Sarah Boyce
97c753741a
[5.1.x] Added follow-up to CVE-2025-48432 to security archive.
...
Backport of 2714bc3f2c
2025-06-10 15:15:14 +02:00
Jake Howard
31f4bd31fa
[5.1.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response logging.
...
Migrated remaining response-related logging to use the `log_response()`
helper to avoid potential log injection, to ensure untrusted values like
request paths are safely escaped.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9579517552
2025-06-06 09:09:06 -03:00
Natalia
976e34a2a5
[5.1.x] Added CVE-2025-48432 to security archive.
...
Backport of 51923c576a
2025-06-04 10:58:49 -03:00
Natalia
596542ddb4
[5.1.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in log_response().
...
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/ ) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of a07ebec559
2025-06-04 08:46:07 -03:00
Natalia
a70841bc03
[5.1.x] Added stub release notes and release date for 5.1.10 and 4.2.22.
...
Backport of 1a74434399
2025-05-28 10:19:23 -03:00
Jason Judkins
129750a807
[5.1.x] Fixed #36402 , Refs #35980 -- Updated built package name in reusable apps tutorial for PEP 625.
...
Backport of 1307b8a1cb
2025-05-26 12:37:29 -03:00
Natalia
85bdeb31e2
[5.1.x] Refs #35980 -- Added release note about changes in release artifacts filenames.
...
Backport of 42ab99309d
2025-05-09 13:31:53 -03:00
Natalia
503128a7d1
[5.1.x] Removed "Expected" from release date for 5.1.9 and 4.2.21.
...
Backport of c86156378d
2025-05-09 13:30:58 -03:00
Natalia
73f70b5cc8
[5.1.x] Cleaned up CVE-2025-32873 security archive description.
...
Backport of 37f2a77c72
2025-05-07 11:37:34 -03:00
Natalia
05fab4e394
[5.1.x] Added CVE-2025-32873 to security archive.
...
Backport of fdabda4e05
2025-05-07 11:09:35 -03:00
Sarah Boyce
0b42f6a528
[5.1.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().
...
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9f3419b519
2025-05-06 22:31:16 -03:00
Natalia
1520d18e9c
[5.1.x] Added upcoming security release to release notes.
...
Backport of 0f5dd0dff3
2025-04-30 14:56:53 -03:00
nessita
660067f8e7
[5.1.x] Refs #36341 -- Added release notes for 5.1.9 and 4.2.21 for fix in wordwrap template filter.
...
Revision 1e9db3583655d89e25f4c86242d61f
2025-04-23 17:30:05 -03:00
Baptiste Mispelon
af6d305fc7
[5.1.x] Fixed #36320 -- Ignored "duplicated_toc_entry" for ePub docs build.
...
Backport of ac16d2876d
2025-04-12 19:40:16 +02:00
Sarah Boyce
39b144badd
[5.1.x] Fixed #36298 -- Truncated the overwritten file content in file_move_safe().
...
Regression in 58cd4902a78ad3e80e88
2025-04-07 16:15:25 +02:00
Sarah Boyce
be13608613
[5.1.x] Added CVE-2025-27556 to security archive.
...
Backport of b83dab7d8d
2025-04-02 13:33:19 +02:00
Sarah Boyce
edc2716d01
[5.1.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.
...
Thank you sw0rd1ight for the report.
Backport of 39e2297210
2025-04-02 10:28:26 +02:00
Babak Mahmoudy
b3b09dc6ce
[5.1.x] Fixed #36213 -- Doc'd MySQL's handling of self-select updates in QuerySet.update().
...
Co-authored-by: Andro Ranogajec <ranogaet@gmail.com>
Backport of be1b776ad8
2025-04-02 08:48:02 +02:00
Clifford Gama
3fdc8c31da
[5.1.x] Clarified pre_delete and post_delete's origin attributes.
...
Backport of 9d5d0e8135
2025-03-31 16:13:06 +02:00
Carlton Gibson
5805d1c346
[5.1.x] Simplified Intersphinx configuration example.
...
docs.djangoproject.com had been updated to serve the object.inv file
from the default location, so the second tuple element can be None
(the "default" value).
Backport of 5df512e53a
2025-03-28 09:38:46 +01:00
Carlton Gibson
31262b37d4
[5.1.x] Doc'd how to use Intersphinx in the reusable apps tutorial.
...
Backport of 6e54e20cc3
2025-03-27 17:37:46 +01:00
Sarah Boyce
451ba1f3cf
[5.1.x] Added stub release notes and release date for 5.1.8 and 5.0.14.
...
Backport of c75fbe8430
2025-03-26 09:04:34 +01:00
dr-rompecabezas
3266f2516c
[5.1.x] Updated ogrinfo output in GIS tutorial.
...
Backport of fb65c52040
2025-03-23 21:36:57 +01:00
mguegnol
659f88e4c9
[5.1.x] Fixed typo in docs/topics/signals.txt.
...
Backport of e2b9a17913
2025-03-23 20:06:39 +01:00
Sarah Boyce
f581b0b5c2
[5.1.x] Documented the updating of translation catalogs in post-release tasks.
...
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 922c1c732a
2025-03-21 14:56:44 +01:00
Clifford Gama
f927c9f2aa
[5.1.x] Fixed #36095 -- Introduced lazy references in "Models across files" section.
...
