- Update to 4.2.1
+ CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field
+ Bugfixes
* Fixed a regression in Django 4.2 that caused a crash of
QuerySet.defer() when deferring fields by attribute names
* Fixed a regression in Django 4.2 that caused a crash of
SearchVector function with % characters
* Fixed a regression in Django 4.2 that caused aggregation over a
query that uses explicit grouping to group against the wrong
columns
* Reallowed, following a regression in Django 4.2, setting the
"cursor_factory" option in OPTIONS on PostgreSQL
* Enforced UTF-8 client encoding on PostgreSQL, following a
regression in Django 4.2
* Fixed a regression in Django 4.2 where i18n_patterns() didn’t
respect the prefix_default_language argument when a fallback
language of the default language was used
* Fixed a regression in Django 4.2 where translated URLs of the
default language from i18n_patterns() with
prefix_default_language set to False raised 404 errors for a
request with a different language
* Fixed a regression in Django 4.2 where creating copies and deep
copies of HttpRequest, HttpResponse, and their subclasses didn’t
always work correctly
* Fixed a regression in Django 4.2 where timesince and timeuntil
template filters returned incorrect results for a datetime with
a non-UTC timezone when a time difference is less than 1 day
* Fixed a regression in Django 4.2 that caused a crash of
SearchHeadline function with psycopg 3
* Fixed a regression in Django 4.2 that caused incorrect
ClearableFileInput margins in the admin
* Fixed a regression in Django 4.2 where breadcrumbs didn’t appear
on admin site app index views
* Made squashing migrations reduce AddIndex, RemoveIndex,
RenameIndex, and CreateModel operations which allows removing a
deprecated Meta.index_together option from historical migrations
and using Meta.indexes instead
OBS-URL: https://build.opensuse.org/request/show/1084538
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=133
- Update to 4.1.4
+ Fixed a regression in Django 4.1 that caused an unnecessary table
rebuild when adding a ManyToManyField on SQLite
+ Fixed a bug in Django 4.1 that caused a crash of the sitemap index
view with an empty Sitemap.items() and a callable lastmod
+ Fixed a bug in Django 4.1 that caused a crash using acreate(),
aget_or_create(), and aupdate_or_create() asynchronous methods of
related managers
+ Fixed a bug in Django 4.1 that caused a crash of
QuerySet.bulk_create() with "pk" in unique_fields
+ Fixed a bug in Django 4.1 that caused a crash of
QuerySet.bulk_create() on fields with db_column
OBS-URL: https://build.opensuse.org/request/show/1040693
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=119
- Update to 4.1.2 (bsc#1203793, CVE-2022-41323)
+ Fixed a regression in Django 4.1 that caused a migration crash on
PostgreSQL when adding a model with ExclusionConstraint
+ Fixed a regression in Django 4.1 that caused aggregation over a
queryset that contained an Exists annotation to crash due to too
many selected columns
+ Fixed a bug in Django 4.1 that caused an incorrect validation of
CheckConstraint on NULL values
+ Fixed a regression in Django 4.1 that caused a
QuerySet.values()/values_list() crash on ArrayAgg() and JSONBAgg()
+ Fixed a bug in Django 4.1 that caused
ModelAdmin.autocomplete_fields to be incorrectly selected after
adding/changing related instances via popups
+ Fixed a regression in Django 4.1 where the app registry was not
populated when running parallel tests with the multiprocessing
start method spawn
+ Fixed a regression in Django 4.1 where the --debug-mode argument
to test did not work when running parallel tests with the
multiprocessing start method spawn
+ Fixed a regression in Django 4.1 that didn’t alter a sequence type
when altering type of pre-Django 4.1 serial columns on PostgreSQL
+ Fixed a regression in Django 4.1 that caused a crash for View
subclasses with asynchronous handlers when handling non-allowed
HTTP methods
+ Reverted caching related managers for ForeignKey, ManyToManyField,
and GenericRelation that caused the incorrect refreshing of
related objects
+ Relaxed the system check added in Django 4.1 for the same name
