File: 5.2.6.txt

package info (click to toggle)
python-django 3%3A6.0-1
  • links: PTS, VCS
  • area: main
  • in suites: experimental
  • size: 62,104 kB
  • sloc: python: 371,210; javascript: 19,376; xml: 211; makefile: 187; sh: 28
file content (21 lines) | stat: -rw-r--r-- 801 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
 
==========================
Django 5.2.6 release notes
==========================

*September 3, 2025*

Django 5.2.6 fixes a security issue with severity "high" and one bug in 5.2.5.

CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
==============================================================================

:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.

Bugfixes
========

* Fixed a bug where using ``QuerySet.values()`` or ``values_list()`` with a
  ``ForeignObject`` composed of multiple fields returned incorrect results
  instead of tuples of the referenced fields (:ticket:`36431`).