Backport of 6a2c296e70
2025-03-21 14:12:23 +01:00
Clifford Gama
bd8bbc8c1a
[5.1.x] Refs #36095 -- Doc'd that ManyToManyField.through supports lazy relationships.
...
Backport of eb4ea9c3ef
2025-03-21 14:11:55 +01:00
Carlton Gibson
ab4bb5b2f9
[5.1.x] Fixed #33497 -- Doc'd that persistent DB connections should be disabled in ASGI and async modes.
...
Backport of 8713e4ae96
2025-03-18 21:28:43 -03:00
Clifford Gama
e9acb05b63
[5.1.x] Fixed #36202 -- Added examples of JSONField __contains and __contained_by lookups with nested arrays to docs.
...
Backport of 304e9f3d6a
2025-03-18 21:56:20 +01:00
Clifford Gama
d05cf7c35f
[5.1.x] Fixed #36078 -- Doc'd that Postgres normalizes a range field with no points to empty.
...
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Backport of 611e7bc3a0
2025-03-18 16:53:01 +01:00
YQ
71558701df
[5.1.x] Fixed #36254 -- Fixed template dictionary unpacking in docs/topics/i18n/timezones.txt.
...
Backport of 30e0a43937
2025-03-17 09:49:54 +01:00
Clifford Gama
8cb8820fbf
[5.1.x] Fixed pronoun disagreement in docs/ref/models/querysets.txt.
...
Backport of ef6a83789b
2025-03-14 10:51:30 +01:00
Clifford Gama
67fc5805db
[5.1.x] Corrected aggregation example in docs/ref/models/querysets.txt.
...
Backport of 3235e76eb5
2025-03-14 10:50:54 +01:00
hesham hatem
d752ec8259
[5.1.x] Fixed #36249 -- Fixed typo in docs/topics/db/queries.txt.
...
Backport of e03440291b
2025-03-12 18:10:11 -03:00
Adam Johnson
cfc33d146e
[5.1.x] Fixed #36234 -- Restored single_object argument to LogEntry.objects.log_actions().
...
Thank you Adam Johnson for the report and fix. Thank you Sarah Boyce for
your spot on analysis.
Regression in c09bceef6827b68bcadf
2025-03-12 16:39:14 -03:00
samruddhiDharankar
ccd5867ae6
[5.1.x] Fixed #36066 -- Documented that Q objects can be used directly in annotations.
...
Backport of 9120a19c4e
2025-03-10 12:57:37 +01:00
Sarah Boyce
74d41970af
[5.1.x] Added CVE-2025-26699 to security archive.
...
Backport of bad1a18ff2
2025-03-06 14:07:09 +01:00
Sarah Boyce
4b2ddd015a
[5.1.x] Added stub release notes for 5.1.8.
...
Backport of 193e3446e3
2025-03-06 13:33:23 +01:00
Sarah Boyce
8dbb44d342
[5.1.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template filter.
...
Thanks sw0rd1ight for the report.
Backport of 55d89e25f4
2025-03-06 09:42:06 +01:00
hesham942
d7dc1f6db0
[5.1.x] Fixed typo in docs/ref/checks.txt.
...
Backport of 8f942f1c1d
2025-03-05 16:23:43 +01:00
hesham942
dbd94e7ac9
[5.1.x] Fixed #36227 -- Fixed outdated PostgreSQL documentation links.
...
Backport of 3ecaa85a24
2025-03-05 15:18:24 +01:00
Clifford Gama
cc405e1546
[5.1.x] Fixed #36128 -- Clarified auto-generated unique constraint on m2m through models.
...
Backport of ae2736ca3b
2025-03-04 13:08:01 +01:00
antoliny0919
03ace756ea
[5.1.x] Fixed #36217 -- Restored pre_save/post_save signal emission via LogEntry.save() for single-object deletion in the admin.
...
Regression in 40b3975e7dc09bceef68
2025-03-04 10:38:15 +01:00
Tim Graham
76a9f12b60
[5.1.x] Added some heading labels to to docs/topics/cache.txt.
...
Backport of 6d1cf5375f
2025-03-02 19:56:11 +01:00
Sarah Boyce
558c616c95
[5.1.x] Added stub release notes and release date for 5.1.7, 5.0.13, and 4.2.20.
...
Backport of ea1e3703be
2025-02-27 16:08:13 +01:00
Sarah Boyce
11243cc8f3
[5.1.x] Added security guideline on reasonable size limitations when rendering content via the DTL.
...
This also removes the need to add warnings for every Django template filter.
Backport of 582ba18d56
2025-02-24 08:59:00 +01:00
Sarah Boyce
b80288a16d
[5.1.x] Added security reporting guidelines.
...
Backport of 5935336059
2025-02-24 08:58:11 +01:00
Sarah Boyce
ce8dd44285
[5.1.x] Updated expectations for when security reports will receive a reply.
...
Backport of cecb76a942
2025-02-24 08:57:25 +01:00
Joonas Häkkinen
914cde19c2
[5.1.x] Fixed #36200 -- Clarified MIDDLEWARE setting updates when using a custom RemoteUserMiddleware.
...
Backport of 87c5de3b7f
2025-02-20 16:16:29 +01:00
Adam Zapletal
f8b72f8547
[5.1.x] Clarified admonition in GeneratedField docs.
...
Backport of 43766c70bd
2025-02-20 14:43:22 +01:00
