blob: a3eef1b1af4ed7c985ba9295333d1e04c2dd6d8c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
==========================
Django 5.2.6 release notes
==========================
*September 3, 2025*
Django 5.2.6 fixes a security issue with severity "high" and one bug in 5.2.5.
CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
==============================================================================
:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
Bugfixes
========
* Fixed a bug where using ``QuerySet.values()`` or ``values_list()`` with a
``ForeignObject`` composed of multiple fields returned incorrect results
instead of tuples of the referenced fields (:ticket:`36431`).
|
