Changelog for python310-Django-5.0.8-1.0.2.1.sr20240803.noarch.rpm :
* Wed Aug 07 2024 Alberto Planas Dominguez
- Update to 5.0.8
  * CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat()
  * CVE-2024-41990: Potential denial-of-service vulnerability in django.utils.html.urlize()
  * CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget
  * CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()
  * Added missing validation for UniqueConstraint(nulls_distinct=False) when using *expressions
  * Fixed a regression in Django 5.0 where ModelAdmin.action_checkbox could break the admin changelist HTML page when rendering a model instance with a __html__ method
  * Fixed a crash when creating a model with a Field.db_default and a Meta.constraints constraint composed of __endswith, __startswith, or __contains lookups
  * Fixed a regression in Django 5.0.7 that caused a crash in LocaleMiddleware when processing a language code over 500 characters
  * Fixed a bug in Django 5.0 that caused a system check crash when ModelAdmin.date_hierarchy was a GeneratedField with an output_field of DateField or DateTimeField
  * Fixed a bug in Django 5.0 which caused constraint validation to either crash or incorrectly raise validation errors for constraints referring to fields using Field.db_default
  * Fixed a crash in Django 5.0 when saving a model containing a FileField with a db_default set

* Tue Jul 09 2024 Markéta Machová
- Update to 5.0.7
  * Supports Python >= 3.10.
  * Facet counts are now shown for applied filters in the admin changelist when toggled on via the UI. This behavior can be changed via the new ModelAdmin.show_facets attribute.
  * Django 5.0 introduces the concept of a field group, and field group templates. This simplifies rendering of the related elements of a Django form field such as its label, widget, help text, and errors.
  * The new Field.db_default parameter sets a database-computed default value.
  * The new GeneratedField allows creation of database generated columns. This field can be used on all supported database backends to create a field that is always computed from other fields.
  * More options for declaring field choices
  * Few backwards-incompatible changes in the database backend API, django.contrib.gis and django.contrib.sitemaps
  * Dropped support for MySQL < 8.0.11
  * Using create_defaults__exact may now be required with QuerySet.update_or_create()
  * Migrating existing UUIDField on MariaDB 10.7+
- This release also fixes several security issues:
  * bsc#1227590 (CVE-2024-38875)
  * bsc#1227593 (CVE-2024-39329)
  * bsc#1227594 (CVE-2024-39330)
  * bsc#1227595 (CVE-2024-39614)
- Drop no-longer-needed patches:
  * dirty-hack-remove-assert.patch
  * sanitize_address.patch

* Wed May 08 2024 Alberto Planas Dominguez
- Update to 4.2.13
  + Django 4.2.13 fixes a packaging error in 4.2.12.
- Update to 4.2.12
  + Django 4.2.12 fixes a compatibility issue with Python 3.11.9+ and 3.12.3+.
  + Fixed a crash in Django 4.2 when validating email max line lengths with content decoded using the surrogateescape error handling scheme
- Drop fix-safemimetext-set_payload.patch, already merged upstream

* Thu Apr 18 2024 Daniel Garcia
- Add fix-safemimetext-set_payload.patch, to support python 3.11.9+ (gh#django/django@b231bcd19e57, bsc#1222880)

* Mon Mar 04 2024 Alberto Planas Dominguez
- Update to 4.2.11 (CVE-2024-27351, bsc#1220358)
  * CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
  * Fixed a regression in Django 4.2.10 where intcomma template filter could return a leading comma for string representation of floats
- Remove python3122.patch, already upstream

* Fri Feb 09 2024 Daniel Garcia
- Add python3122.patch to fix tests with python 3.12.2 gh#django/django#17843
- Update to 4.2.10 (bsc#1219683, CVE-2024-24680):
  - Django 4.2.10 fixes a security issue with severity "moderate" in 4.2.9.
    CVE-2024-24680: Potential denial-of-service in intcomma template filter
    The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

* Thu Jan 04 2024 Alberto Planas Dominguez
- Update to 4.2.9:
  * Fixed a regression in Django 4.2.8 where admin fields on the same line could overflow the page and become non-interactive

