* Fixed a regression in Django 5.2.1 that prevented the usage of UNNEST
PostgreSQL strategy of QuerySet.bulk_create() with foreign keys
* Fixed a crash in Django 5.2 when filtering against a composite primary key
using a tuple containing expressions
* Fixed a crash in Django 5.2 when validating a model that uses
GeneratedField or constraints composed of Q and Case lookups
* Added compatibility for docutils 0.22
* Fixed a crash in Django 5.2 when using a ManyToManyField on a model with
a composite primary key, by extending the fields.E347 system check
- Convert to libalternatives on SLE-16-based and newer systems
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=212
* Fixed a log injection possibility by migrating remaining response logging
to django.utils.log.log_response(), which safely escapes arguments
such as the request path to prevent unsafe log output (CVE 2025-48432).
* Fixed a regression in Django 5.2 that caused QuerySet.bulk_update() to
incorrectly convert None to JSON null instead of SQL NULL for JSONField
* Fixed a regression in Django 5.2.2 where the q parameter was removed from
the internal django.http.MediaType.params property
* Fixed a regression in Django 5.2.2 where HttpRequest.get_preferred_type()
incorrectly preferred more specific media types with a lower quality
* Fixed a crash in Django 5.2 when performing an __in lookup involving a
composite primary key and a subquery on certain backends
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=203
* CVE-2025-48432: Potential log injection via unescaped request path
* Fixed a crash when using select_related against a ForeignObject
originating from a model with a CompositePrimaryKey
* Fixed a regression in Django 5.2 that caused a crash when no
arguments were passed into QuerySet.union().
* Fixed a regression in Django 5.2 that caused a crash when using OuterRef
in PostgreSQL aggregate functions ArrayAgg, StringAgg, and JSONBAgg.
* Fixed a bug in Django 5.2 where HttpRequest.get_preferred_type() did not
account for media type parameters in Accept headers, reducing specificity
in content negotiation.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=201
* This release was built using an upgraded setuptools, producing
filenames compliant with PEP 491 and PEP 625 and thus addressing
a PyPI warning about non-compliant distribution filenames. This
change only affects the Django packaging process and does not
impact Django’s behavior.
* CVE-2025-32873: Denial-of-service possibility in strip_tags()
* Fixed a data corruption possibility in file_move_safe() when
allow_overwrite=True
* Fixed a regression introduced when fixing CVE 2025-26699, where
the wordwrap template filter did not preserve empty lines between
paragraphs after wrapping text
* Fixed many bugs and regressions in Django 5.2, see upstream changelog
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=199
* Django 5.2 is designated as a long-term support release. It will receive
security updates for at least three years after its release.
* Django 5.2 supports Python 3.10, 3.11, 3.12, and 3.13.
** What’s new in Django 5.2 **
* Automatic models import in the shell
* Composite Primary Keys
* Simplified override of BoundField
* ... and many more smaller features
** Backwards incompatible changes in 5.2 **
* Database backend API changes
* Dropped support for PostgreSQL 13
* Changed MySQL connection character set default
* ... and more, see upstream changelog
** Features deprecated in 5.2 **
* The all argument for the django.contrib.staticfiles.finders.find()
function is deprecated in favor of the find_all argument.
* The ordering keyword argument of the PostgreSQL specific aggregation
functions is deprecated in favor of the order_by argument.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=194
* CVE-2025-26699: Potential denial-of-service vulnerability in
django.utils.text.wrap()
* Fixed a bug in Django 5.1 where the {% querystring %} template tag
returned an empty string rather than "?"
