* CVE-2024-53907: Potential denial-of-service in django.utils.html.strip_tags()
* CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle
* Fixed a crash in createsuperuser on Python 3.13+ caused by an unhandled OSError
* Fixed a regression in Django 5.1 where relational fields were not updated
* Fixed a bug in Django 5.1 where DomainNameValidator accepted any input value
that contained a valid domain name, rather than only input values that were
a valid domain name
* Fixed a regression in Django 5.1 that prevented the use of DB-IP databases with GeoIP2
* Fixed a regression in Django 5.1 where non-ASCII fieldset names were not displayed
when rendering admin fieldsets
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=183
* Fixed a regression in Django 5.1 that caused a crash when using
the PostgreSQL lookup trigram_similar on output fields from Concat
* Fixed a regression in Django 5.1 that caused a crash of JSONObject()
when using server-side binding with PostgreSQL 16+
* Fixed a regression in Django 5.1 that made selected items in
multi-select widgets indistinguishable from non-selected items in
the admin dark theme
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=181
- Update to 5.1.1 (bsc#1229823, bsc#1229824)
* CVE-2024-45230: Potential denial-of-service vulnerability in
django.utils.html.urlize()
* CVE-2024-45231: Potential user email enumeration via response
status on password reset
* Fixed a regression in Django 5.1 that caused a crash of Window()
when passing an empty sequence to the order_by parameter, and a
crash of Prefetch() for a sliced queryset without ordering
* Fixed a regression in Django 5.1 where a new usable_password field
was included in BaseUserCreationForm (and children). A new
AdminUserCreationForm including this field was added, isolating
the feature to the admin where it was intended
* Adjusted the deprecation warning stacklevel in Model.save() and
Model.asave() to correctly point to the offending call site
* Adjusted the deprecation warning stacklevel when using
OS_OPEN_FLAGS in FileSystemStorage to correctly point to the
offending call site
* Adjusted the deprecation warning stacklevel in
FieldCacheMixin.get_cache_name() to correctly point to the
offending call site
* Restored, following a regression in Django 5.1, the ability to
override the timezone and role setting behavior used within the
init_connection_state method of the PostgreSQL backend
* Fixed a bug in Django 5.1 where variable lookup errors were logged
when rendering admin fieldsets
OBS-URL: https://build.opensuse.org/request/show/1198700
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Django?expand=0&rev=122
* Fixed a regression in Django 5.1 that caused a crash of Window() when
passing an empty sequence to the order_by parameter, and a crash of
Prefetch() for a sliced queryset without ordering
* Fixed a regression in Django 5.1 where a new usable_password field was
included in BaseUserCreationForm (and children).
* Adjusted the deprecation warning stacklevel in Model.save() and
Model.asave() to correctly point to the offending call site
* Adjusted the deprecation warning stacklevel when using OS_OPEN_FLAGS
in FileSystemStorage to correctly point to the offending call site
* Adjusted the deprecation warning stacklevel in FieldCacheMixin.get_cache_name()
to correctly point to the offending call site
* Restored, following a regression in Django 5.1, the ability to
override the timezone and role setting behavior used within the
init_connection_state method of the PostgreSQL backend
* Fixed a bug in Django 5.1 where variable lookup errors were logged
when rendering admin fieldsets
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=178
* CVE-2024-45230: Potential denial-of-service vulnerability in
django.utils.html.urlize()
* CVE-2024-45231: Potential user email enumeration via response
status on password reset
* Fixed a regression in Django 5.1 that caused a crash of Window()
when passing an empty sequence to the order_by parameter, and a
crash of Prefetch() for a sliced queryset without ordering
* Fixed a regression in Django 5.1 where a new usable_password field
was included in BaseUserCreationForm (and children). A new
AdminUserCreationForm including this field was added, isolating
the feature to the admin where it was intended
* Adjusted the deprecation warning stacklevel in Model.save() and
Model.asave() to correctly point to the offending call site
* Adjusted the deprecation warning stacklevel when using
OS_OPEN_FLAGS in FileSystemStorage to correctly point to the
offending call site
* Adjusted the deprecation warning stacklevel in
FieldCacheMixin.get_cache_name() to correctly point to the
offending call site
* Restored, following a regression in Django 5.1, the ability to
override the timezone and role setting behavior used within the
init_connection_state method of the PostgreSQL backend
* Fixed a bug in Django 5.1 where variable lookup errors were logged
when rendering admin fieldsets
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=177
* Supports Python >= 3.10.
* Easier guardrails for authentication: the new and shiny
LoginRequiredMiddleware, when added to MIDDLEWARE, enforces
authentication for all views by default.
