chango.git, branch 5.0.7 django http://cgit.adnoto.dev/chango.git/atom?h=5.0.7 2024-07-09T13:29:34Z [5.0.x] Bumped version for 5.0.7 release. 2024-07-09T13:29:34Z Natalia 124304+nessita@users.noreply.github.com 2024-07-09T13:29:34Z urn:sha1:deec9b933ee8496274e4c53217a38f31cb59a27f [5.0.x] Made cosmetic edits to 5.0.7 release notes. 2024-07-09T13:04:57Z Natalia 124304+nessita@users.noreply.github.com 2024-07-09T12:36:54Z urn:sha1:3a7bf7fb6cf621cf99931b8c4a23b92ccdee713e Backport of 1062bf730235ecc90f2087f1c2d346615377a006 from main. [5.0.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_language_variant(). 2024-07-09T13:03:38Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-06-26T10:11:54Z urn:sha1:8e7a44e4bec0f11474699c3111a5e0a45afe7f49 Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report. [5.0.x] Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method. 2024-07-09T13:03:32Z Natalia 124304+nessita@users.noreply.github.com 2024-03-20T16:55:21Z urn:sha1:9f4f63e9ebb7bf6cb9547ee4e2526b9b96703270 Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews. [5.0.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when checking unusuable passwords. 2024-07-09T13:03:20Z Michael Manfre mike@manfre.net 2024-06-15T02:12:58Z urn:sha1:07cefdee4a9d1fcd9a3a631cbd07c78defd1923b Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review. [5.0.x] Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc template filters. 2024-07-09T13:03:07Z Adam Johnson me@adamj.eu 2024-06-24T13:30:59Z urn:sha1:7285644640f085f41d60ab0c8ae4e9153f0485db Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> [5.0.x] Fixed 35506 -- Clarified initial references to URLconf in tutorial 1. 2024-07-09T01:03:50Z lucas-r-oliveira lucasoliveira7c@gmail.com 2024-06-08T10:49:08Z urn:sha1:830340037b1bc499612752b835c1629d3aa01036 Backport of 2c931fda5b341e0febf68269d2c2447a64875127 from main. [5.0.x] Refs #35560 -- Corrected CheckConstraint argument name in model_fields tests. 2024-07-08T10:38:04Z Mariusz Felisiak felisiak.mariusz@gmail.com 2024-07-05T06:21:27Z urn:sha1:c76089be6f955d0493b3ab81c2beb64db4e203c4 [5.0.x] Removed outdated note about limitations in Clickjacking protection. 2024-07-04T21:13:25Z Mariusz Felisiak felisiak.mariusz@gmail.com 2024-07-04T21:08:19Z urn:sha1:43aa0c103b08a6d4bf2500080ed389c6303b37e9 There is no need to list old browser versions or point users to workarounds. Backport of f302343380c77e1eb5dab3b64dd70895a95926ca from main. [5.0.x] Fixed #35560 -- Made Model.full_clean() ignore GeneratedFields for constraints. 2024-07-04T09:49:27Z Mark Gensler mark.gensler@protonmail.com 2024-06-25T14:04:48Z urn:sha1:0602fc2124f3e1f1562d497607e0efd5474b5831 Accessing generated field values on unsaved models caused a crash when validating CheckConstraints and UniqueConstraints with expressions. Backport of 1005c2abd1ef0c156f449641e38c33e473989d37 from main.