| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Upstream changes:
Django 3.1.2 release notes¶
October 1, 2020
Django 3.1.2 fixes several bugs in 3.1.1.
Bugfixes¶
Fixed a bug in Django 3.1 where FileField instances with a callable storage were not correctly deconstructed (#31941).
Fixed a regression in Django 3.1 where the QuerySet.ordered attribute returned incorrectly True for GROUP BY queries (e.g. .annotate().values()) on models with Meta.ordering. A model’s Meta.ordering doesn’t affect such queries (#31990).
Fixed a regression in Django 3.1 where a queryset would crash if it contained an aggregation and a Q object annotation (#32007).
Fixed a bug in Django 3.1 where a test database was not synced during creation when using the MIGRATE test database setting (#32012).
Fixed a django.contrib.admin.EmptyFieldListFilter crash when using on a GenericRelation (#32038).
Fixed a regression in Django 3.1.1 where the admin changelist filter sidebar would not scroll for a long list of available filters (#31986).
|
|
Django 3.1.1 fixes two security issues and several bugs in 3.1.
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the collectstatic management command.
You should review and manually fix permissions on existing intermediate-level directories.
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
On Python 3.7+, the intermediate-level directories of the file system cache had the system’s standard umask rather than 0o077 (no group or others permissions).
Bugfixes
Fixed wrapping of translated action labels in the admin’s navigation sidebar for East Asian languages.
Fixed wrapping of long model names in the admin’s navigation sidebar.
Fixed encoding session data while upgrading multiple instances of the same project to Django 3.1.
Adjusted admin’s navigation sidebar template to reduce debug logging when rendering.
Fixed a data loss possibility in the select_for_update(). When using related fields pointing to a proxy model in the of argument, the corresponding model was not locked.
Fixed a data loss possibility, following a regression in Django 2.0, when copying model instances with a cached fields value.
Fixed a regression in Django 3.1 that caused a crash when decoding an invalid session data.
Reverted a deprecation in Django 3.1 that caused a crash when passing deprecated keyword arguments to a queryset in TemplateView.get_context_data().
Enforced thread sensitivity of the MiddlewareMixin.process_request() and process_response() hooks when in an async context.
Fixed __in lookup on key transforms for JSONField with MariaDB, MySQL, Oracle, and SQLite.
Fixed a regression in Django 3.1 that caused permission errors in CommonPasswordValidator and settings.py generated by the startproject command, when user didn’t have permissions to all intermediate directories in a Django installation path.
Fixed detecting an async get_response callable in various builtin middlewares.
Fixed a QuerySet.order_by() crash on PostgreSQL when ordering and grouping by JSONField with a custom decoder.
Fixed a QuerySet.delete() crash on MySQL, following a performance regression in Django 3.1 on MariaDB 10.3.2+, when filtering against an aggregate function.
Fixed a django.contrib.admin.EmptyFieldListFilter crash when using on reverse relations.
Prevented content overflowing in the admin changelist view when the navigation sidebar is enabled
What’s new in Django 3.1
Asynchronous views and middleware support
JSONField for all supported database backends
DEFAULT_HASHING_ALGORITHM settings
|
|
Django 3.0.8 fixes several bugs in 3.0.7.
Bugfixes
Fixed messages of InvalidCacheKey exceptions and CacheKeyWarning warnings raised by cache key validation.
Fixed a regression in Django 3.0.7 that caused a queryset crash when grouping by a many-to-one relationship.
Reallowed, following a regression in Django 3.0, non-expressions having a filterable attribute to be used as the right-hand side in queryset filters.
Fixed a regression in Django 3.0.2 that caused a migration crash on PostgreSQL when adding a foreign key to a model with a namespaced db_table.
Added compatibility for cx_Oracle 8
|
|
Django 3.0.7 fixes two security issues and several bugs in 3.0.6.
CVE-2020-13254: Potential data leakage via malformed memcached keys
In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.
CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget
Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.
Bugfixes
Fixed a regression in Django 3.0 by restoring the ability to use field lookups in Meta.ordering.
Fixed a regression in Django 3.0 where QuerySet.values() and values_list() crashed if a queryset contained an aggregation and a subquery annotation.
Fixed a regression in Django 3.0 where aggregates used wrong annotations when a queryset has multiple subqueries annotations.
Fixed a regression in Django 3.0 where QuerySet.values() and values_list() crashed if a queryset contained an aggregation and an Exists() annotation on Oracle.
Fixed a regression in Django 3.0 where all resolved Subquery() expressions were considered equal.
Fixed a regression in Django 3.0.5 that affected translation loading for apps providing translations for territorial language variants as well as a generic language, where the project has different plural equations for the language.
Tracking a jQuery security release, upgraded the version of jQuery used by the admin from 3.4.1 to 3.5.1.
|
|
3.0.6:
Fixed a regression in Django 3.0 that caused a crash when filtering a Subquery() annotation of a queryset containing a single related field against a SimpleLazyObject.
|
|
Django 3.0.5:
Added the ability to handle .po files containing different plural equations for the same language.
Fixed a regression in Django 3.0 where QuerySet.values() and values_list() crashed if a queryset contained an aggregation and Subquery() annotation that collides with a field name.
|
|
Django 3.0.4 fixes a security issue and several bugs in 3.0.3.
CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle
GIS functions and aggregates on Oracle were subject to SQL injection, using a suitably crafted tolerance.
Bugfixes
Fixed a data loss possibility when using caching from async code.
Fixed a regression in Django 3.0 that caused a file response using a temporary file to be closed incorrectly.
Fixed a data loss possibility in the select_for_update(). When using related fields or parent link fields with Multi-table inheritance in the of argument, the corresponding models were not locked.
Fixed a regression in Django 3.0 that caused misplacing parameters in logged SQL queries on Oracle.
Fixed a regression in Django 3.0.3 that caused misplacing parameters of SQL queries when subtracting DateField or DateTimeField expressions on MySQL.
Fixed a regression in Django 3.0 that didn’t include subqueries spanning multivalued relations in the GROUP BY clause
|
|
What’s new in Django 3.0
MariaDB support
ASGI support
Exclusion constraints on PostgreSQL
Filter expressions
Enumerations for model field choices
|