* Fixed a bug in Django 5.1 where FileSystemStorage, with allow_overwrite
set to True, did not truncate the overwritten file content
* Fixed a regression in Django 5.1 where the count and exists methods of
ManyToManyField related managers would always return 0 and False when
the intermediary model back references used to_field
* Fixed a regression in Django 5.1 where the pre_save and post_save signals
for LogEntry were not sent when deleting a single object in the admin
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=189
* Fixed a regression in Django 5.1.5 that caused validate_ipv6_address()
and validate_ipv46_address() to crash when handling non-string values
* Fixed a regression in Django 5.1 where password fields, despite being
set to required=False, were still treated as required in forms derived
from BaseUserCreationForm
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=187
* CVE-2024-53907: Potential denial-of-service in django.utils.html.strip_tags()
* CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle
* Fixed a crash in createsuperuser on Python 3.13+ caused by an unhandled OSError
* Fixed a regression in Django 5.1 where relational fields were not updated
* Fixed a bug in Django 5.1 where DomainNameValidator accepted any input value
that contained a valid domain name, rather than only input values that were
a valid domain name
* Fixed a regression in Django 5.1 that prevented the use of DB-IP databases with GeoIP2
* Fixed a regression in Django 5.1 where non-ASCII fieldset names were not displayed
when rendering admin fieldsets
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=183
* Fixed a regression in Django 5.1 that caused a crash when using
the PostgreSQL lookup trigram_similar on output fields from Concat
* Fixed a regression in Django 5.1 that caused a crash of JSONObject()
when using server-side binding with PostgreSQL 16+
* Fixed a regression in Django 5.1 that made selected items in
multi-select widgets indistinguishable from non-selected items in
the admin dark theme
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=181
- Update to 5.1.1 (bsc#1229823, bsc#1229824)
* CVE-2024-45230: Potential denial-of-service vulnerability in
django.utils.html.urlize()
* CVE-2024-45231: Potential user email enumeration via response
status on password reset
* Fixed a regression in Django 5.1 that caused a crash of Window()
when passing an empty sequence to the order_by parameter, and a
crash of Prefetch() for a sliced queryset without ordering
* Fixed a regression in Django 5.1 where a new usable_password field
was included in BaseUserCreationForm (and children). A new
AdminUserCreationForm including this field was added, isolating
the feature to the admin where it was intended
* Adjusted the deprecation warning stacklevel in Model.save() and
Model.asave() to correctly point to the offending call site
* Adjusted the deprecation warning stacklevel when using
OS_OPEN_FLAGS in FileSystemStorage to correctly point to the
offending call site
* Adjusted the deprecation warning stacklevel in
FieldCacheMixin.get_cache_name() to correctly point to the
offending call site
* Restored, following a regression in Django 5.1, the ability to
override the timezone and role setting behavior used within the
init_connection_state method of the PostgreSQL backend
* Fixed a bug in Django 5.1 where variable lookup errors were logged
when rendering admin fieldsets
OBS-URL: https://build.opensuse.org/request/show/1198700
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Django?expand=0&rev=122
* Fixed a regression in Django 5.1 that caused a crash of Window() when
passing an empty sequence to the order_by parameter, and a crash of
Prefetch() for a sliced queryset without ordering
* Fixed a regression in Django 5.1 where a new usable_password field was
included in BaseUserCreationForm (and children).
* Adjusted the deprecation warning stacklevel in Model.save() and
Model.asave() to correctly point to the offending call site
* Adjusted the deprecation warning stacklevel when using OS_OPEN_FLAGS
in FileSystemStorage to correctly point to the offending call site
* Adjusted the deprecation warning stacklevel in FieldCacheMixin.get_cache_name()
to correctly point to the offending call site
* Restored, following a regression in Django 5.1, the ability to
override the timezone and role setting behavior used within the
init_connection_state method of the PostgreSQL backend
* Fixed a bug in Django 5.1 where variable lookup errors were logged
when rendering admin fieldsets
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=178
* CVE-2024-45230: Potential denial-of-service vulnerability in
django.utils.html.urlize()
* CVE-2024-45231: Potential user email enumeration via response
status on password reset
* Fixed a regression in Django 5.1 that caused a crash of Window()
when passing an empty sequence to the order_by parameter, and a
crash of Prefetch() for a sliced queryset without ordering
* Fixed a regression in Django 5.1 where a new usable_password field
was included in BaseUserCreationForm (and children). A new
AdminUserCreationForm including this field was added, isolating
the feature to the admin where it was intended
* Adjusted the deprecation warning stacklevel in Model.save() and
Model.asave() to correctly point to the offending call site
* Adjusted the deprecation warning stacklevel when using
OS_OPEN_FLAGS in FileSystemStorage to correctly point to the
offending call site
* Adjusted the deprecation warning stacklevel in
FieldCacheMixin.get_cache_name() to correctly point to the
offending call site
* Restored, following a regression in Django 5.1, the ability to
override the timezone and role setting behavior used within the
init_connection_state method of the PostgreSQL backend
* Fixed a bug in Django 5.1 where variable lookup errors were logged
when rendering admin fieldsets
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=177
* Supports Python >= 3.10.
