File: 2.0.3.txt

package info (click to toggle)
python-django 3%3A3.2.19-1%2Bdeb12u2
  • links: PTS, VCS
  • area: main
  • in suites: bookworm-proposed-updates
  • size: 56,696 kB
  • sloc: python: 264,418; javascript: 18,362; xml: 193; makefile: 178; sh: 43
file content (56 lines) | stat: -rw-r--r-- 2,404 bytes parent folder | download | duplicates (6) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
 
==========================
Django 2.0.3 release notes
==========================

*March 6, 2018*

Django 2.0.3 fixes two security issues and several bugs in 2.0.2. Also, the
latest string translations from Transifex are incorporated.

CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
===============================================================================================

The ``django.utils.html.urlize()`` function was extremely slow to evaluate
certain inputs due to catastrophic backtracking vulnerabilities in two regular
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
``urlizetrunc`` template filters, which were thus vulnerable.

The problematic regular expressions are replaced with parsing logic that
behaves similarly.

CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters
==================================================================================================================

If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were
passed the ``html=True`` argument, they were extremely slow to evaluate certain
inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
``truncatechars_html`` and ``truncatewords_html`` template filters, which were
thus vulnerable.

The backtracking problem in the regular expression is fixed.

Bugfixes
========

* Fixed a regression that caused sliced ``QuerySet.distinct().order_by()``
  followed by ``count()`` to crash (:ticket:`29108`).

* Prioritized the datetime and time input formats without ``%f`` for the Thai
  locale to fix the admin time picker widget displaying "undefined"
  (:ticket:`29109`).

* Fixed crash with ``QuerySet.order_by(Exists(...))`` (:ticket:`29118`).

* Made ``Q.deconstruct()`` deterministic with multiple keyword arguments
  (:ticket:`29125`). You may need to modify ``Q``'s in existing migrations, or
  accept an autogenerated migration.

* Fixed a regression where a ``When()`` expression with a list argument crashes
  (:ticket:`29166`).

* Fixed crash when using a ``Window()`` expression in a subquery
  (:ticket:`29172`).

* Fixed ``AbstractBaseUser.normalize_username()`` crash if the ``username``
  argument isn't a string (:ticket:`29176`).