* A more inclusive framework: Django 5.1 includes several accessibility
enhancements, such as improved screen reader support in the admin
interface, more semantic HTML elements, and better association of
help text and labels with form fieldsets.
* The second oldest ticket fixed in this release provides the long awaited
querystring template tag, which greatly simplifies the handling of query
strings when building URLs in templates.
* For a detailed list of changes see https://docs.djangoproject.com/en/5.1/releases/5.1/
- Refreshed python-Django.keyring
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=175
* CVE-2024-41989: Memory exhaustion in
django.utils.numberformat.floatformat()
* CVE-2024-41990: Potential denial-of-service vulnerability in
django.utils.html.urlize()
* CVE-2024-41991: Potential denial-of-service vulnerability in
django.utils.html.urlize() and AdminURLFieldWidget
* CVE-2024-42005: Potential SQL injection in QuerySet.values() and
values_list()
* Added missing validation for
UniqueConstraint(nulls_distinct=False) when using *expressions
* Fixed a regression in Django 5.0 where ModelAdmin.action_checkbox
could break the admin changelist HTML page when rendering a model
instance with a __html__ method
* Fixed a crash when creating a model with a Field.db_default and a
Meta.constraints constraint composed of __endswith, __startswith,
or __contains lookups
* Fixed a regression in Django 5.0.7 that caused a crash in
LocaleMiddleware when processing a language code over 500
characters
* Fixed a bug in Django 5.0 that caused a system check crash when
ModelAdmin.date_hierarchy was a GeneratedField with an
output_field of DateField or DateTimeField
* Fixed a bug in Django 5.0 which caused constraint validation to
either crash or incorrectly raise validation errors for
constraints referring to fields using Field.db_default
* Fixed a crash in Django 5.0 when saving a model containing a
FileField with a db_default set
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=172
- Update to 5.0.7
* Supports Python >= 3.10.
* Facet counts are now shown for applied filters in the admin changelist
when toggled on via the UI. This behavior can be changed via the new
ModelAdmin.show_facets attribute.
* Django 5.0 introduces the concept of a field group, and field group
templates. This simplifies rendering of the related elements of a
Django form field such as its label, widget, help text, and errors.
* The new Field.db_default parameter sets a database-computed default value.
* The new GeneratedField allows creation of database generated columns.
This field can be used on all supported database backends to create
a field that is always computed from other fields.
* More options for declaring field choices
* Few backwards-incompatible changes in the database backend API,
django.contrib.gis and django.contrib.sitemaps
* Dropped support for MySQL < 8.0.11
* Using create_defaults__exact may now be required with QuerySet.update_or_create()
* Migrating existing UUIDField on MariaDB 10.7+
- Drop no-longer-needed patches:
* dirty-hack-remove-assert.patch
* sanitize_address.patch
OBS-URL: https://build.opensuse.org/request/show/1186489
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=167
- Add python3122.patch to fix tests with python 3.12.2
gh#django/django#17843
- Update to 4.2.10 (bsc#1219683, CVE-2024-24680):
- Django 4.2.10 fixes a security issue with severity "moderate" in
4.2.9.
CVE-2024-24680: Potential denial-of-service in intcomma template
filter. The intcomma template filter was subject to a potential
denial-of-service attack when used with very long strings.
OBS-URL: https://build.opensuse.org/request/show/1145400
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Django?expand=0&rev=113
gh#django/django#17843
- Update to 4.2.10 (bsc#1219683, CVE-2024-24680):
- Django 4.2.10 fixes a security issue with severity "moderate" in
4.2.9.
CVE-2024-24680: Potential denial-of-service in intcomma template
filter. The intcomma template filter was subject to a potential
denial-of-service attack when used with very long strings.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=158
- Update to 4.2.8
* Fixed a regression in Django 4.2 that caused makemigrations
--check to stop displaying pending migrations
* Fixed a regression in Django 4.2 that caused a crash of
QuerySet.aggregate() with aggregates referencing other aggregates
or window functions through conditional expressions
* Fixed a regression in Django 4.2 that caused a crash when
annotating a QuerySet with a Window expression composed of a
partition_by clause mixing field types and aggregation expressions
* Fixed a regression in Django 4.2 where the admin’s change list
page had misaligned pagination links and inputs when using
list_editable
* Fixed a regression in Django 4.2 where checkboxes in the admin
would be centered on narrower screen widths
* Fixed a regression in Django 4.2 that caused a crash of querysets
with aggregations on MariaDB when the ONLY_FULL_GROUP_BY SQL mode
was enabled
* Fixed a regression in Django 4.2 where the admin’s read-only
password widget and some help texts were incorrectly aligned at
tablet widths
* Fixed a regression in Django 4.2 that caused a migration crash on
SQLite when altering unsupported Meta.db_table_comment
OBS-URL: https://build.opensuse.org/request/show/1130704
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=153
- add dirty-hack-remove-assert.patch from fedora to fix
minor test failure with python 3.12
- Update to 4.2.5 (CVE-2023-41164)
- Update minimal dependency versions.
