- Update to 4.0.1 (CVE-2021-45115, CVE-2021-45452, bsc#1194117)
+ CVE-2021-45115: Denial-of-service possibility in
UserAttributeSimilarityValidator
+ CVE-2021-45452: Potential directory-traversal via Storage.save()
+ Fixed a regression in Django 4.0 that caused a crash of
assertFormsetError() on a formset named form
+ Fixed a bug in Django 4.0 that caused a crash on booleans with the
RedisCache backend
+ Relaxed the check added in Django 4.0 to reallow use of a
duck-typed HttpRequest in
django.views.decorators.cache.cache_control() and never_cache()
decorators
+ Fixed a regression in Django 4.0 that caused creating bogus
migrations for models that reference swappable models such as
auth.User
+ Fixed a long standing bug in Geometry Collections and Polygon that
caused a crash on some platforms (reported on macOS based on the
ARM64 architecture)
OBS-URL: https://build.opensuse.org/request/show/945252
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=99
- Update to 3.2.5 (CVE-2021-35042, bsc#1187785)
+ Fixed a regression in Django 3.2 that caused a crash of
QuerySet.values_list(..., named=True) after prefetch_related()
+ Fixed a bug in Django 3.2 that caused a migration crash on MySQL
8.0.13+ when altering BinaryField, JSONField, or TextField to
non-nullable
+ Fixed a regression in Django 3.2 that caused a migration crash on
MySQL 8.0.13+ when adding nullable BinaryField, JSONField, or
TextField with a default value
+ Fixed a bug in Django 3.2 where a system check would crash on a
model with an invalid app_label
OBS-URL: https://build.opensuse.org/request/show/903353
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=88
- Update to 3.2.4 (CVE-2021-33203, CVE-2021-33571)
+ CVE-2021-33203: Potential directory traversal via admindocs
+ CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
since validators accepted leading zeros in IPv4 addresses
+ Fixed a bug in Django 3.2 where a final catch-all view in the
admin didn’t respect the server-provided value of SCRIPT_NAME when
redirecting unauthenticated users to the login page
+ Fixed a bug in Django 3.2 where a system check would crash on an
abstract model
+ Prevented unnecessary initialization of unused caches following a
regression in Django 3.2
+ Fixed a crash in Django 3.2 that could occur when running mod_wsgi
with the recommended settings while the Windows colorama library
was installed
+ Fixed a bug in Django 3.2 that would trigger the auto-reloader for
template changes when directory paths were specified with strings
+ Fixed a regression in Django 3.2 that caused a crash of
auto-reloader with AttributeError, e.g. inside a Conda environment
+ Fixed a regression in Django 3.2 that caused a loss of precision
for operations with DecimalField on MySQL
OBS-URL: https://build.opensuse.org/request/show/896895
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=86
- Update to 3.2.1 (CVE-2021-31542)
+ CVE-2021-31542: Potential directory-traversal via uploaded files
+ Corrected detection of GDAL 3.2 on Windows
+ Fixed a bug in Django 3.2 where subclasses of BigAutoField and
SmallAutoField were not allowed for the DEFAULT_AUTO_FIELD setting
+ Fixed a regression in Django 3.2 that caused a crash of
QuerySet.values()/values_list() after QuerySet.union(),
intersection(), and difference() when it was ordered by an
unannotated field
+ Restored, following a regression in Django 3.2, displaying an
exception message on the technical 404 debug page
+ Fixed a bug in Django 3.2 where a system check would crash on a
reverse one-to-one relationships in CheckConstraint.check or
UniqueConstraint.condition
+ Fixed a regression in Django 3.2 that caused a crash of
ModelAdmin.search_fields when searching against phrases with
unbalanced quotes
+ Fixed a bug in Django 3.2 where variable lookup errors were logged
rendering the sitemap template if alternates were not defined
+ Fixed a regression in Django 3.2 that caused a crash when
combining Q() objects which contains boolean expressions
+ Fixed a regression in Django 3.2 that caused a crash of
QuerySet.update() on a queryset ordered by inherited or joined
fields on MySQL and MariaDB
+ Fixed a regression in Django 3.2 that caused a crash when decoding
a cookie value, used by
django.contrib.messages.storage.cookie.CookieStorage, in the
pre-Django 3.2 format
+ Fixed a regression in Django 3.2 that stopped the shift-key
modifier selecting multiple rows in the admin changelist
+ Fixed a bug in Django 3.2 where a system check would crash on the
STATICFILES_DIRS setting with a list of 2-tuples of (prefix, path)
+ Fixed a long standing bug involving queryset bitwise combination
when used with subqueries that began manifesting in Django 3.2,
due to a separate fix using Exists to exclude() multi-valued
relationships
+ Fixed a bug in Django 3.2 where variable lookup errors were logged
when rendering some admin templates
+ Fixed a bug in Django 3.2 where an admin changelist would crash
when deleting objects filtered against multi-valued relationships
+ Fixed a regression in Django 3.2 where the calling process
environment would not be passed to the dbshell command on PostgreSQL
+ Fixed a performance regression in Django 3.2 when building complex
filters with subqueries
OBS-URL: https://build.opensuse.org/request/show/890638
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=80
