django/docs/releases/5.0.2.txt

==========================
Django 5.0.2 release notes
==========================

*February 6, 2024*

Django 5.0.2 fixes a security issue with severity "moderate" and several bugs
in 5.0.1. Also, the latest string translations from Transifex are incorporated.

CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
===========================================================================

The ``intcomma`` template filter was subject to a potential denial-of-service
attack when used with very long strings.

Bugfixes
========

* Reallowed, following a regression in Django 5.0.1, filtering against local
  foreign keys not included in :attr:`.ModelAdmin.list_filter`
  (:ticket:`35087`).

* Fixed a regression in Django 5.0 where links in the admin had an incorrect
  color (:ticket:`35121`).

* Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on
  models with a ``GeneratedField`` (:ticket:`35127`).

* Fixed a regression in Django 5.0 that caused a crash of
  ``FilteredRelation()`` with querysets as right-hand sides (:ticket:`35135`).
  ``FilteredRelation()`` now raises a ``ValueError`` on querysets as right-hand
  sides.

* Fixed a regression in Django 5.0 that caused a crash of the ``dumpdata``
  management command when a base queryset used ``prefetch_related()``
  (:ticket:`35159`).

* Fixed a regression in Django 5.0 that caused the ``request_finished`` signal to
  sometimes not be fired when running Django through an ASGI server, resulting
  in potential resource leaks (:ticket:`35059`).

* Fixed a bug in Django 5.0 that caused a migration crash on MySQL when adding
  a ``BinaryField``, ``TextField``, ``JSONField``, or ``GeometryField`` with a
  ``db_default`` (:ticket:`35162`).

* Fixed a bug in Django 5.0 that caused a migration crash on models with a
  literal ``db_default`` of a complex type such as ``dict`` instance of a
  ``JSONField``. Running ``makemigrations`` might generate no-op ``AlterField``
  operations for fields using ``db_default`` (:ticket:`35149`).
Added stub release notes for 5.0.2. 2024-01-02 09:28:34 +00:00			`==========================`
			`Django 5.0.2 release notes`
			`==========================`

Added stub release notes and release date for 5.0.2, 4.2.10, and 3.2.24. 2024-01-29 14:41:53 +00:00			`February 6, 2024`
Added stub release notes for 5.0.2. 2024-01-02 09:28:34 +00:00
Added stub release notes and release date for 5.0.2, 4.2.10, and 3.2.24. 2024-01-29 14:41:53 +00:00			`Django 5.0.2 fixes a security issue with severity "moderate" and several bugs`
			`in 5.0.1. Also, the latest string translations from Transifex are incorporated.`
Added stub release notes for 5.0.2. 2024-01-02 09:28:34 +00:00
Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template filter. Thanks Seokchan Yoon for the report. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Shai Berger <shai@platonix.com> 2024-01-22 13:21:13 +00:00			CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
			`===========================================================================`

			The ``intcomma`` template filter was subject to a potential denial-of-service
			`attack when used with very long strings.`

Added stub release notes for 5.0.2. 2024-01-02 09:28:34 +00:00			`Bugfixes`
			`========`

Fixed #35087 -- Reallowed filtering against foreign keys not listed in ModelAdmin.list_filters. Regression in f80669d2f5a5f1db9e9b73ca893fefba34f955e7. 2024-01-05 13:08:25 +00:00			`* Reallowed, following a regression in Django 5.0.1, filtering against local`
			foreign keys not included in :attr:`.ModelAdmin.list_filter`
			(:ticket:`35087`).
Fixed #35121 -- Corrected color for links in the admin. Thanks Collin Anderson for the report. Regression in 6ad2738a8f32b94cbae742f212080fadf2dee421. 2024-01-18 09:21:12 +00:00
			`* Fixed a regression in Django 5.0 where links in the admin had an incorrect`
			color (:ticket:`35121`).
Fixed #35127 -- Made Model.full_clean() ignore GeneratedFields. Thanks Claude Paroz for the report. Regression in f333e3513e8bdf5ffeb6eeb63021c230082e6f95. 2024-01-19 07:55:50 +00:00
			* Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on
			models with a ``GeneratedField`` (:ticket:`35127`).
Fixed #35135 -- Made FilteredRelation raise ValueError on querysets as rhs. Regression in 59f475470494ce5b8cbff816b1e5dafcbd10a3a3. 2024-01-23 10:51:24 +00:00
			`* Fixed a regression in Django 5.0 that caused a crash of`
			``FilteredRelation()`` with querysets as right-hand sides (:ticket:`35135`).
			``FilteredRelation()`` now raises a ``ValueError`` on querysets as right-hand
			`sides.`
Fixed #35159 -- Fixed dumpdata crash when base querysets use prefetch_related(). Regression in 139135627650ed6aaaf4c755b82c3bd43f2b8f51 following deprecation in edbf930287cb72e9afab1f7208c24b1146b0c4ec. Thanks Andrea F for the report. 2024-01-31 15:10:05 +00:00
			* Fixed a regression in Django 5.0 that caused a crash of the ``dumpdata``
			management command when a base queryset used ``prefetch_related()``
			(:ticket:`35159`).
Fixed #35059 -- Ensured that ASGIHandler always sends the request_finished signal. Prior to this work, when async tasks that process the request are cancelled due to receiving an early "http.disconnect" ASGI message, the request_finished signal was not being sent, potentially leading to resource leaks (such as database connections). This branch ensures that the request_finished signal is sent even in the case of early termination of the response. Regression in 64cea1e48f285ea2162c669208d95188b32bbc82. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> 2024-01-04 13:14:30 +00:00
			* Fixed a regression in Django 5.0 that caused the ``request_finished`` signal to
			`sometimes not be fired when running Django through an ASGI server, resulting`
			in potential resource leaks (:ticket:`35059`).
Fixed #35162 -- Fixed crash when adding fields with db_default on MySQL. MySQL doesn't allow literal DEFAULT values to be used for BLOB, TEXT, GEOMETRY or JSON columns and requires expression to be used instead. Regression in 7414704e88d73dafbcfbb85f9bc54cb6111439d3. 2024-02-03 15:54:51 +00:00
			`* Fixed a bug in Django 5.0 that caused a migration crash on MySQL when adding`
			a ``BinaryField``, ``TextField``, ``JSONField``, or ``GeometryField`` with a
			``db_default`` (:ticket:`35162`).
Fixed #35149 -- Fixed crashes of db_default with unresolvable output field. Field.db_default accepts either literal Python values or compilables (as_sql) and wrap the former ones in Value internally. While 1e38f11 added support for automatic resolving of output fields for types such as str, int, float, and other unambigous ones it's cannot do so for all types such as dict or even contrib.postgres and contrib.gis primitives. When a literal, non-compilable, value is provided it likely make the most sense to bind its output field to the field its attached to avoid forcing the user to provide an explicit `Value(output_field)`. Thanks David Sanders for the report. 2024-01-28 17:02:33 +00:00
			`* Fixed a bug in Django 5.0 that caused a migration crash on models with a`
			literal ``db_default`` of a complex type such as ``dict`` instance of a
			``JSONField``. Running ``makemigrations`` might generate no-op ``AlterField``
			operations for fields using ``db_default`` (:ticket:`35149`).