django/docs/releases/3.0.4.txt

==========================
Django 3.0.4 release notes
==========================

*March 4, 2020*

Django 3.0.4 fixes a security issue and several bugs in 3.0.3.

CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle
============================================================================================================

GIS functions and aggregates on Oracle were subject to SQL injection,
using a suitably crafted ``tolerance``.

Bugfixes
========

* Fixed a data loss possibility when using caching from async code
  (:ticket:`31253`).

* Fixed a regression in Django 3.0 that caused a file response using a
  temporary file to be closed incorrectly (:ticket:`31240`).

* Fixed a data loss possibility in the
  :meth:`~django.db.models.query.QuerySet.select_for_update`. When using
  related fields or parent link fields with :ref:`multi-table-inheritance` in
  the ``of`` argument, the corresponding models were not locked
  (:ticket:`31246`).

* Fixed a regression in Django 3.0 that caused misplacing parameters in logged
  SQL queries on Oracle (:ticket:`31271`).

* Fixed a regression in Django 3.0.3 that caused misplacing parameters of SQL
  queries when subtracting ``DateField`` or ``DateTimeField`` expressions on
  MySQL (:ticket:`31312`).

* Fixed a regression in Django 3.0 that didn't include subqueries spanning
  multivalued relations in the ``GROUP BY`` clause (:ticket:`31150`).
Added stub release notes for 3.0.4. 2020-02-03 09:23:54 +00:00			`==========================`
			`Django 3.0.4 release notes`
			`==========================`

Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle. Thanks to Norbert Szetei for the report. 2020-02-24 13:46:28 +00:00			`March 4, 2020`
Added stub release notes for 3.0.4. 2020-02-03 09:23:54 +00:00
Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle. Thanks to Norbert Szetei for the report. 2020-02-24 13:46:28 +00:00			`Django 3.0.4 fixes a security issue and several bugs in 3.0.3.`

			CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle
			`============================================================================================================`

			`GIS functions and aggregates on Oracle were subject to SQL injection,`
			using a suitably crafted ``tolerance``.
Added "Bugfixes" section to release notes for 3.0.4. 2020-02-10 07:13:31 +00:00
			`Bugfixes`
			`========`

Fixed #31253 -- Fixed data loss possibility when using caching from async code. Case missed in a415ce70bef6d91036b00dd2c8544aed7aeeaaed. 2020-02-07 01:59:20 +00:00			`* Fixed a data loss possibility when using caching from async code`
			(:ticket:`31253`).
Fixed #31240 -- Properly closed FileResponse when wsgi.file_wrapper is used. Thanks to Oskar Persson for the report. 2020-02-07 11:55:59 +00:00
			`* Fixed a regression in Django 3.0 that caused a file response using a`
			temporary file to be closed incorrectly (:ticket:`31240`).
Fixed #31246 -- Fixed locking models in QuerySet.select_for_update(of=()) for related fields and parent link fields with multi-table inheritance. Partly regression in 0107e3d1058f653f66032f7fd3a0bd61e96bf782. 2020-02-08 04:52:09 +00:00
			`* Fixed a data loss possibility in the`
			:meth:`~django.db.models.query.QuerySet.select_for_update`. When using
			related fields or parent link fields with :ref:`multi-table-inheritance` in
			the ``of`` argument, the corresponding models were not locked
			(:ticket:`31246`).
Fixed #31271 -- Preserved ordering when unifying query parameters on Oracle. This caused misplacing parameters in logged SQL queries. Regression in 79065b55a70cd220820a260a1c54851b7be0615a. Thanks Hans Aarne Liblik for the report. 2020-02-18 10:45:12 +00:00
			`* Fixed a regression in Django 3.0 that caused misplacing parameters in logged`
			SQL queries on Oracle (:ticket:`31271`).
Fixed #31312 -- Properly ordered temporal subtraction params on MySQL. Regression in 9bcbcd599abac91ea853b2fe10b784ba32df043e. Thanks rick2ricks for the report. 2020-02-27 05:34:37 +00:00
			`* Fixed a regression in Django 3.0.3 that caused misplacing parameters of SQL`
			queries when subtracting ``DateField`` or ``DateTimeField`` expressions on
			MySQL (:ticket:`31312`).
Fixed #31150 -- Included subqueries that reference related fields in GROUP BY clauses. Thanks Johannes Hoppe for the report. Regression in fb3f034f1c63160c0ff13c609acd01c18be12f80. Co-authored-by: Simon Charette <charette.s@gmail.com> 2020-03-02 12:20:36 +00:00
			`* Fixed a regression in Django 3.0 that didn't include subqueries spanning`
			multivalued relations in the ``GROUP BY`` clause (:ticket:`31150`).