* Fixed setting the Content-Length HTTP header in AsyncRequestFactory
* Fixed passing extra HTTP headers to AsyncRequestFactory request methods
* Fixed crash of key transforms for JSONField on PostgreSQL when usingi
on a Subquery() annotation
* Fixed a regression in Django 3.1 that caused the incorrect grouping
by a Q object annotation
* Fixed a regression in Django 3.1 that caused suppressing connection errors
when JSONField is used on SQLite
* Fixed a crash on SQLite, when QuerySet.values()/values_list() contained
key transforms for JSONField returning non-string primitive values
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=74
* Fixed a regression in Django 3.1.2 that caused the incorrect height of the admin
changelist search bar
* Fixed a regression in Django 3.1.2 that caused the incorrect width of the
admin changelist search bar on a filtered page
* Fixed displaying Unicode characters in forms.JSONField and read-only
models.JSONField values in the admin
* Fixed a regression in Django 3.1 that caused a crash of ArrayAgg and StringAgg
with ordering on key transforms for JSONField
* Fixed a regression in Django 3.1 that caused a crash of __in lookup when using
key transforms for JSONField in the lookup value
* Fixed a regression in Django 3.1 that caused a crash of ExpressionWrapper with
key transforms for JSONField
* Fixed a regression in Django 3.1 that caused a migrations crash on PostgreSQL
when adding an ExclusionConstraint with key transforms for JSONField in expressions
* Fixed a regression in Django 3.1 where ProtectedError.protected_objects
and RestrictedError.restricted_objects attributes returned iterators instead
of set of objects
* Fixed a regression in Django 3.1.2 that caused incorrect form input layout
on small screens in the admin change form view
* Fixed a regression in Django 3.1 that invalidated pre-Django 3.1 password reset tokens
* Added support for asgiref 3.3
* Fixed a regression in Django 3.1 that caused incorrect textarea layout
on medium-sized screens in the admin change form view with the sidebar open
* Fixed a regression in Django 3.0.7 that didn’t use Subquery() aliases
in the GROUP BY clause
* Fixed a bug in Django 3.1 where FileField instances with a callable storage were
not correctly deconstructed
* Fixed a regression in Django 3.1 where the QuerySet.ordered attribute returned
incorrectly True for GROUP BY queries (e.g. .annotate().values()) on models with
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=72
- Update to 3.1.1
* CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
* CVE-2020-24584: Permission escalation in intermediate-level directories of the file
system cache on Python 3.7+
* Fixed a data loss possibility in the select_for_update(). When using related fields
pointing to a proxy model in the of argument, the corresponding model was not locked
* Fixed a regression in Django 3.1 that caused a crash when decoding an invalid session data
* Fixed __in lookup on key transforms for JSONField with MariaDB, MySQL, Oracle, and SQLite
* Fixed a regression in Django 3.1 that caused permission errors in CommonPasswordValidator
and settings.py
OBS-URL: https://build.opensuse.org/request/show/833246
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=70
* Fixed messages of InvalidCacheKey exceptions and CacheKeyWarning warnings
raised by cache key validation
* Fixed a regression in Django 3.0.7 that caused a queryset crash
when grouping by a many-to-one relationship
* Reallowed, following a regression in Django 3.0, non-expressions having
a filterable attribute to be used as the right-hand side in queryset filters
* Fixed a regression in Django 3.0.2 that caused a migration crash
on PostgreSQL when adding a foreign key to a model with a namespaced db_table
* Added compatibility for cx_Oracle 8
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=64
- Update to 2.2.8
* CVE-2019-19118: Privilege escalation in the Django admin (boo#1157705)
* Fixed a data loss possibility in the admin changelist view when a
custom formset’s prefix contains regular expression special
characters, e.g. '$'
* Fixed a regression in Django 2.2.1 that caused a crash when
migrating permissions for proxy models with a multiple database
setup if the default entry was empty
* Fixed a data loss possibility in the select_for_update(). When
using 'self' in the of argument with multi-table inheritance, a
parent model was locked instead of the queryset’s model
- Add patch fix-selenium-test.patch to fix a test when selenium is
missing
OBS-URL: https://build.opensuse.org/request/show/752866
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=45
* Fixed a crash when using a contains, contained_by, has_key, has_keys, or has_any_keys lookup on JSONField, if the right or left hand side of an expression is a key transform (#30826).
* Prevented migrate --plan from showing that RunPython operations are irreversible when reverse_code callables don’t have docstrings or when showing a forward migration plan (#30870).
* Fixed migrations crash on PostgreSQL when adding an Index with fields ordering and opclasses (#30903).
* Restored the ability to override get_FOO_display() (#30931).
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=43
* Relaxed the system check added in Django 2.2 for models to reallow use of the same db_table by multiple models when database routers are installed (#30673).
