Subject: CVS commit: pkgsrc/www/py-django3
From: Adam Ciarcinski
Date: 2021-07-06 07:57:43
Message id: 20210706055743.6364BFA95@cvs.NetBSD.org

Log Message:
py-django3: updated to 3.2.5

Django 3.2.5 fixes a security issue with severity “high” and several bugs in 3.2.4. Also, the latest string translations from Transifex are incorporated.

CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input

Unsanitized user input passed to QuerySet.order_by() could bypass intended column reference validation in path marked for deprecation resulting in a potential SQL injection even if a deprecation warning is emitted.

As a mitigation the strict column reference validation was restored for the duration of the deprecation period. This regression appeared in 3.1.

The issue is not present in the main branch as the deprecated path has been removed.

Bugfixes

Fixed a regression in Django 3.2 that caused a crash of QuerySet.values_list(…, named=True) after prefetch_related().
Fixed a bug in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when altering BinaryField, JSONField, or TextField to non-nullable.
Fixed a regression in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when adding nullable BinaryField, JSONField, or TextField with a default value.
Fixed a bug in Django 3.2 where a system check would crash on a model with an invalid app_label.

Files:
Revision  Action  file
1.17      modify  pkgsrc/www/py-django3/Makefile
1.17      modify  pkgsrc/www/py-django3/distinfo
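
The CVE-2021-35042 entry in the log message above concerns request data reaching QuerySet.order_by(). The following is an added example, not part of this commit or of Django's own code: an application-side allowlist that maps a user-supplied sort parameter to order_by() arguments. The field names, the limits and the safe_ordering helper are assumptions made for illustration.

```python
# Added example: allowlist validation for a user-supplied sort parameter.
# Field names and the helper name are hypothetical, not Django's own code.
from typing import Iterable, List

ALLOWED_SORT_FIELDS = frozenset({"title", "created", "author__name"})  # assumed model fields
DEFAULT_ORDERING = ["-created"]  # assumed default
MAX_SORT_KEYS = 3                # assumed limit on the number of sort keys


def safe_ordering(raw,
                  allowed: Iterable[str] = ALLOWED_SORT_FIELDS,
                  default: List[str] = DEFAULT_ORDERING) -> List[str]:
    """Turn a request value such as "title,-created" into order_by() arguments.

    Each key must be exactly an allowlisted name, optionally prefixed with "-".
    If any key fails the check the whole value is discarded and the default is
    returned, so only allowlisted names ever reach order_by().
    """
    allowed = frozenset(allowed)
    if not isinstance(raw, str) or not raw.strip():
        return list(default)
    keys = [k.strip() for k in raw.split(",")]
    if len(keys) > MAX_SORT_KEYS:
        return list(default)
    result: List[str] = []
    seen = set()
    for key in keys:
        descending = key.startswith("-")
        name = key[1:] if descending else key
        if name not in allowed:
            return list(default)  # reject the whole value, do not try to repair it
        if name in seen:
            continue              # ignore a repeated field
        seen.add(name)
        result.append(("-" if descending else "") + name)
    return result or list(default)


if __name__ == "__main__":
    # Constructed sample inputs, as they might arrive in a "sort" query parameter.
    for sample in ["title", "-created,title", "title.x", "", "no_such_field"]:
        print(repr(sample), "->", safe_ordering(sample))
    # In a view: queryset.order_by(*safe_ordering(request.GET.get("sort", "")))
```
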