[4.2.x] Fixed CVE-2026-1207 -- Prevented SQL injections in RasterField lookups via band index.

Thanks Tarek Nakkouch for the report, and Simon Charette for the initial triage and review. Backport of 81aa5292967cd09319c45fe2c1a525ce7b6684d8 from main.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2026-01-19 15:42:33 -0500
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2026-02-03 08:25:13 -0500
commit: a14363102d98fa29b8cced578eb3a0fadaa5bcb7 (patch)
tree: 2bdc10fc99f861027d3dcc8cd483d0030a2571c3 /docs
parent: f578acc8c54530fffabd52d2db654c8669b011af (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/docs/releases/4.2.28.txt b/docs/releases/4.2.28.txt
index 67d398308c..aa06882806 100644
--- a/docs/releases/4.2.28.txt
+++ b/docs/releases/4.2.28.txt
@@ -29,3 +29,15 @@ produced super-linear computation resulting in service degradation or outage.
 
 This issue has severity "moderate" according to the :ref:`Django security
 policy <security-disclosure>`.
+
+CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
+====================================================================
+
+:ref:`Raster lookups <spatial-lookup-raster>` on GIS fields (only implemented
+on PostGIS) were subject to SQL injection if untrusted data was used as a band
+index.
+
+As a reminder, all untrusted user input should be validated before use.
+
+This issue has severity "high" according to the :ref:`Django security policy
+<security-disclosure>`.
author	Jacob Walls <jacobtylerwalls@gmail.com>	2026-01-19 15:42:33 -0500
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2026-02-03 08:25:13 -0500
commit	a14363102d98fa29b8cced578eb3a0fadaa5bcb7 (patch)
tree	2bdc10fc99f861027d3dcc8cd483d0030a2571c3 /docs
parent	f578acc8c54530fffabd52d2db654c8669b011af (diff)