+ Fixed a long standing bug in the __len lookup for ArrayField
constraints on expressions and database functions.
customization.
read the egg-info and fail if they are not fulfilled.
+ New decorators for the admin site
* CVE-2020-24584: Permission escalation in intermediate-level directories of the file
* Fixed a data loss possibility in the select_for_update(). When using related fields
* Fixed a regression in Django 3.1 that caused permission errors in CommonPasswordValidator
* Added compatibility for cx_Oracle 8
* many other bugfixes
- Update to 3.0.5
* Fixed a regression in Django 2.0 where combining Q objects with __in lookups
with FileExistsError if concurrent saves try to create the same directory
* Made admin’s RelatedFieldWidgetWrapper use the wrapped widget’s
value_omitted_from_data() method (#27905)
* Fixed ClearableFileInput’s “Clear” checkbox on model form fields where the
model field has a default
* Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing rather than
* Fixed a crash on Oracle and PostgreSQL when subtracting DurationField or
IntegerField from DateField
* Fixed query expression date subtraction accuracy on PostgreSQL for differences
* Fixed a GDALException raised by GDALClose on GDAL >= 2.0
* Quoted the Oracle test user’s password in queries to fix the “ORA-00922: missing
or invalid option” error when the password starts with a number or
with SLE-12 which provides PIL instead of Pillow.
OBS-URL: https://build.opensuse.org/request/show/1129117
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=151
- Update to 4.2.6 (bsc#1215978, CVE-2023-43665)
* CVE-2023-43665: Denial-of-service possibility in
django.utils.text.Truncator
The input processed by Truncator, when operating in HTML mode, has
been limited to the first five million characters in order to
avoid potential performance and memory issues.
* Fixed a regression in Django 4.2.5 where overriding the deprecated
DEFAULT_FILE_STORAGE and STATICFILES_STORAGE settings in tests
caused the main STORAGES to mutate (#34821).
* Fixed a regression in Django 4.2 that caused unnecessary casting
of string based fields (CharField, EmailField, TextField,
CICharField, CIEmailField, and CITextField) used with the __isnull
lookup on PostgreSQL. As a consequence, indexes using an __isnull
expression or condition created before Django 4.2 wouldn’t be used
by the query planner, leading to a performance regression
(#34840).
OBS-URL: https://build.opensuse.org/request/show/1117946
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Django?expand=0&rev=108
* CVE-2023-43665: Denial-of-service possibility in
django.utils.text.Truncator
The input processed by Truncator, when operating in HTML mode, has
been limited to the first five million characters in order to
avoid potential performance and memory issues.
* Fixed a regression in Django 4.2.5 where overriding the deprecated
DEFAULT_FILE_STORAGE and STATICFILES_STORAGE settings in tests
caused the main STORAGES to mutate (#34821).
* Fixed a regression in Django 4.2 that caused unnecessary casting
of string based fields (CharField, EmailField, TextField,
CICharField, CIEmailField, and CITextField) used with the __isnull
lookup on PostgreSQL. As a consequence, indexes using an __isnull
expression or condition created before Django 4.2 wouldn’t be used
by the query planner, leading to a performance regression
(#34840).
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=147
- Update to 4.2.5 (CVE-2023-41164)
+ Bugfixes
* Fixed a regression in Django 4.2 that caused an incorrect
validation of CheckConstraints on __isnull lookups against
JSONField
* Fixed a bug in Django 4.2 where the deprecated
DEFAULT_FILE_STORAGE and STATICFILES_STORAGE settings were not
synced with STORAGES
* Fixed a regression in Django 4.2.2 that caused an unnecessary
selection of a non-nullable ManyToManyField without a natural
key during serialization
* Fixed a regression in Django 4.2 that caused a crash of a
queryset when filtering against deeply nested OuterRef()
annotations
OBS-URL: https://build.opensuse.org/request/show/1108899
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=145
- Update to 4.2.3 (bsc#1212742, CVE-2023-36053)
+ CVE-2023-36053: Potential regular expression denial of service
vulnerability in EmailValidator/URLValidator
+ Bugfixes
* Fixed a regression in Django 4.2 that caused incorrect alignment
of timezone warnings for DateField and TimeField in the admin
* Fixed a regression in Django 4.2 that caused incorrect
highlighting of rows in the admin changelist view when
ModelAdmin.list_editable contained a BooleanField
OBS-URL: https://build.opensuse.org/request/show/1097909
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=139