./www/py-django3, Django, a high-level Python Web framework



Branch: CURRENT, Version: 3.2.8, Package name: py39-django-3.2.8, Maintainer: pkgsrc-users

Django is a high-level Python Web framework that encourages rapid development
and clean, pragmatic design. Django was designed to make common Web-development
tasks fast and easy.


Required to run:
[devel/py-setuptools] [time/py-pytz] [databases/py-sqlparse] [www/py-asgiref] [lang/python37]

Required to build:
[pkgtools/cwrappers]

Master sites:

RMD160: 7afdd615f5c0a67ab59a25891de5c8c8f40b3f7f
Filesize: 9590.776 KB

Version history:


CVS history:


   2021-10-07 17:09:00 by Nia Alarie | Files touched by this commit (1033)
Log message:
www: Remove SHA1 hashes for distfiles
   2021-10-05 20:33:49 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django3: updated to 3.2.8

Django 3.2.8 fixes two bugs in 3.2.7.

Bugfixes

Fixed a bug in Django 3.2 that caused incorrect links on read-only fields in the admin.
Fixed a regression in Django 3.2 that caused incorrect selection of items across all pages when actions were placed both on the top and bottom of the admin change-list view.
   2021-08-02 22:33:58 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django3: updated to 3.2.6

Django 3.2.6

Bugfixes

Fixed a regression in Django 3.2 that caused a crash validating "NaN" input with a forms.DecimalField when additional constraints, e.g. max_value, were specified.
Fixed a bug in Django 3.2 where a system check would crash on a model with a reverse many-to-many relation inherited from a parent class.
   2021-07-06 07:57:43 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django3: updated to 3.2.5

Django 3.2.5 fixes a security issue with severity “high” and several bugs in 3.2.4. Also, the latest string translations from Transifex are incorporated.

CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input

Unsanitized user input passed to QuerySet.order_by() could bypass intended column reference validation in path marked for deprecation resulting in a potential SQL injection even if a deprecation warning is emitted.

As a mitigation the strict column reference validation was restored for the duration of the deprecation period. This regression appeared in 3.1.

The issue is not present in the main branch as the deprecated path has been removed.

Bugfixes

Fixed a regression in Django 3.2 that caused a crash of QuerySet.values_list(…, named=True) after prefetch_related().
Fixed a bug in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when altering BinaryField, JSONField, or TextField to non-nullable.
Fixed a regression in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when adding nullable BinaryField, JSONField, or TextField with a default value.
Fixed a bug in Django 3.2 where a system check would crash on a model with an invalid app_label.
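The CVE-2021-35042 entry above describes what happens when a client-controlled sort key reaches ORDER BY without the strict column check. The following is an added illustration, not Django's code and not part of the pkgsrc page: it uses the standard sqlite3 module rather than the ORM, with a constructed `player` table, a regex of the same shape as the strict pattern Django restored, and a hypothetical per-view allowlist (`ALLOWED_SORT_FIELDS`). The unsafe variant shows a blind, ordering-based probe: nothing from the injected subquery is printed, but the row order tells the attacker whether the condition held.

```python
import re
import sqlite3

# Constructed sample data, not from the page, so the demo runs offline.
_ROWS = [("alice", 3), ("bob", 1), ("carol", 2)]

# Syntactic shape of a legitimate order_by() term: optional sign, then word
# characters or dots.  Anything else (spaces, parentheses, quotes, semicolons)
# is rejected before it gets near the SQL.
_ORDER_TERM = re.compile(r"[-+]?[\w.]+")

# Hypothetical allowlist of fields this view lets the client sort on.
ALLOWED_SORT_FIELDS = {"name", "score"}


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE player (name TEXT, score INTEGER)")
    conn.executemany("INSERT INTO player VALUES (?, ?)", _ROWS)
    return conn


def order_by_unsafe(sort):
    """The anti-pattern: a client-supplied sort key spliced into ORDER BY.
    ORDER BY terms cannot be bound as query parameters, so the driver offers
    no protection here; any expression the database accepts will run."""
    conn = _connect()
    rows = conn.execute(f"SELECT name FROM player ORDER BY {sort}").fetchall()
    return [name for (name,) in rows]


def validate_order_term(term, allowed):
    """Syntactic check first, then an explicit allowlist of field names.
    Returns (column, direction)."""
    if not _ORDER_TERM.fullmatch(term):
        raise ValueError(f"malformed order_by term: {term!r}")
    direction = "DESC" if term.startswith("-") else "ASC"
    column = term.lstrip("+-")
    # A dotted name such as "sqlite_master.name" passes the regex, which is
    # why the allowlist is the real control and the pattern only a first gate.
    if column not in allowed:
        raise ValueError(f"ordering by {column!r} is not permitted")
    return column, direction


def order_by_safe(sort, allowed=ALLOWED_SORT_FIELDS):
    column, direction = validate_order_term(sort, allowed)
    conn = _connect()
    rows = conn.execute(
        f"SELECT name FROM player ORDER BY {column} {direction}"
    ).fetchall()
    return [name for (name,) in rows]


def is_rejected(term, allowed=ALLOWED_SORT_FIELDS):
    try:
        validate_order_term(term, allowed)
    except ValueError:
        return True
    return False


# Blind boolean probe (constructed): the resulting row order reveals whether
# the subquery condition held, here "exactly one entry in sqlite_master".
PROBE = "CASE WHEN (SELECT count(*) FROM sqlite_master) = 1 THEN score ELSE name END"

if __name__ == "__main__":
    print(order_by_unsafe(PROBE))   # sorted by score, so the condition was true
    print(order_by_safe("-score"))
    print(is_rejected(PROBE))
```

The point to carry over to real ORM code: validating the syntax of an ordering term is necessary but not sufficient, because a syntactically clean dotted reference can still name a column the view never meant to expose; map client input to a closed set of field names and pass only those to `order_by()`.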
   2021-06-05 09:22:03 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django3: updated to 3.2.4

Django 3.2.4 fixes two security issues and several bugs in 3.2.3.

CVE-2021-33203: Potential directory traversal via admindocs

Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.

CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses

URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn’t prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks.

validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+.

Bugfixes

Fixed a bug in Django 3.2 where a final catch-all view in the admin didn’t respect the server-provided value of SCRIPT_NAME when redirecting unauthenticated users to the login page.
Fixed a bug in Django 3.2 where a system check would crash on an abstract model.
Prevented unnecessary initialization of unused caches following a regression in Django 3.2.
Fixed a crash in Django 3.2 that could occur when running mod_wsgi with the recommended settings while the Windows colorama library was installed.
Fixed a bug in Django 3.2 that would trigger the auto-reloader for template changes when directory paths were specified with strings.
Fixed a regression in Django 3.2 that caused a crash of auto-reloader with AttributeError, e.g. inside a Conda environment.
Fixed a regression in Django 3.2 that caused a loss of precision for operations with DecimalField on MySQL.
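The "indeterminate" in CVE-2021-33571 refers to the fact that a string such as `0177.0.0.1` is parsed differently by different consumers: a decimal-only parser reads the first octet as 177, while the C library's `inet_aton()` (and therefore most HTTP clients) reads a leading zero as octal, giving 127. A validator that accepts the string lets a blocklist be checked against one interpretation while the connection goes to the other. The block below is an added example in plain Python, not Django's validator code: it contains a strict dotted-quad check that does not rely on the Python 3.9.5+ behaviour of `ipaddress`, a deliberately naive string-based loopback blocklist of the kind SSRF filters often use, and `socket.inet_aton()` to show what the same string resolves to.

```python
import re
import socket
import struct

# Canonical dotted quad: four decimal octets 0-255 with no leading zeros.
# ipaddress.IPv4Address enforces the same rule from Python 3.9.5 on (which is
# why Django's validators were unaffected there); this check does not depend
# on the interpreter version.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_STRICT_IPV4 = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")


def validate_ipv4_strict(value):
    """True only for a canonical dotted quad."""
    return _STRICT_IPV4.fullmatch(value) is not None


def naive_is_loopback(value):
    """A string-based blocklist of the kind many SSRF filters use (constructed
    for the demo; it is the weak check, not a recommendation)."""
    return value.startswith("127.")


def inet_aton_octets(value):
    """How the C library, and so curl and most HTTP clients, reads the same
    string: a leading 0 makes the octet octal.  Returns None if the platform
    rejects the string outright."""
    try:
        packed = socket.inet_aton(value)
    except OSError:
        return None
    return struct.unpack("BBBB", packed)


def is_safe_target(value):
    """Filter order that closes the gap: reject non-canonical forms first, so
    the blocklist is applied to a string with only one possible meaning."""
    return validate_ipv4_strict(value) and not naive_is_loopback(value)


if __name__ == "__main__":
    probe = "0177.0.0.1"
    print(naive_is_loopback(probe))      # False: the blocklist is fooled
    print(inet_aton_octets(probe))       # (127, 0, 0, 1) on glibc/BSD libc
    print(validate_ipv4_strict(probe))   # False: rejected before the blocklist
```

Rejecting leading zeros is the only safe option because there is no way to know which interpretation the downstream fetcher, DNS resolver or proxy will apply; normalising to one of the two readings just picks a side.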
   2021-05-14 20:54:38 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django3: updated to 3.2.3

Django 3.2.3 fixes several bugs in 3.2.2.

Bugfixes

Prepared for mysqlclient > 2.0.3 support.
Fixed a regression in Django 3.2 that caused the incorrect filtering of querysets combined with the | operator.
Fixed a regression in Django 3.2.1 where saving FileField would raise a SuspiciousFileOperation even when a custom upload_to returns a valid file path.

Django 3.2.2 fixes a security issue and a bug in 3.2.1.

CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+

On Python 3.9.5+, URLValidator didn’t prohibit newlines and tabs. If you used values with newlines in HTTP response, you could suffer from header injection attacks. Django itself wasn’t vulnerable because HttpResponse prohibits newlines in HTTP headers.

Moreover, the URLField form field which uses URLValidator silently removes newlines and tabs on Python 3.9.5+, so the possibility of newlines entering your data only existed if you are using this validator outside of the form fields.

This issue was introduced by the bpo-43882 fix.

This issue was introduced by the bpo-43882 fix.
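The mechanism behind CVE-2021-32052 is worth seeing end to end: the bpo-43882 change made `urlsplit()` strip ASCII tabs and newlines before parsing, so a validator that only looks at the parsed result no longer notices them, and the raw string, newline included, can then be written into a `Location` header by any response layer that does not check header values itself. The block below is an added example, not Django's `URLValidator` or `HttpResponse`: a validator that checks the raw input before parsing, a hand-rolled response writer with and without the CR/LF refusal, and a small header splitter showing what a client would see.

```python
from urllib.parse import urlsplit


class ValidationError(ValueError):
    pass


# ASCII tab and newline characters.  From Python 3.9.5 on, urlsplit() strips
# them before parsing (bpo-43882), so a validator that inspects only the
# parsed pieces never sees them: check the raw string first.
_UNSAFE_URL_CHARS = ("\t", "\r", "\n")


def validate_url(value):
    """Reject control characters on the raw input, then check the shape."""
    if any(c in value for c in _UNSAFE_URL_CHARS):
        raise ValidationError("URL contains tab or newline characters")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValidationError("not an absolute http(s) URL")
    return value


def redirect_unsafe(location):
    """A response writer with no header checks: what a raw-socket server or a
    custom framework layer emits if it trusts an already 'validated' URL."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode("latin-1")


def redirect(location):
    """The refusal a careful response object makes: no CR or LF ever reaches
    a header line."""
    if "\r" in location or "\n" in location:
        raise ValueError("header value contains a newline")
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode("latin-1")


def header_names(raw):
    """Header names as a client would parse them out of the raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0].decode("latin-1") for line in head.split(b"\r\n")[1:]]


def is_rejected(func, value):
    try:
        func(value)
    except ValueError:
        return True
    return False


# Constructed payload: a URL that smuggles a second header after Location.
PAYLOAD = "https://example.com/next\r\nSet-Cookie: session=attacker"

if __name__ == "__main__":
    print(header_names(redirect_unsafe(PAYLOAD)))   # ['Location', 'Set-Cookie']
    print(is_rejected(validate_url, PAYLOAD))       # True
    print(is_rejected(redirect, PAYLOAD))           # True
```

Two layers are deliberate here. The validator stops the value from being stored at all, and the response writer refuses it even if validation was bypassed somewhere else (a value loaded from an older database row, or one that never went through a form field).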
   2021-05-05 09:06:30 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-django3: updated to 3.2.1

Django 3.2.1

CVE-2021-31542: Potential directory-traversal via uploaded files
MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names.
In order to mitigate this risk, stricter basename and path sanitation is now applied. Specifically, empty file names and paths with dot segments will be rejected.

Bugfixes

Corrected detection of GDAL 3.2 on Windows.
Fixed a bug in Django 3.2 where subclasses of BigAutoField and SmallAutoField were not allowed for the DEFAULT_AUTO_FIELD setting.
Fixed a regression in Django 3.2 that caused a crash of QuerySet.values()/values_list() after QuerySet.union(), intersection(), and difference() when it was ordered by an unannotated field.
Restored, following a regression in Django 3.2, displaying an exception message on the technical 404 debug page.
Fixed a bug in Django 3.2 where a system check would crash on a reverse one-to-one relationships in CheckConstraint.check or UniqueConstraint.condition.
Fixed a regression in Django 3.2 that caused a crash of ModelAdmin.search_fields when searching against phrases with unbalanced quotes.
Fixed a bug in Django 3.2 where variable lookup errors were logged rendering the sitemap template if alternates were not defined.
Fixed a regression in Django 3.2 that caused a crash when combining Q() objects which contains boolean expressions.
Fixed a regression in Django 3.2 that caused a crash of QuerySet.update() on a queryset ordered by inherited or joined fields on MySQL and MariaDB.
Fixed a regression in Django 3.2 that caused a crash when decoding a cookie value, used by django.contrib.messages.storage.cookie.CookieStorage, in the pre-Django 3.2 format.
Fixed a regression in Django 3.2 that stopped the shift-key modifier selecting multiple rows in the admin changelist.
Fixed a bug in Django 3.2 where a system check would crash on the STATICFILES_DIRS setting with a list of 2-tuples of (prefix, path).
Fixed a long standing bug involving queryset bitwise combination when used with subqueries that began manifesting in Django 3.2, due to a separate fix using Exists to exclude() multi-valued relationships.
Fixed a bug in Django 3.2 where variable lookup errors were logged when rendering some admin templates.
Fixed a bug in Django 3.2 where an admin changelist would crash when deleting objects filtered against multi-valued relationships. The admin changelist now uses Exists() instead QuerySet.distinct() because calling delete() after distinct() is not allowed in Django 3.2 to address a data loss possibility.
Fixed a regression in Django 3.2 where the calling process environment would not be passed to the dbshell command on PostgreSQL.
Fixed a performance regression in Django 3.2 when building complex filters with subqueries. As a side-effect the private API to check django.db.sql.query.Query equality is removed.

Django 3.2.0:
Automatic AppConfig discovery simplifies configuration of pluggable applications.
Customizing the type of auto-created primary keys begins a process of migrating \ 
to BigAutoField primary key fields by default.
Functional indexes can now be created on expressions and database functions.
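Two of the advisories on this page, CVE-2021-31542 above (uploaded file names) and CVE-2021-33203 in the 3.2.4 entry (admindocs template lookup), are the same class of defect: a name from the request is joined onto a directory and the result is used without confirming it still lies inside that directory. The block below is an added example and is not the code Django ships; it shows the two checks a practitioner wants in one place. `safe_join()` resolves the joined path and refuses anything outside the base (the admindocs-style confinement to template roots), and `validate_file_name()` follows the behaviour the 3.2.1 note describes for upload names: empty names and dot segments are rejected, and a directory component is rejected unless the caller opts in with a hypothetical `allow_relative_path` flag. The directory layout is constructed in a temporary directory so the example runs offline.

```python
import os
import tempfile


class SuspiciousFileOperation(Exception):
    pass


def safe_join(base, *paths):
    """Join and confirm the resolved result is still inside base.  realpath()
    collapses '..' and follows symlinks, so the prefix test is made on the
    path the filesystem will actually open."""
    base_real = os.path.realpath(base)
    final = os.path.realpath(os.path.join(base_real, *paths))
    if final != base_real and not final.startswith(base_real + os.sep):
        raise SuspiciousFileOperation(f"{final!r} is outside {base_real!r}")
    return final


def find_template(template_roots, name):
    """admindocs-style lookup: a name may only resolve inside one of the
    configured roots.  Returns the first existing file, None if there is no
    such template, and raises if the name tries to escape a root."""
    for root in template_roots:
        candidate = safe_join(root, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def validate_file_name(name, allow_relative_path=False):
    """Upload-name check modelled on the 3.2.1 note: empty names and dot
    segments are rejected; without allow_relative_path (hypothetical flag)
    any directory component is rejected as well."""
    if os.path.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"could not derive a file name from {name!r}")
    if allow_relative_path:
        parts = name.replace("\\", "/").split("/")
        if name.startswith("/") or ".." in parts:
            raise SuspiciousFileOperation(f"{name!r} is absolute or contains '..'")
    elif name != os.path.basename(name):
        raise SuspiciousFileOperation(f"{name!r} includes path elements")
    return name


def rejects(func, *args, **kwargs):
    try:
        func(*args, **kwargs)
    except SuspiciousFileOperation:
        return True
    return False


def build_demo_tree():
    """Constructed layout: one template root plus a secret file beside it
    that a staff user must not be able to probe."""
    top = tempfile.mkdtemp()
    root = os.path.join(top, "templates")
    os.makedirs(os.path.join(root, "admin"))
    with open(os.path.join(root, "admin", "base.html"), "w") as fh:
        fh.write("<html></html>")
    with open(os.path.join(top, "secret.txt"), "w") as fh:
        fh.write("not for staff")
    return [root]


if __name__ == "__main__":
    roots = build_demo_tree()
    print(find_template(roots, "admin/base.html"))
    print(rejects(find_template, roots, "../secret.txt"))        # True
    print(rejects(validate_file_name, "../../etc/passwd"))       # True
```

Note that the existence oracle in the admindocs advisory is closed by `safe_join()` raising before `os.path.isfile()` is ever consulted: a rejected name produces the same error whether or not the target exists.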
   2021-03-01 13:43:26 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django3: updated to 3.1.7

Django 3.1.7 fixes a security issue and a bug in 3.1.6.

CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()

Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default. Django now includes this fix. See bpo-42967 for further details.

Bugfixes

Fixed a regression in Django 3.1 that caused RuntimeError instead of connection errors when using only the 'postgres' database.
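The cache-poisoning angle of CVE-2021-23336 comes from two components parsing the same query string with different separator sets. The block below is an added example, not Django's `limited_parse_qsl()`: it contains a minimal `parse_qsl` that takes its separator set as an argument (so the example does not depend on which stdlib version is installed), a hypothetical front cache that keys on the `&`-separated query with tracking parameters (`utm_*`) dropped, and a hypothetical origin view that echoes a `callback` parameter. When the origin still honours `;`, a parameter hidden inside a `utm_` value reaches the view while the cache key stays identical to the clean request, so the poisoned body is served to everyone who asks for the clean URL.

```python
from urllib.parse import unquote_plus, urlsplit


def parse_qsl_sep(qs, separators="&"):
    """Minimal parse_qsl: split on every character in `separators`, then on
    the first '=' of each chunk.  Older stdlib behaviour corresponds to "&;";
    the fixed default is "&" only."""
    for extra in separators[1:]:
        qs = qs.replace(extra, separators[0])
    pairs = []
    for chunk in qs.split(separators[0]):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def cache_key(url):
    """Hypothetical front cache: keys on path plus query, parsing with '&'
    only and dropping tracking parameters so they do not fragment the cache."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl_sep(parts.query, "&") if not k.startswith("utm_")]
    return parts.path + ("?" + "&".join(f"{k}={v}" for k, v in kept) if kept else "")


def app_response(url, separators):
    """Hypothetical origin view: reflects a `callback` parameter if present."""
    params = dict(parse_qsl_sep(urlsplit(url).query, separators))
    return f"callback={params['callback']}" if "callback" in params else "default body"


# Constructed requests: the attacker's parameter hides inside the value of a
# parameter the cache ignores.
POISONED = "/widget?id=7&utm_content=promo;callback=evil"
CLEAN = "/widget?id=7"

if __name__ == "__main__":
    print(cache_key(POISONED) == cache_key(CLEAN))   # True: same cache slot
    print(app_response(POISONED, "&;"))              # callback=evil (old default)
    print(app_response(POISONED, "&"))               # default body (fixed)
```

The fix is not to make the cache understand `;`; it is to make every parser in the chain agree on one separator, and `&` alone is the one the cache, the browser and the WHATWG URL parser already use.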