Django

==========================

*February 5, 2025*

Django 5.1.6 fixes several bugs in 5.1.5.

Bugfixes
========

* Fixed a regression in Django 5.1.5 that caused ``validate_ipv6_address()``
and ``validate_ipv46_address()`` to crash when handling non-string values
(:ticket:`36098`).

* Fixed a regression in Django 5.1 where password fields, despite being set to
``required=False``, were still treated as required in forms derived from
:class:`~django.contrib.auth.forms.BaseUserCreationForm` (:ticket:`36140`).


==========================

==========================

*January 14, 2025*

Django 5.1.5 fixes a security issue with severity "moderate" and one bug in
5.1.4.

CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
============================================================================

Lack of upper bound limit enforcement in strings passed when performing IPv6
validation could lead to a potential denial-of-service attack. The undocumented
and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
vulnerable, as was the :class:`django.forms.GenericIPAddressField` form field,
which has now been updated to define a ``max_length`` of 39 characters.

The :class:`django.db.models.GenericIPAddressField` model field was not
affected.

Bugfixes
========

* Fixed a crash when applying migrations with references to the removed
``Meta.index_together`` option (:ticket:`34856`).


==========================

==========================

*December 4, 2024*

Django 5.1.4 fixes one security issue with severity "high", one security issue
with severity "moderate", and several bugs in 5.1.3.

CVE-2024-53907: Denial-of-service possibility in ``strip_tags()``
=================================================================

:func:`~django.utils.html.strip_tags` would be extremely slow to evaluate
certain inputs containing large sequences of nested incomplete HTML entities.
The ``strip_tags()`` method is used to implement the corresponding
:tfilter:`striptags` template filter, which was thus also vulnerable.

``strip_tags()`` now has an upper limit of recursive calls to ``HTMLParser``
before raising a :exc:`.SuspiciousOperation` exception.

Remember that absolutely NO guarantee is provided about the results of
``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
``strip_tags()`` call without escaping it first, for example with
:func:`django.utils.html.escape`.

CVE-2024-53908: Potential SQL injection via ``HasKey(lhs, rhs)`` on Oracle
==========================================================================

Direct usage of the ``django.db.models.fields.json.HasKey`` lookup on Oracle
was subject to SQL injection if untrusted data was used as a ``lhs`` value.

Applications that use the :lookup:`has_key <jsonfield.has_key>` lookup through
the ``__`` syntax are unaffected.

Bugfixes
========

* Fixed a crash in ``createsuperuser`` on Python 3.13+ caused by an unhandled
``OSError`` when the username could not be determined (:ticket:`35942`).

* Fixed a regression in Django 5.1 where relational fields were not updated
when calling ``Model.refresh_from_db()`` on instances with deferred fields
(:ticket:`35950`).


==========================

==========================

*November 5, 2024*

Django 5.1.3 fixes several bugs in 5.1.2 and adds compatibility with Python
3.13.

Bugfixes
========

* Fixed a bug in Django 5.1 where
:class:`~django.core.validators.DomainNameValidator` accepted any input value
that contained a valid domain name, rather than only input values that were a
valid domain name (:ticket:`35845`).

* Fixed a regression in Django 5.1 that prevented the use of DB-IP databases
with :class:`~django.contrib.gis.geoip2.GeoIP2` (:ticket:`35841`).

* Fixed a regression in Django 5.1 where non-ASCII fieldset names were not
displayed when rendering admin fieldsets (:ticket:`35876`).


==========================

==========================

*October 8, 2024*

Django 5.1.2 fixes several bugs in 5.1.1. Also, the latest string translations
from Transifex are incorporated.

Bugfixes
========

* Fixed a regression in Django 5.1 that caused a crash when using the
PostgreSQL lookup :lookup:`trigram_similar` on output fields from ``Concat``
(:ticket:`35732`).

* Fixed a regression in Django 5.1 that caused a crash of ``JSONObject()``
when using server-side binding with PostgreSQL 16+ (:ticket:`35734`).

* Fixed a regression in Django 5.1 that made selected items in multi-select
widgets indistinguishable from non-selected items in the admin dark theme
(:ticket:`35809`).


==========================

==========================

*September 3, 2024*

Django 5.1.1 fixes one security issue with severity "moderate", one security
issue with severity "low", and several bugs in 5.1.

CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-45231: Potential user email enumeration via response status on password reset
======================================================================================

Due to unhandled email sending failures, the
:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote
attackers to enumerate user emails by issuing password reset requests and
observing the outcomes.

To mitigate this risk, exceptions occurring during password reset email sending
are now handled and logged using the :ref:`django-contrib-auth-logger` logger.

Bugfixes
========

* Fixed a regression in Django 5.1 that caused a crash of ``Window()`` when
passing an empty sequence to the ``order_by`` parameter, and a crash of
``Prefetch()`` for a sliced queryset without ordering (:ticket:`35665`).

* Fixed a regression in Django 5.1 where a new ``usable_password`` field was
included in :class:`~django.contrib.auth.forms.BaseUserCreationForm` (and
children). A new :class:`~django.contrib.auth.forms.AdminUserCreationForm`
including this field was added, isolating the feature to the admin where it
was intended (:ticket:`35678`).

* Adjusted the deprecation warning ``stacklevel`` in :meth:`.Model.save` and
:meth:`.Model.asave` to correctly point to the offending call site
(:ticket:`35060`).

* Adjusted the deprecation warning ``stacklevel`` when using ``OS_OPEN_FLAGS``
in :class:`~django.core.files.storage.FileSystemStorage` to correctly point
to the offending call site (:ticket:`35326`).

* Adjusted the deprecation warning ``stacklevel`` in
``FieldCacheMixin.get_cache_name()`` to correctly point to the offending call
site (:ticket:`35405`).

* Restored, following a regression in Django 5.1, the ability to override the
timezone and role setting behavior used within the ``init_connection_state``
method of the PostgreSQL backend (:ticket:`35688`).

* Fixed a bug in Django 5.1 where variable lookup errors were logged when
rendering admin fieldsets (:ticket:`35716`).


========================