for non-string ↵Sarah Boyce
values. Regression in ca2be7724e1244a4cb723de40a070f873c6e94bf.
2025-01-15[4.2.x] Fixed #36098 -- Fixed ↵Mariusz Felisiak
validate_ipv6_address()/validate_ipv46_address() crash for non-string values. Regression in ca2be7724e1244a4cb723de40a070f873c6e94bf. Backport of b3c5830769d8a5dbf2f974da7116fe503c9454d9 from main.
2025-01-14[4.2.x] Post-release version bump.Natalia
2025-01-14[4.2.x] Bumped version for 4.2.18 release.4.2.18Natalia
2025-01-14[4.2.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.Natalia
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-12-04[4.2.x] Post-release version bump.Sarah Boyce
2024-12-04[4.2.x] Bumped version for 4.2.17 release.4.2.17Sarah Boyce
2024-12-04[4.2.x] Fixed CVE-2024-53908 -- Prevented SQL injections in direct ↵Simon Charette
HasKeyLookup usage on Oracle. Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah Boyce for the reviews.
2024-12-04[4.2.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews.
2024-12-03[4.2.x] Refs CVE-2024-11168 -- Updated vendored _urlsplit() to properly ↵Mariusz Felisiak
validate IPv6 and IPvFuture addresses. Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function _urlsplit() with unsanitized input could be at risk. https://github.com/python/cpython/pull/103849
2024-09-03[4.2.x] Post-release version bump.Natalia
2024-09-03[4.2.x] Bumped version for 4.2.16 release.4.2.16Natalia
2024-09-03[4.2.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when ↵Natalia
email sending fails. On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews.
2024-09-03[4.2.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-08-06[4.2.x] Post-release version bump.Sarah Boyce
2024-08-06[4.2.x] Bumped version for 4.2.15 release.4.2.15Sarah Boyce
2024-07-31[4.2.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection ↵Simon Charette
attacks against JSON fields. Thanks Eyal (eyalgabay) for the report.
2024-07-31[4.2.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in ↵Mariusz Felisiak
django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-07-31[4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks to MProgrammer for the report.
2024-07-31[4.2.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in ↵Sarah Boyce
floatformat. Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com>
2024-07-25[4.2.x] Fixed #35627 -- Raised a LookupError rather than an unhandled ↵Lorenzo Peña
ValueError in get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb. Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.