Age | Commit message | Author
2025-11-05 | [5.2.x] Bumped version for 5.2.8 release. (tag: 5.2.8) | Natalia
2025-11-05 | [5.2.x] Refs CVE-2025-64459 -- Avoided propagating invalid arguments to Q on dictionary expansion. Backport of 3c3f46357718166069948625354b8315a8505262 from main. | Jacob Walls
2025-11-05 | [5.2.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg. Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main. | Jacob Walls
2025-11-05 | [5.2.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows. Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review. Follow-up to CVE-2025-27556 and 39e2297210d9d2938c75fc911d45f0e863dc4821. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main. | Jacob Walls
2025-11-04 | [5.2.x] Fixed #36704 -- Fixed system check error for proxy model with a composite pk. Proxy models subclassing a model with a CompositePrimaryKey were incorrectly reporting check errors because the check that requires only local fields to be used in a composite pk was evaluated against the proxy subclass, which has no fields. To fix this, composite pk field checks are not evaluated against proxy subclasses, as none of the checks are applicable to proxy subclasses. This also has the benefit of not double-reporting real check errors from an invalid superclass pk. Thanks Clifford Gama for the review. Backport of 74564946c3b42a2ef7d087047e49873847a7e1d9 from main. | Hal Blackburn
2025-10-31 | [5.2.x] Fixed #36696 -- Fixed NameError when inspecting functions with deferred annotations. In Python 3.14, annotations are deferred by default, so we should not assume that the names in them have been imported unconditionally. | Patrick Rauscher
2025-10-29 | [5.2.x] Added stub release notes and release date for 5.2.8, 5.1.14, and 4.2.26. Backport of ab108bf94dfc06c311d7dc81866b848fe5b5ee6c from main. | Jacob Walls
2025-10-27 | [5.2.x] Fixed #36681 -- Removed English pluralization bias from example in docs/topics/i18n/translation.txt. Backport of 0ea01101c3a35568bc43e9707ac058b9874bd425 from main. | Kasyap Pentamaraju
2025-10-23 | [5.2.x] Fixed #35095 -- Clarified Swiss number formatting in docs/topics/i18n/formatting.txt. Co-authored-by: Ahmed Nassar <a.moh.nassar00@gmail.com> Backport of 74239181252ca73bebb84789856f5d8937d421b4 from main. | Annabelle Wiegart
2025-10-21 | [5.2.x] Made RemoteTestResultTest.test_pickle_errors_detection() compatible with tblib 3.2+. tblib 3.2+ makes exception subclasses with __init__() and the default __reduce__() picklable. This broke the test for RemoteTestResult._confirm_picklable(), which expects a specific exception to fail unpickling. https://github.com/ionelmc/python-tblib/blob/master/CHANGELOG.rst#320-2025-10-21 This fix defines ExceptionThatFailsUnpickling.__reduce__() in a way that pickle.dumps(obj) succeeds, but pickle.loads(pickle.dumps(obj)) raises TypeError. Refs #27301. This preserves the intent of the regression test from 52188a5ca6bafea0a66f17baacb315d61c7b99cd without skipping it. Backport of 548209e620b3ca34396a360453f07c8dbb8aa6c7 from main. | Mariusz Felisiak
2025-10-20 | [5.2.x] Fixed RelatedGeoModelTest.test_related_union_aggregate() test on Oracle and GEOS 3.12+. Backport of 344ae16e1e21ab7c0b594d755519738f7f16eaf1 from main | Mariusz Felisiak
2025-10-17 | [5.2.x] Refs #35844 -- Doc'd Python 3.14 compatibility. Backport of 56977b466c33ca3da14a1ed2609172425a76a34e from main. | Mariusz Felisiak
