mirror of
https://github.com/django/django.git
synced 2024-12-23 09:36:06 +00:00
c87bfaacf8
Thanks Eyal (eyalgabay) for the report.
68 lines
3.0 KiB
Plaintext
68 lines
3.0 KiB
Plaintext
==========================
|
|
Django 5.0.8 release notes
|
|
==========================
|
|
|
|
*August 6, 2024*
|
|
|
|
Django 5.0.8 fixes three security issues with severity "moderate", one security
|
|
issue with severity "high", and several bugs in 5.0.7.
|
|
|
|
CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
|
|
================================================================================
|
|
|
|
If :tfilter:`floatformat` received a string representation of a number in
|
|
scientific notation with a large exponent, it could lead to significant memory
|
|
consumption.
|
|
|
|
To avoid this, decimals with more than 200 digits are now returned as is.
|
|
|
|
CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
|
|
===========================================================================================
|
|
|
|
:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
|
|
denial-of-service attack via very large inputs with a specific sequence of
|
|
characters.
|
|
|
|
CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
|
|
=======================================================================================================================
|
|
|
|
:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
|
|
subject to a potential denial-of-service attack via certain inputs with a very
|
|
large number of Unicode characters.
|
|
|
|
CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
|
|
======================================================================================
|
|
|
|
:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
|
|
with a ``JSONField`` were subject to SQL injection in column aliases, via a
|
|
crafted JSON object key as a passed ``*arg``.
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Added missing validation for ``UniqueConstraint(nulls_distinct=False)`` when
|
|
using ``*expressions`` (:ticket:`35594`).
|
|
|
|
* Fixed a regression in Django 5.0 where ``ModelAdmin.action_checkbox`` could
|
|
break the admin changelist HTML page when rendering a model instance with a
|
|
``__html__`` method (:ticket:`35606`).
|
|
|
|
* Fixed a crash when creating a model with a ``Field.db_default`` and a
|
|
``Meta.constraints`` constraint composed of ``__endswith``, ``__startswith``,
|
|
or ``__contains`` lookups (:ticket:`35625`).
|
|
|
|
* Fixed a regression in Django 5.0.7 that caused a crash in
|
|
``LocaleMiddleware`` when processing a language code over 500 characters
|
|
(:ticket:`35627`).
|
|
|
|
* Fixed a bug in Django 5.0 that caused a system check crash when
|
|
``ModelAdmin.date_hierarchy`` was a ``GeneratedField`` with an
|
|
``output_field`` of ``DateField`` or ``DateTimeField`` (:ticket:`35628`).
|
|
|
|
* Fixed a bug in Django 5.0 which caused constraint validation to either crash
|
|
or incorrectly raise validation errors for constraints referring to fields
|
|
using ``Field.db_default`` (:ticket:`35638`).
|
|
|
|
* Fixed a crash in Django 5.0 when saving a model containing a ``FileField``
|
|
with a ``db_default`` set (:ticket:`35657`).
|