File: 5.0.8.txt

package info (click to toggle)
python-django 3%3A5.2.5-1
  • links: PTS, VCS
  • area: main
  • in suites: experimental
  • size: 61,236 kB
  • sloc: python: 361,585; javascript: 19,250; xml: 211; makefile: 182; sh: 28
file content (67 lines) | stat: -rw-r--r-- 3,031 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
==========================
Django 5.0.8 release notes
==========================

*August 6, 2024*

Django 5.0.8 fixes three security issues with severity "moderate", one security
issue with severity "high", and several bugs in 5.0.7.

CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
================================================================================

If :tfilter:`floatformat` received a string representation of a number in
scientific notation with a large exponent, it could lead to significant memory
consumption.

To avoid this, decimals with more than 200 digits are now returned as is.

CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
=======================================================================================================================

:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.

CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
======================================================================================

:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
with a ``JSONField`` were subject to SQL injection in column aliases, via a
crafted JSON object key as a passed ``*arg``.

Bugfixes
========

* Added missing validation for ``UniqueConstraint(nulls_distinct=False)`` when
  using ``*expressions`` (:ticket:`35594`).

* Fixed a regression in Django 5.0 where ``ModelAdmin.action_checkbox`` could
  break the admin changelist HTML page when rendering a model instance with a
  ``__html__`` method (:ticket:`35606`).

* Fixed a crash when creating a model with a ``Field.db_default`` and a
  ``Meta.constraints`` constraint composed of ``__endswith``, ``__startswith``,
  or ``__contains`` lookups (:ticket:`35625`).

* Fixed a regression in Django 5.0.7 that caused a crash in
  ``LocaleMiddleware`` when processing a language code over 500 characters
  (:ticket:`35627`).

* Fixed a bug in Django 5.0 that caused a system check crash when
  ``ModelAdmin.date_hierarchy`` was a ``GeneratedField`` with an
  ``output_field`` of ``DateField`` or ``DateTimeField`` (:ticket:`35628`).

* Fixed a bug in Django 5.0 which caused constraint validation to either crash
  or incorrectly raise validation errors for constraints referring to fields
  using ``Field.db_default`` (:ticket:`35638`).

* Fixed a crash in Django 5.0 when saving a model containing a ``FileField``
  with a ``db_default`` set (:ticket:`35657`).