* Mon Dec 04 2023 Alberto Planas Dominguez
- Update to 4.2.8
  * Fixed a regression in Django 4.2 that caused makemigrations --check to stop displaying pending migrations
  * Fixed a regression in Django 4.2 that caused a crash of QuerySet.aggregate() with aggregates referencing other aggregates or window functions through conditional expressions
  * Fixed a regression in Django 4.2 that caused a crash when annotating a QuerySet with a Window expressions composed of a partition_by clause mixing field types and aggregation expressions
  * Fixed a regression in Django 4.2 where the admin’s change list page had misaligned pagination links and inputs when using list_editable
  * Fixed a regression in Django 4.2 where checkboxes in the admin would be centered on narrower screen widths
  * Fixed a regression in Django 4.2 that caused a crash of querysets with aggregations on MariaDB when the ONLY_FULL_GROUP_BY SQL mode was enabled
  * Fixed a regression in Django 4.2 where the admin’s read-only password widget and some help texts were incorrectly aligned at tablet widths
  * Fixed a regression in Django 4.2 that caused a migration crash on SQLite when altering unsupported Meta.db_table_comment

* Mon Nov 27 2023 Dirk Müller
- add dirty-hack-remove-assert.patch from fedora to fix minor test failure with python 3.12

* Wed Nov 01 2023 Alberto Planas Dominguez
- Update to 4.2.7
  * Fixed a regression in Django 4.2 that caused a crash of QuerySet.aggregate() with aggregates referencing expressions containing subqueries
  * Restored, following a regression in Django 4.2, creating varchar/text_pattern_ops indexes on CharField and
    TextField with deterministic collations on PostgreSQL

* Mon Oct 16 2023 Daniel Garcia Moreno
- Update to 4.2.6 (bsc#1215978, CVE-2023-43665)
  * CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator
    The input processed by Truncator, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues.
  * Fixed a regression in Django 4.2.5 where overriding the deprecated DEFAULT_FILE_STORAGE and STATICFILES_STORAGE settings in tests caused the main STORAGES to mutate (#34821).
  * Fixed a regression in Django 4.2 that caused unnecessary casting of string based fields (CharField, EmailField, TextField, CICharField, CIEmailField, and CITextField) used with the __isnull lookup on PostgreSQL. As a consequence, indexes using an __isnull expression or condition created before Django 4.2 wouldn’t be used by the query planner, leading to a performance regression (#34840).

* Mon Sep 04 2023 Alberto Planas Dominguez
- Update to 4.2.5 (CVE-2023-41164)
  + Bugfixes
    * Fixed a regression in Django 4.2 that caused an incorrect validation of CheckConstraints on __isnull lookups against JSONField
    * Fixed a bug in Django 4.2 where the deprecated DEFAULT_FILE_STORAGE and STATICFILES_STORAGE settings were not synced with STORAGES
    * Fixed a regression in Django 4.2.2 that caused an unnecessary selection of a non-nullable ManyToManyField without a natural key during serialization
    * Fixed a regression in Django 4.2 that caused a crash of a queryset when filtering against deeply nested OuterRef() annotations

* Wed Aug 02 2023 Alberto Planas Dominguez
- Update to 4.2.4
  + Bugfixes
    * Fixed a regression in Django 4.2 that caused a crash of QuerySet.aggregate() with aggregates referencing window functions
    * Fixed a regression in Django 4.2 that caused a crash when grouping by a reference in a subquery
    * Fixed a regression in Django 4.2 that caused aggregation over query that uses explicit grouping by
      multi-valued annotations to group against the wrong columns

* Tue Jul 18 2023 Markéta Machová
- Add upstream sanitize_address.patch
  * fixes build with yet another CPython upstream fix (bsc#1210638)

* Mon Jul 10 2023 Alberto Planas Dominguez
- Update to 4.2.3 (bsc#1212742, CVE-2023-36053)
  + CVE-2023-36053: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator
  + Bugfixes
    * Fixed a regression in Django 4.2 that caused incorrect alignment of timezone warnings for DateField and TimeField in the admin
    * Fixed a regression in Django 4.2 that caused incorrect highlighting of rows in the admin changelist view when ModelAdmin.list_editable contained a BooleanField