2025-10-17 | [5.2.x] Fixed #36669 -- Doc'd that negative indexes are not supported in F() slices. Backport of f715bc8990b5b8a1df948c2b71e8edbdda47e7db from main. | aj2s
2025-10-15 | [5.2.x] Refs #36648 -- Removed hardcoded pk in CompositePKAggregateTests. Backport of bee64561a6e8cd22995c2b1254bab66dae892a6d from main. | Jacob Walls
2025-10-14 | [5.2.x] Fixed #36648, Refs #33772 -- Accounted for composite pks in first()/last() when aggregating. Backport of 02eed4f37879b2077496f86bb1378a076b981233 from main. | Jacob Walls
2025-10-13 | [5.2.x] Fixed #36625 -- Mentioned exit() in tutorial's instruction to restart the shell. Backport of 92d0c21e69901cb7b749040670d3e6611353e1fa from main. | arsalan64
2025-10-11 | [5.2.x] Fixed #36646 -- Added compatibility for oracledb 3.4.0. The Database.Binary, Date, and Timestamp attributes were changed from aliases to bytes, datetime.date, and datetime.datetime to factory functions in oracle/python-oracledb@869a887819cdac7fcd610f9d9d463ade49ea7 which made their usage inadequate for isinstance checks. Thanks John Wagenleitner for the report and Natalia for the triage. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> Backport of 315dbe675df338ae66c8fa43274a76ecbed7ef67 from main | Simon Charette
2025-10-09 | [5.2.x] Corrected admin check IDs in docs. Backport of 1167cd1d639c3fee69dbdef351d31e8a17d1fedf from main | Mariusz Felisiak
2025-10-08 | [5.2.x] Fixed #36526 -- Doc'd QuerySet.bulk_update() memory usage when batching. Thanks Simon Charette for the review. Backport of 608d3ebc8889863d43be1090d634b9507fe4a85e from main. | Natalia
2025-10-08 | [5.2.x] Fixed #35961 -- Migrated license metadata in pyproject.toml to conform to PEP 639. See https://peps.python.org/pep-0639/ and https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license-and-license-files. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of 96a7a652166bece8acc96d6335ebb8091de2f496 from main. | Michiel W. Beijen
2025-10-08 | [5.2.x] Added missing backticks in docs/ref/models/fields.txt. Backport of 4a8ca8bd6906b705c4445bc915d71beda2fc4b84 from main | Mariusz Felisiak
2025-10-03 | [5.2.x] Fixed #36636, Refs #15902 -- Removed session-based storage reference from set_language() docs. Backport of 2514857e3fae831106832cca8823237801cf2cad from main. | Dani Fornons
2025-10-03 | [5.2.x] Refs #36143, #28596 -- Avoided mentioning exact query parameter limit in bulk_create() docs. Backport of 0a09c60e97166e0188717ff340b4d93b72207e96 from main. | Jacob Walls
2025-10-01 | [5.2.x] Rewrapped security archive at 79 chars. Backport of 1499c95d990fb776c39ad60e43228cbbbfcad3a8 from main. | Mariusz Felisiak
2025-10-01 | [5.2.x] Added CVE-2025-59681 and CVE-2025-59682 to security archive. Backport of 43d84aef04a9e71164c21a74885996981857e66e from main. | Jacob Walls
2025-10-01 | [5.2.x] Added stub release notes for 5.2.8. Backport of 1324d9037e9281ec0fdd88c15b20881c7a6ea8b9 from main. | Jacob Walls
2025-10-01 | [5.2.x] Post-release version bump. | Jacob Walls
2025-10-01 | [5.2.x] Bumped version for 5.2.7 release. (tag: 5.2.7) | Jacob Walls
2025-10-01 | [5.2.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract(). Thanks stackered for the report. Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23. Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main. | Sarah Boyce
2025-10-01 | [5.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main. | Mariusz Felisiak
