==========================
Django 5.0.3 release notes
==========================

*March 4, 2024*

Django 5.0.3 fixes a security issue with severity "moderate" and several bugs
in 5.0.2.

CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
=========================================================================================================

The ``django.utils.text.Truncator.words()`` method (with ``html=True``) and
the :tfilter:`truncatewords_html` template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(follow up to :cve:`2019-14232` and :cve:`2023-43665`).

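A triage sketch for the advisory above, added here and not part of Django or its release notes: it reports whether a project pins a 5.0.x release older than 5.0.3 and where it calls the affected filter or method. The sample requirements text, file names and file contents are constructed, and the script assumes exact ``Django==`` pins and literal ``html=True`` arguments.

```python
import re

FIXED = (5, 0, 3)  # first 5.0.x release carrying the fix, per these notes

# Call sites named in the advisory. Assumption: html=True is written literally;
# a call such as .words(n, html=flag) is not detected by this pattern.
FILTER_RE = re.compile(r"\|\s*truncatewords_html\b")
WORDS_RE = re.compile(r"\.words\s*\([^)]*\bhtml\s*=\s*True")
PIN_RE = re.compile(r"^\s*django\s*==\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:#.*)?$", re.I)

def pinned_django(requirements):
    """Return the exactly pinned Django version as a tuple, or None."""
    for line in requirements.splitlines():
        m = PIN_RE.match(line)
        if m:
            return tuple(int(g or 0) for g in m.groups())
    return None

def needs_upgrade(version):
    """True for 5.0.x pins older than 5.0.3 (other series are out of scope)."""
    return version is not None and version[:2] == (5, 0) and version < FIXED

def find_call_sites(files):
    """Map path -> 1-based line numbers using the affected filter or method."""
    hits = {}
    for path, text in files.items():
        lines = [n for n, line in enumerate(text.splitlines(), 1)
                 if FILTER_RE.search(line) or WORDS_RE.search(line)]
        if lines:
            hits[path] = lines
    return hits

def triage(requirements, files):
    """Combine the version check and the call-site scan into one report."""
    version = pinned_django(requirements)
    sites = find_call_sites(files)
    upgrade = needs_upgrade(version)
    return {"version": version, "upgrade": upgrade,
            "call_sites": sites, "exposed": upgrade and bool(sites)}

# Constructed sample project, not taken from any real code base.
SAMPLE_REQUIREMENTS = "requests==2.31.0\nDjango==5.0.2  # pinned\n"
SAMPLE_FILES = {
    "templates/post.html": "<h1>{{ t }}</h1>\n{{ body|truncatewords_html:30 }}\n",
    "blog/utils.py": "def teaser(s):\n    return Truncator(s).words(20, html=True)\n",
    "blog/plain.py": "Truncator(s).words(20)\n",
}
```

The ``exposed`` flag is only a prioritisation hint: a project with no detected call sites can still reach the code through third-party templates, so the upgrade applies either way.
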
Bugfixes
========

* Fixed a regression in Django 5.0.2 where ``intcomma`` template filter could
  return a leading comma for string representation of floats (:ticket:`35172`).

* Fixed a bug in Django 5.0 that caused a crash of ``Signal.asend()`` and
  ``asend_robust()`` when all receivers were asynchronous functions
  (:ticket:`35174`).

* Fixed a regression in Django 5.0.1 where :meth:`.ModelAdmin.lookup_allowed`
  would prevent filtering against foreign keys using lookups like ``__isnull``
  when the field was not included in :attr:`.ModelAdmin.list_filter`
  (:ticket:`35173`).

* Fixed a regression in Django 5.0 that caused a crash of
  ``@sensitive_variables`` and ``@sensitive_post_parameters`` decorators on
  functions loaded from ``.pyc`` files (:ticket:`35187`).

* Fixed a regression in Django 5.0 that caused a crash when reloading a test
  database and a base queryset for a base manager used ``prefetch_related()``
  (:ticket:`35238`).

* Fixed a bug in Django 5.0 where facet filters in the admin would crash on a
  ``SimpleListFilter`` using a queryset without primary keys (:ticket:`35198`).