django.git/docs/releases/6.0.3.txt, branch main django http://cgit.adnoto.dev/django.git/atom?h=main 2026-03-03T12:09:32Z Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions on file system object creation. 2026-03-03T12:09:32Z Natalia 124304+nessita@users.noreply.github.com 2026-01-21T21:03:20Z urn:sha1:019e44f67a8dace67b786e2818938c8691132988 This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython. Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Zackery Spytz <zspytz@gmail.com> Refs CVE-2020-24583 and #31921. Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews. Fixed CVE-2026-25673 -- Simplified URLField scheme detection. 2026-03-03T12:08:46Z Natalia 124304+nessita@users.noreply.github.com 2026-01-30T01:52:41Z urn:sha1:951ffb3832cd83ba672c1e3deae2bda128eb9cca This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Fixed #36961 -- Fixed TypeError in deprecation warnings if Django is imported by namespace. 2026-03-02T19:08:11Z Jacob Walls jacobtylerwalls@gmail.com 2026-02-27T19:43:55Z urn:sha1:c1d8646ec219b8b90ebdd463f40e5767876658a0 Fixed #36951 -- Removed empty exc_info from log_task_finished signal handler. 2026-02-25T18:52:23Z Elias Hernandis elias@hernandis.me 2026-02-18T07:10:40Z urn:sha1:497d9cdc67f0bdae929fcde677b5f441e94a6c8b Before, if no exception occurred, "None Type: None" was logged. Added stub release notes and release date for 6.0.3, 5.2.12, and 4.2.29. 2026-02-24T16:47:37Z Natalia 124304+nessita@users.noreply.github.com 2026-02-20T17:49:16Z urn:sha1:acd0bec51366e259b4c2b43e4c09755541cdf560 Fixed #36920 -- Fixed alignment of fieldset legends in wide admin forms. 2026-02-20T20:30:23Z usman muhammad.usman11914@gmail.com 2026-02-19T20:19:53Z urn:sha1:8d251b512bafd7b7f736cfcabeba0ae76106f2db Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95. Refs #36934, #35972 -- Forwardported release note for tolerating sequences in BuiltinLookup.as_sql(). 2026-02-20T14:18:57Z Jacob Walls jacobtylerwalls@gmail.com 2026-02-20T14:15:37Z urn:sha1:96984b9b0f1d88f096985a908ee67dc6f2b9a682 Instead of cherry-picking a larger changeset (787cc96ef6197d73c7d4ad96f25500910c399603) and removing changes unsuitable for a backport, a partial backport was applied directly to stable/6.0.x to resolve #36934, so the release note needs to be forwardported. Forwardport of f9b820f8ac50aad025949087e660a551691832e4 from stable/6.0.x. Fixed #36903 -- Fixed further NameErrors when inspecting functions with deferred annotations. 2026-02-10T21:51:55Z 93578237 43147888+93578237@users.noreply.github.com 2026-02-09T21:06:50Z urn:sha1:56ed37e17e5b1a509aa68a0c797dcff34fcc1366 Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04. Added stub release notes for 6.0.3. 2026-02-03T14:05:18Z Jacob Walls jacobtylerwalls@gmail.com 2026-02-03T14:05:18Z urn:sha1:e7e43f1f91b5e4822ace888d85645eada8535daa