./www/py-django, Django, a high-level Python Web framework



Branch: CURRENT, Version: 5.2.3, Package name: py312-django-5.2.3, Maintainer: pkgsrc-users

Django is a high-level Python Web framework that encourages rapid development
and clean, pragmatic design. Django was designed to make common Web-development
tasks fast and easy.


Required to run:
[devel/py-setuptools] [time/py-pytz] [lang/python37]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 10595.999 KB



CVS history:


   2025-06-10 16:41:50 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django: updated to 5.2.3

Django 5.2.3 fixes several bugs in 5.2.2. Also, the latest string translations from Transifex are incorporated.

Bugfixes

Fixed a log injection possibility by migrating remaining response logging to django.utils.log.log_response(), which safely escapes arguments such as the request path to prevent unsafe log output (CVE 2025-48432).

Fixed a regression in Django 5.2 that caused QuerySet.bulk_update() to incorrectly convert None to JSON null instead of SQL NULL for JSONField

Fixed a regression in Django 5.2.2 where the q parameter was removed from the internal django.http.MediaType.params property
   2025-06-09 12:20:19 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django: updated to 5.2.2

Django 5.2.2 fixes a security issue with severity “low” and several bugs in 5.2.1.

CVE-2025-48432: Potential log injection via unescaped request path

Internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals.

Although this does not directly impact Django’s security model, it poses risks when logs are consumed or interpreted by other tools. To fix this, the internal django.utils.log.log_response() function now escapes all positional formatting arguments using a safe encoding.

Bugfixes

Fixed a crash when using select_related against a ForeignObject originating from a model with a CompositePrimaryKey

Fixed a bug in Django 5.2 where subqueries using "pk" to reference models with a CompositePrimaryKey failed to raise ValueError when too many or too few columns were selected

Fixed a regression in Django 5.2 that caused a crash when no arguments were passed into QuerySet.union()

Fixed a regression in Django 5.2 where subclasses of RemoteUserMiddleware that had overridden process_request() were no longer supported

Fixed a regression in Django 5.2 that caused a crash when using OuterRef in the filter argument of an Aggregate expression

Fixed a regression in Django 5.2 that caused a crash when using OuterRef in PostgreSQL aggregate functions ArrayAgg, StringAgg, and JSONBAgg

Fixed a regression in Django 5.2 where admin’s filter_horizontal buttons lacked type="button", causing them to intercept form submission when pressing the Enter key

Fixed a bug in Django 5.2 where calling QuerySet.in_bulk() with an id_list argument on models with a CompositePrimaryKey failed to observe database parameter limits

Fixed a bug in Django 5.2 where HttpRequest.get_preferred_type() did not account for media type parameters in Accept headers, reducing specificity in content negotiation

Fixed a regression in Django 5.2 that caused a crash when using QuerySet.prefetch_related() to prefetch a foreign key with a Prefetch queryset for a subclass of the foreign target
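
The log injection described in the 5.2.2 entry above, shown as an added example that is not part of the commit message and is not Django's own code. It uses only the standard logging module; the logger name, helper names and sample path are constructed for illustration, and `unicode_escape` is an assumed choice of "safe encoding".

```python
import io
import logging


def escape_arg(value):
    """Render control characters, backslashes and non-ASCII as visible escapes."""
    return str(value).encode("unicode_escape").decode("ascii")


def _render(message, args, escape):
    """Emit one record through stdlib logging and return the text written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("example.request")  # hypothetical logger name
    logger.propagate = False
    logger.setLevel(logging.WARNING)
    logger.addHandler(handler)
    try:
        if escape:
            # Escape every positional argument before it reaches the format string.
            args = tuple(escape_arg(a) for a in args)
        logger.warning(message, *args)
    finally:
        logger.removeHandler(handler)
    return stream.getvalue()


def log_unescaped(path):
    """Pre-fix behaviour: the request path is interpolated as received."""
    return _render("Not Found: %s", (path,), escape=False)


def log_escaped(path):
    """Post-fix behaviour: the request path is escaped first."""
    return _render("Not Found: %s", (path,), escape=True)


# Constructed sample: a path carrying a newline, a look-alike log entry
# and an ANSI erase-line sequence.
FORGED = "/missing\nWARNING Not Found: /admin/\x1b[2K"

if __name__ == "__main__":
    print(log_unescaped(FORGED).splitlines())  # two apparent log entries
    print(log_escaped(FORGED).splitlines())    # one entry, escapes visible
```

A log consumer that splits on newlines sees two records from the unescaped call and one from the escaped call, which is the difference a parser or SIEM rule downstream depends on.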
   2025-05-10 20:20:17 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django: updated to 5.2.1

Django 5.2.1 fixes a security issue with severity “moderate” and several bugs in 5.2.

CVE-2025-32873: Denial-of-service possibility in strip_tags()

Bugfixes

Fixed a regression in Django 5.2 that caused a crash when annotating aggregate expressions over query that uses explicit grouping by transforms followed by field references

Fixed a regression in Django 5.2 that caused unnecessary queries when prefetching nullable foreign key relationships

Fixed a regression in Django 5.2 that caused a crash of QuerySet.bulk_create() with nullable geometry fields on PostGIS

Fixed a regression in Django 5.2 that caused fields to be incorrectly selected when using QuerySet.alias() after values()

Fixed a data corruption possibility in file_move_safe() when allow_overwrite=True, where leftover content from a previously larger file could remain after overwriting with a smaller one due to lack of truncation

Fixed a regression in Django 5.2 that caused a crash when using QuerySet.select_for_update(of=(…)) with values()/values_list() including expressions

Fixed a regression in Django 5.2 that caused improper values to be returned from QuerySet.values_list() when duplicate field names were specified

Fixed a regression in Django 5.2 where the password validation error message from MinimumLengthValidator was not translated when using non-English locales

Fixed a regression in Django 5.2 that caused the object-tools block to be rendered twice when using custom admin templates with overridden blocks due to changes in the base admin page block structure

Fixed a regression in Django 5.2, introduced when fixing CVE 2025-26699, where the wordwrap template filter did not preserve empty lines between paragraphs after wrapping text

Fixed a regression in Django 5.2 that caused a crash when serializing email alternatives or attachments due to named tuple mismatches

Fixed a regression in Django 5.2 that caused a crash when using update() on a QuerySet filtered against a related model and including references to annotations through values()

Fixed a bug in Django 5.2 that caused composite primary key introspection to wrongly identify IntegerField as AutoField on SQLite

Fixed a bug in Django 5.2 that caused a redundant unique_together constraint to be generated for composite primary keys when using inspectdb
   2025-04-14 16:20:54 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-django: updated to 5.2

Django 5.2.

The release notes showcase a composite of new features. A few highlights are:

All models are automatically imported in the shell by default.
Django now supports composite primary keys! The new django.db.models.CompositePrimaryKey allows tables to be created with a primary key consisting of multiple fields.
Overriding a BoundField got a lot easier: this can now be set on a form, field or project level.
   2025-03-06 17:05:55 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django: updated to 5.1.7

Django 5.1.7 fixes a security issue with severity “moderate” and several bugs in 5.1.6.

CVE-2025-26699: Potential denial-of-service vulnerability in django.utils.text.wrap()

The wrap() and wordwrap template filter were subject to a potential denial-of-service attack when used with very long strings.

Bugfixes

Fixed a bug in Django 5.1 where the {% querystring %} template tag returned an empty string rather than "?" when all parameters had been removed from the query string

Fixed a bug in Django 5.1 where FileSystemStorage, with allow_overwrite set to True, did not truncate the overwritten file content

Fixed a regression in Django 5.1 where the count and exists methods of ManyToManyField related managers would always return 0 and False when the intermediary model back references used to_field

Fixed a regression in Django 5.1 where the pre_save and post_save signals for LogEntry were not sent when deleting a single object in the admin
   2025-03-05 11:40:59 by Thomas Klausner | Files touched by this commit (1)
Log message:
py-django: fix wheel name for latest setuptools and depend on it

Bump PKGREVISION.
   2025-02-05 21:51:59 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django: updated to 5.1.6

Django 5.1.6 fixes several bugs in 5.1.5.

Bugfixes

Fixed a regression in Django 5.1.5 that caused validate_ipv6_address() and validate_ipv46_address() to crash when handling non-string values

Fixed a regression in Django 5.1 where password fields, despite being set to required=False, were still treated as required in forms derived from BaseUserCreationForm
   2025-01-14 16:55:07 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django: updated to 5.1.5

Django 5.1.5 fixes a security issue with severity “moderate” and one bug in 5.1.4.

CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation

Lack of upper bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address were vulnerable, as was the django.forms.GenericIPAddressField form field, which has now been updated to define a max_length of 39 characters.

The django.db.models.GenericIPAddressField model field was not affected.

Bugfixes

Fixed a crash when applying migrations with references to the removed Meta.index_together option