* Fixed a bug in Django 5.2 where data exceeding max_length was
silently truncated by QuerySet.bulk_create() on PostgreSQL
* Fixed a bug where management command colorized help (introduced
in Python 3.14) ignored the --no-color option and the DJANGO_COLORS
setting
- Drop merged test_strip_tags_incomplete.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=224
* CVE-2025-13372: Potential SQL injection in FilteredRelation column
aliases on PostgreSQL
* CVE-2025-64460: Potential denial-of-service vulnerability in XML
Deserializer
* Fixed a crash on Python 3.14+ that prevented template tag functions
from being registered
* Fixed more bugs and regressions, see upstream release notes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=220
* CVE-2025-64459: Potential SQL injection via _connector keyword argument
* Added compatibility for oracledb 3.4.0
* Fixed a bug in Django 5.2 where QuerySet.first() and QuerySet.last()
raised an error on querysets performing aggregation that selected all
fields of a composite primary key.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=218
* CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(),
aggregate(), and extra() on MySQL and MariaDB
* CVE-2025-59682: Potential partial directory-traversal via archive.extract()
* Fixed a regression in Django 5.2 that reduced the color contrast of the
label of filter_horizontal and filter_vertical widgets within a TabularInline
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=216
* Fixed a regression in Django 5.2.1 that prevented the usage of UNNEST
PostgreSQL strategy of QuerySet.bulk_create() with foreign keys
* Fixed a crash in Django 5.2 when filtering against a composite primary key
using a tuple containing expressions
* Fixed a crash in Django 5.2 when validating a model that uses
GeneratedField or constraints composed of Q and Case lookups
* Added compatibility for docutils 0.22
* Fixed a crash in Django 5.2 when using a ManyToManyField on a model with
a composite primary key, by extending the fields.E347 system check
- Convert to libalternatives on SLE-16-based and newer systems
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=212
* Fixed a log injection possibility by migrating remaining response logging
to django.utils.log.log_response(), which safely escapes arguments
such as the request path to prevent unsafe log output (CVE-2025-48432).
* Fixed a regression in Django 5.2 that caused QuerySet.bulk_update() to
incorrectly convert None to JSON null instead of SQL NULL for JSONField
* Fixed a regression in Django 5.2.2 where the q parameter was removed from
the internal django.http.MediaType.params property
* Fixed a regression in Django 5.2.2 where HttpRequest.get_preferred_type()
incorrectly preferred more specific media types with a lower quality
* Fixed a crash in Django 5.2 when performing an __in lookup involving a
composite primary key and a subquery on certain backends
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=203
* CVE-2025-48432: Potential log injection via unescaped request path
* Fixed a crash when using select_related against a ForeignObject
originating from a model with a CompositePrimaryKey
* Fixed a regression in Django 5.2 that caused a crash when no
arguments were passed into QuerySet.union().
* Fixed a regression in Django 5.2 that caused a crash when using OuterRef
in PostgreSQL aggregate functions ArrayAgg, StringAgg, and JSONBAgg.
* Fixed a bug in Django 5.2 where HttpRequest.get_preferred_type() did not
account for media type parameters in Accept headers, reducing specificity
in content negotiation.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=201
* This release was built using an upgraded setuptools, producing
filenames compliant with PEP 491 and PEP 625 and thus addressing
a PyPI warning about non-compliant distribution filenames. This
change only affects the Django packaging process and does not
impact Django’s behavior.
* CVE-2025-32873: Denial-of-service possibility in strip_tags()
* Fixed a data corruption possibility in file_move_safe() when
allow_overwrite=True
* Fixed a regression introduced when fixing CVE-2025-26699, where
the wordwrap template filter did not preserve empty lines between
paragraphs after wrapping text
* Fixed many bugs and regressions in Django 5.2, see upstream changelog
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=199
* Django 5.2 is designated as a long-term support release. It will receive
security updates for at least three years after its release.
* Django 5.2 supports Python 3.10, 3.11, 3.12, and 3.13.
** What’s new in Django 5.2 **
* Automatic models import in the shell
* Composite Primary Keys
* Simplified override of BoundField
* ... and many more smaller features
** Backwards incompatible changes in 5.2 **
* Database backend API changes
* Dropped support for PostgreSQL 13
* Changed MySQL connection character set default
* ... and more, see upstream changelog
** Features deprecated in 5.2 **
* The all argument for the django.contrib.staticfiles.finders.find()
function is deprecated in favor of the find_all argument.
* The ordering keyword argument of the PostgreSQL specific aggregation
functions is deprecated in favor of the order_by argument.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=194
* CVE-2025-26699: Potential denial-of-service vulnerability in
django.utils.text.wrap()
* Fixed a bug in Django 5.1 where the {% querystring %} template tag
returned an empty string rather than "?"
