Django

===========================

*February 12, 2019*

Django 2.0.13 fixes a regression in 2.0.12/2.0.11.

Bugfixes
========

* Fixed crash in ``django.utils.numberformat.format_number()`` when the number
has over 200 digits (:ticket:`30177`).


===========================

===========================

*February 11, 2019*

Django 2.0.12 fixes a packaging error in 2.0.11.

Bugfixes
========

* Corrected packaging error from 2.0.11 (:ticket:`30175`).


===========================

===========================

*January 4, 2019*

Django 2.0.10 fixes a security issue and several bugs in 2.0.9.

CVE-2019-3498: Content spoofing possibility in the default 404 page
-------------------------------------------------------------------

An attacker could craft a malicious URL that could make spoofed content appear
on the default page generated by the ``django.views.defaults.page_not_found()``
view.

The URL path is no longer displayed in the default 404 template and the
``request_path`` context variable is now quoted to fix the issue for custom
templates that use the path.

Bugfixes
========

* Prevented repetitive calls to ``geos_version_tuple()`` in the ``WKBWriter``
class in an attempt to fix a random crash involving ``LooseVersion`` since
Django 2.0.6 (:ticket:`29959`).

* Fixed a schema corruption issue on SQLite 3.26+. You might have to drop and
rebuild your SQLite database if you applied a migration while using an older
version of Django with SQLite 3.26 or later (:ticket:`29182`).

* Prevented SQLite schema alterations while foreign key checks are enabled to
avoid the possibility of schema corruption (:ticket:`30023`).


==========================

==========================

*October 1, 2018*

Django 2.0.9 fixes a data loss bug in 2.0.8.

Bugfixes
========

* Fixed a race condition in ``QuerySet.update_or_create()`` that could result
in data loss (:ticket:`29499`).


==========================

==========================

*August 1, 2018*

Django 2.0.8 fixes a security issue and several bugs in 2.0.7.

CVE-2018-14574: Open redirect possibility in ``CommonMiddleware``
=================================================================

If the :class:`~django.middleware.common.CommonMiddleware` and the
:setting:`APPEND_SLASH` setting are both enabled, and if the project has a
URL pattern that accepts any path ending in a slash (many content management
systems have such a pattern), then a request to a maliciously crafted URL of
that site could lead to a redirect to another site, enabling phishing and other
attacks.

``CommonMiddleware`` now escapes leading slashes to prevent redirects to other
domains.

Bugfixes
========

* Fixed a regression in Django 2.0.7 that broke the ``regex`` lookup on MariaDB
(even though MariaDB isn't officially supported) (:ticket:`29544`).

* Fixed a regression where ``django.template.Template`` crashed if the
``template_string`` argument is lazy (:ticket:`29617`).


==========================

==========================

*July 2, 2018*

Django 2.0.7 fixes several bugs in 2.0.6.

Bugfixes
========

* Fixed admin changelist crash when using a query expression without ``asc()``
or ``desc()`` in the page's ordering (:ticket:`29428`).

* Fixed admin check crash when using a query expression in
``ModelAdmin.ordering`` (:ticket:`29428`).

* Fixed ``__regex`` and ``__iregex`` lookups with MySQL 8 (:ticket:`29451`).

* Fixed migrations crash with namespace packages on Python 3.7
(:ticket:`28814`).


==========================