2025-09-30 | [5.2.x] Made cosmetic edits to 5.2.7 release notes. Backport of 6c82b0bc91fc650891b0b411ac4a5a86cf0cf3e8 from main. | Jacob Walls
2025-09-29 | [5.2.x] Fixed #36587 -- Clarified usage of `list.insert()` for upload handlers. Thanks Baptiste Mispelon for the report. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of afe6634146d0fe70498976c49d2eb4d745aa9064 from main. | okaybro
2025-09-29 | [5.2.x] Fixed #35877, Refs #36128 -- Documented unique constraint when migrating a m2m field to use a through model. Backport of daba609a9bdc7a97bcf327c7ba0a5f7b3540b46e from main. | Samriddha9619
2025-09-24 | [5.2.x] Added stub release notes and release date for 5.2.7, 5.1.13, and 4.2.25. Backport of 00174507f8a91e9577ae233c58af561b379f2695 from main. | Mariusz Felisiak
2025-09-23 | [5.2.x] Refs #25508 -- Used QuerySet.__repr__ in docs/ref/contrib/postgres/search.txt. Backport of efb96138b4af774c22ae6e949410b45d69960357 from main. | Jacob Walls
2025-09-18 | [5.2.x] Fixed #36581 -- Updated serialization examples from XML to JSON. Backport of 762d3be8c559b0abf415be8d6117f04fb6347983 from main. | CodingWithSaksham
2025-09-18 | [5.2.x] Updated translations from Transifex. | Natalia
2025-09-18 | [5.2.x] Fixed OGRInspectTest.test_time_field with memory Spatialite database. Backport of 82b3b84a78055844ee07d5d97843a4fc72872e28 from main. | David Smith
2025-09-17 | [5.2.x] Fixed #36601 -- Fixed color contrast of FilteredSelectMultiple widget chosen labels in TabularInlines. Regression in a0f50c2a483678d31bd1ad6f08fd3a0b8399e27b. Backport of 1e7728888dbbff437ad9847c82b84feb81f785df from main. | antoliny0919
2025-09-13 | [5.2.x] Fixed typo in docs/ref/contrib/contenttypes.txt. Backport of c48904a225e2e8f02274257247d5b7d29c5fe183 from main. | Jacob Walls
2025-09-12 | [5.2.x] Fixed #36597 -- Corrected directives for functions from email module in docs. Thanks Mike Edmunds for the report. Backport of e183d6c26c8da4486c151f9ce973828e2404a796 from main. | Mridul Dhall
2025-09-09 | [5.2.x] Fixed #36486 -- Added MongoDB to list of third-party DB backends. Backport of 46fdeb1373aa7e9089d14440987444493cc9c2e0 from main | Salman
2025-09-04 | [5.2.x] Refs #36588 -- Warned about using external templates in startapp/startproject commands. Clarified that custom templates provided via `--template` for `startapp` and `startproject` are used as-is, adding a warning that malicious or poorly constructed templates may introduce security issues. Backport of 4e7a991c12a113229e0927974d3bf94ea04eecf6 from main. | Jake Howard
2025-09-04 | [5.2.x] Added missing backticks in docs/releases/security.txt. Backport of 686a8a62ae7faba9c3b17080c3532b821e8cb1f3 from main | Mariusz Felisiak
2025-09-03 | [5.2.x] Added CVE-2025-57833 to security archive. Backport of f0c05a40d27d69ef3a7b4e5e0199b5dba5b11feb from main. | Sarah Boyce
2025-09-03 | [5.2.x] Added stub release notes for 5.2.7. Backport of ab7c7dd99b3ddc489d9f007b273d891973212aa3 from main. | Sarah Boyce
2025-09-03 | [5.2.x] Post-release version bump. | Sarah Boyce
2025-09-03 | [5.2.x] Bumped version for 5.2.6 release. (tag: 5.2.6) | Sarah Boyce
2025-09-03 | [5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases. Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main. | Jake Howard
2025-09-03 | [5.2.x] Made cosmetic edits to 5.2.6 release notes. Backport of d044e25dc2106b94ebdedf0bfde9238be1a3765c from main. | Sarah Boyce