- Update to 5.2.11
* CVE-2025-13473: Username enumeration through timing difference
in mod_wsgi authentication handler (bsc#1257401)
* CVE-2025-14550: Potential denial-of-service vulnerability via
repeated headers when using ASGI (bsc#1257403)
* CVE-2026-1207: Potential SQL injection via raster lookups on
PostGIS (bsc#1257405)
* CVE-2026-1285: Potential denial-of-service vulnerability in
django.utils.text.Truncator HTML methods (bsc#1257406)
* CVE-2026-1287: Potential SQL injection in column aliases via
control characters (bsc#1257407)
* CVE-2026-1312: Potential SQL injection via QuerySet.order_by
and FilteredRelation (bsc#1257408)
OBS-URL: https://build.opensuse.org/request/show/1330887
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=226
- Update to 5.2.5
* Fixed a regression in Django 5.2.1 that prevented the usage of UNNEST
PostgreSQL strategy of QuerySet.bulk_create() with foreign keys
* Fixed a crash in Django 5.2 when filtering against a composite primary key
using a tuple containing expressions
* Fixed a crash in Django 5.2 when validating a model that uses
GeneratedField or constraints composed of Q and Case lookups
* Added compatibility for docutils 0.22
* Fixed a crash in Django 5.2 when using a ManyToManyField on a model with
a composite primary key, by extending the fields.E347 system check
- Convert to libalternatives on SLE-16-based and newer systems
OBS-URL: https://build.opensuse.org/request/show/1299046
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=212
- Update to 5.2.4
* Fixed a log injection possibility by migrating remaining response logging
to django.utils.log.log_response(), which safely escapes arguments
such as the request path to prevent unsafe log output (CVE-2025-48432).
* Fixed a regression in Django 5.2 that caused QuerySet.bulk_update() to
incorrectly convert None to JSON null instead of SQL NULL for JSONField
* Fixed a regression in Django 5.2.2 where the q parameter was removed from
the internal django.http.MediaType.params property
* Fixed a regression in Django 5.2.2 where HttpRequest.get_preferred_type()
incorrectly preferred more specific media types with a lower quality
* Fixed a crash in Django 5.2 when performing an __in lookup involving a
composite primary key and a subquery on certain backends
OBS-URL: https://build.opensuse.org/request/show/1290240
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=203
- Update to 5.2.2 (bsc#1244095)
* CVE-2025-48432: Potential log injection via unescaped request path
* Fixed a crash when using select_related against a ForeignObject
originating from a model with a CompositePrimaryKey
* Fixed a regression in Django 5.2 that caused a crash when no
arguments were passed into QuerySet.union().
* Fixed a regression in Django 5.2 that caused a crash when using OuterRef
in PostgreSQL aggregate functions ArrayAgg, StringAgg, and JSONBAgg.
* Fixed a bug in Django 5.2 where HttpRequest.get_preferred_type() did not
account for media type parameters in Accept headers, reducing specificity
in content negotiation.
OBS-URL: https://build.opensuse.org/request/show/1283359
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=201
- Update to 5.2.1 (bsc#1242210)
* This release was built using an upgraded setuptools, producing
filenames compliant with PEP 491 and PEP 625 and thus addressing
a PyPI warning about non-compliant distribution filenames. This
change only affects the Django packaging process and does not
impact Django’s behavior.
* CVE-2025-32873: Denial-of-service possibility in strip_tags()
* Fixed a data corruption possibility in file_move_safe() when
allow_overwrite=True
* Fixed a regression introduced when fixing CVE-2025-26699, where
the wordwrap template filter did not preserve empty lines between
paragraphs after wrapping text
* Fixed many bugs and regressions in Django 5.2, see upstream changelog
OBS-URL: https://build.opensuse.org/request/show/1276780
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=199
- Update to 5.2
* Django 5.2 is designated as a long-term support release. It will receive
security updates for at least three years after its release.
* Django 5.2 supports Python 3.10, 3.11, 3.12, and 3.13.
