| Age | Commit message (Expand) | Author |
|---|
| 2026-04-07 | [4.2.x] Added CVE-2026-3902, CVE-2026-4277, CVE-2026-4292, CVE-2026-33033, an...stable/4.2.x | Jacob Walls |
| 2026-04-07 | [4.2.x] Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body ... | Natalia |
| 2026-04-07 | [4.2.x] Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser. | Natalia |
| 2026-04-07 | [4.2.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.li... | Jacob Walls |
| 2026-04-07 | [4.2.x] Fixed CVE-2026-4277 -- Checked add permissions in GenericInlineModelA... | Jacob Walls |
| 2026-04-07 | [4.2.x] Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest. | Jacob Walls |
| 2026-03-31 | [4.2.x] Added stub release notes and release date for 4.2.30. | Jacob Walls |
| 2026-03-03 | [4.2.x] Added CVE-2026-25673 and CVE-2026-25674 to security archive. | Natalia |
| 2026-03-03 | [4.2.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions o... | Natalia |
| 2026-03-03 | [4.2.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection. | Natalia |
| 2026-02-24 | [4.2.x] Added stub release notes and release date for 4.2.29. | Natalia |
| 2026-02-03 | [4.2.x] Added CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, C... | Jacob Walls |
| 2026-02-03 | [4.2.x] Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via al... | Jacob Walls |
| 2026-02-03 | [4.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column alia... | Jake Howard |
| 2026-02-03 | [4.2.x] Fixed CVE-2026-1285 -- Mitigated potential DoS in django.utils.text.T... | Natalia |
| 2026-02-03 | [4.2.x] Fixed CVE-2026-1207 -- Prevented SQL injections in RasterField lookup... | Jacob Walls |
| 2026-02-03 | [4.2.x] Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI req... | Jake Howard |
| 2026-02-03 | [4.2.x] Fixed CVE-2025-13473 -- Standardized timing of check_password() in mo... | Jake Howard |
| 2026-01-27 | [4.2.x] Added stub release notes and release date for 4.2.28. | Jacob Walls |
| 2025-12-02 | [4.2.x] Added CVE-2025-13372 and CVE-2025-64460 to security archive. | Natalia |
| 2025-12-02 | [4.2.x] Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation i... | Shai Berger |
| 2025-12-02 | [4.2.x] Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL inject... | Jacob Walls |
| 2025-11-26 | [4.2.x] Refs #36743 -- Added missing release notes for 5.1.15 and 4.2.27. | Natalia |
| 2025-11-25 | [4.2.x] Added stub release notes and release date for 4.2.27. | Natalia |
| 2025-11-21 | [4.2.x] Added GitHub Actions linter (zizmor). | Jacob Walls |
| 2025-11-05 | [4.2.x] Added CVE-2025-64458 and CVE-2025-64459 to security archive. | Natalia |
| 2025-11-05 | [4.2.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via th... | Jacob Walls |
| 2025-11-05 | [4.2.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedire... | Jacob Walls |
| 2025-10-29 | [4.2.x] Added stub release notes and release date for 4.2.26. | Jacob Walls |
| 2025-10-01 | [4.2.x] Rewrapped security archive at 79 chars. | Mariusz Felisiak |
| 2025-10-01 | [4.2.x] Added CVE-2025-59681 and CVE-2025-59682 to security archive. | Jacob Walls |
| 2025-10-01 | [4.2.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal v... | Sarah Boyce |
| 2025-10-01 | [4.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggre... | Mariusz Felisiak |
| 2025-09-24 | [4.2.x] Added stub release notes and release date for 4.2.25. | Mariusz Felisiak |
| 2025-09-04 | [4.2.x] Added missing backticks in docs/releases/security.txt. | Mariusz Felisiak |
| 2025-09-03 | [4.2.x] Added CVE-2025-57833 to security archive. | Sarah Boyce |
| 2025-09-03 | [4.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL inject... | Jake Howard |
| 2025-08-27 | [4.2.x] Added stub release notes and release date for 4.2.24. | Sarah Boyce |
| 2025-08-04 | [4.2.x] Refs #36535 -- Doc'd that docutils < 0.22 is required. | Natalia |
| 2025-06-10 | [4.2.x] Added follow-up to CVE-2025-48432 to security archive. | Sarah Boyce |
| 2025-06-06 | [4.2.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response ... | Jake Howard |
| 2025-06-04 | [4.2.x] Added CVE-2025-48432 to security archive. | Natalia |
| 2025-06-04 | [4.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response... | Natalia |
| 2025-05-28 | [4.2.x] Added stub release notes and release date for 4.2.22. | Natalia |
| 2025-05-26 | [4.2.x] Fixed #36402, Refs #35980 -- Updated built package name in reusable a... | Jason Judkins |
| 2025-05-09 | [4.2.x] Refs #35980 -- Added release note about changes in release artifacts ... | Natalia |
| 2025-05-09 | [4.2.x] Removed "Expected" from release date for 4.2.21. | Natalia |
| 2025-05-07 | [4.2.x] Cleaned up CVE-2025-32873 security archive description. | Natalia |
| 2025-05-07 | [4.2.x] Added CVE-2025-32873 to security archive. | Natalia |
| 2025-05-06 | [4.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags(). | Sarah Boyce |