* Fri Jun 09 2023 ecsos
- Add %{?sle15_python_module_pythons}

* Tue Jun 06 2023 Alberto Planas Dominguez
- Update to 4.2.2
  + Bugfixes
    * Fixed a regression in Django 4.2 that caused an unnecessary DBMS_LOB.SUBSTR() wrapping in the __isnull and __exact=None lookups for TextField()/BinaryField() on Oracle
    * Restored, following a regression in Django 4.2, get_prep_value() call in JSONField subclasses
    * Fixed a regression in Django 4.2 that caused a crash of QuerySet.defer() when passing a ManyToManyField or GenericForeignKey reference.
      While doing so is a no-op, it was allowed in older version
    * Fixed a regression in Django 4.2 that caused a crash of QuerySet.only() when passing a reverse OneToOneField reference
    * Fixed a bug in Django 4.2 where makemigrations --update didn’t respect the --name option
    * Fixed a performance regression in Django 4.2 when compiling queries without ordering
    * Fixed a regression in Django 4.2 where nonexistent stylesheet was linked on a “Congratulations!” page
    * Fixed a regression in Django 4.2 that caused a crash of QuerySet.aggregate() with expressions referencing other aggregates
    * Fixed a regression in Django 4.2 that caused a crash of QuerySet.aggregate() with aggregates referencing subqueries
    * Fixed a regression in Django 4.2 that caused a crash of querysets on SQLite when filtering on DecimalField against values outside of the defined range
    * Fixed a regression in Django 4.2 that caused a serialization crash on a ManyToManyField without a natural key when its Manager’s base QuerySet used select_related()

* Thu May 04 2023 Alberto Planas Dominguez
- Update to 4.2.1
  + CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field (bsc#1210866)
  + Bugfixes
    * Fixed a regression in Django 4.2 that caused a crash of QuerySet.defer() when deferring fields by attribute names
    * Fixed a regression in Django 4.2 that caused a crash of SearchVector function with % characters
    * Fixed a regression in Django 4.2 that caused aggregation over query that uses explicit grouping to group against the wrong columns
    * Reallowed, following a regression in Django 4.2, setting the "cursor_factory" option in OPTIONS on PostgreSQL
    * Enforced UTF-8 client encoding on PostgreSQL, following a regression in Django 4.2
    * Fixed a regression in Django 4.2 where i18n_patterns() didn’t respect the prefix_default_language argument when a fallback language of the default language was used
    * Fixed a regression in Django 4.2 where translated URLs of the default
      language from i18n_patterns() with prefix_default_language set to False raised 404 errors for a request with a different language
    * Fixed a regression in Django 4.2 where creating copies and deep copies of HttpRequest, HttpResponse, and their subclasses didn’t always work correctly
    * Fixed a regression in Django 4.2 where timesince and timeuntil template filters returned incorrect results for a datetime with a non-UTC timezone when a time difference is less than 1 day
    * Fixed a regression in Django 4.2 that caused a crash of SearchHeadline function with psycopg 3
    * Fixed a regression in Django 4.2 that caused incorrect ClearableFileInput margins in the admin
    * Fixed a regression in Django 4.2 where breadcrumbs didn’t appear on admin site app index views
    * Made squashing migrations reduce AddIndex, RemoveIndex, RenameIndex, and CreateModel operations which allows removing a deprecated Meta.index_together option from historical migrations and use Meta.indexes instead

* Thu Apr 06 2023 David Anes
- Update minimal dependency versions.

* Tue Apr 04 2023 David Anes
- Update to 4.2: This is just a summary.
  Full release notes are available at https://docs.djangoproject.com/en/4.2/releases/4.2/
  + Psycopg 3 support
  + Comments on columns and tables
  + Mitigation for the BREACH attack
  + In-memory file storage
  + Custom file storages
  + For backwards incompatible changes in 4.2 see https://docs.djangoproject.com/en/4.2/releases/4.2/#backwards-incompatible-changes-in-4-2
- Update of keyring file

* Tue Feb 14 2023 Alberto Planas Dominguez
- Update to 4.1.7:
  + CVE-2023-24580: Potential denial-of-service vulnerability in file uploads (bsc#1208082)
  + Fixed a bug in Django 4.1 that caused a crash of model validation on ValidationError with no code

* Wed Feb 01 2023 Alberto Planas Dominguez
- Update to 4.1.6:
  + CVE-2023-23969: Potential denial-of-service via Accept-Language headers
  Bugfixes
  + Fixed a bug in Django 4.1 that caused a crash of model validation on UniqueConstraint with ordered expressions

* Mon Jan 02 2023 David Anes
- Update to 4.1.5:
  + Fixed a long standing bug in the __len lookup for ArrayField that caused a crash of model validation on Meta.constraints.
- Update keyring file.

