| field | value | date |
|---|---|---|
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-01 08:10:22 +0200 |
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-11 08:59:33 +0200 |
| commit | 93cae5cb2f9a4ef1514cf1a41f714fef08005200 (patch) | |
| tree | e5ea1e69aa37a0ce632480095229fe5afaa47b2f /docs/releases/3.2.13.txt | |
| parent | 62739b6e2630e37faa68a86a59fad135cc788cd7 (diff) | |
Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
Diffstat (limited to 'docs/releases/3.2.13.txt')
| -rw-r--r-- | docs/releases/3.2.13.txt | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/3.2.13.txt b/docs/releases/3.2.13.txt index c26a969f95..ee20aa2ca1 100644 --- a/docs/releases/3.2.13.txt +++ b/docs/releases/3.2.13.txt @@ -7,6 +7,14 @@ Django 3.2.13 release notes Django 3.2.13 fixes two security issues with severity "high" in 3.2.12 and a regression in 3.2.4. +CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()`` +==================================================================================================== + +:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and +:meth:`~.QuerySet.extra` methods were subject to SQL injection in column +aliases, using a suitably crafted dictionary, with dictionary expansion, as the +``**kwargs`` passed to these methods. + Bugfixes ======== |
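Review bot: The new CVE-2022-28346 section states the vulnerable behaviour (aliases taken from a crafted ``**kwargs`` dictionary reaching the SQL) but not the behaviour after the fix, so a reader upgrading cannot tell from these lines what now happens when such an alias is passed (rejected with an error, or otherwise refused); suggest closing the paragraph with one sentence stating the post-fix behaviour. Also, the unchanged intro line above the hunk says 3.2.13 "fixes two security issues with severity "high"", while this hunk adds only the CVE-2022-28346 section; confirm the second advisory's section is added to this file as well so the count in the intro matches the sections that follow it.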
