- Add dirty-hack-remove-assert.patch from Fedora to fix
minor test failure with Python 3.12
- Update to 4.2.5 (CVE-2023-41164)
- Update minimal dependency versions.
+ Fixed a long standing bug in the __len lookup for ArrayField
constraints on expressions and database functions.
customization.
read the egg-info and fail if they are not fulfilled.
+ New decorators for the admin site
* CVE-2020-24584: Permission escalation in intermediate-level directories of the file
* Fixed a data loss possibility in the select_for_update(). When using related fields
* Fixed a regression in Django 3.1 that caused permission errors in CommonPasswordValidator
* Added compatibility for cx_Oracle 8
* many other bugfixes
- Update to 3.0.5
* Fixed a regression in Django 2.0 where combining Q objects with __in lookups
with FileExistsError if concurrent saves try to create the same directory
* Made admin’s RelatedFieldWidgetWrapper use the wrapped widget’s
value_omitted_from_data() method (#27905)
* Fixed ClearableFileInput’s “Clear” checkbox on model form fields where the
model field has a default
* Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing rather than
* Fixed a crash on Oracle and PostgreSQL when subtracting DurationField or
IntegerField from DateField
* Fixed query expression date subtraction accuracy on PostgreSQL for differences
* Fixed a GDALException raised by GDALClose on GDAL >= 2.0
* Quoted the Oracle test user’s password in queries to fix the “ORA-00922: missing
or invalid option” error when the password starts with a number or
with SLE-12 which provides PIL instead of Pillow.
OBS-URL: https://build.opensuse.org/request/show/1129117
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=151
* CVE-2023-43665: Denial-of-service possibility in
django.utils.text.Truncator
The input processed by Truncator, when operating in HTML mode, has
been limited to the first five million characters in order to
avoid potential performance and memory issues.
* Fixed a regression in Django 4.2.5 where overriding the deprecated
DEFAULT_FILE_STORAGE and STATICFILES_STORAGE settings in tests
caused the main STORAGES to mutate (#34821).
* Fixed a regression in Django 4.2 that caused unnecessary casting
of string based fields (CharField, EmailField, TextField,
CICharField, CIEmailField, and CITextField) used with the __isnull
lookup on PostgreSQL. As a consequence, indexes using an __isnull
expression or condition created before Django 4.2 wouldn’t be used
by the query planner, leading to a performance regression
(#34840).
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=147
- Update to 4.2.5 (CVE-2023-41164)
+ Bugfixes
* Fixed a regression in Django 4.2 that caused an incorrect
validation of CheckConstraints on __isnull lookups against
JSONField
* Fixed a bug in Django 4.2 where the deprecated
DEFAULT_FILE_STORAGE and STATICFILES_STORAGE settings were not
synced with STORAGES
* Fixed a regression in Django 4.2.2 that caused an unnecessary
selection of a non-nullable ManyToManyField without a natural
key during serialization
* Fixed a regression in Django 4.2 that caused a crash of a
queryset when filtering against deeply nested OuterRef()
annotations
OBS-URL: https://build.opensuse.org/request/show/1108899
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=145
- Update to 4.2.3 (bsc#1212742, CVE-2023-36053)
+ CVE-2023-36053: Potential regular expression denial of service
vulnerability in EmailValidator/URLValidator
+ Bugfixes
* Fixed a regression in Django 4.2 that caused incorrect alignment
of timezone warnings for DateField and TimeField in the admin
* Fixed a regression in Django 4.2 that caused incorrect
highlighting of rows in the admin changelist view when
ModelAdmin.list_editable contained a BooleanField
OBS-URL: https://build.opensuse.org/request/show/1097909
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=139
- Update to 4.2.2
+ Bugfixes
* Fixed a regression in Django 4.2 that caused an unnecessary
DBMS_LOB.SUBSTR() wrapping in the __isnull and __exact=None
lookups for TextField()/BinaryField() on Oracle
* Restored, following a regression in Django 4.2, get_prep_value()
call in JSONField subclasses
