Workflow

Django

Latest version: v5.1.3

Safety actively analyzes 682229 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 4 of 54

4.2.12

Not secure
===========================

*May 6, 2024*

Django 4.2.12 fixes a compatibility issue with Python 3.11.9+ and 3.12.3+.

Bugfixes
========

* Fixed a crash in Django 4.2 when validating email max line lengths with
content decoded using the ``surrogateescape`` error handling scheme
(:ticket:`35361`).


===========================

4.2.11

Not secure
===========================

*March 4, 2024*

Django 4.2.11 fixes a security issue with severity "moderate" and a regression
in 4.2.10.

CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
=========================================================================================================

``django.utils.text.Truncator.words()`` method (with ``html=True``) and
:tfilter:`truncatewords_html` template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(follow up to :cve:`2019-14232` and :cve:`2023-43665`).

Bugfixes
========

* Fixed a regression in Django 4.2.10 where ``intcomma`` template filter could
return a leading comma for string representation of floats (:ticket:`35172`).


===========================

4.2.10

Not secure
===========================

*February 6, 2024*

Django 4.2.10 fixes a security issue with severity "moderate" in 4.2.9.

CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
===========================================================================

The ``intcomma`` template filter was subject to a potential denial-of-service
attack when used with very long strings.


==========================

4.2.9

Not secure
==========================

*January 2, 2024*

Django 4.2.9 fixes a bug in 4.2.8.

Bugfixes
========

* Fixed a regression in Django 4.2.8 where admin fields on the same line could
overflow the page and become non-interactive (:ticket:`35012`).


==========================

4.2.8

Not secure
==========================

*December 4, 2023*

Django 4.2.8 fixes several bugs in 4.2.7 and adds compatibility with Python
3.12.

Bugfixes
========

* Fixed a regression in Django 4.2 that caused :option:`makemigrations --check`
to stop displaying pending migrations (:ticket:`34457`).

* Fixed a regression in Django 4.2 that caused a crash of
``QuerySet.aggregate()`` with aggregates referencing other aggregates or
window functions through conditional expressions (:ticket:`34975`).

* Fixed a regression in Django 4.2 that caused a crash when annotating a
``QuerySet`` with a ``Window`` expressions composed of a ``partition_by``
clause mixing field types and aggregation expressions (:ticket:`34987`).

* Fixed a regression in Django 4.2 where the admin's change list page had
misaligned pagination links and inputs when using ``list_editable``
(:ticket:`34991`).

* Fixed a regression in Django 4.2 where checkboxes in the admin would be
centered on narrower screen widths (:ticket:`34994`).

* Fixed a regression in Django 4.2 that caused a crash of querysets with
aggregations on MariaDB when the ``ONLY_FULL_GROUP_BY`` SQL mode was enabled
(:ticket:`34992`).

* Fixed a regression in Django 4.2 where the admin's read-only password widget
and some help texts were incorrectly aligned at tablet widths
(:ticket:`34982`).

* Fixed a regression in Django 4.2 that caused a migration crash on SQLite when
altering unsupported ``Meta.db_table_comment`` (:ticket:`35006`).


==========================

4.2.7

Not secure
==========================

*November 1, 2023*

Django 4.2.7 fixes a security issue with severity "moderate" and several bugs
in 4.2.6.

CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
=========================================================================================

The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
subject to a potential denial of service attack via certain inputs with a very
large number of Unicode characters.

In order to avoid the vulnerability, invalid values longer than
``UsernameField.max_length`` are no longer normalized, since they cannot pass
validation anyway.

Bugfixes
========

* Fixed a regression in Django 4.2 that caused a crash of
``QuerySet.aggregate()`` with aggregates referencing expressions containing
subqueries (:ticket:`34798`).

* Restored, following a regression in Django 4.2, creating
``varchar/text_pattern_ops`` indexes on ``CharField`` and ``TextField`` with
deterministic collations on PostgreSQL (:ticket:`34932`).


==========================

Page 4 of 54

Links

Releases

Has known vulnerabilities

Previous Next

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.