2022-04-01 14:37:19 +08:00
|
|
|
===========================
|
|
|
|
Django 2.2.28 release notes
|
|
|
|
===========================
|
|
|
|
|
|
|
|
*April 11, 2022*
|
|
|
|
|
|
|
|
Django 2.2.28 fixes two security issues with severity "high" in 2.2.27.
|
2022-04-01 14:10:22 +08:00
|
|
|
|
|
|
|
CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``
|
|
|
|
====================================================================================================
|
|
|
|
|
|
|
|
:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and
|
|
|
|
:meth:`~.QuerySet.extra` methods were subject to SQL injection in column
|
|
|
|
aliases, using a suitably crafted dictionary, with dictionary expansion, as the
|
|
|
|
``**kwargs`` passed to these methods.
|