===========================Django 3.1.13 release notes===========================*July 1, 2021*Django 3.1.13 fixes a security issue with severity "high" in 3.1.12.CVE-2021-35042: Potential SQL injection via unsanitized ``QuerySet.order_by()`` input=====================================================================================Unsanitized user input passed to ``QuerySet.order_by()`` could bypass intendedcolumn reference validation in path marked for deprecation resulting in apotential SQL injection even if a deprecation warning is emitted.As a mitigation the strict column reference validation was restored for theduration of the deprecation period. This regression appeared in 3.1 as a sideeffect of fixing :ticket:`31426`.The issue is not present in the main branch as the deprecated path has beenremoved.