summaryrefslogtreecommitdiff
path: root/docs
AgeCommit message (Collapse)Author
2022-01-04[2.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage ↵Florian Apolloner
subsystem. Thanks to Dennis Brinkrolf for the report.
2022-01-04[2.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in ↵Florian Apolloner
dictsort template filter. Thanks to Dennis Brinkrolf for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
2022-01-04[2.2.x] Fixed CVE-2021-45115 -- Prevented DoS vector in ↵Florian Apolloner
UserAttributeSimilarityValidator. Thanks Chris Bailey for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
2021-12-28[2.2.x] Added stub release notes for 2.2.26 release.Carlton Gibson
2021-12-15[2.2.x] Refs #33365, Refs #30530 -- Doc'd re_path() behavior change in ↵Mariusz Felisiak
Django 2.2.25, 3.1.14, and 3.2.10. Follow up to d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6. Backport of 5de12a369a7b2231e668e0460c551c504718dbf6 from main
2021-12-07[2.2.x] Added CVE-2021-44420 to security archive.Mariusz Felisiak
Backport of 8747052411275d290b2152ffcb8dee11afbb82cd from main
2021-12-07[2.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an ↵Florian Apolloner
upstream access control based on URL paths. Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports. Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.
2021-11-30[2.2.x] Added requirements.txt to files ignored by Sphinx builds.Mariusz Felisiak
Backport of 0cf2d48ba83543b16bdf390d941eb98e8d34f3bd from stable/3.2.x.
2021-11-30[2.2.x] Added stub release notes for 2.2.25.Mariusz Felisiak
Backport of ae4077e13ea2e4c460c3f21b9aab93a696590851 from main.
2021-11-18[2.2.x] Fixed crash building HTML docs since Sphinx 4.3.Mariusz Felisiak
See https://github.com/sphinx-doc/sphinx/commit/dd2ff3e911c751c06c81f494128fba56d8ecbafd. Backport of f0480ddd2d3cb04b784cf7ea697f792b45c689cc from main
2021-11-03[2.2.x] Refs #33247 -- Corrected configuration for Read The Docs.Carlton Gibson
This pins Sphinx version, because the default Sphinx version used by RTD is not compatible with Python 3.8+. This also, sets Python 3.8 for RTD builds which is compatible with all current versions of Django. Thanks to Mariusz Felisiak for the suggestion. Backport of 447b6c866f0741bb68c92dc925a65fb15bfe7995 from main.
2021-11-03[2.2.x] Refs #32856 -- Clarified that psycopg2 < 2.9 is required.Mariusz Felisiak
Follow up to 837ffcfa681d0f65f444d881ee3d69aec23770be.
2021-10-12[2.2.x] Added 'formatter' to spelling wordlist.Mariusz Felisiak
Backport of e43a131887e2a316d4fb829c3a272ef0cbbeea80 from main
2021-07-30[2.2.x] Refs #31676 -- Updated technical board description in organization docs.Mariusz Felisiak
According to DEP 0010. Backport of f2ed2211c26ba375390cb76725c95ae970a0fd1d from main.
2021-07-30[2.2.x] Refs #31676 -- Added Mergers and Releasers to organization docs.Mariusz Felisiak
According to DEP 0010. Backport of 228ec8e015bac9751c8aef3107358fbb2cb3301b from main
2021-07-30[2.2.x] Refs #31676 -- Removed Core team from organization docs.Mariusz Felisiak
According to DEP 0010. Backport of caa2dd08c4722c8702588f5dfe1fa4c506aa66fc from main
2021-07-13[2.2.x] Refs #31676 -- Removed Django Core-Mentorship mailing list ↵Mariusz Felisiak
references in docs. Backport of 37e8367c359cd115f109d82f99ff32be219f4928 from main.
2021-06-21[2.2.x] Refs #32856 -- Doc'd that psycopg2 < 2.9 is required.Mariusz Felisiak
2021-06-02[2.2.x] Fixed docs header underlines in security archive.Mariusz Felisiak
Backport of d9cee3f5f2f90938d2c2c0230be40c7d50aef53d from main
2021-06-02[2.2.x] Added CVE-2021-33203 and CVE-2021-33571 to security archive.Carlton Gibson
Backport of a39f235ca4cb7370dba3a3dedeaab0106d27792f from main
2021-06-02[2.2.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.Mariusz Felisiak
validate_ipv4_address() was affected only on Python < 3.9.5, see [1]. URLValidator() uses a regular expressions and it was affected on all Python versions. [1] https://bugs.python.org/issue36384
2021-06-02[2.2.x] Fixed CVE-2021-33203 -- Fixed potential path-traversal via ↵Florian Apolloner
admindocs' TemplateDetailView.
2021-06-02[2.2.x] Confirmed release date for Django 2.2.24.Carlton Gibson
Backport of f66ae7a2d5558fe88ddfe639a610573872be6628 from main.
2021-05-26[2.2.x] Added stub release notes and date for Django 2.2.24.Carlton Gibson
Backport of b46dbd4e3e255223078ae0028934ea986e19ebc1 from main
2021-05-20[2.2.x] Changed IRC references to Libera.Chat.Mariusz Felisiak
Backport of 66491f08fe86629fa25977bb3dddda06959f65e7 from main.
2021-05-13[2.2.x] Fixed #32718 -- Relaxed file name validation in FileField.Mariusz Felisiak
- Validate filename returned by FileField.upload_to() not a filename passed to the FileField.generate_filename() (upload_to() may completely ignored passed filename). - Allow relative paths (without dot segments) in the generated filename. Thanks to Jakub Kleň for the report and review. Thanks to all folks for checking this patch on existing projects. Thanks Florian Apolloner and Markus Holtermann for the discussion and implementation idea. Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3. Backport of b55699968fc9ee985384c64e37f6cc74a0a23683 from main.
