django.git - django

Age	Commit message (Collapse)	Author
2024-09-03	[4.2.x] Bumped version for 4.2.16 release.4.2.16	Natalia

2024-09-03	[4.2.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when ↵	Natalia
	email sending fails. On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews.
2024-09-03	[4.2.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and ↵	Sarah Boyce
	urlizetrunc template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-08-27	[4.2.x] Fixed grammatical error in stub release notes for upcoming security ↵	Natalia
	release. Backport of b941de340daed4ce88f04a8012b9dba00ccb1359 from main.
2024-08-27	[4.2.x] Added stub release notes and release date for 4.2.16.	Natalia
	Backport of 67efd42517af0faf24872df4295b39e98ce826af from main.
2024-08-06	[4.2.x] Added CVE-2024-41989, CVE-2024-41990, CVE-2024-41991, and ↵	Sarah Boyce
	CVE-2024-42005 to security archive. Backport of fdc638bf4a35b5497d0b3b4faedaf552da792f99 from main.
2024-08-06	[4.2.x] Post-release version bump.	Sarah Boyce

2024-08-06	[4.2.x] Bumped version for 4.2.15 release.4.2.15	Sarah Boyce

2024-07-31	[4.2.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection ↵	Simon Charette
	attacks against JSON fields. Thanks Eyal (eyalgabay) for the report.
2024-07-31	[4.2.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in ↵	Mariusz Felisiak
	django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-07-31	[4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and ↵	Sarah Boyce
	urlizetrunc template filters. Thanks to MProgrammer for the report.
2024-07-31	[4.2.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in ↵	Sarah Boyce
	floatformat. Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com>
2024-07-31	[4.2.x] Added stub release notes and release date for 4.2.15.	Sarah Boyce
	Backport of 3f880890699d4412cf23b59dba425111f62afb3a from main.
2024-07-25	[4.2.x] Fixed #35627 -- Raised a LookupError rather than an unhandled ↵	Lorenzo Peña
	ValueError in get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb. Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.
2024-07-11	[4.2.x] Fixed auth_tests and file_storage tests on Python 3.8.	Mariusz Felisiak

2024-07-09	[4.2.x] Added CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, and ↵	Natalia
	CVE-2024-39614 to security archive. Backport of e095c7612d49dbe371e9c7edd76ba99b6bc4f9f6 from main.
2024-07-09	[4.2.x] Post-release version bump.	Natalia

2024-07-09	[4.2.x] Bumped version for 4.2.14 release.4.2.14	Natalia

2024-07-09	[4.2.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in ↵	Sarah Boyce
	get_supported_language_variant(). Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report.
2024-07-09	[4.2.x] Fixed CVE-2024-39330 -- Added extra file name validation in ↵	Natalia
	Storage's save method. Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews.
2024-07-09	[4.2.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when ↵	Michael Manfre
	checking unusuable passwords. Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review.
2024-07-09	[4.2.x] Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and ↵	Adam Johnson
	urlizetrunc template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-07-03	[4.2.x] Added stub release notes for 4.2.14.	Natalia

2024-05-07	[4.2.x]Post-release version bump.	Natalia

2024-05-07	[4.2.x] Bumped version for 4.2.13 release.4.2.13	Sarah Boyce

2024-05-07	[4.2.x] Added release notes for 4.2.13.	Sarah Boyce
	Backport of 90175e110e7cfcf07f4ccdaadc45d7ed6302ce00 from main.
2024-05-06	[4.2.x] Post-release version bump.	Natalia

