Log message:
py-django3: updated to 3.2.5

Django 3.2.5 fixes a security issue with severity “high” and several bugs in \ 
3.2.4. Also, the latest string translations from Transifex are incorporated.

CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input

Unsanitized user input passed to QuerySet.order_by() could bypass intended \ 
column reference validation in path marked for deprecation resulting in a \ 
potential SQL injection even if a deprecation warning is emitted.

As a mitigation the strict column reference validation was restored for the \ 
duration of the deprecation period. This regression appeared in 3.1.

The issue is not present in the main branch as the deprecated path has been removed.

Bugfixes

Fixed a regression in Django 3.2 that caused a crash of \ 
QuerySet.values_list(…, named=True) after prefetch_related().
Fixed a bug in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when \ 
altering BinaryField, JSONField, or TextField to non-nullable.
Fixed a regression in Django 3.2 that caused a migration crash on MySQL 8.0.13+ \ 
when adding nullable BinaryField, JSONField, or TextField with a default value.
Fixed a bug in Django 3.2 where a system check would crash on a model with an \ 
invalid app_label

Log message:
py-django3: updated to 3.2.4

Django 3.2.4 fixes two security issues and several bugs in 3.2.3.

CVE-2021-33203: Potential directory traversal via admindocs

Staff members could use the admindocs TemplateDetailView view to check the \ 
existence of arbitrary files. Additionally, if (and only if) the default \ 
admindocs templates have been customized by the developers to also expose the \ 
file contents, then not only the existence but also the file contents would have \ 
been exposed.

As a mitigation, path sanitation is now applied and only files within the \ 
template root directories can be loaded.

CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since \ 
validators accepted leading zeros in IPv4 addresses¶

URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn’t \ 
prohibit leading zeros in octal literals. If you used such values you could \ 
suffer from indeterminate SSRF, RFI, and LFI attacks.

validate_ipv4_address() and validate_ipv46_address() validators were not \ 
affected on Python 3.9.5+.

Bugfixes

Fixed a bug in Django 3.2 where a final catch-all view in the admin didn’t \ 
respect the server-provided value of SCRIPT_NAME when redirecting \ 
unauthenticated users to the login page
Fixed a bug in Django 3.2 where a system check would crash on an abstract model
Prevented unnecessary initialization of unused caches following a regression in \ 
Django 3.2
Fixed a crash in Django 3.2 that could occur when running mod_wsgi with the \ 
recommended settings while the Windows colorama library was installed
Fixed a bug in Django 3.2 that would trigger the auto-reloader for template \ 
changes when directory paths were specified with strings
Fixed a regression in Django 3.2 that caused a crash of auto-reloader with \ 
AttributeError, e.g. inside a Conda environment
Fixed a regression in Django 3.2 that caused a loss of precision for operations \ 
with DecimalField on MySQL

Log message:
py-django3: updated to 3.2.3

Django 3.2.3 fixes several bugs in 3.2.2.

Bugfixes

Prepared for mysqlclient > 2.0.3 support.
Fixed a regression in Django 3.2 that caused the incorrect filtering of \ 
querysets combined with the | operator.
Fixed a regression in Django 3.2.1 where saving FileField would raise a \ 
SuspiciousFileOperation even when a custom upload_to returns a valid file path.

Django 3.2.2 fixes a security issue and a bug in 3.2.1.

CVE-2021-32052: Header injection possibility since URLValidator accepted \ 
newlines in input on Python 3.9.5+

On Python 3.9.5+, URLValidator didn’t prohibit newlines and tabs. If you used \ 
values with newlines in HTTP response, you could suffer from header injection \ 
attacks. Django itself wasn’t vulnerable because HttpResponse prohibits \ 
newlines in HTTP headers.

Moreover, the URLField form field which uses URLValidator silently removes \ 
newlines and tabs on Python 3.9.5+, so the possibility of newlines entering your \ 
data only existed if you are using this validator outside of the form fields.

This issue was introduced by the bpo-43882 fix.

Log message:
py-django3: updated to 3.2.1

Django 3.2.1

CVE-2021-31542: Potential directory-traversal via uploaded files
MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via \ 
uploaded files with suitably crafted file names.
In order to mitigate this risk, stricter basename and path sanitation is now \ 
applied. Specifically, empty file names and paths with dot segments will be \ 
rejected.

