1
0
mirror of https://github.com/django/django.git synced 2025-07-10 04:39:13 +00:00

3 Commits

Author SHA1 Message Date
Mariusz Felisiak
9e19accb6e [3.2.x] Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) against SQL injection on PostgreSQL.
Backport of 6723a26e59b0b5429a0c5873941e01a2e1bdbb81 from main.
2022-04-11 09:12:58 +02:00
Mariusz Felisiak
2044dac5c6 [3.2.x] Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.

Backport of 93cae5cb2f9a4ef1514cf1a41f714fef08005200 from main.
2022-04-11 09:12:06 +02:00
Mariusz Felisiak
70035fb044 [3.2.x] Added stub release notes for 3.2.13 and 2.2.28.
Backport of 78277faafd38d8360efc1fd0c9c52d7bb5eec002 from main
2022-04-04 10:51:06 +02:00