django.git/docs/releases/5.0.8.txt, branch main django http://cgit.adnoto.dev/django.git/atom?h=main 2024-08-06T06:50:08Z Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields. 2024-08-06T06:50:08Z Simon Charette charette.s@gmail.com 2024-07-25T16:19:13Z urn:sha1:c87bfaacf8fb84984243b5055dc70f97996cb115 Thanks Eyal (eyalgabay) for the report. Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget. 2024-08-06T06:50:08Z Mariusz Felisiak felisiak.mariusz@gmail.com 2024-07-10T18:30:12Z urn:sha1:5f1757142febd95994caa1c0f64c1a0c161982c3 Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters. 2024-08-06T06:50:08Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-07-18T11:19:34Z urn:sha1:ecf1f8fb900f94de08c945164633e9a28a2edadb Thanks to MProgrammer for the report. Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat. 2024-08-06T06:50:08Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-07-12T09:38:34Z urn:sha1:c19465ad87e33b6122c886b97a202ad54cd43672 Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com> Fixed #35657 -- Made FileField handle db_default values. 2024-08-05T19:36:49Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-08-05T19:36:49Z urn:sha1:8deb6bb1fc427762d56646bf7306cbd11fb5bb68 Fixed #35638 -- Updated validate_constraints to consider db_default. 2024-08-05T15:33:12Z David Sanders shang.xiao.sanders@gmail.com 2024-08-05T06:22:29Z urn:sha1:509763c79952cde02d9f5b584af4278bdbed77b2 Fixed #35628 -- Allowed compatible GeneratedFields for ModelAdmin.date_hierarchy. 2024-08-05T13:27:20Z John Parton john.parton.iv@gmail.com 2024-07-24T18:53:06Z urn:sha1:7f8d839722b72aeb3ec5a4278ae57c18283acacd Added stub release notes and release date for 5.0.8 and 4.2.15. 2024-07-31T09:21:32Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-07-31T09:21:32Z urn:sha1:3f880890699d4412cf23b59dba425111f62afb3a Fixed #35627 -- Raised a LookupError rather than an unhandled ValueError in get_supported_language_variant(). 2024-07-25T07:38:46Z Lorenzo Peña lorinkoz@gmail.com 2024-07-23T10:06:29Z urn:sha1:0e94f292cda632153f2b3d9a9037eb0141ae9c2e LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb. Fixed #35625 -- Fixed a crash when adding a field with db_default and check constraint. 2024-07-25T05:48:53Z Simon Charette charette.s@gmail.com 2024-07-23T04:33:31Z urn:sha1:f359990e4909db8722820849d61a6f5724338723 This is the exact same issue as refs #30408 but for creating a model with a constraint containing % escapes instead of column addition. All of these issues stem from a lack of SQL and parameters separation from the BaseConstraint DDL generating methods preventing them from being mixed with other parts of the schema alteration logic that do make use of parametrization on some backends (e.g. Postgres, MySQL for DEFAULT). Prior to the addition of Field.db_default and GeneratedField in 5.0 parametrization of DDL was never exercised on model creation so this is effectively a bug with db_default as the GeneratedField case was addressed by refs #35336. Thanks Julien Chaumont for the report and Mariusz Felisiak for the review.