| field | value | date |
|---|---|---|
| author | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-02-03 09:11:06 -0500 |
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-02-03 09:12:15 -0500 |
| commit | e0896dfe83cce33b5cae3fcf0bbbef89e92b4bc6 (patch) | |
| tree | be8f05c3ae6c644db38cc8a72d25899025614ce7 /docs | |
| parent | 609d5526f0c4f8904ffabbce96cdb31953ffa92f (diff) | |
[4.2.x] Added CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287, and CVE-2026-1312 to security archive.
Backport of af361d3be4725b9da1022c078b2db02b9d9b96e7 from main.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/security.txt | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/docs/releases/security.txt b/docs/releases/security.txt index b7bd09f17e..0d445669b5 100644 --- a/docs/releases/security.txt +++ b/docs/releases/security.txt 
@@ -36,6 +36,74 @@ Issues under Django's security process All security issues have been handled under versions of Django's security process. These are listed below. +February 3, 2026 - :cve:`2025-13473` +------------------------------------ + +Username enumeration through timing difference in mod_wsgi authentication +handler. +`Full description +<https://www.djangoproject.com/weblog/2026/feb/03/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <d72cc3be3be0bbebdcaea5a8c8106b4d6f2a32bd>` +* Django 5.2 :commit:`(patch) <184e38ab0a061c365f5775676a074796d8abd02f>` +* Django 4.2 :commit:`(patch) <6dc23508f3395e1254c315084c7334ef81c4c09a>` + +February 3, 2026 - :cve:`2025-14550` +------------------------------------ + +Potential denial-of-service vulnerability via repeated headers when using ASGI. +`Full description +<https://www.djangoproject.com/weblog/2026/feb/03/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <972dbdd4f7f69e9c405e6fe12a1b90e4713c1611>` +* Django 5.2 :commit:`(patch) <1ba90069c12836db46981bdf75b0e661db5849ce>` +* Django 4.2 :commit:`(patch) <f578acc8c54530fffabd52d2db654c8669b011af>` + +February 3, 2026 - :cve:`2026-1207` +----------------------------------- + +Potential SQL injection via raster lookups on PostGIS. +`Full description +<https://www.djangoproject.com/weblog/2026/feb/03/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <8f77e7301174834573614ae90e1826fdf27f8a24>` +* Django 5.2 :commit:`(patch) <17a1d64a58ef24c0c3b78d66d86f5415075f18f0>` +* Django 4.2 :commit:`(patch) <a14363102d98fa29b8cced578eb3a0fadaa5bcb7>` + +February 3, 2026 - :cve:`2026-1285` +----------------------------------- + +Potential denial-of-service vulnerability in ``django.utils.text.Truncator`` +HTML methods. 
+`Full description +<https://www.djangoproject.com/weblog/2026/feb/03/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <4b86ba51e486530db982341a23e53c7a1e1e6e71>` +* Django 5.2 :commit:`(patch) <9f2ada875bbee62ac46032e38ddb22755d67ae5a>` +* Django 4.2 :commit:`(patch) <b40cfc6052ced26dcd8166a58ea6f841d0d2cac8>` + +February 3, 2026 - :cve:`2026-1287` +----------------------------------- + +Potential SQL injection in column aliases via control characters. +`Full description +<https://www.djangoproject.com/weblog/2026/feb/03/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <0c0f5c2178c01ada5410cd53b4b207bf7858b952>` +* Django 5.2 :commit:`(patch) <3e68ccdc11c127758745ddf0b4954990b14892bc>` +* Django 4.2 :commit:`(patch) <f75f8f3597e1ce351d5ac08b6ba7ebd9dadd9b5d>` + +February 3, 2026 - :cve:`2026-1312` +----------------------------------- + +Potential SQL injection via ``QuerySet.order_by`` and ``FilteredRelation``. +`Full description +<https://www.djangoproject.com/weblog/2026/feb/03/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <15e70cb83e6f7a9a2a2f651f30b28b5cb20febeb>` +* Django 5.2 :commit:`(patch) <e863ee273c6553e9b6fa4960a17acb535851857b>` +* Django 4.2 :commit:`(patch) <90f5b10784ba5bf369caed87640e2b4394ea3314>` + December 2, 2025 - :cve:`2025-13372` ------------------------------------ |
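Review bot: The six new entries are correctly placed ahead of the existing "December 2, 2025 - :cve:`2025-13372`" heading, keeping the archive in reverse-chronological order, and each follows the established layout (date/CVE heading with matching underline length, one-line summary, "Full description" link, per-branch `:commit:` links for 6.0, 5.2 and 4.2), so no structural fix is needed. Two points worth checking before merge: since this is the 4.2.x backport of af361d3be4725b9da1022c078b2db02b9d9b96e7 and the archive is the canonical lookup for which fix landed where, confirm that the three `Django 4.2 :commit:` hashes resolve on stable/4.2.x and are not main-branch hashes carried over from the original commit; and all six "Full description" links point at the same weblog post, which is expected for a coordinated release but is worth a quick check that the post covers every listed CVE, including the two with "Potential SQL injection" summaries whose titles alone do not distinguish affected components beyond the summary text given here.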