* Easier guardrails for authentication: the new and shiny
LoginRequiredMiddleware, when added to MIDDLEWARE, enforces
authentication for all views by default.
* A more inclusive framework: Django 5.1 includes several accessibility
enhancements, such as improved screen reader support in the admin
interface, more semantic HTML elements, and better association of
help text and labels with form fieldsets.
* The second oldest ticket fixed in this release provides the long awaited
querystring template tag, which greatly simplifies the handling of query
strings when building URLs in templates.
* For a detailed list of changes see https://docs.djangoproject.com/en/5.1/releases/5.1/
- Refreshed python-Django.keyring
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=175
* CVE-2024-41989: Memory exhaustion in
django.utils.numberformat.floatformat()
* CVE-2024-41990: Potential denial-of-service vulnerability in
django.utils.html.urlize()
* CVE-2024-41991: Potential denial-of-service vulnerability in
django.utils.html.urlize() and AdminURLFieldWidget
* CVE-2024-42005: Potential SQL injection in QuerySet.values() and
values_list()
* Added missing validation for
UniqueConstraint(nulls_distinct=False) when using *expressions
* Fixed a regression in Django 5.0 where ModelAdmin.action_checkbox
could break the admin changelist HTML page when rendering a model
instance with a __html__ method
* Fixed a crash when creating a model with a Field.db_default and a
Meta.constraints constraint composed of __endswith, __startswith,
or __contains lookups
* Fixed a regression in Django 5.0.7 that caused a crash in
LocaleMiddleware when processing a language code over 500
characters
* Fixed a bug in Django 5.0 that caused a system check crash when
ModelAdmin.date_hierarchy was a GeneratedField with an
output_field of DateField or DateTimeField
* Fixed a bug in Django 5.0 which caused constraint validation to
either crash or incorrectly raise validation errors for
constraints referring to fields using Field.db_default
* Fixed a crash in Django 5.0 when saving a model containing a
FileField with a db_default set
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=172
- Update to 5.0.7
* Supports Python >= 3.10.
* Facet counts are now shown for applied filters in the admin changelist
when toggled on via the UI. This behavior can be changed via the new
ModelAdmin.show_facets attribute.
* Django 5.0 introduces the concept of a field group, and field group
templates. This simplifies rendering of the related elements of a
Django form field such as its label, widget, help text, and errors.
* The new Field.db_default parameter sets a database-computed default value.
* The new GeneratedField allows creation of database generated columns.
This field can be used on all supported database backends to create
a field that is always computed from other fields.
* More options for declaring field choices
* Few backwards-incompatible changes in the database backend API,
django.contrib.gis and django.contrib.sitemaps
* Dropped support for MySQL < 8.0.11
* Using create_defaults__exact may now be required with QuerySet.update_or_create()
* Migrating existing UUIDField on MariaDB 10.7+
- Drop no-longer-needed patches:
* dirty-hack-remove-assert.patch
* sanitize_address.patch
OBS-URL: https://build.opensuse.org/request/show/1186489
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=167
