summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2022-01-042.2.x] Bumped version for 2.2.26 release.2.2.26Carlton Gibson
2022-01-04[2.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage ↵Florian Apolloner
subsystem. Thanks to Dennis Brinkrolf for the report.
2022-01-04[2.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in ↵Florian Apolloner
dictsort template filter. Thanks to Dennis Brinkrolf for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
2022-01-04[2.2.x] Fixed CVE-2021-45115 -- Prevented DoS vector in ↵Florian Apolloner
UserAttributeSimilarityValidator. Thanks Chris Bailey for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
2021-12-28[2.2.x] Added stub release notes for 2.2.26 release.Carlton Gibson
2021-12-15[2.2.x] Refs #33365, Refs #30530 -- Doc'd re_path() behavior change in ↵Mariusz Felisiak
Django 2.2.25, 3.1.14, and 3.2.10. Follow up to d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6. Backport of 5de12a369a7b2231e668e0460c551c504718dbf6 from main
2021-12-07[2.2.x] Added CVE-2021-44420 to security archive.Mariusz Felisiak
Backport of 8747052411275d290b2152ffcb8dee11afbb82cd from main
2021-12-07[2.2.x] Post-release version bump.Mariusz Felisiak
2021-12-07[2.2.x] Bumped version for 2.2.25 release.2.2.25Mariusz Felisiak
2021-12-07[2.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an ↵Florian Apolloner
upstream access control based on URL paths. Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports. Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.
2021-11-30[2.2.x] Added requirements.txt to files ignored by Sphinx builds.Mariusz Felisiak
Backport of 0cf2d48ba83543b16bdf390d941eb98e8d34f3bd from stable/3.2.x.
2021-11-30[2.2.x] Added stub release notes for 2.2.25.Mariusz Felisiak
Backport of ae4077e13ea2e4c460c3f21b9aab93a696590851 from main.
2021-11-18[2.2.x] Fixed crash building HTML docs since Sphinx 4.3.Mariusz Felisiak
See https://github.com/sphinx-doc/sphinx/commit/dd2ff3e911c751c06c81f494128fba56d8ecbafd. Backport of f0480ddd2d3cb04b784cf7ea697f792b45c689cc from main
2021-11-18[2.2.x] Configured Read The Docs to build all formats.Adam Johnson
`all` acts as an alias for all formats ([docs](https://docs.readthedocs.io/en/stable/config-file/v2.html#formats)). Whilst there are only three formats right now, this would auto expand to other formats in the future, which seems desirable? Backport of 1fe23bdd29a8f2f6802c2038702ff7a5d0e21a0d from main
2021-11-03[2.2.x] Refs #33247 -- Corrected configuration for Read The Docs.Carlton Gibson
This pins Sphinx version, because the default Sphinx version used by RTD is not compatible with Python 3.8+. This also, sets Python 3.8 for RTD builds which is compatible with all current versions of Django. Thanks to Mariusz Felisiak for the suggestion. Backport of 447b6c866f0741bb68c92dc925a65fb15bfe7995 from main.
2021-11-03[2.2.x] Fixed #33247 -- Added configuration for Read The Docs.Carlton Gibson
Co-authored-by: Andrew Neitsch <andrew@neitsch.ca> Backport of 0da7a2e9dab81b622a2000536c6a96de7f46e237 from main
2021-11-03[2.2.x] Refs #32856 -- Clarified that psycopg2 < 2.9 is required.Mariusz Felisiak
Follow up to 837ffcfa681d0f65f444d881ee3d69aec23770be.
2021-10-12[2.2.x] Added 'formatter' to spelling wordlist.Mariusz Felisiak
Backport of e43a131887e2a316d4fb829c3a272ef0cbbeea80 from main
2021-09-02[2.2.x] Fixed #33082 -- Fixed CommandTests.test_subparser_invalid_option on ↵Mariusz Felisiak
Python 3.9.7+. Thanks Michał Górny for the report. Backport of 50ed545e2fa02c51e0d1559b83624f256e4b499b from main.
2021-07-30[2.2.x] Refs #31676 -- Updated technical board description in organization docs.Mariusz Felisiak
According to DEP 0010. Backport of f2ed2211c26ba375390cb76725c95ae970a0fd1d from main.
2021-07-30[2.2.x] Refs #31676 -- Added Mergers and Releasers to organization docs.Mariusz Felisiak
According to DEP 0010. Backport of 228ec8e015bac9751c8aef3107358fbb2cb3301b from main
2021-07-30[2.2.x] Refs #31676 -- Removed Core team from organization docs.Mariusz Felisiak
According to DEP 0010. Backport of caa2dd08c4722c8702588f5dfe1fa4c506aa66fc from main
2021-07-13[2.2.x] Refs #31676 -- Removed Django Core-Mentorship mailing list ↵Mariusz Felisiak
references in docs. Backport of 37e8367c359cd115f109d82f99ff32be219f4928 from main.