* Wed Dec 21 2022 Daniel Garcia
- Recommends python-pymemcache instead of the deprecated python-python-memcached.
  This is the module used in Django since 3.2 https://docs.djangoproject.com/en/3.2/releases/3.2/#pymemcache-support

* Tue Dec 06 2022 Alberto Planas Dominguez
- Update to 4.1.4
  + Fixed a regression in Django 4.1 that caused an unnecessary table rebuild when adding a ManyToManyField on SQLite
  + Fixed a bug in Django 4.1 that caused a crash of the sitemap index view with an empty Sitemap.items() and a callable lastmod
  + Fixed a bug in Django 4.1 that caused a crash using acreate(), aget_or_create(), and aupdate_or_create() asynchronous methods of related managers
  + Fixed a bug in Django 4.1 that caused a crash of QuerySet.bulk_create() with "pk" in unique_fields
  + Fixed a bug in Django 4.1 that caused a crash of QuerySet.bulk_create() on fields with db_column

* Wed Nov 02 2022 Alberto Planas Dominguez
- Update to 4.1.3
  + Fixed a bug in Django 4.1 that caused non-Python files created by startproject and startapp management commands from custom templates to be incorrectly formatted using the black command

* Tue Oct 04 2022 Alberto Planas Dominguez
- Update to 4.1.2 (bsc#1203793, CVE-2022-41323)
  + Fixed a regression in Django 4.1 that caused a migration crash on PostgreSQL when adding a model with ExclusionConstraint
  + Fixed a regression in Django 4.1 that caused aggregation over a queryset that contained an Exists annotation to crash due to too many selected columns
  + Fixed a bug in Django 4.1 that caused an incorrect validation of CheckConstraint on NULL values
  + Fixed a regression in Django 4.1 that caused a QuerySet.values()/values_list() crash on ArrayAgg() and JSONBAgg()
  + Fixed a bug in Django 4.1 that caused ModelAdmin.autocomplete_fields to be incorrectly selected after adding/changing related instances via popups
  + Fixed a regression in Django 4.1 where the app registry was not populated when running parallel tests with the multiprocessing start method spawn
  + Fixed a regression in Django 4.1 where the --debug-mode argument to test did not work when running
    parallel tests with the multiprocessing start method spawn
  + Fixed a regression in Django 4.1 that didn’t alter a sequence type when altering type of pre-Django 4.1 serial columns on PostgreSQL
  + Fixed a regression in Django 4.1 that caused a crash for View subclasses with asynchronous handlers when handling non-allowed HTTP methods
  + Reverted caching related managers for ForeignKey, ManyToManyField, and GenericRelation that caused the incorrect refreshing of related objects
  + Relaxed the system check added in Django 4.1 for the same name used for multiple template tag modules to a warning

* Mon Sep 05 2022 Alberto Planas Dominguez
- Update to 4.1.1
  + Reallowed, following a regression in Django 4.1, using GeoIP2() when GEOS is not installed
  + Fixed a regression in Django 4.1 that caused a crash of admin’s autocomplete widgets when translations are deactivated
  + Fixed a regression in Django 4.1 that caused a crash of the test management command when running in parallel and multiprocessing start method is spawn
  + Fixed a regression in Django 4.1 that caused an incorrect redirection to the admin changelist view when using "Save and continue editing" and "Save and add another" options
  + Fixed a regression in Django 4.1 that caused a crash of Window expressions with ArrayAgg
  + Fixed a regression in Django 4.1 that caused a migration crash on SQLite 3.35.5+ when removing an indexed field
  + Fixed a bug in Django 4.1 that caused a crash of model validation on UniqueConstraint() with field names in expressions
  + Fixed a bug in Django 4.1 that caused an incorrect validation of CheckConstraint() with range fields on PostgreSQL
  + Fixed a regression in Django 4.1 that caused an incorrect migration when adding AutoField, BigAutoField, or SmallAutoField on PostgreSQL
  + Fixed a regression in Django 4.1 that caused a migration crash on PostgreSQL when altering AutoField, BigAutoField, or SmallAutoField to OneToOneField
  + Fixed a migration crash on ManyToManyField fields with
    through referencing models in different apps
  + Fixed a regression in Django 4.1 that caused an incorrect migration when renaming a model with ManyToManyField and db_table
  + Reallowed, following a regression in Django 4.1, creating reverse foreign key managers on unsaved instances
  + Fixed a regression in Django 4.1 that caused a migration crash on SQLite < 3.20
  + Fixed a regression in Django 4.1 that caused an admin crash when the admindocs app was used
- Remove 0001-Fixed-33887-Added-version-in-asserted-test-URL.patch (already upstream)
- Verify the tarball with gpg

