========================== Django 5.0.7 release notes ========================== *July 9, 2024* Django 5.0.7 fixes two security issues with severity "moderate", two security issues with severity "low", and several bugs in 5.0.6. CVE-2024-38875: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` =========================================================================================== :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential denial-of-service attack via certain inputs with a very large number of brackets. CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords ================================================================================================ The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method allowed remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords. Bugfixes ======== * Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on unsaved model instances with a ``GeneratedField`` and certain defined :attr:`Meta.constraints ` (:ticket:`35560`).