Age | Commit message | Author
28 hours | [6.0.x] Fixed typo in stub release notes for 5.2.14. (stable/6.0.x) | Jacob Walls
Backport of 8726605e2d48fd733ae224344a11cc2163012f2d from main.
2 days | [6.0.x] Fixed #37067 -- Added trailing slash in django_file_prefixes(). | Fashad Ahmed
Ensure skip_file_prefixes does not match sibling packages like django*. Bug in f42b89f1bf49a5b89ed852b60f79342320a81c5e and 34bd3ed944bf38792c631b55e581963d44d52284. Backport of 60a9c70496e5d7b971928ce3da5b47c8836a4def from main.
3 days | [6.0.x] Refs CVE-2026-25674 -- Clarified role of umask in upload permissions. | Shai Berger
Backport of 604695cddb41981b84a8d976d1f4c74c39e112b0 from main.
3 days | [6.0.x] Added stub release notes and release date for 6.0.5 and 5.2.14. | Sarah Boyce
Backport of e8c6322b4f2ab4df610bb480003a54c88f32210e from main.
11 days | [6.0.x] Refs #373, #34122 -- Removed warning that ForeignObject is an internal tool. | Mariusz Felisiak
ForeignObject should not be treated as an internal tool. In the past we made changes in its API with a proper deprecation, e.g. 8b1ff0da4b162e87edebd94e61f2cd153e9e159d. Backport of 2c87f519f48038398c8d8a840fa5bf5497c353bb from main.
12 days | [6.0.x] Updated release procedure with new CVE workflows. | Jacob Walls
Now that the DSF is a CVE Numbering Authority (CNA), we manage our own CVE assignments. Backport of 8ddc5b444c175c696c8197dc8f24273252b0de77 from main.
14 days | [6.0.x] Clarified that reporters shouldn't set their own tickets as "Accepted". | Jonathan Biemond
Backport of d687d412a9abd9c80e31945f16ce32c020512394 from main.
2026-04-14 | [6.0.x] Fixed #37029 -- Corrected placement of </div> in change_list.html's pagination block. | Tim Graham
Bug in 3f59711581bd22ebd0f13fb040b15b69c0eee21f. Backport of 8d326336c5fba4740114fea5294a7b426c96d65c from main.
2026-04-13 | [6.0.x] Removed unused code checkout step from labels.yml GitHub Action. | Jacob Walls
Backport of f0b75f46fd0ee98c10887b3c5dc4593d2bccf821 from main.
2026-04-13 | [6.0.x] Clarified "Add another question" as the plus sign button. | Sarah Boyce
Backport of 746f5fd23e50589ef3ad27b1dad46b569f600fa0 from main.
2026-04-13 | [6.0.x] Fixed #33113 -- Documented usage and caveats of HTML5 date input in DateInput widget. | Samriddha9619
Backport of 7dc826b9758d634623a6f5ca05d0ca2048a0ce48 from main.
2026-04-10 | [6.0.x] Fixed #37020 -- Removed guidance to edit fetched .po files by hand. | Jacob Walls
Altering the .po files by hand was causing incorrect line numbers and plural forms. Since our fetching procedure does not recompile any hand-edited .po files to .mo files for production use, just accept Transifex's plural forms as a source of truth. https://forum.djangoproject.com/t/discourage-releasers-from-editing-po-files-by-hand/44441 Backport of 9391beeb8799a4b7deb4bb3048bd63465a0e96ef from main.
2026-04-09 | [6.0.x] Fixed typo in docs/howto/delete-app.txt. | Jonathan Wu
Backport of 6f030e8e5d13ee94bf45d4322c17ca7c2d8aaffb from main.
2026-04-08 | [6.0.x] Refs CVE-2026-4292 -- Isolated new test in AdminViewListEditable. | Jacob Walls
As originally written, this test interfered with admin_views.tests.SeleniumTests.test_inline_uuid_pk_add_with_popup. To fix this, register the new ModelAdmin with a different AdminSite. Backport of 280256499c5b2d636949f3c8cb52159a8e4c26bb from main.
2026-04-07 | [6.0.x] Updated Apache links to the current docs. | Mariusz Felisiak
Backport of 74e73dc1315d696330621a7f08310a2e87ea0eba from main.
2026-04-07 | [6.0.x] Removed outdated note about uwsgi LTS from docs. | Mariusz Felisiak
projects.unbit.it has an invalid certificate and provides old packages. Backport of 8cf3114defb3678c5dd2710e0a7d8502de73f071 from main.
2026-04-07 | [6.0.x] Fixed two issues in release helper scripts/verify_release.sh. | Natalia
The artifacts downloaded from media.djangoproject.com use a lowercase "django-" prefix but the script searched for capital D. Error was: "ls: cannot access 'Django-*.tar.gz': No such file or directory". The tarball and wheel smoke-tests used the same `test_one` folder inside the same working directory, so the second invocation failed with "CommandError: '/tmp/tmp.1234567890' already exists". Backport of 78a3ffbb4cec25ed003f16cf4b1aa0b4bcdc2590 from main.
2026-04-07 | [6.0.x] Refs CVE-2026-33034 -- Improved security documentation on handling large request bodies. | Jake Howard
Notably that the limit can be bypassed under ASGI. Backport of 1c584b0b1edd1def1e9aa4aef25fc5754f485616 from main.
2026-04-07 | [6.0.x] Added CVE-2026-3902, CVE-2026-4277, CVE-2026-4292, CVE-2026-33033, and CVE-2026-33034 to security archive. | Jacob Walls
Backport of 3330dc2dd97f60ab32d3c912d2649859d063265c from main.
2026-04-07 | [6.0.x] Added stub release notes for 6.0.5. | Jacob Walls
Backport of 2dbec935315b3face62d60097b853be2d3d26908 from main.
2026-04-07 | [6.0.x] Post-release version bump. | Jacob Walls
2026-04-07 | [6.0.x] Bumped version for 6.0.4 release. (tag: 6.0.4) | Jacob Walls
2026-04-07 | [6.0.x] Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body size in ASGI requests. | Natalia
The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE against the declared `Content-Length` header before reading. On the ASGI path, chunked requests carry no `Content-Length`, so the check evaluated to 0 and always passed regardless of the actual body size. This work adds a new check on the actual number of bytes consumed. Thanks to Superior for the report, and to Jake Howard and Jacob Walls for reviews. Backport of 953c238058c0ce387a1a41cb491bfc1875d73ad0 from main.
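The bypass described in the commit above, as an added example that is not Django's own code: a chunked ASGI request carries no Content-Length, so a reader that only compares the declared length against the limit accepts any body, while a reader that also counts the bytes it actually consumes stops as soon as the running total exceeds the limit. The setting name mirrors Django's; the fake ASGI receive() callable, the two reader functions, the exception class and the sample bodies are assumptions constructed for this illustration.

```python
"""
Added example (not Django's HttpRequest.body): enforcing a body-size limit
on an ASGI-style request. DATA_UPLOAD_MAX_MEMORY_SIZE mirrors the Django
setting; make_receive(), the reader functions and RequestDataTooBig are
assumptions made for this illustration.
"""
import asyncio

DATA_UPLOAD_MAX_MEMORY_SIZE = 2_621_440  # Django's default, 2.5 MiB


class RequestDataTooBig(Exception):
    pass


def make_receive(chunks):
    """Build a fake ASGI receive() that yields the given body chunks in order."""
    queue = list(chunks)

    async def receive():
        if not queue:
            return {"type": "http.request", "body": b"", "more_body": False}
        body = queue.pop(0)
        return {"type": "http.request", "body": body, "more_body": bool(queue)}

    return receive


async def read_body_declared_only(headers, receive, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
    """Pre-fix shape: trust Content-Length. A chunked request has no such
    header, so the declared length is 0 and the check never fires."""
    declared = int(headers.get("content-length", 0))
    if declared > limit:
        raise RequestDataTooBig("declared body too large")
    parts = []
    while True:
        message = await receive()
        parts.append(message.get("body", b""))
        if not message.get("more_body", False):
            break
    return b"".join(parts)


async def read_body_counted(headers, receive, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
    """Post-fix shape: keep the header check and also count consumed bytes,
    aborting the moment the running total exceeds the limit."""
    declared = int(headers.get("content-length", 0))
    if declared > limit:
        raise RequestDataTooBig("declared body too large")
    parts, consumed = [], 0
    while True:
        message = await receive()
        chunk = message.get("body", b"")
        consumed += len(chunk)
        if consumed > limit:
            raise RequestDataTooBig("body exceeded limit after %d bytes" % consumed)
        parts.append(chunk)
        if not message.get("more_body", False):
            break
    return b"".join(parts)


def demo(limit=1024):
    """Constructed case: a 4 KiB body sent in 1 KiB chunks with no
    Content-Length. Returns (bytes the naive reader swallowed, strict verdict)."""
    chunks = [b"A" * 1024] * 4
    headers = {}  # chunked transfer: no content-length
    naive = asyncio.run(read_body_declared_only(headers, make_receive(chunks), limit))
    try:
        asyncio.run(read_body_counted(headers, make_receive(chunks), limit))
        strict = "accepted"
    except RequestDataTooBig:
        strict = "rejected"
    return len(naive), strict


def honest_upload_rejected(size=4096, limit=1024):
    """A request that declares its size is still stopped by the header check
    in both readers, before any body bytes are read."""
    headers = {"content-length": str(size)}
    results = []
    for reader in (read_body_declared_only, read_body_counted):
        try:
            asyncio.run(reader(headers, make_receive([b"A" * size]), limit))
            results.append("accepted")
        except RequestDataTooBig:
            results.append("rejected")
    return tuple(results)
```

The counting check is the one that matters operationally: the header check is cheap and worth keeping as an early exit, but only the consumed-byte counter bounds memory when the client controls framing.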
2026-04-07 | [6.0.x] Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser. | Natalia
When a multipart file part used `Content-Transfer-Encoding: base64` and the non-whitespace base64 bytes did not align to a multiple of 4 within a chunk, the parser entered a loop calling `field_stream.read(1-3)` once per whitespace byte. Each such call fetched the entire internal buffer, sliced off 1-3 bytes, and pushed the remainder back via unget(), doing an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace produced CPU amplification relative to a normal upload of the same size. The alignment loop now reads `self._chunk_size` bytes at a time, and accumulates stripped parts in a list joined once at the end. Thanks to Seokchan Yoon for the report and the fixing patch. Backport of 7e9885f99cee771b51692fadc5592bdbf19641aa from main.
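The amplification described in the commit above, as an added example that is not Django's MultiPartParser: a minimal pushback stream whose read() ungets the rest of its buffer (one copy per call), a decoder in the pre-fix shape that tops up 1 to 3 bytes at a time until the stripped base64 is a multiple of 4, and a decoder in the post-fix shape that tops up a whole chunk per iteration and joins the stripped parts once. Both produce identical output; the read and copy counters show where the cost goes. LazyStream, both decoders and the mostly-whitespace payload are constructed for this illustration.

```python
"""
Added example (not Django's code): the base64 alignment loop of a multipart
parser, before and after reading whole chunks. LazyStream, the two decoders
and padded_payload() are assumptions made for this illustration.
"""
import base64


class LazyStream:
    """Minimal stand-in for a pushback stream: read(n) hands out n bytes and
    ungets the rest of its buffer, which costs a copy of that buffer."""

    def __init__(self, data, producer_chunk_size):
        self._pending = [data[i:i + producer_chunk_size]
                         for i in range(0, len(data), producer_chunk_size)]
        self._buffer = b""
        self.reads = 0    # number of read() calls
        self.copied = 0   # bytes copied back by unget()

    def read(self, size):
        self.reads += 1
        out, self._buffer = self._buffer, b""
        while len(out) < size and self._pending:
            out += self._pending.pop(0)
        if len(out) > size:
            self.unget(out[size:])  # O(len(buffer)) copy on every call
            out = out[:size]
        return out

    def unget(self, data):
        self.copied += len(data)
        self._buffer = data + self._buffer


def decode_base64_naive(stream, chunk_size):
    """Pre-fix shape: after stripping whitespace, top up 1-3 bytes at a time
    until the chunk is a multiple of 4. Every whitespace byte costs a read()."""
    decoded = []
    while True:
        raw = stream.read(chunk_size)
        if not raw:
            break
        stripped = b"".join(raw.split())
        while len(stripped) % 4:
            extra = stream.read(4 - len(stripped) % 4)
            if not extra:
                break
            stripped += b"".join(extra.split())  # may gain nothing
        decoded.append(base64.b64decode(stripped))
    return b"".join(decoded)


def decode_base64_chunked(stream, chunk_size):
    """Post-fix shape: top up a whole chunk at a time and join the stripped
    parts once, so cost tracks the payload size, not its whitespace count."""
    decoded = []
    while True:
        raw = stream.read(chunk_size)
        if not raw:
            break
        parts = [b"".join(raw.split())]
        total = len(parts[0])
        while total % 4:
            extra = stream.read(chunk_size)
            if not extra:
                break
            part = b"".join(extra.split())
            parts.append(part)
            total += len(part)
        decoded.append(base64.b64decode(b"".join(parts)))
    return b"".join(decoded)


def padded_payload(secret=b"hello world" * 50, pad=b" " * 20):
    """Constructed input: valid base64 with 20 spaces after every 3
    characters, i.e. mostly whitespace, as in the reported case."""
    encoded = base64.b64encode(secret)
    return b"".join(encoded[i:i + 3] + pad for i in range(0, len(encoded), 3))


def compare(chunk_size=64):
    """Decode the same payload both ways and report the work each one did."""
    payload = padded_payload()
    naive_stream = LazyStream(payload, chunk_size)
    naive = decode_base64_naive(naive_stream, chunk_size)
    fixed_stream = LazyStream(payload, chunk_size)
    fixed = decode_base64_chunked(fixed_stream, chunk_size)
    return {
        "naive": naive, "fixed": fixed,
        "naive_reads": naive_stream.reads, "fixed_reads": fixed_stream.reads,
        "naive_copied": naive_stream.copied, "fixed_copied": fixed_stream.copied,
    }
```

The counters are the check to run when reviewing a fix of this kind: correctness is unchanged, and the pre-fix decoder's read count grows with the number of whitespace bytes rather than with the payload length.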
2026-04-07 | [6.0.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.list_editable. | Jacob Walls
Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews. Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main.
2026-04-07 | [6.0.x] Fixed CVE-2026-4277 -- Checked add permissions in GenericInlineModelAdmin. | Jacob Walls
Edit permissions were still checked as part of ordinary form validation, but because GenericInlineModelAdmin overrides get_formset(), it lacked InlineModelAdmin's dynamic DeleteProtectedModelForm.has_changed() logic for checking permissions server-side, leaving the add case unaddressed. This change reimplements the relevant part of InlineModelAdmin.get_formset(). Thanks N05ec@LZU-DSLab for the report, and Natalia Bidart, Markus Holtermann, and Simon Charette for reviews. Backport of ef8b25dcc06d158683a5623ce406d561638f4073 from main.
2026-04-07 | [6.0.x] Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest. | Jacob Walls
Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart for reviews. Backport of caf90a971f09323775ed0cacf94eadaf39d040e0 from main.
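Why underscore header names matter on the ASGI path, as an added example that is not Django's ASGIRequest: when header names are turned into CGI-style META keys, both `x-forwarded-for` and `x_forwarded_for` collapse to `HTTP_X_FORWARDED_FOR`, so a reverse proxy that strips only the hyphenated spelling (nginx, for one, drops underscore names by default) lets a client smuggle a value under the underscore spelling. The two conversion functions, the toy proxy, the comma-folding of repeated headers and the attacker request are assumptions constructed for this illustration.

```python
"""
Added example (not Django's ASGIRequest): header names becoming META keys
on the ASGI path, with and without dropping names that contain an
underscore. Everything below is constructed for this illustration.
"""


def _meta_key(name):
    """CGI-style META key for a lower-case bytes header name."""
    upper = name.decode("latin1").upper().replace("-", "_")
    return upper if upper in ("CONTENT_LENGTH", "CONTENT_TYPE") else "HTTP_" + upper


def _add(meta, key, value):
    """Repeated headers are folded into one comma-separated value (assumed)."""
    value = value.decode("latin1")
    meta[key] = meta[key] + "," + value if key in meta else value


def headers_to_meta_vulnerable(headers):
    """Pre-fix shape: 'x_forwarded_for' and 'x-forwarded-for' both land in
    HTTP_X_FORWARDED_FOR, so the underscore spelling aliases the real one."""
    meta = {}
    for name, value in headers:
        _add(meta, _meta_key(name), value)
    return meta


def headers_to_meta_fixed(headers):
    """Post-fix shape: ignore any header whose name contains an underscore;
    no well-behaved proxy forwards such a name, so it cannot be trusted."""
    meta = {}
    for name, value in headers:
        if b"_" in name:
            continue
        _add(meta, _meta_key(name), value)
    return meta


def trusted_proxy(client_headers, client_ip):
    """Toy reverse proxy (constructed): drops any client-supplied
    X-Forwarded-For and appends its own, but passes other names through."""
    forwarded = [(n, v) for n, v in client_headers if n != b"x-forwarded-for"]
    forwarded.append((b"x-forwarded-for", client_ip.encode("latin1")))
    return forwarded


def first_forwarded_ip(meta):
    """The common (and fragile) 'leftmost address is the client' reading."""
    return meta.get("HTTP_X_FORWARDED_FOR", "").split(",")[0].strip() or None


CLIENT_HEADERS = [                       # constructed attacker request
    (b"host", b"example.test"),
    (b"x-forwarded-for", b"10.0.0.1"),   # stripped by the proxy
    (b"x_forwarded_for", b"10.0.0.1"),   # underscore spelling, passed through
]


def demo(client_ip="203.0.113.7"):
    """Return the client IP each conversion would report for the request."""
    upstream = trusted_proxy(CLIENT_HEADERS, client_ip)
    return (
        first_forwarded_ip(headers_to_meta_vulnerable(upstream)),
        first_forwarded_ip(headers_to_meta_fixed(upstream)),
    )
```

The same aliasing applies to any header a deployment treats as proxy-set (REMOTE_USER-style identity headers included), which is why dropping underscore names at the framework boundary is the right layer for the fix rather than per-header filtering in the proxy.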
2026-04-03 | [6.0.x] Refs #36949 -- Removed hardcoded pks in modeladmin tests. | Tim Graham
Backport of 123fa3a3f38abdb73055acc9a2cbbe3537f9323a from main.
2026-04-02 | [6.0.x] Fixed #36973 -- Made fields.E348 check detect further clashes between managers and related_names. | Clifford Gama
Clashes were only detected for self-referential relationships, i.e. ForeignKey("self"). Refs #22977. Bug in 6888375c53476011754f778deabc6cdbfa327011. Thanks JaeHyuckSa for the thorough review! Backport of fcf916884d25ed430bd7cedaea2b10035c2aa3b6 from main.
2026-04-02 | [6.0.x] Refs #36862 -- Reiterated security note on both variants of RemoteUserMiddleware. | Jacob Walls
Backport of 04bcc9913319e50b376a27c29cf9aa4e7b8247bf from main.
2026-04-02 | [6.0.x] Fixed #36949 -- Improved RelatedFieldWidgetWrapper <label>s. | David Smith
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95. Backport of 253f552c5809fa096116b601bd842ca4f3504860 from main.
2026-04-02 | [6.0.x] Added section for respecting maintainer time to the security policy. | Natalia
This follows a post from Seth Larson (Security Developer-in-Residence at the PSF): https://sethmlarson.dev/respecting-maintainer-time-should-be-in-security-policies Backport of 90cd510b3b033605907f6521ef98f35d2bd6c3a0 from main.
2026-04-02 | [6.0.x] Fixed #36862 -- Doc'd the need for a proxy when deploying RemoteUserMiddleware under ASGI. | Jacob Walls
We have a flood of nuisance security reports describing ASGI deployments using RemoteUserMiddleware without a fronting proxy, which is not realistic. Backport of 2ee757ee502d5663f932dc5c35175c39af4640ce from main.
2026-04-02 | [6.0.x] Fixed #37017 -- Fixed setting or clearing of request.user after alogin/alogout(). | Jacob Walls
Regression in 31a43c571f4d036827d4fd7a5f615591637dc1be. Backport of a32c7075cf634aee1f4f3deecd27f194097ec0c2 from main.
2026-04-01 | [6.0.x] Fixed #36799 -- Added a how-to guide for testing pre-releases. | VIZZARD-X
Thanks Sarah Boyce for the idea and Tim McCurrach for the review. Co-authored-by: Timothy McCurrach <tim.mccurrach@gmail.com> Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of 6be668b0cc6524c9900181c5bd8273ef2f256a34 from main.
2026-03-31 | [6.0.x] Added stub release notes and release date for 6.0.4, 5.2.13, and 4.2.30. | Jacob Walls
Backport of dff1980d61b1129c82757f70117dcea68e69a8c8 from main.
2026-03-30 | [6.0.x] Skipped check_commit_messages action on forks. | Jacob Walls
This was causing permission errors on private forks, e.g. the one maintained by the Security Team for staging security patches. Follow-up to f8665b1a7ff5e98d84f66ad0e958c3f175aa5d8b. Backport of 455e787b9cc8bd3342f86ddcf8ef4103fd811bb5 from main.
2026-03-28 | [6.0.x] Fixed #29762 -- Doc'd how database routers fetch related objects. | VIZZARD-X
Thanks James Bligh for the review. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of edd899786851f6285abbc3c272f4f5ec0e48a74c from main.
2026-03-28 | [6.0.x] Refs #36526 -- Fixed bulk_update() batching example in docs. | Georgios Verigakis
Backport of 4fd9e85b6031e7ddf878b280f324da6b98f7b0ed from main.
2026-03-27 | [6.0.x] Corrected outdated links to gunicorn documentation. | Sebastian Skonieczny
Backport of a1188fc76ae4d9ff3b82feacd1ddd7b38b3e6009 from main.
2026-03-24 | [6.0.x] Fixed #36999 -- Removed mention of Ruby on Rails from tutorial part 2. | Vinay Datta
This comparison wasn't fleshed out, so it was distracting. Backport of f3bdfd2065373272ebb637785cea2313582a8b8c from main.
2026-03-20 | [6.0.x] Made it clear that unreviewed tickets shouldn't be claimed or started. | Jake Howard
Backport of d9adcfbd5e3ba5859cc0ce6e2e67f533efbc8f9b from main.
2026-03-19 | [6.0.x] Fixed #36904 -- Clarified how to hide form field labels in docs. | Amar
Backport of 8401071c52d19a2bdd987a2dbe79c440f01dfae9 from main.
2026-03-16 | [6.0.x] Combined scripts confirm_release.sh and test_new_version.sh into verify_release.sh. | Natalia
This reuses the same download for both artifacts and checks both GPG signature and minimal correctness in the same script. Docs and script do_django_release.py were updated. Backport of 3abf89887993140d28676f26420ee0d46a617f51 from main.
2026-03-16 | [6.0.x] Corrected signature for EmailMessage.message() in email topics docs. | Mike Edmunds
Fixed the EmailMessage.message() method signature in the docs to reinforce that the `policy` argument is keyword-only. (The text already describes it correctly as keyword-only.) Backport of 4b2edb3418851c09dd839f1a2cba74051fe9d420 from main.
2026-03-14 | [6.0.x] Fixed #35786 -- Removed outdated note about database defaults in AddField/AlterField docs. | Ahmed Nassar
Backport of 23f49c6b408d9b013e959f91c23813a7c0f6ed64 from main.
2026-03-12 | [6.0.x] Removed third plural form from .po files for Romance languages. | Jacob Walls
These were missed during manual review.
2026-03-12 | [6.0.x] Updated translations from Transifex. | Jacob Walls
2026-03-10 | [6.0.x] Fixed #36391 -- Doc'd RawSQL usage in docs/topics/db/sql.txt. | Amar
Backport of 14889d8cead6af22ef71360f26610711997915d1 from main.
2026-03-09 | [6.0.x] Fixed #36600 -- Clarified the use cases for dispatch_uid in signal connection. | Amar
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of e8ab2bb83fc6d3c0f5d998d1a41ebaebacaa1a28 from main.