| author | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-04-07 08:51:05 -0400 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-04-07 08:52:15 -0400 |
| commit | 97aa3b7f08f51669e118f3af5ca91026e39664c3 (patch) | |
| tree | 831a219b1063ef5e3beedc923d061b1e9cb8e8b9 /docs | |
| parent | a255ce3bc9306e713114de83da9b6d45c48a562d (diff) | |
[4.2.x] Added CVE-2026-3902, CVE-2026-4277, CVE-2026-4292, CVE-2026-33033, and CVE-2026-33034 to security archive.
stable/4.2.x
Backport of 3330dc2dd97f60ab32d3c912d2649859d063265c from main.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/security.txt | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/docs/releases/security.txt b/docs/releases/security.txt index 24a1549007..bec0ed56b0 100644 --- a/docs/releases/security.txt +++ b/docs/releases/security.txt 
@@ -36,6 +36,63 @@ Issues under Django's security process All security issues have been handled under versions of Django's security process. These are listed below. +April 7, 2026 - :cve:`2026-3902` +-------------------------------- + +ASGI header spoofing via underscore/hyphen conflation. +`Full description +<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <a623c3982857e80324448f85c7faf9a6710330ef>` +* Django 5.2 :commit:`(patch) <1cc2a7612f97c109b92415fc11ba9bd0501852e0>` +* Django 4.2 :commit:`(patch) <4412731aa64d62a6dd7edae79e0c15b72666d7ca>` + +April 7, 2026 - :cve:`2026-4277` +-------------------------------- + +Privilege abuse in ``GenericInlineModelAdmin``. +`Full description +<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <08a752c1cd8f378b4c64d96c319da23726df6ed3>` +* Django 5.2 :commit:`(patch) <60ffa957c427e10a2eb0fc80d1674a8a8ccc30b0>` +* Django 4.2 :commit:`(patch) <051f3909e820360bbe84a21350e82f4961e3d917>` + +April 7, 2026 - :cve:`2026-4292` +-------------------------------- + +Privilege abuse in ``ModelAdmin.list_editable``. +`Full description +<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <428c48f358c5a0ed5ca2834fb721d615eb2b0e11>` +* Django 5.2 :commit:`(patch) <397c22048244db2cd4bb78f570e6c72a3967bf36>` +* Django 4.2 :commit:`(patch) <abfe1a1c57a57cfaf6dd4a0571c029401a0fe743>` + +April 7, 2026 - :cve:`2026-33033` +--------------------------------- + +Potential denial-of-service vulnerability in ``MultiPartParser`` via +base64-encoded file upload. 
+`Full description +<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <0910af60468216c856dfbcac1177372c225deb76>` +* Django 5.2 :commit:`(patch) <0b467893bdde69a2d23034338e76021a1e4f4322>` +* Django 4.2 :commit:`(patch) <f13c20f81b56108ac477213fa5ada2524b5e5c98>` + +April 7, 2026 - :cve:`2026-33034` +--------------------------------- + +Potential denial-of-service vulnerability in ASGI requests via memory upload +limit bypass. +`Full description +<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <393dbc53e848876fdba92fbf02e10ee6a6eace6b>` +* Django 5.2 :commit:`(patch) <49e1e2b548999a35a025f9682598946bda9e9921>` +* Django 4.2 :commit:`(patch) <ed4dfda62718a0bb644b80ac8b1d3099861f2295>` + March 3, 2026 - :cve:`2026-25673` --------------------------------- |
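Review bot: before this backport lands on stable/4.2.x, confirm that each of the five ``Django 4.2 :commit:`` hashes in the hunk (``4412731aa6...``, ``051f3909e8...``, ``abfe1a1c57...``, ``f13c20f81b...``, ``ed4dfda627...``) already exists on this branch, since the ``:commit:`` role renders as a link and a dangling hash in the security archive would point readers at a fix they cannot find; the 6.0 and 5.2 hashes are copied from main and only need to match the original commit. Otherwise the hunk is consistent: ``@@ -36,6 +36,63 @@`` matches the 57 reported insertions plus six context lines, the five entries are inserted ahead of the March 3, 2026 entry so the newest-first ordering is preserved, and each title underline is the same length as its heading.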