* Wed Aug 03 2022 Alberto Planas Dominguez
- Update to 4.1: This is just a summary. Full release notes are available at https://docs.djangoproject.com/en/4.1/releases/4.1/
  + Django 4.1 supports Python 3.8, 3.9, and 3.10
  + Asynchronous handlers for class-based views
  + Asynchronous ORM interface
  + Validation of Constraints
  + Form rendering accessibility
  + CSRF_COOKIE_MASKED setting
- Drop fix_test_custom_fields_SQLite.patch (already merged)
- Add 0001-Fixed-33887-Added-version-in-asserted-test-URL.patch to fix test

* Wed Aug 03 2022 Alberto Planas Dominguez
- Update to 4.0.7 (CVE-2022-36359, bsc#1201923):
  + Django 4.0.7 fixes a security issue with severity “high” in 4.0.6.

* Tue Jul 05 2022 Alberto Planas Dominguez
- Update to 4.0.6
  + CVE-2022-34265: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments

* Thu Jun 02 2022 Alberto Planas Dominguez
- Update to 4.0.5
  + Fixed a bug in Django 4.0 where not all OPTIONS were passed to a Redis client
  + Fixed a bug in Django 4.0 that caused a crash of QuerySet.filter() on IsNull() expressions
  + Fixed a bug in Django 4.0 where a hidden quick filter toolbar in the admin’s navigation sidebar was focusable

* Mon Apr 11 2022 Alberto Planas Dominguez
- Update to 4.0.4
  + CVE-2022-28346: Potential SQL injection in "QuerySet.annotate()", "aggregate()", and "extra()"
  + CVE-2022-28347: Potential SQL injection via "QuerySet.explain(**options)" on PostgreSQL

* Tue Mar 01 2022 Alberto Planas Dominguez
- Update to 4.0.3
  + Prevented, following a regression in Django 4.0.1, makemigrations from generating infinite migrations for a model with ManyToManyField to a lowercased swappable model such as 'auth.user'
  + Fixed a regression in Django 4.0 that caused a crash when rendering invalid inlines with readonly_fields in the admin

* Tue Feb 01 2022 Alberto Planas Dominguez
- Update to 4.0.2 (CVE-2022-22818, bsc#1195086) (CVE-2022-23833, bsc#1195088)
  + CVE-2022-22818: Possible XSS via {% debug %} template tag
  + CVE-2022-23833: Denial-of-service possibility in file uploads
  + Fixed a bug in Django 4.0 where TestCase.captureOnCommitCallbacks() could execute callbacks multiple times
  + Fixed a regression in Django 4.0 where help_text was HTML-escaped in automatically-generated forms
  + Fixed a regression in Django 4.0 that caused displaying an incorrect name for class-based views on the technical 404 debug page
  + Fixed a regression in Django 4.0 that caused an incorrect repr of ResolverMatch for class-based views
  + Fixed a regression in Django 4.0 that caused a crash of makemigrations on models without Meta.order_with_respect_to but with a field named _order
  + Fixed a regression in Django
    4.0 that caused incorrect ModelAdmin.radio_fields layout in the admin
  + Fixed a duplicate operation regression in Django 4.0 that caused a migration crash when altering a primary key type for a concrete parent model referenced by a foreign key
  + Fixed a bug in Django 4.0 that caused a crash of QuerySet.aggregate() after annotate() on an aggregate function with a default
  + Fixed a regression in Django 4.0 that caused a crash of makemigrations when renaming a field of a renamed model

* Wed Jan 12 2022 Matej Cepl
- Add fix_test_custom_fields_SQLite.patch fixing issues with modern SQLite (gh#django/django#15168).