used for multiple template tag modules to a warning
OBS-URL: https://build.opensuse.org/request/show/1007838
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=115
- Update to 4.1.1
+ Reallowed, following a regression in Django 4.1, using GeoIP2()
when GEOS is not installed
+ Fixed a regression in Django 4.1 that caused a crash of admin’s
autocomplete widgets when translations are deactivated
+ Fixed a regression in Django 4.1 that caused a crash of the test
management command when running in parallel and multiprocessing
start method is spawn
+ Fixed a regression in Django 4.1 that caused an incorrect
redirection to the admin changelist view when using "Save and
continue editing" and "Save and add another" options
+ Fixed a regression in Django 4.1 that caused a crash of Window
expressions with ArrayAgg
+ Fixed a regression in Django 4.1 that caused a migration crash on
SQLite 3.35.5+ when removing an indexed field
+ Fixed a bug in Django 4.1 that caused a crash of model validation
on UniqueConstraint() with field names in expressions
+ Fixed a bug in Django 4.1 that caused an incorrect validation of
CheckConstraint() with range fields on PostgreSQL
+ Fixed a regression in Django 4.1 that caused an incorrect
migration when adding AutoField, BigAutoField, or SmallAutoField
on PostgreSQL
+ Fixed a regression in Django 4.1 that caused a migration crash on
PostgreSQL when altering AutoField, BigAutoField, or
SmallAutoField to OneToOneField
+ Fixed a migration crash on ManyToManyField fields with through
referencing models in different apps
+ Fixed a regression in Django 4.1 that caused an incorrect
migration when renaming a model with ManyToManyField and db_table
+ Reallowed, following a regression in Django 4.1, creating reverse
OBS-URL: https://build.opensuse.org/request/show/1001261
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=113
- Update to 4.0.2 (CVE-2022-22818, bsc#1195086) (CVE-2022-23833, bsc#1195088)
+ CVE-2022-22818: Possible XSS via {% debug %} template tag
+ CVE-2022-23833: Denial-of-service possibility in file uploads
+ Fixed a bug in Django 4.0 where
TestCase.captureOnCommitCallbacks() could execute callbacks
multiple times
+ Fixed a regression in Django 4.0 where help_text was HTML-escaped
in automatically-generated forms
+ Fixed a regression in Django 4.0 that caused displaying an
incorrect name for class-based views on the technical 404 debug
page
+ Fixed a regression in Django 4.0 that caused an incorrect repr of
ResolverMatch for class-based views
+ Fixed a regression in Django 4.0 that caused a crash of
makemigrations on models without Meta.order_with_respect_to but
with a field named _order
+ Fixed a regression in Django 4.0 that caused incorrect
ModelAdmin.radio_fields layout in the admin
+ Fixed a duplicate operation regression in Django 4.0 that caused a
migration crash when altering a primary key type for a concrete
parent model referenced by a foreign key
+ Fixed a bug in Django 4.0 that caused a crash of
QuerySet.aggregate() after annotate() on an aggregate function
with a default
+ Fixed a regression in Django 4.0 that caused a crash of
makemigrations when renaming a field of a renamed model
OBS-URL: https://build.opensuse.org/request/show/950390
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=101
- Update to 4.0.1 (CVE-2021-45115, CVE-2021-45452, bsc#1194117)
+ CVE-2021-45115: Denial-of-service possibility in
UserAttributeSimilarityValidator
+ CVE-2021-45452: Potential directory-traversal via Storage.save()
+ Fixed a regression in Django 4.0 that caused a crash of
assertFormsetError() on a formset named form
+ Fixed a bug in Django 4.0 that caused a crash on booleans with the
RedisCache backend
+ Relaxed the check added in Django 4.0 to reallow use of a
duck-typed HttpRequest in
django.views.decorators.cache.cache_control() and never_cache()
decorators
+ Fixed a regression in Django 4.0 that caused creating bogus
migrations for models that reference swappable models such as
auth.User
+ Fixed a long standing bug in Geometry Collections and Polygon that
caused a crash on some platforms (reported on macOS based on the
ARM64 architecture)