2021-06-21[2.2.x] Refs #32856 -- Doc'd that psycopg2 < 2.9 is required.Mariusz Felisiak
2021-06-02[2.2.x] Fixed docs header underlines in security archive.Mariusz Felisiak
Backport of d9cee3f5f2f90938d2c2c0230be40c7d50aef53d from main
2021-06-02[2.2.x] Added CVE-2021-33203 and CVE-2021-33571 to security archive.Carlton Gibson
Backport of a39f235ca4cb7370dba3a3dedeaab0106d27792f from main
2021-06-02[2.2.x] Post-release version bump.Carlton Gibson
2021-06-02[2.2.x] Bumped version for 2.2.24 release.2.2.24Carlton Gibson
2021-06-02[2.2.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.Mariusz Felisiak
validate_ipv4_address() was affected only on Python < 3.9.5, see [1]. URLValidator() uses a regular expressions and it was affected on all Python versions. [1] https://bugs.python.org/issue36384
2021-06-02[2.2.x] Fixed CVE-2021-33203 -- Fixed potential path-traversal via ↵Florian Apolloner
admindocs' TemplateDetailView.
2021-06-02[2.2.x] Confirmed release date for Django 2.2.24.Carlton Gibson
Backport of f66ae7a2d5558fe88ddfe639a610573872be6628 from main.
2021-05-26[2.2.x] Added stub release notes and date for Django 2.2.24.Carlton Gibson
Backport of b46dbd4e3e255223078ae0028934ea986e19ebc1 from main
2021-05-20[2.2.x] Changed IRC references to Libera.Chat.Mariusz Felisiak
Backport of 66491f08fe86629fa25977bb3dddda06959f65e7 from main.
2021-05-14[2.2.x] Refs #32718 -- Fixed file_storage.test_generate_filename and ↵Mariusz Felisiak
model_fields.test_filefield tests on Python 3.5.
2021-05-13[2.2.x] Post-release version bump.Mariusz Felisiak
2021-05-13[2.2.x] Bumped version for 2.2.23 release.2.2.23Mariusz Felisiak
2021-05-13[2.2.x] Fixed #32718 -- Relaxed file name validation in FileField.Mariusz Felisiak
- Validate filename returned by FileField.upload_to() not a filename passed to the FileField.generate_filename() (upload_to() may completely ignored passed filename). - Allow relative paths (without dot segments) in the generated filename. Thanks to Jakub Kleň for the report and review. Thanks to all folks for checking this patch on existing projects. Thanks Florian Apolloner and Markus Holtermann for the discussion and implementation idea. Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3. Backport of b55699968fc9ee985384c64e37f6cc74a0a23683 from main.
2021-05-12[2.2.x] Refs #32718 -- Corrected CVE-2021-31542 release notes.Mariusz Felisiak
Backport of d1f1417caed648db2f81a1ec28c47bf958c01958 from main.
2021-05-06[2.2.x] Added CVE-2021-32052 to security archive.Mariusz Felisiak
Backport of efebcc429f048493d6bc710399e65d98081eafd5 from main
2021-05-06[2.2.x] Post-release version bump.Mariusz Felisiak
2021-05-06[2.2.x] Bumped version for 2.2.22 release.2.2.22Mariusz Felisiak
2021-05-06[2.2.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs ↵Mariusz Felisiak
from being accepted in URLValidator on Python 3.9.5+. In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines and tabs from URLs [1, 2]. Unfortunately it created an issue in the URLValidator. URLValidator uses urllib.urlsplit() and urllib.urlunsplit() for creating a URL variant with Punycode which no longer contains newlines and tabs in Python 3.9.5+. As a consequence, the regular expression matched the URL (without unsafe characters) and the source value (with unsafe characters) was considered valid. [1] https://bugs.python.org/issue43882 and [2] https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 Backport of e1e81aa1c4427411e3c68facdd761229ffea6f6f from main.
2021-05-06[2.2.x] Refs CVE-2021-31542 -- Skipped mock AWS storage test on Windows.Carlton Gibson
The validate_file_name() sanitation introduced in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3 correctly rejects the example file name as containing path elements on Windows. This breaks the test introduced in 914c72be2abb1c6dd860cb9279beaa66409ae1b2 to allow path components for storages that may allow them. Test is skipped pending a discussed storage refactoring to support this use-case. Backport of a708f39ce67af174df90c5b5e50ad1976cec7cb8 from main
2021-05-04[2.2.x] Added CVE-2021-31542 to security archive.Carlton Gibson
Backport of 607ebbfba915de2d84eb943aa93654f31817a709 and 62b2e8b37e37a313c63be40e3223ca4e830ebde3 from main
2021-05-04[2.2.x] Post-release version bump.Carlton Gibson
2021-05-04[2.2.x] Bumped version for 2.2.21 release.2.2.21Carlton Gibson
2021-04-27[2.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in ↵Florian Apolloner
file uploads.
2021-04-06[2.2.x] Added CVE-2021-28658 to security archive.Mariusz Felisiak
Backport of 1eac8468cbde790fecb51dd055a439f4947d01e9 from main
2021-04-06[2.2.x] Post-release version bump.Mariusz Felisiak
2021-04-06[2.2.x] Bumped version for 2.2.20 release.2.2.20Mariusz Felisiak
generated by cgit v1.3 (git 2.53.0) at 2026-05-01 20:54:21 +0000