2021-05-12[2.2.x] Refs #32718 -- Corrected CVE-2021-31542 release notes.Mariusz Felisiak
Backport of d1f1417caed648db2f81a1ec28c47bf958c01958 from main.
2021-05-06[2.2.x] Added CVE-2021-32052 to security archive.Mariusz Felisiak
Backport of efebcc429f048493d6bc710399e65d98081eafd5 from main
2021-05-06[2.2.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs ↵Mariusz Felisiak
from being accepted in URLValidator on Python 3.9.5+. In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines and tabs from URLs [1, 2]. Unfortunately it created an issue in the URLValidator. URLValidator uses urllib.urlsplit() and urllib.urlunsplit() for creating a URL variant with Punycode which no longer contains newlines and tabs in Python 3.9.5+. As a consequence, the regular expression matched the URL (without unsafe characters) and the source value (with unsafe characters) was considered valid. [1] https://bugs.python.org/issue43882 and [2] https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 Backport of e1e81aa1c4427411e3c68facdd761229ffea6f6f from main.
2021-05-04[2.2.x] Added CVE-2021-31542 to security archive.Carlton Gibson
Backport of 607ebbfba915de2d84eb943aa93654f31817a709 and 62b2e8b37e37a313c63be40e3223ca4e830ebde3 from main
2021-04-27[2.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in ↵Florian Apolloner
file uploads.
2021-04-06[2.2.x] Added CVE-2021-28658 to security archive.Mariusz Felisiak
Backport of 1eac8468cbde790fecb51dd055a439f4947d01e9 from main
2021-04-06[2.2.x] Fixed CVE-2021-28658 -- Fixed potential directory-traversal via ↵Mariusz Felisiak
uploaded files. Thanks Claude Paroz for the initial patch. Thanks Dennis Brinkrolf for the report. Backport of d4d800ca1addc4141e03c5440a849bb64d1582cd from main.
2021-02-19[2.2.x] Added CVE-2021-23336 to security archive.Carlton Gibson
Backport of ab58f072502e86dfe21b2bd5cccdc5e94dce8d26 from master
2021-02-18[2.2.x] Fixed CVE-2021-23336 -- Fixed web cache poisoning via ↵Nick Pope
django.utils.http.limited_parse_qsl().
2021-02-17[2.2.x] Added documentation extlink for bugs.python.org.Nick Pope
Backport of d02d60eb0f032c9395199fb73c6cd29ee9bb2646 from master
2021-02-01[2.2.x] Added CVE-2021-3281 to security archive.Mariusz Felisiak
Backport of f749148d62ece28d208ab66b109f858215ba090a from master
2021-02-01[2.2.x] Fixed CVE-2021-3281 -- Fixed potential directory-traversal via ↵Mariusz Felisiak
archive.extract(). Thanks Florian Apolloner, Shai Berger, and Simon Charette for reviews. Thanks Wang Baohua for the report. Backport of 05413afa8c18cdb978fcdf470e09f7a12b234a23 from master.
2021-01-02[2.2.x] Updated CVE URL.Tim Graham
Backport of 656b331b13e08e82bbf0b88d39080c5b1a02109c from master
2020-11-02[2.2.x] Set release date for 2.2.17.Carlton Gibson
Backport of 7fc07b9b2ba0c5c62a8840325d21b414a099fda0 from master
2020-10-13[2.2.x] Refs #31040 -- Doc'd Python 3.9 compatibility.Mariusz Felisiak
Backport of e18156b6c35908f2a4026287b5225a6a4da8af1a from master.
2020-10-06[2.2.x] Skipped GetImageDimensionsTests.test_webp when WEBP is not installed.Mariusz Felisiak
Bumped minimum Pillow version to 4.2.0 in test requirements. Backport of fce389af7cf95151118c9fc7cafd777a31f94946 from master
2020-09-01[2.2.x] Added CVE-2020-24583 & CVE-2020-24584 to security archive.Carlton Gibson
Backport of d5b526bf78a9e5d9760e0c0f7647622bf47782fe from master
2020-09-01[2.2.x] Added CVE-2020-13254 and CVE-2020-13596 to security archive.Carlton Gibson
Backport of 54975780ee2e4017844ecad94835fdce43d97377 from master
2020-09-01[2.2.x] Added release date for 2.2.16.Carlton Gibson
Backport of 976e2b7420c0f7e3060a13792b97511a9aad31d7 from master
2020-08-25[2.2.x] Fixed CVE-2020-24584 -- Fixed permission escalation in ↵Mariusz Felisiak
intermediate-level directories of the file system cache on Python 3.7+. Backport of f56b57976133129b0b351a38bba4ac882badabf0 from master.
2020-08-25[2.2.x] Fixed CVE-2020-24583, #31921 -- Fixed permissions on ↵Mariusz Felisiak
intermediate-level static and storage directories on Python 3.7+. Thanks WhiteSage for the report. Backport of ea0febbba531a3ecc8c77b570efbfb68ca7155db from master.
2020-08-13[2.2.x] Refs #31863 -- Added release notes for ↵Mariusz Felisiak
94ea79be137f3cb30949bf82198e96e094f2650d. Backport of 21768a99f47ee73a2f93405151550ef7c3d9c8a2 from master
2020-08-11[2.2.x] Fixed #31866 -- Fixed locking proxy models in ↵Daniel Hillier
QuerySet.select_for_update(of=()). Backport of 60626162f76f26d32a38d18151700cb041201fb3 from master
2020-08-11[2.2.x] Added stub release notes for 2.2.16.Mariusz Felisiak
Backport of 8a5683b6b2aede38edcff070686ed1fce470dec5 from master