Next | Query returned 149 messages, browsing 1 to 10 | Previous

CVS Commit History:


   2024-12-04 21:19:44 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django: updated to 5.1.4

5.1.4

Django 5.1.4 fixes one security issue with severity “high”, one security issue with severity “moderate”, and several bugs in 5.1.3.

CVE-2024-53907: Denial-of-service possibility in strip_tags()

strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.

strip_tags() now has an upper limit of recursive calls to HTMLParser before raising a SuspiciousOperation exception.

Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape().

CVE-2024-53908: Potential SQL injection via HasKey(lhs, rhs) on Oracle

Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle was subject to SQL injection if untrusted data was used as a lhs value.

Applications that use the has_key lookup through the __ syntax are unaffected.

Bugfixes

Fixed a crash in createsuperuser on Python 3.13+ caused by an unhandled OSError when the username could not be determined

Fixed a regression in Django 5.1 where relational fields were not updated when calling Model.refresh_from_db() on instances with deferred fields
   2024-11-11 08:29:31 by Thomas Klausner | Files touched by this commit (862)
Log message:
py-*: remove unused tool dependency

py-setuptools includes the py-wheel functionality nowadays
   2024-11-05 09:35:58 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django: updated to 5.1.3

Django 5.1.3 fixes several bugs in 5.1.2 and adds compatibility with Python 3.13.

Bugfixes

Fixed a bug in Django 5.1 where DomainNameValidator accepted any input value that contained a valid domain name, rather than only input values that were a valid domain name

Fixed a regression in Django 5.1 that prevented the use of DB-IP databases with GeoIP2

Fixed a regression in Django 5.1 where non-ASCII fieldset names were not displayed when rendering admin fieldsets
   2024-10-14 08:46:10 by Thomas Klausner | Files touched by this commit (325)
Log message:
*: clean-up after python38 removal
   2024-10-08 19:42:20 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-django: updated to 5.1.2

5.1.2

Fixed a regression in Django 5.1 that caused a crash when using the PostgreSQL lookup trigram_similar on output fields from Concat
Fixed a regression in Django 5.1 that caused a crash of JSONObject() when using server-side binding with PostgreSQL 16+
Fixed a regression in Django 5.1 that made selected items in multi-select widgets indistinguishable from non-selected items in the admin dark theme
   2024-05-07 20:16:55 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django: updated to 5.0.6

Django 5.0.6 fixes a packaging error in 5.0.5.
   2024-05-07 05:55:16 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django: updated to 5.0.5

Django 5.0.5 fixes several bugs in 5.0.4.

Fixed a bug in Django 5.0 that caused a crash of Model.save() when creating an instance of a model with a GeneratedField and providing a primary key
Fixed a compatibility issue encountered in Python 3.11.9+ and 3.12.3+ when validating email max line lengths with content decoded using the surrogateescape error handling scheme
Fixed a bug in Django 5.0 that caused a crash when applying migrations including alterations to GeneratedField such as setting db_index=True on SQLite
Allowed importing aprefetch_related_objects from django.db.models
Fixed a bug in Django 5.0 that caused a migration crash when a GeneratedField was added before any of the referenced fields from its expression definition
Fixed a bug in Django 5.0 that caused a migration crash when altering a GeneratedField referencing a renamed field
Fixed a bug in Django 5.0 where the querysets argument of GenericPrefetch was not required
   2024-04-05 12:40:17 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django: updated to 5.0.4

Django 5.0.4 fixes several bugs in 5.0.3.

Bugfixes

Fixed a bug in Django 5.0 that caused a crash of Model.full_clean() on fields with expressions in db_default. As a consequence, Model.full_clean() no longer validates for empty values in fields with db_default
Fixed a regression in Django 5.0 where the AdminFileWidget could be rendered with two id attributes on the “Clear” checkbox
Fixed a bug in Django 5.0 that caused a migration crash on PostgreSQL 15+ when adding a partial UniqueConstraint with nulls_distinct
Fixed a crash in Django 5.0 when performing queries involving table aliases and lookups on a GeneratedField of the aliased table
Fixed a bug in Django 5.0 that caused a migration crash when adding a GeneratedField relying on the __contains or __icontains lookups or using a Value containing a "%"
   2024-03-04 16:49:51 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django: updated to 5.0.3

Django 5.0.3 fixes a security issue with severity “moderate” and several bugs in 5.0.2.

CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()

django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665).

Bugfixes

Fixed a regression in Django 5.0.2 where intcomma template filter could return a leading comma for string representation of floats.
Fixed a bug in Django 5.0 that caused a crash of Signal.asend() and asend_robust() when all receivers were asynchronous functions.
Fixed a regression in Django 5.0.1 where ModelAdmin.lookup_allowed() would prevent filtering against foreign keys using lookups like __isnull when the field was not included in ModelAdmin.list_filter.
Fixed a regression in Django 5.0 that caused a crash of @sensitive_variables and @sensitive_post_parameters decorators on functions loaded from .pyc files.
Fixed a regression in Django 5.0 that caused a crash when reloading a test database and a base queryset for a base manager used prefetch_related().
Fixed a bug in Django 5.0 where facet filters in the admin would crash on a SimpleListFilter using a queryset without primary keys.
   2024-02-09 11:34:29 by Adam Ciarcinski | Files touched by this commit (4)
Log message:
Replace databases/py-mysqldb with databases/py-mysqlclient
