mirror of
https://github.com/django/django.git
synced 2025-02-09 00:45:23 +00:00
93cae5cb2f
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report.
24 lines
876 B
Plaintext
24 lines
876 B
Plaintext
===========================
|
|
Django 3.2.13 release notes
|
|
===========================
|
|
|
|
*April 11, 2022*
|
|
|
|
Django 3.2.13 fixes two security issues with severity "high" in
|
|
3.2.12 and a regression in 3.2.4.
|
|
|
|
CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``
|
|
====================================================================================================
|
|
|
|
:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and
|
|
:meth:`~.QuerySet.extra` methods were subject to SQL injection in column
|
|
aliases, using a suitably crafted dictionary, with dictionary expansion, as the
|
|
``**kwargs`` passed to these methods.
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Fixed a regression in Django 3.2.4 that caused the auto-reloader to no longer
|
|
detect changes when the ``DIRS`` option of the ``TEMPLATES`` setting
|
|
contained an empty string (:ticket:`33628`).
|