Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/4.2.22.txt | 14 |
| -rw-r--r-- | docs/releases/5.1.10.txt | 14 |
| -rw-r--r-- | docs/releases/5.2.2.txt | 14 |
3 files changed, 42 insertions, 0 deletions
diff --git a/docs/releases/4.2.22.txt b/docs/releases/4.2.22.txt index 83c49b787b..ba3cc33248 100644 --- a/docs/releases/4.2.22.txt +++ b/docs/releases/4.2.22.txt @@ -5,3 +5,17 @@ Django 4.2.22 release notes *June 4, 2025* Django 4.2.22 fixes a security issue with severity "low" in 4.2.21. + +CVE-2025-48432: Potential log injection via unescaped request path +================================================================== + +Internal HTTP response logging used ``request.path`` directly, allowing control +characters (e.g. newlines or ANSI escape sequences) to be written unescaped +into logs. This could enable log injection or forgery, letting attackers +manipulate log appearance or structure, especially in logs processed by +external systems or viewed in terminals. + +Although this does not directly impact Django's security model, it poses risks +when logs are consumed or interpreted by other tools. To fix this, the internal +``django.utils.log.log_response()`` function now escapes all positional +formatting arguments using a safe encoding. diff --git a/docs/releases/5.1.10.txt b/docs/releases/5.1.10.txt index 7f2d4c2499..b5cc1f89a1 100644 --- a/docs/releases/5.1.10.txt +++ b/docs/releases/5.1.10.txt 
@@ -5,3 +5,17 @@ Django 5.1.10 release notes *June 4, 2025* Django 5.1.10 fixes a security issue with severity "low" in 5.1.9. + +CVE-2025-48432: Potential log injection via unescaped request path +================================================================== + +Internal HTTP response logging used ``request.path`` directly, allowing control +characters (e.g. newlines or ANSI escape sequences) to be written unescaped +into logs. This could enable log injection or forgery, letting attackers +manipulate log appearance or structure, especially in logs processed by +external systems or viewed in terminals. + +Although this does not directly impact Django's security model, it poses risks +when logs are consumed or interpreted by other tools. To fix this, the internal +``django.utils.log.log_response()`` function now escapes all positional +formatting arguments using a safe encoding. diff --git a/docs/releases/5.2.2.txt b/docs/releases/5.2.2.txt index 56efb69bfb..556e5b3d50 100644 --- a/docs/releases/5.2.2.txt +++ b/docs/releases/5.2.2.txt @@ -7,6 +7,20 @@ Django 5.2.2 release notes Django 5.2.2 fixes a security issue with severity "low" and several bugs in 5.2.1. +CVE-2025-48432: Potential log injection via unescaped request path +================================================================== + +Internal HTTP response logging used ``request.path`` directly, allowing control +characters (e.g. newlines or ANSI escape sequences) to be written unescaped +into logs. This could enable log injection or forgery, letting attackers +manipulate log appearance or structure, especially in logs processed by +external systems or viewed in terminals. + +Although this does not directly impact Django's security model, it poses risks +when logs are consumed or interpreted by other tools. To fix this, the internal +``django.utils.log.log_response()`` function now escapes all positional +formatting arguments using a safe encoding. + Bugfixes ======== |
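Review bot: in the docs/releases/4.2.22.txt hunk, the closing sentence "``django.utils.log.log_response()`` function now escapes all positional / formatting arguments using a safe encoding" does not name the encoding or show what a logged value now looks like, so operators cannot tell from the note how a path containing a newline or an ANSI sequence will appear in their logs after upgrading. Suggest naming the codec that ``log_response()`` applies and adding one before/after line for a path with an embedded newline, so teams that alert on or parse the ``django.request`` log output know what to expect.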
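Review bot: in the docs/releases/5.1.10.txt hunk, the statement that the fix "escapes all positional formatting arguments" is broader than the problem described in the first paragraph, which only mentions ``request.path``; the note should say whether benign values (for example non-ASCII characters in a path, or other arguments passed alongside the path) are also rewritten, since that is a visible change for any log pipeline that matched on the raw path. One sentence listing what is and is not altered would let consumers of these logs update their parsers deliberately rather than discover the change after upgrading.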
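Review bot: in the docs/releases/5.2.2.txt hunk, the scope of the mitigation is left implicit: the text fixes "Internal HTTP response logging" via ``django.utils.log.log_response()``, but a reader may take this to mean Django now sanitises ``request.path`` everywhere. Suggest adding a sentence stating that only the arguments passed through ``log_response()`` are escaped, so project or middleware code that logs ``request.path`` (or other request-derived strings) directly still has to escape control characters itself; this keeps the "does not directly impact Django's security model" framing honest about what remains the application's responsibility.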
