django/docs/releases/5.1.5.txt

==========================
Django 5.1.5 release notes
==========================

*January 14, 2025*

Django 5.1.5 fixes a security issue with severity "moderate" and one bug in
5.1.4.

CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
============================================================================

Lack of upper bound limit enforcement in strings passed when performing IPv6
validation could lead to a potential denial-of-service attack. The undocumented
and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
vulnerable, as was the  :class:`django.forms.GenericIPAddressField` form field,
which has now been updated to define a ``max_length`` of 39 characters.

The :class:`django.db.models.GenericIPAddressField` model field was not
affected.

Bugfixes
========

* Fixed a crash when applying migrations with references to the removed
  ``Meta.index_together`` option (:ticket:`34856`).
Added stub release notes for 5.1.5. 2024-12-04 16:23:59 +01:00			`==========================`
			`Django 5.1.5 release notes`
			`==========================`

Added stub release notes and release date for 5.1.5, 5.0.11, and 4.2.18. 2025-01-07 12:28:39 -03:00			`January 14, 2025`
Added stub release notes for 5.1.5. 2024-12-04 16:23:59 +01:00
Made cosmetic edits to 5.1.5 release notes. 2025-01-14 08:33:03 -03:00			`Django 5.1.5 fixes a security issue with severity "moderate" and one bug in`
			`5.1.4.`
Added stub release notes for 5.1.5. 2024-12-04 16:23:59 +01:00
Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation. Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> 2024-12-11 21:39:32 -05:00			`CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation`
			`============================================================================`

			`Lack of upper bound limit enforcement in strings passed when performing IPv6`
			`validation could lead to a potential denial-of-service attack. The undocumented`
			and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
			vulnerable, as was the :class:`django.forms.GenericIPAddressField` form field,
			which has now been updated to define a ``max_length`` of 39 characters.

			The :class:`django.db.models.GenericIPAddressField` model field was not
			`affected.`

Added stub release notes for 5.1.5. 2024-12-04 16:23:59 +01:00			`Bugfixes`
			`========`

Fixed #34856 -- Fixed references to index_together in historical migrations. While AlterUniqueTogether has been documented to be still allowed in historical migrations for the foreseeable future it has been crashing since 2abf417c815c20 was merged because the latter removed support for Meta.index_together which the migration framework uses to render models to perform schema changes. CreateModel(options["unique_together"]) was also affected. Refs #27236. Co-authored-by: Simon Charette <charette.s@gmail.com> 2024-12-16 13:54:51 +01:00			`* Fixed a crash when applying migrations with references to the removed`
			``Meta.index_together`` option (:ticket:`34856`).