File: 4.2.26.txt

package info (click to toggle)
python-django 3%3A4.2.26-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 58,640 kB
  • sloc: python: 334,821; javascript: 18,754; xml: 215; makefile: 178; sh: 27
file content (25 lines) | stat: -rw-r--r-- 1,290 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
 
===========================
Django 4.2.26 release notes
===========================

*November 5, 2025*

Django 4.2.26 fixes one security issue with severity "high" and one security
issue with severity "moderate" in 4.2.25.

CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
======================================================================================================================================

Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
denial-of-service attack via certain inputs with a very large number of Unicode
characters (follow up to :cve:`2025-27556`).

CVE-2025-64459: Potential SQL injection via ``_connector`` keyword argument
===========================================================================

:meth:`.QuerySet.filter`, :meth:`~.QuerySet.exclude`, :meth:`~.QuerySet.get`,
and :class:`~.Q` were subject to SQL injection using a suitably crafted
dictionary, with dictionary expansion, as the ``_connector`` argument.