* Mon Jan 10 2022 Alberto Planas Dominguez
- Update to 4.0.1 (CVE-2021-45115, CVE-2021-45452, bsc#1194117)
  + CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator
  + CVE-2021-45452: Potential directory-traversal via Storage.save()
  + Fixed a regression in Django 4.0 that caused a crash of assertFormsetError() on a formset named form
  + Fixed a bug in Django 4.0 that caused a crash on booleans with the RedisCache backend
  + Relaxed the check added in Django 4.0 to reallow use of a duck-typed HttpRequest in django.views.decorators.cache.cache_control() and never_cache() decorators
  + Fixed a regression in Django 4.0 that caused creating bogus migrations for models that reference swappable models such as auth.User
  + Fixed a long standing bug in Geometry Collections and Polygon that caused a crash on some platforms (reported on macOS based on the ARM64 architecture)

* Mon Dec 27 2021 Ben Greiner
- Fix u-a scriptlet dependency.
- Remove python36 conditional on numpy dep.

* Fri Dec 24 2021 John Vandenberg
- Avoid dependency on backports.zoneinfo except on Python 3.8

* Mon Dec 20 2021 Matej Cepl
- Clean up PYTHONPATH to make test_extra_tests_build_suite pass.

* Tue Dec 07 2021 Alberto Planas Dominguez
- Update to 4.0 This is just a summary. Full release notes are available at https://docs.djangoproject.com/en/4.0/releases/4.0/.
  - Django 4.0 supports Python 3.8, 3.9, and 3.10. We highly recommend and only officially support the latest release of each series. The Django 3.2.x series is the last to support Python 3.6 and 3.7.
  - The Python standard library’s zoneinfo is now the default timezone implementation in Django. This is the next step in the migration from using pytz to using zoneinfo. Django 3.2 allowed the use of non-pytz time zones. Django 4.0 makes zoneinfo the default implementation. Support for pytz is now deprecated and will be removed in Django 5.0.
  - The new *expressions positional argument of UniqueConstraint() enables creating functional unique constraints on expressions and database functions.
  - The new scrypt password hasher is more secure and recommended over PBKDF2. However, it’s not the default as it requires OpenSSL 1.1+ and more memory.
  - Redis cache backend
  - Template based form rendering. Forms, Formsets, and ErrorList are now rendered using the template engine to enhance customization.

* Tue Nov 02 2021 Alberto Planas Dominguez
- Update to 3.2.9
  + Fixed a bug in Django 3.2 that caused a migration crash on SQLite when altering a field with a functional index

* Tue Oct 05 2021 Alberto Planas Dominguez
- Update to 3.2.8
  + Fixed a bug in Django 3.2 that caused incorrect links on read-only fields in the admin
  + Fixed a regression in Django 3.2 that caused incorrect selection of items across all pages when actions were placed both on the top and bottom of the admin change-list view
- Drop failing_test_subparser_invalid_option.patch, as is already in the upstream code.

* Thu Sep 09 2021 Matej Cepl
- Add failing_test_subparser_invalid_option.patch fixing https://code.djangoproject.com/ticket/33082

* Wed Sep 01 2021 Alberto Planas Dominguez
- Update to 3.2.7
  + Fixed a regression in Django 3.2 that caused the incorrect offset extraction from fixed offset timezones

* Mon Aug 16 2021 Alberto Planas Dominguez
- Update to 3.2.6
  + Fixed a regression in Django 3.2 that caused a crash validating "NaN" input with a forms.DecimalField when additional constraints, e.g. max_value, were specified
  + Fixed a bug in Django 3.2 where a system check would crash on a model with a reverse many-to-many relation inherited from a parent class

* Thu Jul 01 2021 Alberto Planas Dominguez
- Update to 3.2.5 (CVE-2021-35042, bsc#1187785)
  + Fixed a regression in Django 3.2 that caused a crash of QuerySet.values_list(..., named=True) after prefetch_related()
  + Fixed a bug in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when altering BinaryField, JSONField, or TextField to non-nullable
  + Fixed a regression in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when adding nullable BinaryField, JSONField, or TextField with a default value
  + Fixed a bug in Django 3.2 where a system check would crash on a model with an invalid app_label

* Wed Jun 02 2021 Alberto Planas Dominguez
- Update to 3.2.4 (CVE-2021-33203, CVE-2021-33571)
  + CVE-2021-33203: Potential directory traversal via admindocs
  + CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
  + Fixed a bug in Django 3.2 where a final catch-all view in the admin didn’t respect the server-provided value of SCRIPT_NAME when redirecting unauthenticated users to the login page
  + Fixed a bug in Django 3.2 where a system check would crash on an abstract model
  + Prevented unnecessary initialization of unused caches following a regression in Django 3.2
  + Fixed a crash in Django 3.2 that could occur when running mod_wsgi with the
    recommended settings while the Windows colorama library was installed
  + Fixed a bug in Django 3.2 that would trigger the auto-reloader for template changes when directory paths were specified with strings
  + Fixed a regression in Django 3.2 that caused a crash of auto-reloader with AttributeError, e.g. inside a Conda environment
  + Fixed a regression in Django 3.2 that caused a loss of precision for operations with DecimalField on MySQL

