File: 2.0.2.txt

package info (click to toggle)
python-django 3%3A3.2.19-1%2Bdeb12u2
  • links: PTS, VCS
  • area: main
  • in suites: bookworm-proposed-updates
  • size: 56,696 kB
  • sloc: python: 264,418; javascript: 18,362; xml: 193; makefile: 178; sh: 43
file content (51 lines) | stat: -rw-r--r-- 2,124 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
==========================
Django 2.0.2 release notes
==========================

*February 1, 2018*

Django 2.0.2 fixes a security issue and several bugs in 2.0.1.

CVE-2018-6188: Information leakage in ``AuthenticationForm``
============================================================

A regression in Django 1.11.8 made
:class:`~django.contrib.auth.forms.AuthenticationForm` run its
``confirm_login_allowed()`` method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't
overridden, an attacker enter an arbitrary username and see if that user has
been set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,
more sensitive details could be leaked.

This issue is fixed with the caveat that ``AuthenticationForm`` can no longer
raise the "This account is inactive." error if the authentication backend
rejects inactive users (the default authentication backend, ``ModelBackend``,
has done that since Django 1.10). This issue will be revisited for Django 2.1
as a fix to address the caveat will likely be too invasive for inclusion in
older versions.

Bugfixes
========

* Fixed hidden content at the bottom of the "The install worked successfully!"
  page for some languages (:ticket:`28885`).

* Fixed incorrect foreign key nullification if a model has two foreign keys to
  the same model and a target model is deleted (:ticket:`29016`).

* Fixed regression in the use of ``QuerySet.values_list(..., flat=True)``
  followed by ``annotate()`` (:ticket:`29067`).

* Fixed a regression where a queryset that annotates with geometry objects
  crashes (:ticket:`29054`).

* Fixed a regression where ``contrib.auth.authenticate()`` crashes if an
  authentication backend doesn't accept ``request`` and a later one does
  (:ticket:`29071`).

* Fixed a regression where ``makemigrations`` crashes if a migrations directory
  doesn't have an ``__init__.py`` file (:ticket:`29091`).

* Fixed crash when entering an invalid uuid in ``ModelAdmin.raw_id_fields``
  (:ticket:`29094`).