Django

==========================

*April 5, 2023*

Django 4.1.8 fixes a bug in 4.1.7.

Bugfixes
========

* Fixed a bug in Django 4.1 that caused invalidation of sessions when rotating
secret keys with ``SECRET_KEY_FALLBACKS`` (:ticket:`34384`).


==========================

==========================

*February 14, 2023*

Django 4.1.7 fixes a security issue with severity "moderate" and a bug in
4.1.6.

CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
=========================================================================

Passing certain inputs to multipart forms could result in too many open files
or memory exhaustion, and provided a potential vector for a denial-of-service
attack.

The number of files parts parsed is now limited via the new
:setting:`DATA_UPLOAD_MAX_NUMBER_FILES` setting.

Bugfixes
========

* Fixed a bug in Django 4.1 that caused a crash of model validation on
``ValidationError`` with no ``code`` (:ticket:`34319`).


==========================

==========================

*February 1, 2023*

Django 4.1.6 fixes a security issue with severity "moderate" and a bug in
4.1.5.

CVE-2023-23969: Potential denial-of-service via ``Accept-Language`` headers
===========================================================================

The parsed values of ``Accept-Language`` headers are cached in order to avoid
repetitive parsing. This leads to a potential denial-of-service vector via
excessive memory usage if large header values are sent.

In order to avoid this vulnerability, the ``Accept-Language`` header is now
parsed up to a maximum length.

Bugfixes
========

* Fixed a bug in Django 4.1 that caused a crash of model validation on
``UniqueConstraint`` with ordered expressions (:ticket:`34291`).


==========================

==========================

*January 2, 2023*

Django 4.1.5 fixes a bug in 4.1.4. Also, the latest string translations from
Transifex are incorporated.

Bugfixes
========

* Fixed a long standing bug in the ``__len`` lookup for ``ArrayField`` that
caused a crash of model validation on
:attr:`Meta.constraints <django.db.models.Options.constraints>`
(:ticket:`34205`).


==========================

==========================

*December 6, 2022*

Django 4.1.4 fixes several bugs in 4.1.3.

Bugfixes
========

* Fixed a regression in Django 4.1 that caused an unnecessary table rebuild
when adding a ``ManyToManyField`` on SQLite (:ticket:`34138`).

* Fixed a bug in Django 4.1 that caused a crash of the sitemap index view with
an empty :meth:`Sitemap.items() <django.contrib.sitemaps.Sitemap.items>` and
a callable :attr:`~django.contrib.sitemaps.Sitemap.lastmod`
(:ticket:`34088`).

* Fixed a bug in Django 4.1 that caused a crash using ``acreate()``,
``aget_or_create()``, and ``aupdate_or_create()`` asynchronous methods of
related managers (:ticket:`34139`).

* Fixed a bug in Django 4.1 that caused a crash of ``QuerySet.bulk_create()``
with ``"pk"`` in ``unique_fields`` (:ticket:`34177`).

* Fixed a bug in Django 4.1 that caused a crash of ``QuerySet.bulk_create()``
on fields with ``db_column`` (:ticket:`34171`).


==========================

==========================

*November 1, 2022*

Django 4.1.3 fixes a bug in 4.1.2 and adds compatibility with Python 3.11.

Bugfixes
========

* Fixed a bug in Django 4.1 that caused non-Python files created by
``startproject`` and ``startapp`` management commands from custom templates
to be incorrectly formatted using the ``black`` command (:ticket:`34085`).


==========================