Age         Author              Commit message

2025-12-02  Natalia  (tag: 4.2.27)
  [4.2.x] Bumped version for 4.2.27 release.

2025-12-02  Shai Berger
  [4.2.x] Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation in XML serializer.

  Previously, `getInnerText()` recursively used `list.extend()` on strings, which added each character from child nodes as a separate list element. On deeply nested XML content, this caused the overall deserialization work to grow quadratically with input size, potentially allowing disproportionate CPU consumption for crafted XML.

  The fix separates collection of inner texts from joining them, so that each subtree is joined only once, reducing the complexity to linear in the size of the input.

  These changes also include a mitigation for an xml.dom.minidom performance issue.

  Thanks Seokchan Yoon (https://ch4n3.kr/) for the report.

  Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
  Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

  Backport of 50efb718b31333051bc2dcb06911b8fa1358c98c from main.

2025-12-02  Jacob Walls
  [4.2.x] Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL injection in column aliases on PostgreSQL.

  Follow-up to CVE-2025-57833.

  Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak for the reviews.

  Backport of 5b90ca1e7591fa36fccf2d6dad67cf1477e6293e from main.

2025-11-26  Natalia
  [4.2.x] Added script to archive EOL stable branches.

  This also fixed a small bash issue in the `confirm_release.sh` script.

  Backport of 532c1058a7dd2616181259c94eb92f2477038d2c from main.

2025-11-26  Natalia
  [4.2.x] Refs #36743 -- Added missing release notes for 5.1.15 and 4.2.27.

  The fix that landed in a8cf8c292cfee98fe6cc873ca5221935f1d02271 will be backported to 5.1 and 4.2 since the 2048 limit was rolled out as part of the security release for CVE-2025-64458.

  Backport of 18b13cf6c48ff0a20b2a74d3b90d1fc1602608e4 from main.

2025-11-26  varunkasyap
  [4.2.x] Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase.

  Refs CVE-2025-64458.

  The previous limit of 2048 characters reused the URLValidator constant and proved too restrictive for legitimate redirects to some third-party services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH` constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.

  Thanks Jacob Walls for the report and review.

  Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.

2025-11-26  Natalia
  [4.2.x] Added timeout-minutes directive to all GitHub Actions workflows.

  GitHub Actions defaults to a 360-minute (6-hour) timeout. We've had jobs hang due to issues in the parallel test runner, causing them to run for the full 6 hours. This wastes resources and negatively impacts CI availability, so explicit timeouts have been added to prevent long-running hangs.

  Backport of e48527f91d341c85a652499a5baaf725d36ae54f from main.

2025-11-25  Natalia
  [4.2.x] Added stub release notes and release date for 4.2.27.

  Backport of d62e811acfc6a056e847bfcc460092a98511ed00 from main.

2025-11-21  Jacob Walls
  [4.2.x] Configured dangerous-triggers zizmor rule.

  Backport of 846613e521104fa2f2e1c2023e4a1a9886a2ff48 from main.

2025-11-21  Jacob Walls
  [4.2.x] Addressed unpinned-uses zizmor finding.

  Backport of 86b8058b40145fb5ba4fd859676225f533eca986 from main.

2025-11-21  Jacob Walls
  [4.2.x] Simplified actions after applying zizmor auto-fixes.

  Backport of 08f4901b3fd3f352ef9cea830d000aee73152556 from main.

2025-11-21  Jacob Walls
  [4.2.x] Applied auto-fixes from zizmor findings.

  Backport of e8958c4690faef27b6715524ecb5c49c3ecb6a09 from main.

2025-11-21  Jacob Walls
  [4.2.x] Added GitHub Actions linter (zizmor).

  At the direction of the Security Team.

  Thanks Markus Holtermann, Jake Howard, and Natalia Bidart for reviews.

  Backport of 09d4bf5cd9c95c588d3ec22edea5db1f5f146900 from main.

2025-11-21  Natalia
  [4.2.x] Added scripts for building and releasing Django artifacts.

  Backport of a523d5c8336f5f7f5e24a1cc8034ce65aedec3c6 from main.

2025-11-21  Natalia
  [4.2.x] Skipped scripts/ folder from built release artifacts.

  Backport of 971c76f735d2d61051d887b62a244d743794699a from main.

2025-11-10  Markus Holtermann
  [4.2.x] Fixed unsafe variable interpolation in GitHub Action workflow.

  Thank you Davide Netti for the report and initial patch.

  Co-authored-by: Davide Netti <davide.netti4@gmail.com>

  Backport of 01c70ba14899409e86dc3f6c6bcae0afc48094e7 from main.

2025-11-05  Natalia
  [4.2.x] Added CVE-2025-64458 and CVE-2025-64459 to security archive.

  Backport of c5a107e8248813f07325ae65232b5e53e9ac4238 from main.

2025-11-05  Natalia
  [4.2.x] Post-release version bump.

2025-11-05  Natalia  (tag: 4.2.26)
  [4.2.x] Bumped version for 4.2.26 release.

2025-11-05  Jacob Walls
  [4.2.x] Refs CVE-2025-64459 -- Avoided propagating invalid arguments to Q on dictionary expansion.

  Backport of 3c3f46357718166069948625354b8315a8505262 from main.

2025-11-05  Jacob Walls
  [4.2.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg.

  Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews.

  Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.

2025-11-05  Jacob Walls
  [4.2.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.

  Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review.

  Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.

2025-11-03  Mariusz Felisiak
  [4.2.x] Skipped test_compressed_file_based_raster_creation() test on GDAL 3.5+.

2025-11-03  Mariusz Felisiak
  [4.2.x] Fixed RelatedGeoModelTest.test_related_union_aggregate() crash on Python < 3.10.