OBS-URL: https://build.opensuse.org/request/show/945252
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=99
- Update to 3.2.5 (CVE-2021-35042, bsc#1187785)
+ Fixed a regression in Django 3.2 that caused a crash of
QuerySet.values_list(..., named=True) after prefetch_related()
+ Fixed a bug in Django 3.2 that caused a migration crash on MySQL
8.0.13+ when altering BinaryField, JSONField, or TextField to
non-nullable
+ Fixed a regression in Django 3.2 that caused a migration crash on
MySQL 8.0.13+ when adding nullable BinaryField, JSONField, or
TextField with a default value
+ Fixed a bug in Django 3.2 where a system check would crash on a
model with an invalid app_label
OBS-URL: https://build.opensuse.org/request/show/903353
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=88
- Update to 3.2.4 (CVE-2021-33203, CVE-2021-33571)
+ CVE-2021-33203: Potential directory traversal via admindocs
+ CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
since validators accepted leading zeros in IPv4 addresses
+ Fixed a bug in Django 3.2 where a final catch-all view in the
admin didn’t respect the server-provided value of SCRIPT_NAME when
redirecting unauthenticated users to the login page
+ Fixed a bug in Django 3.2 where a system check would crash on an
abstract model
+ Prevented unnecessary initialization of unused caches following a
regression in Django 3.2
+ Fixed a crash in Django 3.2 that could occur when running mod_wsgi
with the recommended settings while the Windows colorama library
was installed
+ Fixed a bug in Django 3.2 that would trigger the auto-reloader for
template changes when directory paths were specified with strings
+ Fixed a regression in Django 3.2 that caused a crash of
auto-reloader with AttributeError, e.g. inside a Conda environment
+ Fixed a regression in Django 3.2 that caused a loss of precision
for operations with DecimalField on MySQL
OBS-URL: https://build.opensuse.org/request/show/896895
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=86
- Update to 3.2.1 (CVE-2021-31542)
+ CVE-2021-31542: Potential directory-traversal via uploaded files
+ Corrected detection of GDAL 3.2 on Windows
+ Fixed a bug in Django 3.2 where subclasses of BigAutoField and
SmallAutoField were not allowed for the DEFAULT_AUTO_FIELD setting
+ Fixed a regression in Django 3.2 that caused a crash of
QuerySet.values()/values_list() after QuerySet.union(),
intersection(), and difference() when it was ordered by an
unannotated field
+ Restored, following a regression in Django 3.2, displaying an
exception message on the technical 404 debug page
+ Fixed a bug in Django 3.2 where a system check would crash on
reverse one-to-one relationships in CheckConstraint.check or
UniqueConstraint.condition
+ Fixed a regression in Django 3.2 that caused a crash of
ModelAdmin.search_fields when searching against phrases with
unbalanced quotes
+ Fixed a bug in Django 3.2 where variable lookup errors were logged
rendering the sitemap template if alternates were not defined
+ Fixed a regression in Django 3.2 that caused a crash when
combining Q() objects which contain boolean expressions
+ Fixed a regression in Django 3.2 that caused a crash of
QuerySet.update() on a queryset ordered by inherited or joined
fields on MySQL and MariaDB
+ Fixed a regression in Django 3.2 that caused a crash when decoding
a cookie value, used by
django.contrib.messages.storage.cookie.CookieStorage, in the
pre-Django 3.2 format
+ Fixed a regression in Django 3.2 that stopped the shift-key
modifier selecting multiple rows in the admin changelist
+ Fixed a bug in Django 3.2 where a system check would crash on the
STATICFILES_DIRS setting with a list of 2-tuples of (prefix, path)
+ Fixed a long standing bug involving queryset bitwise combination
when used with subqueries that began manifesting in Django 3.2,
due to a separate fix using Exists to exclude() multi-valued
relationships
+ Fixed a bug in Django 3.2 where variable lookup errors were logged
when rendering some admin templates
+ Fixed a bug in Django 3.2 where an admin changelist would crash
when deleting objects filtered against multi-valued relationships
+ Fixed a regression in Django 3.2 where the calling process