** What’s new in Django 5.2 **
* Automatic models import in the shell
* Composite Primary Keys
* Simplified override of BoundField
* ... and many more smaller features
** Backwards incompatible changes in 5.2 **
* Database backend API changes
* Dropped support for PostgreSQL 13
* Changed MySQL connection character set default
* ... and more, see upstream changelog
** Features deprecated in 5.2 **
* The all argument for the django.contrib.staticfiles.finders.find()
function is deprecated in favor of the find_all argument.
* The ordering keyword argument of the PostgreSQL specific aggregation
functions is deprecated in favor of the order_by argument.
OBS-URL: https://build.opensuse.org/request/show/1269461
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=194
- Update to 5.1.7 (bsc#1239052)
* CVE-2025-26699: Potential denial-of-service vulnerability in
django.utils.text.wrap()
* Fixed a bug in Django 5.1 where the {% querystring %} template tag
returned an empty string rather than "?"
* Fixed a bug in Django 5.1 where FileSystemStorage, with allow_overwrite
set to True, did not truncate the overwritten file content
* Fixed a regression in Django 5.1 where the count and exists methods of
ManyToManyField related managers would always return 0 and False when
the intermediary model back references used to_field
* Fixed a regression in Django 5.1 where the pre_save and post_save signals
for LogEntry were not sent when deleting a single object in the admin
OBS-URL: https://build.opensuse.org/request/show/1254130
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=189
- Update to 5.1.4 (bsc#1234231, CVE-2024-53908, bsc#1234232, CVE-2024-53907)
* CVE-2024-53907: Potential denial-of-service in django.utils.html.strip_tags()
* CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle
* Fixed a crash in createsuperuser on Python 3.13+ caused by an unhandled OSError
* Fixed a regression in Django 5.1 where relational fields were not updated
* Fixed a bug in Django 5.1 where DomainNameValidator accepted any input value
that contained a valid domain name, rather than only input values that were
a valid domain name
* Fixed a regression in Django 5.1 that prevented the use of DB-IP databases with GeoIP2
* Fixed a regression in Django 5.1 where non-ASCII fieldset names were not displayed
when rendering admin fieldsets
OBS-URL: https://build.opensuse.org/request/show/1229256
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=183
- Update to 5.1.2
* Fixed a regression in Django 5.1 that caused a crash when using
the PostgreSQL lookup trigram_similar on output fields from Concat
* Fixed a regression in Django 5.1 that caused a crash of JSONObject()
when using server-side binding with PostgreSQL 16+
* Fixed a regression in Django 5.1 that made selected items in
multi-select widgets indistinguishable from non-selected items in
the admin dark theme
OBS-URL: https://build.opensuse.org/request/show/1208605
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=181
- Update to 5.1.1 (bsc#1229823, bsc#1229824)
* CVE-2024-45230: Potential denial-of-service vulnerability in
django.utils.html.urlize()
* CVE-2024-45231: Potential user email enumeration via response
status on password reset
* Fixed a regression in Django 5.1 that caused a crash of Window()
when passing an empty sequence to the order_by parameter, and a
crash of Prefetch() for a sliced queryset without ordering
* Fixed a regression in Django 5.1 where a new usable_password field
was included in BaseUserCreationForm (and children). A new
AdminUserCreationForm including this field was added, isolating
the feature to the admin where it was intended
* Adjusted the deprecation warning stacklevel in Model.save() and
Model.asave() to correctly point to the offending call site
* Adjusted the deprecation warning stacklevel when using
OS_OPEN_FLAGS in FileSystemStorage to correctly point to the
offending call site
* Adjusted the deprecation warning stacklevel in
FieldCacheMixin.get_cache_name() to correctly point to the
offending call site
* Restored, following a regression in Django 5.1, the ability to
override the timezone and role setting behavior used within the
init_connection_state method of the PostgreSQL backend
* Fixed a bug in Django 5.1 where variable lookup errors were logged
when rendering admin fieldsets
OBS-URL: https://build.opensuse.org/request/show/1198700
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Django?expand=0&rev=122