  Regression in 321af4877b62be6849f44e00d1c7e75928e7d3a2.

2025-10-29  Jacob Walls
  [4.2.x] Added stub release notes and release date for 4.2.26.

  Backport of ab108bf94dfc06c311d7dc81866b848fe5b5ee6c from main.

2025-10-22  Mariusz Felisiak
  [4.2.x] Made RemoteTestResultTest.test_pickle_errors_detection() compatible with tblib 3.2+.

  tblib 3.2+ makes exception subclasses with __init__() and the default __reduce__() picklable. This broke the test for RemoteTestResult._confirm_picklable(), which expects a specific exception to fail unpickling.

  https://github.com/ionelmc/python-tblib/blob/master/CHANGELOG.rst#320-2025-10-21

  This fix defines ExceptionThatFailsUnpickling.__reduce__() in a way that pickle.dumps(obj) succeeds, but pickle.loads(pickle.dumps(obj)) raises TypeError.

  Refs #27301. This preserves the intent of the regression test from 52188a5ca6bafea0a66f17baacb315d61c7b99cd without skipping it.

  Backport of 548209e620b3ca34396a360453f07c8dbb8aa6c7 from main.

2025-10-20  Mariusz Felisiak
  [4.2.x] Fixed RelatedGeoModelTest.test_related_union_aggregate() test on Oracle and GEOS 3.12+.

  Backport of 344ae16e1e21ab7c0b594d755519738f7f16eaf1 from main.

2025-10-01  Mariusz Felisiak
  [4.2.x] Rewrapped security archive at 79 chars.

  Backport of 1499c95d990fb776c39ad60e43228cbbbfcad3a8 from main.

2025-10-01  Jacob Walls
  [4.2.x] Added CVE-2025-59681 and CVE-2025-59682 to security archive.

  Backport of 43d84aef04a9e71164c21a74885996981857e66e from main.

2025-10-01  Jacob Walls
  [4.2.x] Post-release version bump.

2025-10-01  Jacob Walls  (tag: 4.2.25)
  [4.2.x] Bumped version for 4.2.25 release.

2025-10-01  Sarah Boyce
  [4.2.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract().

  Thanks stackered for the report.

  Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23.

  Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.

2025-10-01  Mariusz Felisiak
  [4.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.

  Thanks sw0rd1ight for the report.

  Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.

  Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.

2025-09-24  Mariusz Felisiak
  [4.2.x] Added stub release notes and release date for 4.2.25.

  Backport of 00174507f8a91e9577ae233c58af561b379f2695 from main.

2025-09-04  Mariusz Felisiak
  [4.2.x] Added missing backticks in docs/releases/security.txt.

  Backport of 686a8a62ae7faba9c3b17080c3532b821e8cb1f3 from main.

2025-09-03  Sarah Boyce
  [4.2.x] Added CVE-2025-57833 to security archive.

  Backport of f0c05a40d27d69ef3a7b4e5e0199b5dba5b11feb from main.

2025-09-03  Sarah Boyce
  [4.2.x] Post-release version bump.

2025-09-03  Sarah Boyce  (tag: 4.2.24)
  [4.2.x] Bumped version for 4.2.24 release.

2025-09-03  Jake Howard
  [4.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.

  Thanks Eyal Gabay (EyalSec) for the report.

  Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.

2025-08-27  Sarah Boyce
  [4.2.x] Added stub release notes and release date for 4.2.24.

  Backport of 4c71e334401a3e83c013419d0e2211543e7e873b from main.

2025-08-13  Natalia
  [4.2.x] Fixed #36499 -- Adjusted utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior.

  Python fixed a quadratic complexity processing for HTMLParser in: https://github.com/python/cpython/commit/6eb6c5db.

  Backport of 2980627502c84a9fd09272e1349dc574a2ff1fb1 from main.

2025-08-13  Natalia
  [4.2.x] Fixed test_utils.tests.HTMLEqualTests.test_parsing_errors following Python's HTMLParser fixed parsing.

  Further details about Python changes can be found in: https://github.com/python/cpython/commit/0243f97cbadec8d985e63b1daec5d1cbc850cae3.

  Refs #36499.

  Thank you Clifford Gama for the thorough review!

  Backport of e4515dad7a6d953c0bd2414127ba36e1446ff41a from main.

2025-08-04  Natalia
  [4.2.x] Refs #36535 -- Doc'd that docutils < 0.22 is required.

  Backport of 9d9b3bc71702e4bd4b7f8e1602d83fd69f871e94 from stable/5.1.x.

2025-07-16  nessita
  [4.2.x] Fixed GitHub Action that checks commit prefixes to fetch PR head correctly.

  Backport of 8499fba0e18826a77fe32cbc13a3d951d9ca8924 from main.

2025-07-16  nessita
  [4.2.x] Added GitHub Action to enforce stable branch commit message prefix.

  Backport of 10386fac00be55e73279459f00f1959c3ef30a1c from main.

2025-06-10  Sarah Boyce
  [4.2.x] Added follow-up to CVE-2025-48432 to security archive.

  Backport of 2714bc3f2c8675d32caae764c874ac381c836c7f from main.

2025-06-10  Sarah Boyce
  [4.2.x] Post-release version bump.

2025-06-10  Sarah Boyce  (tag: 4.2.23)
  [4.2.x] Bumped version for 4.2.23 release.

2025-06-06  Jake Howard
  [4.2.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response logging.

  Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, to ensure untrusted values like request paths are safely escaped.

  Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

  Backport of 957951755259b412d5113333b32bf85871d29814 from main.

2025-06-06  Natalia
  [4.2.x] Refs CVE-2025-48432 -- Made SuspiciousOperation logging use log_response() for consistency.

  Backport of ff835f439cb1ecd8d74a24de12e3c03e5477dc9d from main.