* Fixed a bug in Django 5.1 where FileSystemStorage, with allow_overwrite
set to True, did not truncate the overwritten file content
* Fixed a regression in Django 5.1 where the count and exists methods of
ManyToManyField related managers would always return 0 and False when
the intermediary model back references used to_field
* Fixed a regression in Django 5.1 where the pre_save and post_save signals
for LogEntry were not sent when deleting a single object in the admin
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=189
* Fixed a regression in Django 5.1.5 that caused validate_ipv6_address()
and validate_ipv46_address() to crash when handling non-string values
* Fixed a regression in Django 5.1 where password fields, despite being
set to required=False, were still treated as required in forms derived
from BaseUserCreationForm
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=187
* CVE-2024-53907: Potential denial-of-service in django.utils.html.strip_tags()
* CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle
* Fixed a crash in createsuperuser on Python 3.13+ caused by an unhandled OSError
* Fixed a regression in Django 5.1 where relational fields were not updated
* Fixed a bug in Django 5.1 where DomainNameValidator accepted any input value
that contained a valid domain name, rather than only input values that were
a valid domain name
* Fixed a regression in Django 5.1 that prevented the use of DB-IP databases with GeoIP2
* Fixed a regression in Django 5.1 where non-ASCII fieldset names were not displayed
when rendering admin fieldsets
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=183
* Fixed a regression in Django 5.1 that caused a crash when using
the PostgreSQL lookup trigram_similar on output fields from Concat
* Fixed a regression in Django 5.1 that caused a crash of JSONObject()
when using server-side binding with PostgreSQL 16+
* Fixed a regression in Django 5.1 that made selected items in
multi-select widgets indistinguishable from non-selected items in
the admin dark theme
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=181
- Update to 5.1.1 (bsc#1229823, bsc#1229824)
* CVE-2024-45230: Potential denial-of-service vulnerability in
django.utils.html.urlize()
* CVE-2024-45231: Potential user email enumeration via response
status on password reset
* Fixed a regression in Django 5.1 that caused a crash of Window()
when passing an empty sequence to the order_by parameter, and a
crash of Prefetch() for a sliced queryset without ordering
* Fixed a regression in Django 5.1 where a new usable_password field
was included in BaseUserCreationForm (and children). A new
AdminUserCreationForm including this field was added, isolating
the feature to the admin where it was intended
* Adjusted the deprecation warning stacklevel in Model.save() and
Model.asave() to correctly point to the offending call site
* Adjusted the deprecation warning stacklevel when using
OS_OPEN_FLAGS in FileSystemStorage to correctly point to the
offending call site
* Adjusted the deprecation warning stacklevel in
FieldCacheMixin.get_cache_name() to correctly point to the
offending call site
* Restored, following a regression in Django 5.1, the ability to
override the timezone and role setting behavior used within the
init_connection_state method of the PostgreSQL backend
* Fixed a bug in Django 5.1 where variable lookup errors were logged
when rendering admin fieldsets
OBS-URL: https://build.opensuse.org/request/show/1198700
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Django?expand=0&rev=122
* Fixed a regression in Django 5.1 that caused a crash of Window() when
passing an empty sequence to the order_by parameter, and a crash of
Prefetch() for a sliced queryset without ordering
* Fixed a regression in Django 5.1 where a new usable_password field was
included in BaseUserCreationForm (and children).
* Adjusted the deprecation warning stacklevel in Model.save() and
Model.asave() to correctly point to the offending call site
* Adjusted the deprecation warning stacklevel when using OS_OPEN_FLAGS
in FileSystemStorage to correctly point to the offending call site
* Adjusted the deprecation warning stacklevel in FieldCacheMixin.get_cache_name()
to correctly point to the offending call site
* Restored, following a regression in Django 5.1, the ability to
override the timezone and role setting behavior used within the
init_connection_state method of the PostgreSQL backend
* Fixed a bug in Django 5.1 where variable lookup errors were logged
when rendering admin fieldsets
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=178
* CVE-2024-45230: Potential denial-of-service vulnerability in
django.utils.html.urlize()
* CVE-2024-45231: Potential user email enumeration via response
status on password reset
* Fixed a regression in Django 5.1 that caused a crash of Window()
when passing an empty sequence to the order_by parameter, and a
crash of Prefetch() for a sliced queryset without ordering
* Fixed a regression in Django 5.1 where a new usable_password field
was included in BaseUserCreationForm (and children). A new
AdminUserCreationForm including this field was added, isolating
the feature to the admin where it was intended
* Adjusted the deprecation warning stacklevel in Model.save() and
Model.asave() to correctly point to the offending call site
* Adjusted the deprecation warning stacklevel when using
OS_OPEN_FLAGS in FileSystemStorage to correctly point to the
offending call site
* Adjusted the deprecation warning stacklevel in
FieldCacheMixin.get_cache_name() to correctly point to the
offending call site
* Restored, following a regression in Django 5.1, the ability to
override the timezone and role setting behavior used within the
init_connection_state method of the PostgreSQL backend
* Fixed a bug in Django 5.1 where variable lookup errors were logged
when rendering admin fieldsets
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=177