* Fixed crash of KeyTransform() for JSONField and HStoreField when using on expressions with params (#30672).
* Fixed a regression in Django 2.2 where ModelAdmin.list_filter choices to foreign objects don’t respect a model’s Meta.ordering (#30449).
* Fixed a race condition in loading URLconf module that could cause a crash of auto-reloader on Python 3.5 and below (#30500).
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=38
* CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
* Fixed a regression in Django 2.2 when ordering a QuerySet.union(), intersection(), or difference() by a field type present more than once results in the wrong ordering being used (#30628).
* Fixed a migration crash on PostgreSQL when adding a check constraint with a contains lookup on DateRangeField or DateTimeRangeField, if the right hand side of an expression is the same type (#30621).
* Fixed a regression in Django 2.2 where auto-reloader crashes if a file path contains nulls characters ('\x00') (#30506).
* Fixed a regression in Django 2.2 where auto-reloader crashes if a translation directory cannot be resolved (#30647).
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=35
- Update to 2.2.1
* Fixed a regression in Django 2.1 that caused the incorrect quoting
of database user password when using dbshell on Oracle (#30307).
* Added compatibility for psycopg2 2.8 (#30331).
* Fixed a regression in Django 2.2 that caused a crash when loading
the template for the technical 500 debug page (#30324).
* Fixed crash of ordering argument in ArrayAgg and StringAgg when it
contains an expression with params (#30332).
* Fixed a regression in Django 2.2 that caused a single instance
fast-delete to not set the primary key to None (#30330).
* Prevented makemigrations from generating infinite migrations for
check constraints and partial indexes when condition contains a
range object (#30350). Reverted an optimization in Django 2.2
(#29725) that caused the inconsistent behavior of count() and
exists() on a reverse many-to-many relationship with a custom
manager (#30325).
* Fixed a regression in Django 2.2 where Paginator crashes if
object_list is a queryset ordered or aggregated over a nested
JSONField key transform (#30335).
* Fixed a regression in Django 2.2 where IntegerField validation of
database limits crashes if limit_value attribute in a custom
validator is callable (#30328).
* Fixed a regression in Django 2.2 where SearchVector generates SQL
that is not indexable (#30385).
* Fixed a regression in Django 2.2 that caused an exception to be
raised when a custom error handler could not be imported (#30318).
* Relaxed the system check added in Django 2.2 for the admin app’s
dependencies to reallow use of SessionMiddleware subclasses,
rather than requiring django.contrib.sessions to be in
INSTALLED_APPS (#30312).
OBS-URL: https://build.opensuse.org/request/show/701120
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=28
* Corrected packaging error from 2.1.6
* Memory exhaustion in django.utils.numberformat.format()
If django.utils.numberformat.format() – used by contrib.admin as well
as the the floatformat, filesizeformat, and intcomma templates
filters – received a Decimal with a large number of digits or a
large exponent, it could lead to significant memory usage
due to a call to '{:f}'.format().
To avoid this, decimals with more than 200 digits are now formatted
using scientific notation.
* Made the obj argument of InlineModelAdmin.has_add_permission() optional
to restore backwards compatibility with third-party code that doesn’t
provide it
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=20
* CVE-2019-3498: Content spoofing possibility in the default 404 page
* Fixed compatibility with mysqlclient 1.3.14 (#30013).
* Fixed a schema corruption issue on SQLite 3.26+. You might have to drop
and rebuild your SQLite database if you applied a migration while using
an older version of Django with SQLite 3.26 or later (#29182).
* Prevented SQLite schema alterations while foreign key checks are enabled
to avoid the possibility of schema corruption (#30023).
* Fixed a regression in Django 2.1.4 (which enabled keep-alive connections)
where request body data isn’t properly consumed for such
connections (#30015).
* Fixed a regression in Django 2.1.4 where
InlineModelAdmin.has_change_permission() is incorrectly called with
a non-None obj argument during an object add (#30050).
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=18
- Update to version 2.1.4
* Corrected the default password list that CommonPasswordValidator uses
by lowercasing all passwords to match the format expected by the validator
* Prevented repetitive calls to geos_version_tuple() in the WKBWriter class in
an attempt to fix a random crash involving LooseVersion
* Fixed keep-alive support in runserver after it was disabled o 2.0
* Fixed admin view-only change form crash when using ModelAdmin.prepopulated_fields
* Fixed “Please correct the errors below” error message when editing an object
in the admin if the user only has the “view” permission on inlines
* Fixed a regression in Django 2.0 where combining Q objects with __in lookups
and lists crashed
* Fixed a regression in Django 2.0 where test databases aren’t reused
with manage.py test --keepdb on MySQL
* Fixed a regression where cached foreign keys that use to_field were
incorrectly cleared in Model.save()
* Fixed a regression in Django 2.0 where FileSystemStorage crashes
with FileExistsError if concurrent saves try to create the same directory
OBS-URL: https://build.opensuse.org/request/show/656841
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=16