* Mon May 17 2021 Alberto Planas Dominguez
- Update to 3.2.3
  + Prepared for mysqlclient > 2.0.3 support
  + Fixed a regression in Django 3.2 that caused the incorrect filtering of querysets combined with the | operator
  + Fixed a regression in Django 3.2.1 where saving FileField would raise a SuspiciousFileOperation even when a custom upload_to returns a valid file path

* Thu May 06 2021 Alberto Planas Dominguez
- Update to 3.2.2 (CVE-2021-32052)
  + CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+
  + Prevented, following a regression in Django 3.2.1, makemigrations from generating infinite migrations for a model with Meta.ordering contained OrderBy expressions

* Wed May 05 2021 Ben Greiner
- Keep rpm runtime requirements in sync. Downstream packages often read the egg-info and fail if they are not fulfilled.

* Wed May 05 2021 Alberto Planas Dominguez
- Update to 3.2.1 (CVE-2021-31542)
  + CVE-2021-31542: Potential directory-traversal via uploaded files
  + Corrected detection of GDAL 3.2 on Windows
  + Fixed a bug in Django 3.2 where subclasses of BigAutoField and SmallAutoField were not allowed for the DEFAULT_AUTO_FIELD setting
  + Fixed a regression in Django 3.2 that caused a crash of QuerySet.values()/values_list() after QuerySet.union(), intersection(), and difference() when it was ordered by an unannotated field
  + Restored, following a regression in Django 3.2, displaying an exception message on the technical 404 debug page
  + Fixed a bug in Django 3.2 where a system check would crash on a reverse one-to-one relationships in CheckConstraint.check or UniqueConstraint.condition
  + Fixed a regression in Django 3.2 that caused a crash of ModelAdmin.search_fields when searching against phrases with unbalanced quotes
  + Fixed a bug in Django 3.2 where variable lookup errors were logged rendering the sitemap template if alternates were not defined
  + Fixed a regression in Django 3.2 that caused a crash when combining Q() objects which contains boolean expressions
  + Fixed a regression in Django 3.2 that caused a crash of QuerySet.update() on a queryset ordered by inherited or joined fields on MySQL and MariaDB
  + Fixed a regression in Django 3.2 that caused a crash when decoding a cookie value, used by django.contrib.messages.storage.cookie.CookieStorage, in the pre-Django 3.2 format
  + Fixed a regression in Django 3.2 that stopped the shift-key modifier selecting multiple rows in the admin changelist
  + Fixed a bug in Django 3.2 where a system check would crash on the STATICFILES_DIRS setting with a list of 2-tuples of (prefix, path)
  + Fixed a long standing bug involving queryset bitwise combination when used with subqueries that began manifesting in Django 3.2, due to a separate fix using Exists to exclude() multi-valued relationships
  + Fixed a bug in Django 3.2 where variable
    lookup errors were logged when rendering some admin templates
  + Fixed a bug in Django 3.2 where an admin changelist would crash when deleting objects filtered against multi-valued relationships
  + Fixed a regression in Django 3.2 where the calling process environment would not be passed to the dbshell command on PostgreSQL
  + Fixed a performance regression in Django 3.2 when building complex filters with subqueries

* Tue Apr 06 2021 Alberto Planas Dominguez
- Update to 3.2.0
  + Automatic ~django.apps.AppConfig discovery
  + Customizing type of auto-created primary keys
  + Functional indexes
  + pymemcache support
  + New decorators for the admin site
  + For a complete description of new features check: https://github.com/django/django/blob/main/docs/releases/3.2.txt
- Update PYTHONPATH to include the local tests
- Drop i18n_test.patch, i18n_test_extraction.patch, test_clear_site_cache-sort.patch

* Sat Feb 13 2021 Ben Greiner
- Don't install python36-numpy for testing. It is no longer available. (The tests or portions of tests requiring numpy are skipped automatically in this case.)
- Let the singlespec macro do its job to set the primary provider for python3-django and python3-South on the primary flavor only.
- Fix mtime of cache file by recompiling.