* Fixed a regression in Django 4.2 that caused a crash of
QuerySet.defer() when passing a ManyToManyField or
GenericForeignKey reference. While doing so is a no-op, it was
allowed in older versions
* Fixed a regression in Django 4.2 that caused a crash of
QuerySet.only() when passing a reverse OneToOneField reference
* Fixed a bug in Django 4.2 where makemigrations --update didn’t
respect the --name option
* Fixed a performance regression in Django 4.2 when compiling
queries without ordering
* Fixed a regression in Django 4.2 where a nonexistent stylesheet
was linked on a “Congratulations!” page
* Fixed a regression in Django 4.2 that caused a crash of
QuerySet.aggregate() with expressions referencing other
aggregates
* Fixed a regression in Django 4.2 that caused a crash of
QuerySet.aggregate() with aggregates referencing subqueries
* Fixed a regression in Django 4.2 that caused a crash of
querysets on SQLite when filtering on DecimalField against
values outside of the defined range
* Fixed a regression in Django 4.2 that caused a serialization
crash on a ManyToManyField without a natural key when its
Manager’s base QuerySet used select_related()
OBS-URL: https://build.opensuse.org/request/show/1091039
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=135
- Update to 4.2.1
+ CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field
+ Bugfixes
* Fixed a regression in Django 4.2 that caused a crash of
QuerySet.defer() when deferring fields by attribute names
* Fixed a regression in Django 4.2 that caused a crash of
SearchVector function with % characters
* Fixed a regression in Django 4.2 that caused aggregation over a
query that uses explicit grouping to group against the wrong
columns
* Reallowed, following a regression in Django 4.2, setting the
"cursor_factory" option in OPTIONS on PostgreSQL
* Enforced UTF-8 client encoding on PostgreSQL, following a
regression in Django 4.2
* Fixed a regression in Django 4.2 where i18n_patterns() didn’t
respect the prefix_default_language argument when a fallback
language of the default language was used
* Fixed a regression in Django 4.2 where translated URLs of the
default language from i18n_patterns() with
prefix_default_language set to False raised 404 errors for a
request with a different language
* Fixed a regression in Django 4.2 where creating copies and deep
copies of HttpRequest, HttpResponse, and their subclasses didn’t
always work correctly
* Fixed a regression in Django 4.2 where timesince and timeuntil
template filters returned incorrect results for a datetime with
a non-UTC timezone when a time difference is less than 1 day
* Fixed a regression in Django 4.2 that caused a crash of
SearchHeadline function with psycopg 3
* Fixed a regression in Django 4.2 that caused incorrect
ClearableFileInput margins in the admin
* Fixed a regression in Django 4.2 where breadcrumbs didn’t appear
on admin site app index views
* Made squashing migrations reduce AddIndex, RemoveIndex,
RenameIndex, and CreateModel operations which allows removing a
deprecated Meta.index_together option from historical migrations
and use Meta.indexes instead
OBS-URL: https://build.opensuse.org/request/show/1084538
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=133
- Update to 4.1.4
+ Fixed a regression in Django 4.1 that caused an unnecessary table
rebuild when adding a ManyToManyField on SQLite
+ Fixed a bug in Django 4.1 that caused a crash of the sitemap index
view with an empty Sitemap.items() and a callable lastmod
+ Fixed a bug in Django 4.1 that caused a crash using acreate(),
aget_or_create(), and aupdate_or_create() asynchronous methods of
related managers
+ Fixed a bug in Django 4.1 that caused a crash of
QuerySet.bulk_create() with "pk" in unique_fields
+ Fixed a bug in Django 4.1 that caused a crash of
QuerySet.bulk_create() on fields with db_column
OBS-URL: https://build.opensuse.org/request/show/1040693
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=119
- Update to 4.1.2 (bsc#1203793, CVE-2022-41323)
+ Fixed a regression in Django 4.1 that caused a migration crash on
PostgreSQL when adding a model with ExclusionConstraint
