and clean, pragmatic design. Django was designed to make common Web-development
2025-06-10 16:41:50 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django: updated to 5.2.3
Django 5.2.3 fixes several bugs in 5.2.2. Also, the latest string translations from Transifex are incorporated.
Bugfixes
Fixed a log injection possibility by migrating remaining response logging to django.utils.log.log_response(), which safely escapes arguments such as the request path to prevent unsafe log output (CVE-2025-48432).
Fixed a regression in Django 5.2 that caused QuerySet.bulk_update() to incorrectly convert None to JSON null instead of SQL NULL for JSONField.
Fixed a regression in Django 5.2.2 where the q parameter was removed from the internal django.http.MediaType.params property.

2025-06-09 12:20:19 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django: updated to 5.2.2
Django 5.2.2 fixes a security issue with severity “low” and several bugs in 5.2.1.
CVE-2025-48432: Potential log injection via unescaped request path
Internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals.
Although this does not directly impact Django’s security model, it poses risks when logs are consumed or interpreted by other tools. To fix this, the internal django.utils.log.log_response() function now escapes all positional formatting arguments using a safe encoding.
Bugfixes
Fixed a crash when using select_related against a ForeignObject originating from a model with a CompositePrimaryKey.
Fixed a bug in Django 5.2 where subqueries using "pk" to reference models with a CompositePrimaryKey failed to raise ValueError when too many or too few columns were selected.
Fixed a regression in Django 5.2 that caused a crash when no arguments were passed into QuerySet.union().
Fixed a regression in Django 5.2 where subclasses of RemoteUserMiddleware that had overridden process_request() were no longer supported.
Fixed a regression in Django 5.2 that caused a crash when using OuterRef in the filter argument of an Aggregate expression.
Fixed a regression in Django 5.2 that caused a crash when using OuterRef in PostgreSQL aggregate functions ArrayAgg, StringAgg, and JSONBAgg.
Fixed a regression in Django 5.2 where admin’s filter_horizontal buttons lacked type="button", causing them to intercept form submission when pressing the Enter key.
Fixed a bug in Django 5.2 where calling QuerySet.in_bulk() with an id_list argument on models with a CompositePrimaryKey failed to observe database parameter limits.
Fixed a bug in Django 5.2 where HttpRequest.get_preferred_type() did not account for media type parameters in Accept headers, reducing specificity in content negotiation.
Fixed a regression in Django 5.2 that caused a crash when using QuerySet.prefetch_related() to prefetch a foreign key with a Prefetch queryset for a subclass of the foreign target.
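The log injection described for CVE-2025-48432, shown as an added Python example that is not Django's own code: the same response line is rendered once with the raw request path and once with every positional argument escaped first, which is the approach the fix takes. The hostile path, the logger names and the escaping via unicode_escape are assumptions of this example.

```python
import io
import logging

# Constructed hostile request path: a newline followed by text shaped like a
# second log record, then an ANSI colour escape (assumed attacker input).
HOSTILE_PATH = "/login\n[2025-06-10 16:41:50] WARNING forged: admin logged in\x1b[31m"


def escape_log_arg(arg):
    """Escape one positional formatting argument (illustrative, not Django's code).

    unicode_escape rewrites a newline as the two characters backslash and n, and
    ESC as backslash-x-1-b, so the rendered line cannot carry raw control
    characters or line breaks."""
    if isinstance(arg, str):
        return arg.encode("unicode_escape").decode("ascii")
    return arg


def log_response(logger, message, *args, status_code, escape=True):
    """Log a response with every positional argument escaped before formatting.
    escape=False reproduces the unsafe pre-fix behaviour for comparison."""
    level = logging.ERROR if status_code >= 500 else logging.WARNING
    if escape:
        args = tuple(escape_log_arg(a) for a in args)
    logger.log(level, message, *args)


def render_log(escape):
    """Return the text a StreamHandler writes for one hostile 404 response."""
    buf = io.StringIO()
    logger = logging.getLogger(f"example.escape_{escape}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    log_response(logger, "%s: %s", "Not Found", HOSTILE_PATH,
                 status_code=404, escape=escape)
    return buf.getvalue()


if __name__ == "__main__":
    print(repr(render_log(escape=False)))  # two records, raw ESC byte kept
    print(repr(render_log(escape=True)))   # one record, escapes literalised
```

Note that unicode_escape also rewrites non-ASCII characters (an accented path becomes \xNN sequences), so the log stays single-line and terminal-safe at the cost of readability for such paths.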

2025-05-10 20:20:17 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django: updated to 5.2.1
Django 5.2.1 fixes a security issue with severity “moderate” and several bugs in 5.2.
CVE-2025-32873: Denial-of-service possibility in strip_tags()
Bugfixes
Fixed a regression in Django 5.2 that caused a crash when annotating aggregate expressions over a query that uses explicit grouping by transforms followed by field references.
Fixed a regression in Django 5.2 that caused unnecessary queries when prefetching nullable foreign key relationships.
Fixed a regression in Django 5.2 that caused a crash of QuerySet.bulk_create() with nullable geometry fields on PostGIS.
Fixed a regression in Django 5.2 that caused fields to be incorrectly selected when using QuerySet.alias() after values().
Fixed a data corruption possibility in file_move_safe() when allow_overwrite=True, where leftover content from a previously larger file could remain after overwriting with a smaller one due to lack of truncation.
Fixed a regression in Django 5.2 that caused a crash when using QuerySet.select_for_update(of=(…)) with values()/values_list() including expressions.
Fixed a regression in Django 5.2 that caused improper values to be returned from QuerySet.values_list() when duplicate field names were specified.
Fixed a regression in Django 5.2 where the password validation error message from MinimumLengthValidator was not translated when using non-English locales.
Fixed a regression in Django 5.2 that caused the object-tools block to be rendered twice when using custom admin templates with overridden blocks due to changes in the base admin page block structure.
Fixed a regression in Django 5.2, introduced when fixing CVE-2025-26699, where the wordwrap template filter did not preserve empty lines between paragraphs after wrapping text.
Fixed a regression in Django 5.2 that caused a crash when serializing email alternatives or attachments due to named tuple mismatches.
Fixed a regression in Django 5.2 that caused a crash when using update() on a QuerySet filtered against a related model and including references to annotations through values().
Fixed a bug in Django 5.2 that caused composite primary key introspection to wrongly identify IntegerField as AutoField on SQLite.
Fixed a bug in Django 5.2 that caused a redundant unique_together constraint to be generated for composite primary keys when using inspectdb.

2025-04-14 16:20:54 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
py-django: updated to 5.2
Django 5.2.
The release notes showcase a composite of new features. A few highlights are:
All models are automatically imported in the shell by default.
Django now supports composite primary keys! The new django.db.models.CompositePrimaryKey allows tables to be created with a primary key consisting of multiple fields.
Overriding a BoundField got a lot easier: this can now be set on a form, field or project level.

2025-03-06 17:05:55 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django: updated to 5.1.7
Django 5.1.7 fixes a security issue with severity “moderate” and several bugs in 5.1.6.
CVE-2025-26699: Potential denial-of-service vulnerability in django.utils.text.wrap()
The wrap() and wordwrap template filter were subject to a potential denial-of-service attack when used with very long strings.
Bugfixes
Fixed a bug in Django 5.1 where the {% querystring %} template tag returned an empty string rather than "?" when all parameters had been removed from the query string.
Fixed a bug in Django 5.1 where FileSystemStorage, with allow_overwrite set to True, did not truncate the overwritten file content.
Fixed a regression in Django 5.1 where the count and exists methods of ManyToManyField related managers would always return 0 and False when the intermediary model back references used to_field.
Fixed a regression in Django 5.1 where the pre_save and post_save signals for LogEntry were not sent when deleting a single object in the admin.
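The missing-truncation defect behind both the FileSystemStorage allow_overwrite fix in 5.1.7 and the file_move_safe() fix in 5.2.1, as an added Python example that is not Django's own code: overwriting a larger file by opening it without O_TRUNC leaves the stale tail of the old content on disk, while opening with O_TRUNC (the remedy this example assumes the fixes apply) yields exactly the new content. File names and contents are constructed for the example.

```python
import os
import tempfile

# Constructed sample contents: the existing file is larger than its replacement.
OLD_CONTENT = b"A" * 32
NEW_CONTENT = b"B" * 8


def copy_into(path, data, truncate):
    """Write data over an existing file the way a chunked copy does when a
    rename is not possible. truncate=False omits O_TRUNC, reproducing the defect
    described above: bytes beyond the new length survive from the old file."""
    flags = os.O_WRONLY | os.O_CREAT | getattr(os, "O_BINARY", 0)
    if truncate:
        flags |= os.O_TRUNC
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def overwrite_and_read(truncate):
    """Create a larger file, overwrite it with smaller content, and return what
    a later reader actually gets back from disk."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "upload.bin")
        with open(path, "wb") as f:
            f.write(OLD_CONTENT)
        copy_into(path, NEW_CONTENT, truncate=truncate)
        with open(path, "rb") as f:
            return f.read()


if __name__ == "__main__":
    print(overwrite_and_read(truncate=False))  # new bytes followed by stale old tail
    print(overwrite_and_read(truncate=True))   # exactly the new content
```

The untruncated result is what makes this a data corruption issue rather than a cosmetic one: a consumer reading the stored file receives the new upload spliced together with the tail of whatever was previously stored under that name.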

2025-03-05 11:40:59 by Thomas Klausner | Files touched by this commit (1)
Log message:
py-django: fix wheel name for latest setuptools and depend on it
Bump PKGREVISION.

2025-02-05 21:51:59 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django: updated to 5.1.6
Django 5.1.6 fixes several bugs in 5.1.5.
Bugfixes
Fixed a regression in Django 5.1.5 that caused validate_ipv6_address() and validate_ipv46_address() to crash when handling non-string values.
Fixed a regression in Django 5.1 where password fields, despite being set to required=False, were still treated as required in forms derived from BaseUserCreationForm.

2025-01-14 16:55:07 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django: updated to 5.1.5
Django 5.1.5 fixes a security issue with severity “moderate” and one bug in 5.1.4.
CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
Lack of upper bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address were vulnerable, as was the django.forms.GenericIPAddressField form field, which has now been updated to define a max_length of 39 characters.
The django.db.models.GenericIPAddressField model field was not affected.
Bugfixes
Fixed a crash when applying migrations with references to the removed Meta.index_together option.