environment would not be passed to the dbshell command on PostgreSQL
+ Fixed a performance regression in Django 3.2 when building complex
filters with subqueries
OBS-URL: https://build.opensuse.org/request/show/890638
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=80
* Fixed setting the Content-Length HTTP header in AsyncRequestFactory
* Fixed passing extra HTTP headers to AsyncRequestFactory request methods
* Fixed crash of key transforms for JSONField on PostgreSQL when using
on a Subquery() annotation
* Fixed a regression in Django 3.1 that caused the incorrect grouping
by a Q object annotation
* Fixed a regression in Django 3.1 that caused suppressing connection errors
when JSONField is used on SQLite
* Fixed a crash on SQLite, when QuerySet.values()/values_list() contained
key transforms for JSONField returning non-string primitive values
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=74
* Fixed a regression in Django 3.1.2 that caused the incorrect height of the admin
changelist search bar
* Fixed a regression in Django 3.1.2 that caused the incorrect width of the
admin changelist search bar on a filtered page
* Fixed displaying Unicode characters in forms.JSONField and read-only
models.JSONField values in the admin
* Fixed a regression in Django 3.1 that caused a crash of ArrayAgg and StringAgg
with ordering on key transforms for JSONField
* Fixed a regression in Django 3.1 that caused a crash of __in lookup when using
key transforms for JSONField in the lookup value
* Fixed a regression in Django 3.1 that caused a crash of ExpressionWrapper with
key transforms for JSONField
* Fixed a regression in Django 3.1 that caused a migrations crash on PostgreSQL
when adding an ExclusionConstraint with key transforms for JSONField in expressions
* Fixed a regression in Django 3.1 where ProtectedError.protected_objects
and RestrictedError.restricted_objects attributes returned iterators instead
of set of objects
* Fixed a regression in Django 3.1.2 that caused incorrect form input layout
on small screens in the admin change form view
* Fixed a regression in Django 3.1 that invalidated pre-Django 3.1 password reset tokens
* Added support for asgiref 3.3
* Fixed a regression in Django 3.1 that caused incorrect textarea layout
on medium-sized screens in the admin change form view with the sidebar open
* Fixed a regression in Django 3.0.7 that didn’t use Subquery() aliases
in the GROUP BY clause
* Fixed a bug in Django 3.1 where FileField instances with a callable storage were
not correctly deconstructed
* Fixed a regression in Django 3.1 where the QuerySet.ordered attribute returned
incorrectly True for GROUP BY queries (e.g. .annotate().values()) on models with
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=72
- Update to 3.1.1
* CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
* CVE-2020-24584: Permission escalation in intermediate-level directories of the file
system cache on Python 3.7+
* Fixed a data loss possibility in the select_for_update(). When using related fields
pointing to a proxy model in the of argument, the corresponding model was not locked
* Fixed a regression in Django 3.1 that caused a crash when decoding an invalid session data
* Fixed __in lookup on key transforms for JSONField with MariaDB, MySQL, Oracle, and SQLite
* Fixed a regression in Django 3.1 that caused permission errors in CommonPasswordValidator
and settings.py
OBS-URL: https://build.opensuse.org/request/show/833246
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=70
* Fixed messages of InvalidCacheKey exceptions and CacheKeyWarning warnings
raised by cache key validation
* Fixed a regression in Django 3.0.7 that caused a queryset crash
when grouping by a many-to-one relationship
* Reallowed, following a regression in Django 3.0, non-expressions having
a filterable attribute to be used as the right-hand side in queryset filters
* Fixed a regression in Django 3.0.2 that caused a migration crash
on PostgreSQL when adding a foreign key to a model with a namespaced db_table
* Added compatibility for cx_Oracle 8
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=64