Skip to content

[pull] main from django:main #207

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pull merged 4 commits into from
Dec 2, 2025
Merged

[pull] main from django:main #207

pull merged 4 commits into from
Dec 2, 2025

Conversation

@pull
Copy link

@pull pull bot commented Dec 2, 2025
edited
Loading

See Commits and Changes for more details.

Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

jacobtylerwalls and others added 4 commits December 2, 2025 09:21
@jacobtylerwalls @nessita
Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL inject…
5b90ca1 
…ion in column aliases on PostgreSQL.

Follow-up to CVE-2025-57833.

Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak
for the reviews.
@shaib @jacobtylerwalls @nessita
Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation i…
50efb71 
…n XML serializer.

Previously, `getInnerText()` recursively used `list.extend()` on strings,
which added each character from child nodes as a separate list element.
On deeply nested XML content, this caused the overall deserialization
work to grow quadratically with input size, potentially allowing
disproportionate CPU consumption for crafted XML.

The fix separates collection of inner texts from joining them, so that
each subtree is joined only once, reducing the complexity to linear in
the size of the input. These changes also include a mitigation for a
xml.dom.minidom performance issue.

Thanks Seokchan Yoon (https://ch4n3.kr/) for report.

Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
@nessita
Added stub release notes for 5.2.10.
8d4ec99
@nessita
Added CVE-2025-13372 and CVE-2025-64460 to security archive.
d0d5960
@pull pull bot locked and limited conversation to collaborators Dec 2, 2025
@pull pull bot added the ⤵️ pull label Dec 2, 2025
@pull pull bot merged commit d0d5960 into threatcode:main Dec 2, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

⤵️ pull

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jacobtylerwalls @shaib @nessita