Bugfixes

Corrected detection of GDAL 3.2 on Windows.
Fixed a bug in Django 3.2 where subclasses of BigAutoField and SmallAutoField \ 
were not allowed for the DEFAULT_AUTO_FIELD setting.
Fixed a regression in Django 3.2 that caused a crash of \ 
QuerySet.values()/values_list() after QuerySet.union(), intersection(), and \ 
difference() when it was ordered by an unannotated field.
Restored, following a regression in Django 3.2, displaying an exception message \ 
on the technical 404 debug page.
Fixed a bug in Django 3.2 where a system check would crash on a reverse \ 
one-to-one relationships in CheckConstraint.check or UniqueConstraint.condition.
Fixed a regression in Django 3.2 that caused a crash of ModelAdmin.search_fields \ 
when searching against phrases with unbalanced quotes.
Fixed a bug in Django 3.2 where variable lookup errors were logged rendering the \ 
sitemap template if alternates were not defined.
Fixed a regression in Django 3.2 that caused a crash when combining Q() objects \ 
which contains boolean expressions.
Fixed a regression in Django 3.2 that caused a crash of QuerySet.update() on a \ 
queryset ordered by inherited or joined fields on MySQL and MariaDB.
Fixed a regression in Django 3.2 that caused a crash when decoding a cookie \ 
value, used by django.contrib.messages.storage.cookie.CookieStorage, in the \ 
pre-Django 3.2 format.
Fixed a regression in Django 3.2 that stopped the shift-key modifier selecting \ 
multiple rows in the admin changelist.
Fixed a bug in Django 3.2 where a system check would crash on the \ 
STATICFILES_DIRS setting with a list of 2-tuples of (prefix, path).
Fixed a long standing bug involving queryset bitwise combination when used with \ 
subqueries that began manifesting in Django 3.2, due to a separate fix using \ 
Exists to exclude() multi-valued relationships.
Fixed a bug in Django 3.2 where variable lookup errors were logged when \ 
rendering some admin templates.
Fixed a bug in Django 3.2 where an admin changelist would crash when deleting \ 
objects filtered against multi-valued relationships. The admin changelist now \ 
uses Exists() instead QuerySet.distinct() because calling delete() after \ 
distinct() is not allowed in Django 3.2 to address a data loss possibility.
Fixed a regression in Django 3.2 where the calling process environment would not \ 
be passed to the dbshell command on PostgreSQL.
Fixed a performance regression in Django 3.2 when building complex filters with \ 
subqueries. As a side-effect the private API to check django.db.sql.query.Query \ 
equality is removed.

Django 3.2.0:
Automatic AppConfig discovery simplifies configuration of pluggable applications.
Customizing the type of auto-created primary keys begins a process of migrating \ 
to BigAutoField primary key fields by default.
Functional indexes can now be created on expressions and database functions.

Log message:
py-django3: updated to 3.1.7

Django 3.1.7 fixes a security issue and a bug in 3.1.6.

CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()

Django contains a copy of urllib.parse.parse_qsl() which was added to backport \ 
some security fixes. A further security fix has been issued recently such that \ 
parse_qsl() no longer allows using ; as a query parameter separator by default. \ 
Django now includes this fix. See bpo-42967 for further details.

Bugfixes

Fixed a regression in Django 3.1 that caused RuntimeError instead of connection \ 
errors when using only the 'postgres' database

Log message:
py-django3: updated to 3.1.6

Django 3.1.6 fixes a security issue with severity “low” and a bug in 3.1.5.

CVE-2021-3281: Potential directory-traversal via archive.extract()

The django.utils.archive.extract() function, used by startapp --template and \ 
startproject --template, allowed directory-traversal via an archive with \ 
absolute paths or relative paths with dot segments.

Bugfixes

Fixed an admin layout issue in Django 3.1 where changelist filter controls would \ 
become squashed

Log message:
py-django3: updated to 3.1.5

Django 3.1.5 fixes several bugs in 3.1.4.

Fixed __isnull=True lookup on key transforms for JSONField with Oracle and SQLite.
Fixed a bug in Django 3.1 that caused a crash when processing middlewares in an \ 
async context with a middleware that raises a MiddlewareNotUsed exception.
Fixed a regression in Django 3.1 that caused the incorrect prefixing of \ 
STATIC_URL and MEDIA_URL settings, by the server-provided value of SCRIPT_NAME \ 
(or / if not set), when set to a URL specifying the protocol but without a \ 
top-level domain, e.g. http://myhost/

Log message:
py-django: updated to 3.1.4

Django 3.1.4 fixes several bugs in 3.1.3.

Bugfixes

Fixed setting the Content-Length HTTP header in AsyncRequestFactory.
Fixed passing extra HTTP headers to AsyncRequestFactory request methods.
Fixed crash of key transforms for JSONField on PostgreSQL when using on a \ 
Subquery() annotation.
Fixed a regression in Django 3.1 that caused a crash of auto-reloader for \ 
certain invocations of runserver on Windows with Python 3.7 and below.
Fixed a regression in Django 3.1 that caused the incorrect grouping by a Q \ 
object annotation.
Fixed a regression in Django 3.1 that caused suppressing connection errors when \ 
JSONField is used on SQLite.
Fixed a crash on SQLite, when QuerySet.values()/values_list() contained key \ 
transforms for JSONField returning non-string primitive values