+ Fixed a regression in Django 4.1 that caused aggregation over a
queryset that contained an Exists annotation to crash due to too
many selected columns
+ Fixed a bug in Django 4.1 that caused an incorrect validation of
CheckConstraint on NULL values
+ Fixed a regression in Django 4.1 that caused a
QuerySet.values()/values_list() crash on ArrayAgg() and JSONBAgg()
+ Fixed a bug in Django 4.1 that caused
ModelAdmin.autocomplete_fields to be incorrectly selected after
adding/changing related instances via popups
+ Fixed a regression in Django 4.1 where the app registry was not
populated when running parallel tests with the multiprocessing
start method spawn
+ Fixed a regression in Django 4.1 where the --debug-mode argument
to test did not work when running parallel tests with the
multiprocessing start method spawn
+ Fixed a regression in Django 4.1 that didn’t alter a sequence type
when altering type of pre-Django 4.1 serial columns on PostgreSQL
+ Fixed a regression in Django 4.1 that caused a crash for View
subclasses with asynchronous handlers when handling non-allowed
HTTP methods
+ Reverted caching related managers for ForeignKey, ManyToManyField,
and GenericRelation that caused the incorrect refreshing of
related objects
+ Relaxed the system check added in Django 4.1 for the same name
used for multiple template tag modules to a warning
OBS-URL: https://build.opensuse.org/request/show/1007838
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=115
- Update to 4.1.1
+ Reallowed, following a regression in Django 4.1, using GeoIP2()
when GEOS is not installed
+ Fixed a regression in Django 4.1 that caused a crash of admin’s
autocomplete widgets when translations are deactivated
+ Fixed a regression in Django 4.1 that caused a crash of the test
management command when running in parallel and multiprocessing
start method is spawn
+ Fixed a regression in Django 4.1 that caused an incorrect
redirection to the admin changelist view when using "Save and
continue editing" and "Save and add another" options
+ Fixed a regression in Django 4.1 that caused a crash of Window
expressions with ArrayAgg
+ Fixed a regression in Django 4.1 that caused a migration crash on
SQLite 3.35.5+ when removing an indexed field
+ Fixed a bug in Django 4.1 that caused a crash of model validation
on UniqueConstraint() with field names in expressions
+ Fixed a bug in Django 4.1 that caused an incorrect validation of
CheckConstraint() with range fields on PostgreSQL
+ Fixed a regression in Django 4.1 that caused an incorrect
migration when adding AutoField, BigAutoField, or SmallAutoField
on PostgreSQL
+ Fixed a regression in Django 4.1 that caused a migration crash on
PostgreSQL when altering AutoField, BigAutoField, or
SmallAutoField to OneToOneField
+ Fixed a migration crash on ManyToManyField fields with through
referencing models in different apps
+ Fixed a regression in Django 4.1 that caused an incorrect
migration when renaming a model with ManyToManyField and db_table
+ Reallowed, following a regression in Django 4.1, creating reverse
OBS-URL: https://build.opensuse.org/request/show/1001261
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=113
- Update to 4.0.2 (CVE-2022-22818, bsc#1195086) (CVE-2022-23833, bsc#1195088)
+ CVE-2022-22818: Possible XSS via {% debug %} template tag
+ CVE-2022-23833: Denial-of-service possibility in file uploads
+ Fixed a bug in Django 4.0 where
TestCase.captureOnCommitCallbacks() could execute callbacks
multiple times
+ Fixed a regression in Django 4.0 where help_text was HTML-escaped
in automatically-generated forms
+ Fixed a regression in Django 4.0 that caused displaying an
incorrect name for class-based views on the technical 404 debug
page
+ Fixed a regression in Django 4.0 that caused an incorrect repr of
ResolverMatch for class-based views
+ Fixed a regression in Django 4.0 that caused a crash of
makemigrations on models without Meta.order_with_respect_to but
with a field named _order
+ Fixed a regression in Django 4.0 that caused incorrect
ModelAdmin.radio_fields layout in the admin
+ Fixed a duplicate operation regression in Django 4.0 that caused a
