Corrected announcement link: https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/
On Tue, Jun 10, 2025 at 3:28 PM Sarah Boyce <sarahbo...@djangoproject.com> wrote:
> https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
>
> Following the June 4, 2025 security release, the Django team is issuing releases for
> `Django 5.2.3 <https://docs.djangoproject.com/en/dev/releases/5.2.3/>`_,
> `Django 5.1.11 <https://docs.djangoproject.com/en/dev/releases/5.1.11/>`_, and
> `Django 4.2.23 <https://docs.djangoproject.com/en/dev/releases/4.2.23/>`_ to
> complete mitigation for CVE-2025-48432: Potential log injection via unescaped
> request path (`full description <https://www.djangoproject.com/weblog/2025/jun/04/security-releases/>`_).
>
> These follow-up releases migrate remaining response logging paths to a safer
> logging implementation, ensuring that all untrusted input is properly escaped
> before being written to logs. This update does not introduce a new CVE but
> strengthens the original fix.
>
> We encourage all users of Django to upgrade as soon as possible.
>
> Affected supported versions
> ===========================
>
> * Django main
> * Django 5.2
> * Django 5.1
> * Django 4.2
>
> Resolution
> ==========
>
> Patches to resolve the issue have been applied to Django's
> main, 5.2, 5.1, and 4.2 branches.
> The patches may be obtained from the following changesets.
>
> CVE-2025-48432: Potential log injection via unescaped request path
> ------------------------------------------------------------------
>
> * On the `main branch <https://github.com/django/django/commit/957951755259b412d5113333b32bf85871d29814/>`__
> * On the `5.2 branch <https://github.com/django/django/commit/8fcc83953c350e158a484bf1da0aa1b79b69bb07/>`__
> * On the `5.1 branch <https://github.com/django/django/commit/31f4bd31fa16f7f5302f65b9b8b7a49b69a7c4a6/>`__
> * On the `4.2 branch <https://github.com/django/django/commit/b597d46bb19c8567615e62029210dab16c70db7d/>`__
>
> The following releases have been issued
> =======================================
>
> * Django 5.2.3 (`download Django 5.2.3 <https://www.djangoproject.com/download/5.2.3/tarball/>`_ | `5.2.3 checksums <https://www.djangoproject.com/download/5.2.3/checksum/>`_)
> * Django 5.1.11 (`download Django 5.1.11 <https://www.djangoproject.com/download/5.1.11/tarball/>`_ | `5.1.11 checksums <https://www.djangoproject.com/download/5.1.11/checksum/>`_)
> * Django 4.2.23 (`download Django 4.2.23 <https://www.djangoproject.com/download/4.2.23/tarball/>`_ | `4.2.23 checksums <https://www.djangoproject.com/download/4.2.23/checksum/>`_)
>
> The PGP key ID used for this release is: `3955B19851EA96EF <https://github.com/sarahboyce.gpg>`_
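To illustrate the issue class the announcement names (control characters in an unescaped request path breaking log line integrity) and the mitigation it describes (escaping untrusted input before it is written to logs), here is an added Python example. It is not Django's code or the patched changesets; the sample path, logger names and helper functions are constructed for the demonstration.

```python
import io
import logging
import re

# Constructed sample path: a request path carrying CR/LF and an ANSI escape
# sequence. A placeholder for the demo, not a captured request.
MALICIOUS_PATH = "/login\r\nWARNING:django.request:Forged entry \x1b[31mred\x1b[0m /"

# Every ASCII control character (CR, LF, ESC, NUL, DEL, ...) is escaped.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def escape_for_log(value: str) -> str:
    """Return value with each control character replaced by its \\xNN escape."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def _capture_logger(name: str):
    """Hypothetical helper: a logger whose output is collected in a buffer."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s:%(name)s:%(message)s"))
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger, buf


def log_response_unsafe(status: int, path: str) -> str:
    """Before: the raw path is interpolated into the log record as-is."""
    logger, buf = _capture_logger("demo.unsafe.request")
    logger.warning("%s: %s", status, path)
    return buf.getvalue()


def log_response_safe(status: int, path: str) -> str:
    """After: the path is escaped before it reaches the log record."""
    logger, buf = _capture_logger("demo.safe.request")
    logger.warning("%s: %s", status, escape_for_log(path))
    return buf.getvalue()


def count_lines(output: str) -> int:
    """Number of physical log lines produced; one record should be one line."""
    return len(output.splitlines())


if __name__ == "__main__":
    print(repr(log_response_unsafe(404, MALICIOUS_PATH)))  # two lines, forged second
    print(repr(log_response_safe(404, MALICIOUS_PATH)))    # one line, escapes visible
```

The unescaped variant emits two log lines for a single request, so a downstream parser or reviewer cannot tell the forged entry from a real one; the escaped variant keeps one record per line with the control characters visible as `\x0d\x0a` and `\x1b`.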