2024-05-06	[4.2.x] Bumped version for 4.2.12 release.4.2.12	Sarah Boyce

2024-05-06	[4.2.x] Added release date for 4.2.12.	Sarah Boyce
	Backport of 34a503162fe222033a1cd3249bccad014fcd1d20 from main.
2024-04-19	[4.2.x] Reverted "Fixed #34994, Fixed #35386 -- Applied checkbox-row CSS ↵	Sarah Boyce
	class unconditionally in Admin." This reverts commit 0fc832676cd585fa420d583937b5b2318bc2c629.
2024-04-19	[4.2.x] Fixed #34994, Fixed #35386 -- Applied checkbox-row CSS class ↵	Adam Johnson
	unconditionally in Admin. Backport of bdd76c4c3817d8e3ed5b0450d5e18e4eae096f16 from main.
2024-04-12	[4.2.x] Refs #35361 -- Clarified release notes for 4.2.12.	Natalia
	Backport of cd823778e66307b82469858cfd8d1aa75613b49a from main.
2024-04-10	[4.2.x] Fixed #35361 -- Added release notes for 4.2.12 for backport of ↵	Natalia
	b231bcd19e57267ce1fc21d42d46f0b65fdcfcf8. Backport of 42435fc55cbf7c04c1389ee46cc50e2565b40e37 from main.
2024-04-10	[4.2.x] Refs #34900, Refs #35361 -- Fixed SafeMIMEText.set_payload() crash ↵	Mariusz Felisiak
	on Python 3.13. Payloads with surrogates are passed to the set_payload() since https://github.com/python/cpython/commit/f97f25ef5dfcdfec0d9a359fd970abd139cf3428 Backport of b231bcd19e57267ce1fc21d42d46f0b65fdcfcf8 from main.
2024-03-04	[4.2.x] Added CVE-2024-27351 to security archive.	Mariusz Felisiak
	Backport of da39ae4b5f056a332b5c48402a2ae11767e7d577 from main
2024-03-04	[4.2.x] Post-release version bump.	Mariusz Felisiak

2024-03-04	[4.2.x] Bumped version for 4.2.11 release.4.2.11	Mariusz Felisiak

2024-03-04	[4.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().	Shai Berger
	Thanks Seokchan Yoon for the report. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-02-26	[4.2.x] Added release date for 4.2.11 and 3.2.25.	Mariusz Felisiak
	Backport of 977d25416954a72ad100b01762078bf1ceb89a63 from main
2024-02-10	[4.2.x] Refs #34900, Refs #34118 -- Updated assertion in ↵	Daniel Garcia Moreno
	test_skip_class_unless_db_feature() test on Python 3.12.2+. Python 3.12.2 bring back the skipped tests in the number of running tests. Refs https://github.com/python/cpython/commit/0a737639dcd3b7181250f5d56694b192eaddeef0 Backport of bc8471f0aac8f0c215b9471b594d159783bac19b from main
2024-02-08	[4.2.x] Fixed #35172 -- Fixed intcomma for string floats.	Mariusz Felisiak
	Thanks Warwick Brown for the report. Regression in 55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9. Backport of 2f14c2cedc9c92373471c1f98a80c81ba299584a from main.
2024-02-06	[4.2.x] Added CVE-2024-24680 to security archive.	Natalia
	Backport of c650c1412d1933e339cc93f9b6745c3eedb1c25b from main
2024-02-06	[4.2.x] Post release version bump.	Natalia

2024-02-06	[4.2.x] Bumped version for 4.2.10 release.4.2.10	Natalia

2024-02-06	[4.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template ↵	Adam Johnson
	filter. Thanks Seokchan Yoon for the report. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Shai Berger <shai@platonix.com>
2024-01-30	[4.2.x] Pinned black == 23.12.1 for blacken-docs checks.	nessita

2024-01-29	[4.2.x] Pinned black == 23.12.1 in GitHub actions, pre-commit and test ↵	nessita
	requirements.
2024-01-29	[4.2.x] Added stub release notes for 4.2.10 and 3.2.24.	Natalia
	Backport of 06d0a1bd56a9899c351ca047a05813e8dd6a4e17 from main
2024-01-02	[4.2.x] Post-release version bump.	Mariusz Felisiak

2024-01-02	[4.2.x] Bumped version for 4.2.9 release.4.2.9	Mariusz Felisiak