migration crash when altering a primary key type for a concrete
parent model referenced by a foreign key
+ Fixed a bug in Django 4.0 that caused a crash of
QuerySet.aggregate() after annotate() on an aggregate function
with a default
+ Fixed a regression in Django 4.0 that caused a crash of
makemigrations when renaming a field of a renamed model
OBS-URL: https://build.opensuse.org/request/show/950390
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=101
- Update to 4.0.1 (CVE-2021-45115, CVE-2021-45452, bsc#1194117)
+ CVE-2021-45115: Denial-of-service possibility in
UserAttributeSimilarityValidator
+ CVE-2021-45452: Potential directory-traversal via Storage.save()
+ Fixed a regression in Django 4.0 that caused a crash of
assertFormsetError() on a formset named form
+ Fixed a bug in Django 4.0 that caused a crash on booleans with the
RedisCache backend
+ Relaxed the check added in Django 4.0 to reallow use of a
duck-typed HttpRequest in
django.views.decorators.cache.cache_control() and never_cache()
decorators
+ Fixed a regression in Django 4.0 that caused creating bogus
migrations for models that reference swappable models such as
auth.User
+ Fixed a long standing bug in Geometry Collections and Polygon that
caused a crash on some platforms (reported on macOS based on the
ARM64 architecture)
OBS-URL: https://build.opensuse.org/request/show/945252
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=99
- Update to 3.2.5 (CVE-2021-35042, bsc#1187785)
+ Fixed a regression in Django 3.2 that caused a crash of
QuerySet.values_list(..., named=True) after prefetch_related()
+ Fixed a bug in Django 3.2 that caused a migration crash on MySQL
8.0.13+ when altering BinaryField, JSONField, or TextField to
non-nullable
+ Fixed a regression in Django 3.2 that caused a migration crash on
MySQL 8.0.13+ when adding nullable BinaryField, JSONField, or
TextField with a default value
+ Fixed a bug in Django 3.2 where a system check would crash on a
model with an invalid app_label
OBS-URL: https://build.opensuse.org/request/show/903353
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=88
- Update to 3.2.4 (CVE-2021-33203, CVE-2021-33571)
+ CVE-2021-33203: Potential directory traversal via admindocs
+ CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
since validators accepted leading zeros in IPv4 addresses
+ Fixed a bug in Django 3.2 where a final catch-all view in the
admin didn’t respect the server-provided value of SCRIPT_NAME when
redirecting unauthenticated users to the login page
+ Fixed a bug in Django 3.2 where a system check would crash on an
abstract model
+ Prevented unnecessary initialization of unused caches following a
regression in Django 3.2
+ Fixed a crash in Django 3.2 that could occur when running mod_wsgi
with the recommended settings while the Windows colorama library
was installed
+ Fixed a bug in Django 3.2 that would trigger the auto-reloader for
template changes when directory paths were specified with strings
+ Fixed a regression in Django 3.2 that caused a crash of
auto-reloader with AttributeError, e.g. inside a Conda environment
+ Fixed a regression in Django 3.2 that caused a loss of precision
for operations with DecimalField on MySQL
OBS-URL: https://build.opensuse.org/request/show/896895
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=86
- Update to 3.2.1 (CVE-2021-31542)
+ CVE-2021-31542: Potential directory-traversal via uploaded files
+ Corrected detection of GDAL 3.2 on Windows
+ Fixed a bug in Django 3.2 where subclasses of BigAutoField and
SmallAutoField were not allowed for the DEFAULT_AUTO_FIELD setting
+ Fixed a regression in Django 3.2 that caused a crash of
QuerySet.values()/values_list() after QuerySet.union(),
intersection(), and difference() when it was ordered by an
unannotated field
+ Restored, following a regression in Django 3.2, displaying an
exception message on the technical 404 debug page
+ Fixed a bug in Django 3.2 where a system check would crash on
reverse one-to-one relationships in CheckConstraint.check or
UniqueConstraint.condition
+ Fixed a regression in Django 3.2 that caused a crash of
ModelAdmin.search_fields when searching against phrases with
