File: 5.2.1.txt

package info (click to toggle)
python-django 3%3A5.2.5-1
  • links: PTS, VCS
  • area: main
  • in suites: experimental
  • size: 61,236 kB
  • sloc: python: 361,585; javascript: 19,250; xml: 211; makefile: 182; sh: 28
file content (82 lines) | stat: -rw-r--r-- 3,635 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
==========================
Django 5.2.1 release notes
==========================

*May 7, 2025*

Django 5.2.1 fixes a security issue with severity "moderate" and several bugs
in 5.2.

This release was built using an upgraded :pypi:`setuptools`, producing
filenames compliant with :pep:`491` and :pep:`625` and thus addressing a PyPI
warning about non-compliant distribution filenames. This change only affects
the Django packaging process and does not impact Django's behavior.

CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
=================================================================

:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used to
implement the :tfilter:`striptags` template filter, which was thus also
vulnerable.

:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
exception if it encounters an unusually large number of unclosed opening tags.

Bugfixes
========

* Fixed a regression in Django 5.2 that caused a crash when annotating
  aggregate expressions over query that uses explicit grouping by transforms
  followed by field references (:ticket:`36292`).

* Fixed a regression in Django 5.2 that caused unnecessary queries when
  prefetching nullable foreign key relationships (:ticket:`36290`).

* Fixed a regression in Django 5.2 that caused a crash of
  ``QuerySet.bulk_create()`` with nullable geometry fields on PostGIS
  (:ticket:`36289`).

* Fixed a regression in Django 5.2 that caused fields to be incorrectly
  selected when using ``QuerySet.alias()`` after ``values()``
  (:ticket:`36299`).

* Fixed a data corruption possibility in ``file_move_safe()`` when
  ``allow_overwrite=True``, where leftover content from a previously larger
  file could remain after overwriting with a smaller one due to lack of
  truncation (:ticket:`36298`).

* Fixed a regression in Django 5.2 that caused a crash when using
  ``QuerySet.select_for_update(of=(…))`` with ``values()/values_list()``
  including expressions (:ticket:`36301`).

* Fixed a regression in Django 5.2 that caused improper values to be returned
  from ``QuerySet.values_list()`` when duplicate field names were specified
  (:ticket:`36288`).

* Fixed a regression in Django 5.2 where the password validation error message
  from ``MinimumLengthValidator`` was not translated when using non-English
  locales (:ticket:`36314`).

* Fixed a regression in Django 5.2 that caused the ``object-tools`` block to be
  rendered twice when using custom admin templates with overridden blocks due
  to changes in the base admin page block structure (:ticket:`36331`).

* Fixed a regression in Django 5.2, introduced when fixing :cve:`2025-26699`,
  where the :tfilter:`wordwrap` template filter did not preserve empty lines
  between paragraphs after wrapping text (:ticket:`36341`).

* Fixed a regression in Django 5.2 that caused a crash when serializing email
  alternatives or attachments due to named tuple mismatches (:ticket:`36309`).

* Fixed a regression in Django 5.2 that caused a crash when using ``update()``
  on a ``QuerySet`` filtered against a related model and including references
  to annotations through ``values()`` (:ticket:`36360`).

* Fixed a bug in Django 5.2 that caused composite primary key introspection to
  wrongly identify ``IntegerField`` as ``AutoField`` on SQLite
  (:ticket:`36358`).

* Fixed a bug in Django 5.2 that caused a redundant ``unique_together``
  constraint to be generated for composite primary keys when using
  :djadmin:`inspectdb` (:ticket:`36357`).