unbalanced quotes
+ Fixed a bug in Django 3.2 where variable lookup errors were logged
rendering the sitemap template if alternates were not defined
+ Fixed a regression in Django 3.2 that caused a crash when
combining Q() objects which contain boolean expressions
+ Fixed a regression in Django 3.2 that caused a crash of
QuerySet.update() on a queryset ordered by inherited or joined
fields on MySQL and MariaDB
+ Fixed a regression in Django 3.2 that caused a crash when decoding
a cookie value, used by
django.contrib.messages.storage.cookie.CookieStorage, in the
pre-Django 3.2 format
+ Fixed a regression in Django 3.2 that stopped the shift-key
modifier selecting multiple rows in the admin changelist
+ Fixed a bug in Django 3.2 where a system check would crash on the
STATICFILES_DIRS setting with a list of 2-tuples of (prefix, path)
+ Fixed a long standing bug involving queryset bitwise combination
when used with subqueries that began manifesting in Django 3.2,
due to a separate fix using Exists to exclude() multi-valued
relationships
+ Fixed a bug in Django 3.2 where variable lookup errors were logged
when rendering some admin templates
+ Fixed a bug in Django 3.2 where an admin changelist would crash
when deleting objects filtered against multi-valued relationships
+ Fixed a regression in Django 3.2 where the calling process
environment would not be passed to the dbshell command on PostgreSQL
+ Fixed a performance regression in Django 3.2 when building complex
filters with subqueries
OBS-URL: https://build.opensuse.org/request/show/890638
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=80
* Fixed setting the Content-Length HTTP header in AsyncRequestFactory
* Fixed passing extra HTTP headers to AsyncRequestFactory request methods
* Fixed crash of key transforms for JSONField on PostgreSQL when using
on a Subquery() annotation
* Fixed a regression in Django 3.1 that caused the incorrect grouping
by a Q object annotation
* Fixed a regression in Django 3.1 that caused suppressing connection errors
when JSONField is used on SQLite
* Fixed a crash on SQLite, when QuerySet.values()/values_list() contained
key transforms for JSONField returning non-string primitive values
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=74
* Fixed a regression in Django 3.1.2 that caused the incorrect height of the admin
changelist search bar
* Fixed a regression in Django 3.1.2 that caused the incorrect width of the
admin changelist search bar on a filtered page
* Fixed displaying Unicode characters in forms.JSONField and read-only
models.JSONField values in the admin
* Fixed a regression in Django 3.1 that caused a crash of ArrayAgg and StringAgg
with ordering on key transforms for JSONField
* Fixed a regression in Django 3.1 that caused a crash of __in lookup when using
key transforms for JSONField in the lookup value
* Fixed a regression in Django 3.1 that caused a crash of ExpressionWrapper with
key transforms for JSONField
* Fixed a regression in Django 3.1 that caused a migrations crash on PostgreSQL
when adding an ExclusionConstraint with key transforms for JSONField in expressions
* Fixed a regression in Django 3.1 where ProtectedError.protected_objects
and RestrictedError.restricted_objects attributes returned iterators instead
of a set of objects
* Fixed a regression in Django 3.1.2 that caused incorrect form input layout
on small screens in the admin change form view
* Fixed a regression in Django 3.1 that invalidated pre-Django 3.1 password reset tokens
* Added support for asgiref 3.3
* Fixed a regression in Django 3.1 that caused incorrect textarea layout
on medium-sized screens in the admin change form view with the sidebar open
* Fixed a regression in Django 3.0.7 that didn’t use Subquery() aliases
in the GROUP BY clause
* Fixed a bug in Django 3.1 where FileField instances with a callable storage were
not correctly deconstructed
* Fixed a regression in Django 3.1 where the QuerySet.ordered attribute returned
incorrectly True for GROUP BY queries (e.g. .annotate().values()) on models with
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:django/python-Django?expand=0&rev=72